diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
deleted file mode 100644
index f8760bbd918a797b062baa12df31da5afce65d44..0000000000000000000000000000000000000000
--- a/.gitlab-ci.yml
+++ /dev/null
@@ -1,893 +0,0 @@
-stages:
-  - prepare
-  - build_images
-  - deploy
-  - configure
-
-variables:
-  DEPLOY_PATH: deploy
-
-  JOOS_IO_BASE_URL: joos.io
-
-  BASE_URL: 420joos.dev
-  IMAGE_SERVER: registry.420joos.dev
-  BASH_IMAGE: bash:4.0-alpine3.15
-  SSH_DOCKERIMAGE: linuxserver/openssh-server:2021.11.21
-  PYTHON_IMAGE: "$IMAGE_SERVER/python_pyyaml:3.10.0"
-  GITLAB_IMAGE: "$IMAGE_SERVER/gitlab-ce:15.6.0"
-  NFS_IMAGE: $IMAGE_SERVER/nfs-alpine:1.0
-  CLUSTER_TOOLS_IMAGE: $IMAGE_SERVER/cluster-tools:1.0
-  DOCKER_BUILDX_IMAGE: $IMAGE_SERVER/docker-buildx:1.1
-  DOCKER_BUILD_BUILDX_IMAGE: andrijoos/docker-buildx:1.0
-  ELEMENT_IMAGE: "$IMAGE_SERVER/element:v1.11.34"
-  STREAMA_IMAGE: "$IMAGE_SERVER/streama:1.10.4"
-  MY_BOT_IMAGE: "$IMAGE_SERVER/my-bot:0.2"
-  UBUNTU_IMAGE: "$IMAGE_SERVER/ubuntu:22.04"
-
-
-  K3D_TESTCLUSTER_NAME: "test"
-  TESTCLUSTER_NAME: k3d-$K3D_TESTCLUSTER_NAME
-  TESTCLUSTER_DEVICE_USERNAME: "root"
-
-  PRODCLUSTER_NAME: "default"
-
-  # SSH_CONNECT_TO_TESTCLUSTER_CMD: "ssh -o StrictHostKeyChecking=no -i /ssh_config/id_rsa $TESTCLUSTER_DEVICE_USERNAME@$TESTCLUSTER_DEVICE_IP"
-  SSH_CONFIG_DIR: $DEPLOY_PATH/ssh_config
-  SSH_CONFIG_FILENAME: config
-  SSH_SOURCE_CONFIG_FILENAME: ssh_config
-  SSH_SOURCE_CONFIG_PATH: $SSH_CONFIG_DIR/$SSH_SOURCE_CONFIG_FILENAME
-  SSH_CONFIG_PATH: /root/.ssh
-  SSH_CONFIG_FILE_DESTINATION: $SSH_CONFIG_PATH/$SSH_CONFIG_FILENAME
-  SSH_MAKE_DIR_CMD: mkdir -p $SSH_CONFIG_PATH
-  SSH_CONFIG_COPY_CMD: cp $SSH_SOURCE_CONFIG_FILENAME $SSH_CONFIG_FILE_DESTINATION
-  SSH_TESTCLUSTER_CONFIG_NAME: testcluster
-  SSH_TO_TESTCLUSTER_CMD: ssh $SSH_TESTCLUSTER_CONFIG_NAME
-  SSH_IMAGEBUILDER_CONFIG_NAME: imagebuilder
-  SSH_TO_IMAGEBUILDER_CMD: ssh $SSH_IMAGEBUILDER_CONFIG_NAME
-  SSH_PREPARE_SSH_CONNECTION_FILENAME: prepare_ssh_connections.sh
-  SSH_PREPARE_SSH_CONNECTION_CMD: source $SSH_PREPARE_SSH_CONNECTION_FILENAME
-  SSH_PRIV_KEY_PATH: $SSH_CONFIG_DIR/id_rsa
-  SSH_CHMOD_PRIV_KEY_FILE_CMD: chmod 600 $SSH_PRIV_KEY_PATH
-
-  TEST_NFS_PATH: /external_data/cluster_data
-  CLUSTER_DATA_PATH: /cluster_data
-  NFS_PORT: 2049
-  NFS_LOCAL_MOUNTPATH: /nfsshare
-  MOUNT_PARAM: "--mount"
-  REPOCOPY_PARAM: "--repocopy" # repocopy will replace current file
-  DELETE_FILE_PARAM: "--delete"
-  CHMOD_FILE_PARAM: "--chmod"
-  MOUNT_NFS_CMD: "/bin/bash $DEPLOY_PATH/mount_nfs.sh"
-
-  TURN_PORT: 3478
-
-  KUBECONFIGS_FOLDER: /kubeconfig
-  TEST_KUBECONFIG_FOLDER: $KUBECONFIGS_FOLDER/test_config
-  PROD_KUBECONFIG_SOURCE: $KUBECONFIGS_FOLDER/prod_config/config
-  TEST_KUBECONFIG_SOURCE: $TEST_KUBECONFIG_FOLDER/config
-  PROD_KUBECONFIG: prod_conf
-  TEST_KUBECONFIG: test_conf
-  KUBECONFIG: $TEST_KUBECONFIG
-
-  KUBECTL_USE_CONTEXT_CMD: kubectl config use-context
-  KUBECTL_USE_CONTEXT_TEST_CMD: $KUBECTL_USE_CONTEXT_CMD $TESTCLUSTER_NAME
-  KUBECTL_USE_CONTEXT_PROD_CMD: $KUBECTL_USE_CONTEXT_CMD $PRODCLUSTER_NAME
-  KUBECTL_USE_CONTEXT_CURRENT_CMD: $KUBECTL_USE_CONTEXT_TEST_CMD
-
-  CHANGE_CONTEXT_CURRENT_FILENAME: kube_current_setup.sh
-  CHANGE_CONTEXT_PROD_FILENAME: kube_prod_setup.sh
-  CHANGE_CONTEXT_TEST_FILENAME: kube_test_setup.sh
-  CHANGE_KUBECTL_CONTEXT_DEFAULT_CMD: source $CHANGE_CONTEXT_CURRENT_FILENAME
-  CHANGE_KUBECTL_CONTEXT_PROD_CMD: source $CHANGE_CONTEXT_PROD_FILENAME
-  CHANGE_KUBECTL_CONTEXT_TEST_CMD: source $CHANGE_CONTEXT_TEST_FILENAME
-  CHANGE_KUBECTL_CONTEXT_MOUNT_DEFAULT_CMD: $CHANGE_KUBECTL_CONTEXT_DEFAULT_CMD $MOUNT_PARAM
-
-  DOCKER_BUILDX_CONTEXT_NAME: autobuilder
-  DOCKER_BUILDX_PLATFORMS: linux/amd64,linux/arm64
-  DOCKER_BUILDX_CREATE_CMD:  docker buildx create --name $DOCKER_BUILDX_CONTEXT_NAME --platform $DOCKER_BUILDX_PLATFORMS --driver docker-container --bootstrap # --config testbuilder.toml only needed when using http image registry
-  DOCKER_BUILDX_DELETE_CMD: docker buildx rm $DOCKER_BUILDX_CONTEXT_NAME
-  DOCKER_PREPARE_CMD: docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
-  DOCKER_LOGIN_CMD: docker login $IMAGE_SERVER --username $DOCKER_USERNAME --password $DOCKER_PASSWORD
-  DOCKER_LOGOUT_CMD: docker logout $IMAGE_SERVER
-
-.prepare_env_job_template:
-  stage: prepare
-  tags:
-    - kubernetes
-  retry: 2  
-  needs:
-    - job: prepare_ssh_scripts
-      artifacts: true
-  dependencies: null
-  image: $SSH_DOCKERIMAGE
-  artifacts:
-    paths:
-      - $CHANGE_CONTEXT_CURRENT_FILENAME
-      - $CHANGE_CONTEXT_PROD_FILENAME
-      - $CHANGE_CONTEXT_TEST_FILENAME
-      - $PROD_KUBECONFIG
-      - $TEST_KUBECONFIG
-    expire_in: 1 day
-  allow_failure: false
-  script:
-    # - ls /config/.ssh/authorized_keys
-    - cp $PROD_KUBECONFIG_SOURCE $PROD_KUBECONFIG
-    - KUBECONFIG="$PROD_KUBECONFIG"
-    - KUBECTL_USE_CONTEXT_CURRENT_CMD="$KUBECTL_USE_CONTEXT_PROD_CMD"
-    - echo "KUBECONFIG=$KUBECONFIG" >> $CHANGE_CONTEXT_PROD_FILENAME
-    - echo "$KUBECTL_USE_CONTEXT_CURRENT_CMD" >> $CHANGE_CONTEXT_PROD_FILENAME
-    - echo "$MOUNT_PROD_NFS" >> $CHANGE_CONTEXT_PROD_FILENAME
-    - $SSH_PREPARE_SSH_CONNECTION_CMD
-    # --registry-config should be removed when https available
-    # "systemctl restart docker" after deletion of cluster to overcome bug
-    - > 
-      if [ "$RENEW_TEST_ENV" = "true" ]; then
-        echo "renewing test environment";
-        $SSH_TO_TESTCLUSTER_CMD \
-        "kubectl label ns to_delete=true --all; kubectl label ns default to_delete-; kubectl label ns kube-system to_delete-; kubectl label ns kube-public to_delete-; kubectl label ns kube-node-lease to_delete-; kubectl label ns nfs-server to_delete-; kubectl delete ns --selector to_delete=true; kubectl delete ns nfs-server;" \
-        "k3d cluster delete $K3D_TESTCLUSTER_NAME " \
-        "&& rm -rf $TEST_NFS_PATH || true && mkdir -p $TEST_NFS_PATH && touch $TEST_NFS_PATH/init" \
-        "&& k3d cluster create $K3D_TESTCLUSTER_NAME -a 2 -s 1 --k3s-arg=\"--no-deploy=traefik@server:0\" \
-        -i rancher/k3s:v1.22.7-k3s1 --volume \"$TEST_NFS_PATH:$CLUSTER_DATA_PATH@agent:0\" --api-port $TESTCLUSTER_DEVICE_IP:6550 \
-        -p \"80:80@loadbalancer\" -p \"443:443@loadbalancer\" -p \"$NFS_PORT:$NFS_PORT@loadbalancer\" -p \"$TURN_PORT:$TURN_PORT@loadbalancer\" --kubeconfig-update-default=true --kubeconfig-switch-context=true" \
-        "&& kubectl label nodes k3d-test-agent-0 kubernetes.io/hostname=cluster-node-00 --overwrite && kubectl label nodes k3d-test-server-0 kubernetes.io/hostname=cluster-master-00 --overwrite"
-      fi
-
-    - >
-      TEST_CONFIG=$(${SSH_TO_TESTCLUSTER_CMD} -- kubectl config view --output=json --raw)
-
-    - >
-      echo "$TEST_CONFIG" > $TEST_KUBECONFIG
-
-    - >
-      KUBECONFIG=$TEST_KUBECONFIG
-
-    - >
-      KUBECTL_USE_CONTEXT_CURRENT_CMD=$KUBECTL_USE_CONTEXT_TEST_CMD
-
-    - >
-      echo "KUBECONFIG=$KUBECONFIG" >> $CHANGE_CONTEXT_TEST_FILENAME
-
-    - >
-      echo "$KUBECTL_USE_CONTEXT_CURRENT_CMD" >> $CHANGE_CONTEXT_TEST_FILENAME
-
-    - >
-      if [ "$PROD" = "true" ]; then
-        echo "$CHANGE_KUBECTL_CONTEXT_PROD_CMD" >> $CHANGE_CONTEXT_CURRENT_FILENAME
-      else
-        echo "$CHANGE_KUBECTL_CONTEXT_TEST_CMD" >> $CHANGE_CONTEXT_CURRENT_FILENAME
-      fi
-
-# Required vars:
-## IMAGE_PATH
-## IMAGE_NAME
-# Optional vars:
-.build_image_job_template:
-  stage: build_images
-  tags:
-    - docker
-  retry: 2
-  image: $DOCKER_BUILDX_IMAGE
-  allow_failure: false
-  when: manual
-  script:
-    - $DOCKER_LOGIN_CMD
-    - $DOCKER_PREPARE_CMD
-    - $DOCKER_BUILDX_CREATE_CMD
-    - docker buildx build $IMAGE_PATH --tag $IMAGE_NAME --platform $DOCKER_BUILDX_PLATFORMS --builder $DOCKER_BUILDX_CONTEXT_NAME --push --build-arg IMAGE_SERVER="$IMAGE_SERVER"
-    - $DOCKER_BUILDX_DELETE_CMD
-    - $DOCKER_LOGOUT_CMD
-
-# Required vars:
-## DEPLOYMENT_FILE
-## PVS_FILE
-## SA_FILE
-## DEPLOYMENT_NAME
-## NAMESPACE
-# Optional vars:
-## INGRESS_FILE
-## OPT_KUBECTL_CMD
-## MOUNT
-## MOUNT_PARAMS # repocopy will replace current file
-.deploy_job_template:
-  stage: deploy
-  retry: 2
-  tags:
-    - kubernetes
-  needs:
-    - prepare_scripts
-    - job: prepare_prod_env
-      optional: true
-    - job: prepare_test_env
-      optional: true
-  when: manual
-  image: $CLUSTER_TOOLS_IMAGE
-  dependencies:
-    - prepare_prod_env
-    - prepare_test_env
-    - prepare_scripts
-  script:
-    - $CHANGE_KUBECTL_CONTEXT_DEFAULT_CMD
-    - if [ "$MOUNT" = "true" ]; then if ! [ -z "$MOUNT_PARAMS" ]; then $MOUNT_NFS_CMD $MOUNT_PARAM $MOUNT_PARAMS; else $MOUNT_NFS_CMD; fi; fi;
-    - if ! [ -z "$OPT_KUBECTL_CMD" ]; then sh -c "$OPT_KUBECTL_CMD"; fi;
-    - if [ "$RECREATE_DEPLOYMENTS" = "true" ]; then echo "Note that only objects in $DEPLOYMENT_FILE will be deleted!"; kubectl delete --ignore-not-found=true -f "$DEPLOYMENT_FILE"; fi;
-    - if [ "$RECREATE_VOLUMES" = "true" ]; then echo "Note that only volumes in $PVS_FILE will be deleted!"; kubectl delete --ignore-not-found=true -f "$PVS_FILE"; fi;
-    - if [ "$RECREATE_SA" = "true" ]; then echo "Note that only sa in $SA_FILE will be deleted!"; kubectl delete --ignore-not-found=true -f "$SA_FILE"; fi;
-    - kubectl apply -f "$PVS_FILE" -f "$SA_FILE" -f "$DEPLOYMENT_FILE"
-    # - kubectl rollout status deployment -n $NAMESPACE $DEPLOYMENT_NAME
-    - kubectl rollout restart deployment -n $NAMESPACE $DEPLOYMENT_NAME
-    - kubectl rollout status deployment -n $NAMESPACE $DEPLOYMENT_NAME
-    - echo "only deployment $DEPLOYMENT_NAME in namespace $NAMESPACE restarted. please restart any helper deployments (like databases) manually"
-    - if ! [ -z "$INGRESS_FILE" ]; then if [ "$PROD" = "true" ]; then kubectl apply -f "$INGRESS_FILE"; else kubectl apply -f ${INGRESS_FILE/ingress/testingress}; fi; fi;
-
-
-# prepare env scripts
-
-prepare_ssh_scripts:
-  stage: prepare
-  retry: 2
-  image: $BASH_IMAGE
-  allow_failure: false
-  artifacts:
-    paths:
-      - $SSH_SOURCE_CONFIG_FILENAME
-      - $SSH_PREPARE_SSH_CONNECTION_FILENAME
-    expire_in: 1 day
-  script:
-    # on real k3s config must be copied and edited wit correct url
-    - cp $SSH_SOURCE_CONFIG_PATH $SSH_SOURCE_CONFIG_FILENAME
-    - echo "$SSH_MAKE_DIR_CMD" >> $SSH_PREPARE_SSH_CONNECTION_FILENAME
-    - echo "$SSH_CONFIG_COPY_CMD" >> $SSH_PREPARE_SSH_CONNECTION_FILENAME
-    - echo "$SSH_CHMOD_PRIV_KEY_FILE_CMD" >> $SSH_PREPARE_SSH_CONNECTION_FILENAME
-
-# prepare envs
-
-prepare_prod_env:
-  extends: .prepare_env_job_template
-  only:
-    variables:
-      - $PROD == "true"
-
-prepare_test_env:
-  extends: .prepare_env_job_template
-  except:
-    variables:
-      - $PROD == "true"
-
-# build service images
-
-# - ssh-keygen -t rsa -f /ssh_config/id_rsa -N "" # only for generating public/private key pair, pub key must be added to servers .ssh/authorized_keys (/root/.ssh/authorized_keys in case of root). Additionally PermitRootLogin should be set to yes on server if root login is required
-build_docker_buildx:
-  extends: .build_image_job_template
-  image: $DOCKER_BUILD_BUILDX_IMAGE
-  variables:
-    IMAGE_PATH: images/docker_buildx
-    IMAGE_NAME: $DOCKER_BUILDX_IMAGE
-
-build_nfs:
-  extends: .build_image_job_template
-  variables:
-    IMAGE_PATH: images/nfs
-    IMAGE_NAME: $NFS_IMAGE
-
-build_cluster_tools:
-  extends: .build_image_job_template
-  variables:
-    IMAGE_PATH: images/cluster_tools/
-    IMAGE_NAME: $CLUSTER_TOOLS_IMAGE
-
-build_ubuntu:
-  extends: .build_image_job_template
-  variables:
-    IMAGE_PATH: images/ubuntu/
-    IMAGE_NAME: $UBUNTU_IMAGE
-
-build_python:
-  extends: .build_image_job_template
-  variables:
-    IMAGE_PATH: images/python_pyyaml/
-    IMAGE_NAME: $PYTHON_IMAGE
-
-build_gitlab:
-  extends: .build_image_job_template
-  variables:
-    IMAGE_PATH: images/gitlab/
-    IMAGE_NAME: $GITLAB_IMAGE
-
-build_element:
-  extends: .build_image_job_template
-  variables:
-    IMAGE_PATH: images/element/
-    IMAGE_NAME: $ELEMENT_IMAGE
-
-build_streama:
-  extends: .build_image_job_template
-  variables:
-    IMAGE_PATH: images/streama/
-    IMAGE_NAME: $STREAMA_IMAGE
-
-build_my_bot:
-  extends: .build_image_job_template
-  variables:
-    IMAGE_PATH: images/my_bot/
-    IMAGE_NAME: $MY_BOT_IMAGE
-
-# prepare scripts
-
-prepare_scripts:
-  stage: prepare
-  retry: 2
-  # when: manual
-  image: $PYTHON_IMAGE
-  allow_failure: false
-  artifacts:
-    expire_in: 1 week
-    paths:
-      - distribution_ingress_config.yaml
-      - ingress_deployment.yaml
-      - endpoints.yaml
-      - prod_issuer.yaml
-      - staging_issuer.yaml
-      - test-back.yaml
-      - test-back_sa.yaml
-      - test-back_pvs.yaml
-      - gitlab.yaml
-      - gitlab_sa.yaml
-      - gitlab_pvs.yaml
-      - gitlab_ingress.yaml
-      - gitlab_testingress.yaml
-      - nfs.yaml
-      - nfs_sa.yaml
-      - nfs_pvs.yaml
-      - synapse.yaml
-      - synapse_sa.yaml
-      - synapse_pvs.yaml
-      - synapse_ingress.yaml
-      - synapse_testingress.yaml
-      - turn.yaml
-      - turn_sa.yaml
-      - turn_pvs.yaml
-      - wordpress.yaml
-      - wordpress_sa.yaml
-      - wordpress_pvs.yaml
-      - wordpress_ingress.yaml
-      - wordpress_testingress.yaml
-      - nextcloud.yaml
-      - nextcloud_sa.yaml
-      - nextcloud_pvs.yaml
-      - nextcloud_ingress.yaml
-      - nextcloud_testingress.yaml
-      - docker-registry.yaml
-      - docker-registry_pvs.yaml
-      - docker-registry_sa.yaml
-      - docker-registry_ingress.yaml
-      - docker-registry_testingress.yaml
-      - gitlab-runner-kubernetes.yaml
-      - gitlab-runner-kubernetes_pvs.yaml
-      - gitlab-runner-kubernetes_sa.yaml
-      - octobot.yaml
-      - octobot_pvs.yaml
-      - octobot_sa.yaml
-      - synapse-admin.yaml
-      - synapse-admin_pvs.yaml
-      - synapse-admin_sa.yaml
-      - synapse-admin_ingress.yaml
-      - synapse-admin_testingress.yaml
-      - ddclient.yaml
-      - ddclient_pvs.yaml
-      - ddclient_sa.yaml
-      - wordpress-cli-10001.yaml
-      - wordpress-cli-10001_pvs.yaml
-      - wordpress-cli-10001_sa.yaml
-      - wordpress-cli-10001_ingress.yaml
-      - wordpress-cli-10001_testingress.yaml
-      - wordpress-cli-10002.yaml
-      - wordpress-cli-10002_pvs.yaml
-      - wordpress-cli-10002_sa.yaml
-      - wordpress-cli-10002_ingress.yaml
-      - wordpress-cli-10002_testingress.yaml
-      - wordpress-cli-10003.yaml
-      - wordpress-cli-10003_pvs.yaml
-      - wordpress-cli-10003_sa.yaml
-      - wordpress-cli-10003_ingress.yaml
-      - wordpress-cli-10003_testingress.yaml
-      - mautrix-telegram.yaml
-      - mautrix-telegram_pvs.yaml
-      - mautrix-telegram_sa.yaml
-      - mautrix-whatsapp.yaml
-      - mautrix-whatsapp_pvs.yaml
-      - mautrix-whatsapp_sa.yaml
-      - my-synapse.yaml
-      - my-synapse_sa.yaml
-      - my-synapse_pvs.yaml
-      - my-synapse_ingress.yaml
-      - my-synapse_testingress.yaml
-      - element.yaml
-      - element_sa.yaml
-      - element_pvs.yaml
-      - element_ingress.yaml
-      - element_testingress.yaml
-      - streama.yaml
-      - streama_sa.yaml
-      - streama_pvs.yaml
-      - streama_ingress.yaml
-      - streama_testingress.yaml
-      - gitlab-shared-runner-0.yaml
-      - gitlab-shared-runner-0_sa.yaml
-      - gitlab-shared-runner-0_pvs.yaml
-      - my-bot.yaml
-      - my-bot_sa.yaml
-      - my-bot_pvs.yaml
-      - vaultwarden.yaml
-      - vaultwarden_sa.yaml
-      - vaultwarden_pvs.yaml
-      - vaultwarden_ingress.yaml
-      - vaultwarden_testingress.yaml
-      - joos-io-homepage.yaml
-      - joos-io-homepage_sa.yaml
-      - joos-io-homepage_pvs.yaml
-      - joos-io-homepage_ingress.yaml
-      - joos-io-homepage_testingress.yaml
-      - gitlab-runner-docker.yaml
-      - gitlab-runner-docker_pvs.yaml
-      - gitlab-runner-docker_sa.yaml
-      - gitlab-shared-runner-4.yaml
-      - gitlab-shared-runner-4_sa.yaml
-      - gitlab-shared-runner-4_pvs.yaml
-      - sonarqube.yaml
-      - sonarqube_pvs.yaml
-      - sonarqube_sa.yaml
-      - sonarqube_ingress.yaml
-      - sonarqube_testingress.yaml
-  script:
-    - >
-      python3 deploy/generate_scripts/generate_deployment_from_middle.py \
-        --small \
-        testing/small_testing.yaml \
-        gitlab/gitlab_small.yaml \
-        nfs/nfs_small.yaml \
-        synapse/synapse_small.yaml \
-        turn/turn_small.yaml \
-        wordpress/wordpress_small.yaml \
-        nextcloud/nextcloud_small.yaml \
-        docker_registry/docker_registry_small.yaml \
-        "gitlab/runner/gitlab_runner_kubernetes/gitlab_runner_kubernetes_small.yaml" \
-        "octobot/octobot_small.yaml" \
-        "synapse-admin/synapse_admin_small.yaml" \
-        "ddclient/ddclient_small.yaml" \
-        "wordpress/cli_10001/wordpress_small.yaml" \
-        "wordpress/cli_10002/wordpress_small.yaml" \
-        "synapse/bridges/mautrix-telegram/mautrix-telegram.yaml" \
-        "synapse/bridges/mautrix-whatsapp/mautrix-whatsapp.yaml" \
-        "synapse/my_synapse/synapse_small.yaml" \
-        "element/element.yaml" \
-        "streama/streama_small.yaml" \
-        "gitlab/runner/shared_runner_0/gitlab_shared_runner_0.yaml" \
-        "my_bot/my_bot.yaml" \
-        "vaultwarden/vaultwarden_small.yaml" \
-        "joos.io/homepage/joos.io_small.yaml" \
-        "wordpress/cli_10003/wordpress_small.yaml" \
-        "gitlab/runner/gitlab_runner_docker/gitlab_runner_docker_small.yaml" \
-        "gitlab/runner/shared_runner_4/gitlab_shared_runner_4.yaml" \
-        "sonarqube/sonarqube.yaml"\
-
-# deploy
-
-# when updating, nginx.tmpl must be also updated matching controller release (https://github.com/kubernetes/ingress-nginx/releases)
-deploy_ingress_controller:
-  stage: deploy
-  tags:
-    - kubernetes
-  retry: 2
-  needs:
-    - prepare_scripts
-    - job: prepare_prod_env
-      optional: true
-    - job: prepare_test_env
-      optional: true
-  when: manual
-  image: $CLUSTER_TOOLS_IMAGE
-  dependencies:
-    - prepare_prod_env
-    - prepare_test_env
-    - prepare_scripts
-  script:
-    - $CHANGE_KUBECTL_CONTEXT_DEFAULT_CMD
-    - kubectl apply -f ingress_deployment.yaml
-    - kubectl rollout status deployment -n ingress-nginx ingress-nginx-controller
-    - kubectl rollout restart deployment -n ingress-nginx ingress-nginx-controller
-    - kubectl rollout status deployment -n ingress-nginx ingress-nginx-controller
-
-deploy_cert_manager:
-  stage: deploy
-  tags:
-    - kubernetes
-  retry: 2
-  needs:
-    - prepare_scripts
-    - job: prepare_prod_env
-      optional: true
-    - job: prepare_test_env
-      optional: true
-  when: manual
-  image: $CLUSTER_TOOLS_IMAGE
-  script:
-    - $CHANGE_KUBECTL_CONTEXT_DEFAULT_CMD
-    - kubectl apply -f cert-manager/cert-manager_v1.7.1.yaml
-    - kubectl rollout status deployment -n cert-manager cert-manager-cainjector
-    - kubectl rollout status deployment -n cert-manager cert-manager
-    - kubectl rollout status deployment -n cert-manager cert-manager-webhook
-    # restarts
-    - kubectl rollout restart deployment -n cert-manager cert-manager-cainjector
-    - kubectl rollout status deployment -n cert-manager cert-manager-cainjector
-    - kubectl rollout restart deployment -n cert-manager cert-manager
-    - kubectl rollout status deployment -n cert-manager cert-manager
-    - kubectl rollout restart deployment -n cert-manager cert-manager-webhook
-    - kubectl rollout status deployment -n cert-manager cert-manager-webhook
-    # certificate
-    - >
-      if [ "$PROD" = "true" ]; then
-        echo "applying prod issuer"
-        kubectl apply -f prod_issuer.yaml
-      else
-        echo "applying prod issuer"
-        kubectl apply -f staging_issuer.yaml
-        # kubectl apply -f prod_issuer.yaml
-      fi
-
-deploy_nfs:
-  except:
-    variables:
-      - $PROD == "true" # currently only supported in test mode, applying nfs while backends depend on it brakes whole cluster
-  extends: .deploy_job_template
-  retry: 0
-  variables: 
-    DEPLOYMENT_FILE: nfs.yaml
-    PVS_FILE: nfs_pvs.yaml 
-    SA_FILE: nfs_sa.yaml
-    DEPLOYMENT_NAME: nfs-server
-    NAMESPACE: nfs-server
-    OPT_KUBECTL_CMD: if [ "$PROD" != "true" ]; then kubectl label nodes $TESTCLUSTER_NAME-agent-0 kubernetes.io/hostname=cluster-node-00 --overwrite; fi;
-
-deploy_test_script:
-  extends: .deploy_job_template
-  variables: 
-    DEPLOYMENT_FILE: test-back.yaml
-    PVS_FILE: test-back_pvs.yaml
-    SA_FILE: test-back_sa.yaml
-    DEPLOYMENT_NAME: test-back
-    NAMESPACE: test-back
-
-deploy_gitlab:
-  extends: .deploy_job_template
-  variables:
-    DEPLOYMENT_FILE: gitlab.yaml
-    PVS_FILE: gitlab_pvs.yaml 
-    SA_FILE: gitlab_sa.yaml
-    INGRESS_FILE: gitlab_ingress.yaml
-    DEPLOYMENT_NAME: gitlab
-    NAMESPACE: gitlab
-    MOUNT: "true"
-    MOUNT_PARAMS: gitlab/data gitlab/config gitlab/logs gitlab/db $REPOCOPY_PARAM gitlab/gitlab.rb:gitlab/config
-  after_script:
-    - sleep 30
-    - POD=$(kubectl get pod -l app=$DEPLOYMENT_NAME -n $NAMESPACE -o jsonpath="{.items[0].metadata.name}");
-    - pw_str=$(kubectl exec --stdin --tty -n $NAMESPACE $POD -- grep "Password:" /etc/gitlab/initial_root_password)
-    - pw=${pw_str##*:}
-    - pw=${pw//[[:blank:]]/}
-    - echo "initial root pw is $pw"
-
-deploy_synapse:
-  extends: .deploy_job_template
-  variables:
-    DEPLOYMENT_FILE: synapse.yaml
-    PVS_FILE: synapse_pvs.yaml 
-    SA_FILE: synapse_sa.yaml
-    INGRESS_FILE: synapse_ingress.yaml
-    DEPLOYMENT_NAME: synapse
-    NAMESPACE: synapse
-    MOUNT: "true"
-    MOUNT_PARAMS: synapse/media/media_store synapse/media/uploads synapse/db synapse/bridges/telegram/config synapse/bridges/whatsapp/config $CHMOD_FILE_PARAM synapse/bridges/whatsapp/config/registration.yaml:666
-
-deploy_telegram_bridge:
-  extends: .deploy_job_template
-  variables:
-    DEPLOYMENT_FILE: mautrix-telegram.yaml
-    PVS_FILE: mautrix-telegram_pvs.yaml 
-    SA_FILE: mautrix-telegram_sa.yaml
-    DEPLOYMENT_NAME: mautrix-telegram
-    NAMESPACE: synapse
-    MOUNT: "true"
-    MOUNT_PARAMS: synapse/bridges/telegram/config synapse/bridges/telegram/db $REPOCOPY_PARAM synapse/bridges/mautrix-telegram/config.yaml:synapse/bridges/telegram/config $DELETE_FILE_PARAM synapse/bridges/telegram/config/registration.yaml
-
-deploy_whatsapp_bridge:
-  extends: .deploy_job_template
-  variables:
-    DEPLOYMENT_FILE: mautrix-whatsapp.yaml
-    PVS_FILE: mautrix-whatsapp_pvs.yaml 
-    SA_FILE: mautrix-whatsapp_sa.yaml
-    DEPLOYMENT_NAME: mautrix-whatsapp
-    NAMESPACE: synapse
-    MOUNT: "true"
-    MOUNT_PARAMS: synapse/bridges/whatsapp/config synapse/bridges/whatsapp/db $REPOCOPY_PARAM synapse/bridges/mautrix-whatsapp/config.yaml:synapse/bridges/whatsapp/config $DELETE_FILE_PARAM synapse/bridges/whatsapp/config/registration.yaml
-
-deploy_element:
-  extends: .deploy_job_template
-  variables:
-    DEPLOYMENT_FILE: element.yaml
-    PVS_FILE: element_pvs.yaml 
-    SA_FILE: element_sa.yaml
-    INGRESS_FILE: element_ingress.yaml
-    DEPLOYMENT_NAME: element
-    NAMESPACE: element
-
-deploy_turn:
-  extends: .deploy_job_template
-  variables:
-    DEPLOYMENT_FILE: turn.yaml
-    PVS_FILE: turn_pvs.yaml 
-    SA_FILE: turn_sa.yaml
-    DEPLOYMENT_NAME: turn-server
-    NAMESPACE: turn
-
-deploy_wordpress:
-  extends: .deploy_job_template
-  variables:
-    DEPLOYMENT_FILE: wordpress.yaml
-    PVS_FILE: wordpress_pvs.yaml 
-    SA_FILE: wordpress_sa.yaml
-    INGRESS_FILE: wordpress_ingress.yaml
-    DEPLOYMENT_NAME: wordpress-server
-    NAMESPACE: wordpress
-    MOUNT: "true"
-    MOUNT_PARAMS: wordpress/html wordpress/db
-
-deploy_nextcloud:
-  extends: .deploy_job_template
-  timeout: 24 hours
-  variables:
-    DEPLOYMENT_FILE: nextcloud.yaml
-    PVS_FILE: nextcloud_pvs.yaml 
-    SA_FILE: nextcloud_sa.yaml
-    INGRESS_FILE: nextcloud_ingress.yaml
-    DEPLOYMENT_NAME: nextcloud-server
-    NAMESPACE: nextcloud
-    MOUNT: "true"
-    MOUNT_PARAMS: nextcloud/config nextcloud/data nextcloud/custom_apps nextcloud/themes nextcloud/db
-
-deploy_docker-registry:
-  extends: .deploy_job_template
-  variables:
-    DEPLOYMENT_FILE: docker-registry.yaml
-    PVS_FILE: docker-registry_pvs.yaml
-    SA_FILE: docker-registry_sa.yaml
-    INGRESS_FILE: docker-registry_ingress.yaml
-    DEPLOYMENT_NAME: docker-registry-server
-    NAMESPACE: docker-registry
-    MOUNT: "true"
-    MOUNT_PARAMS: docker_registry/registry
-
-deploy_gitlab-runner-kubernetes:
-  extends: .deploy_job_template
-  variables:
-    DEPLOYMENT_FILE: gitlab-runner-kubernetes.yaml
-    PVS_FILE: gitlab-runner-kubernetes_pvs.yaml
-    SA_FILE: gitlab-runner-kubernetes_sa.yaml
-    DEPLOYMENT_NAME: gitlab-runner-kubernetes
-    NAMESPACE: gitlab-runner
-    MOUNT: "true"
-    MOUNT_PARAMS: kubernetes_gitlab_runner/ssh_config
-    OPT_KUBECTL_CMD: if [ "$PROD" != "true" ]; then kubectl label nodes k3d-default-server-0 kubernetes.io/hostname=cluster-master-00 --overwrite; fi;
-
-deploy_gitlab-shared-runner-0:
-  extends: .deploy_job_template
-  variables:
-    DEPLOYMENT_FILE: gitlab-shared-runner-0.yaml
-    PVS_FILE: gitlab-shared-runner-0_pvs.yaml
-    SA_FILE: gitlab-shared-runner-0_sa.yaml
-    DEPLOYMENT_NAME: gitlab-shared-runner-0
-    NAMESPACE: gitlab-runner
-
-deploy_gitlab-runner-docker:
-  extends: .deploy_job_template
-  variables:
-    DEPLOYMENT_FILE: gitlab-runner-docker.yaml
-    PVS_FILE: gitlab-runner-docker_pvs.yaml
-    SA_FILE: gitlab-runner-docker_sa.yaml
-    DEPLOYMENT_NAME: gitlab-runner-docker
-    NAMESPACE: gitlab-runner
-    MOUNT: "true"
-    OPT_KUBECTL_CMD: if [ "$PROD" != "true" ]; then kubectl label nodes $TESTCLUSTER_NAME-agent-0 kubernetes.io/hostname=cluster-node-00 --overwrite; fi;
-
-deploy_gitlab-shared-runner-4:
-  extends: .deploy_job_template
-  variables:
-    DEPLOYMENT_FILE: gitlab-shared-runner-4.yaml
-    PVS_FILE: gitlab-shared-runner-4_pvs.yaml
-    SA_FILE: gitlab-shared-runner-4_sa.yaml
-    DEPLOYMENT_NAME: gitlab-shared-runner-4
-    NAMESPACE: gitlab-runner
-
-deploy_octobot:
-  extends: .deploy_job_template
-  variables:
-    DEPLOYMENT_FILE: octobot.yaml
-    PVS_FILE: octobot_pvs.yaml
-    SA_FILE: octobot_sa.yaml
-    DEPLOYMENT_NAME: octobot
-    NAMESPACE: octobot
-    MOUNT: "true"
-    MOUNT_PARAMS: octobot/user octobot/tentacles
-
-deploy_synapse_admin:
-  extends: .deploy_job_template
-  except:
-    variables:
-      - $PROD == "true"
-  variables:
-    DEPLOYMENT_FILE: synapse-admin.yaml
-    PVS_FILE: synapse-admin_pvs.yaml
-    SA_FILE: synapse-admin_sa.yaml
-    INGRESS_FILE: synapse-admin_ingress.yaml
-    DEPLOYMENT_NAME: synapse-admin
-    NAMESPACE: synapse-admin
-
-deploy_ddclient:
-  extends: .deploy_job_template
-  variables:
-    DEPLOYMENT_FILE: ddclient.yaml
-    PVS_FILE: ddclient_pvs.yaml
-    SA_FILE: ddclient_sa.yaml
-    DEPLOYMENT_NAME: ddclient
-    NAMESPACE: ddclient
-
-deploy_wordpress-cli-10001:
-  extends: .deploy_job_template
-  variables:
-    DEPLOYMENT_FILE: wordpress-cli-10001.yaml
-    PVS_FILE: wordpress-cli-10001_pvs.yaml
-    SA_FILE: wordpress-cli-10001_sa.yaml
-    INGRESS_FILE: wordpress-cli-10001_ingress.yaml
-    DEPLOYMENT_NAME: wordpress-server
-    NAMESPACE: wordpress-cli-10001
-    MOUNT: "true"
-    MOUNT_PARAMS: wordpress-cli-10001/html wordpress-cli-10001/db
-
-deploy_wordpress-cli-10002:
-  extends: .deploy_job_template
-  variables:
-    DEPLOYMENT_FILE: wordpress-cli-10002.yaml
-    PVS_FILE: wordpress-cli-10002_pvs.yaml
-    SA_FILE: wordpress-cli-10002_sa.yaml
-    INGRESS_FILE: wordpress-cli-10002_ingress.yaml
-    DEPLOYMENT_NAME: wordpress-server
-    NAMESPACE: wordpress-cli-10002
-    MOUNT: "true"
-    MOUNT_PARAMS: wordpress-cli-10002/html wordpress-cli-10002/db
-
-deploy_my-synapse:
-  extends: .deploy_job_template
-  except:
-    variables:
-      - $PROD == "true"
-  variables:
-    DEPLOYMENT_FILE: my-synapse.yaml
-    PVS_FILE: my-synapse_pvs.yaml 
-    SA_FILE: my-synapse_sa.yaml
-    INGRESS_FILE: my-synapse_ingress.yaml
-    DEPLOYMENT_NAME: synapse
-    NAMESPACE: my-synapse
-    MOUNT: "true"
-    MOUNT_PARAMS: my_synapse/media/media_store my_synapse/media/uploads my_synapse/db
-
-deploy_streama:
-  extends: .deploy_job_template
-  timeout: 24 hours
-  variables:
-    DEPLOYMENT_FILE: streama.yaml
-    PVS_FILE: streama_pvs.yaml 
-    SA_FILE: streama_sa.yaml
-    INGRESS_FILE: streama_ingress.yaml
-    DEPLOYMENT_NAME: streama-server
-    NAMESPACE: streama
-    MOUNT: "true"
-    MOUNT_PARAMS: streama/media streama/db /nextcloud/data/video-store/files/
-
-deploy_my-bot:
-  extends: .deploy_job_template
-  variables:
-    DEPLOYMENT_FILE: my-bot.yaml
-    PVS_FILE: my-bot_pvs.yaml 
-    SA_FILE: my-bot_sa.yaml
-    DEPLOYMENT_NAME: my-bot
-    NAMESPACE: my-bot
-    MOUNT: "true"
-    MOUNT_PARAMS: my_bot/backup my_bot/matrix_data
-
-deploy_vaultwarden:
-  extends: .deploy_job_template
-  variables:
-    DEPLOYMENT_FILE: vaultwarden.yaml
-    PVS_FILE: vaultwarden_pvs.yaml 
-    SA_FILE: vaultwarden_sa.yaml
-    INGRESS_FILE: vaultwarden_ingress.yaml
-    DEPLOYMENT_NAME: vaultwarden
-    NAMESPACE: vaultwarden
-    MOUNT: "true"
-    MOUNT_PARAMS: vaultwarden/data vaultwarden/db
-
-deploy_wordpress-cli-10003:
-  extends: .deploy_job_template
-  variables:
-    DEPLOYMENT_FILE: wordpress-cli-10003.yaml
-    PVS_FILE: wordpress-cli-10003_pvs.yaml
-    SA_FILE: wordpress-cli-10003_sa.yaml
-    INGRESS_FILE: wordpress-cli-10003_ingress.yaml
-    DEPLOYMENT_NAME: wordpress-server
-    NAMESPACE: wordpress-cli-10003
-    MOUNT: "true"
-    MOUNT_PARAMS: wordpress-cli-10003/html wordpress-cli-10003/db
-
-deploy_sonarqube:
-  extends: .deploy_job_template
-  variables:
-    DEPLOYMENT_FILE: sonarqube.yaml
-    PVS_FILE: sonarqube_pvs.yaml 
-    SA_FILE: sonarqube_sa.yaml
-    INGRESS_FILE: sonarqube_ingress.yaml
-    DEPLOYMENT_NAME: sonarqube
-    NAMESPACE: sonarqube
-    MOUNT: "true"
-    MOUNT_PARAMS: sonarqube/data sonarqube/db $CHMOD_FILE_PARAM sonarqube/data:777
-
-### joos.io deployments
-
-deploy_joos.io_homepage:
-  extends: .deploy_job_template
-  variables: 
-    DEPLOYMENT_FILE: joos-io-homepage.yaml
-    PVS_FILE: joos-io-homepage_pvs.yaml
-    SA_FILE: joos-io-homepage_sa.yaml
-    INGRESS_FILE: joos-io-homepage_ingress.yaml
-    DEPLOYMENT_NAME: nginx
-    NAMESPACE: joos-io-homepage
-    MOUNT: "true"
-    MOUNT_PARAMS: >-
-      joos.io/homepage/assets/fonts joos.io/homepage/assets/favicon 
-      $REPOCOPY_PARAM joos.io/homepage/assets/assets/fonts/nothing.ttf:joos.io/homepage/assets/fonts/nothing.ttf
-      joos.io/homepage/assets/assets/fonts/nothing.woff:joos.io/homepage/assets/fonts/nothing.woff
-      joos.io/homepage/assets/assets/favicon/favicon.ico:joos.io/homepage/assets/favicon/favicon.ico
-
-
-# Configure
-
-configure_ingress_entries:
-  stage: configure
-  tags:
-    - kubernetes
-  retry: 2
-  when: manual
-  needs:
-    # - build_cluster_tools
-    - prepare_scripts
-    - job: prepare_prod_env
-      optional: true
-    - job: prepare_test_env
-      optional: true
-  image: $CLUSTER_TOOLS_IMAGE
-  dependencies:
-    - prepare_prod_env
-    - prepare_test_env
-    - prepare_scripts
-  script:
-    - $CHANGE_KUBECTL_CONTEXT_PROD_CMD
-    - kubectl delete -f endpoints.yaml --ignore-not-found=true
-    - kubectl apply -f endpoints.yaml
-    - kubectl apply -f distribution_ingress_config.yaml
-
-    # - $KUBECTL_USE_CONTEXT_TEST_CMD
-    # - kubectl apply -f test_ingress_config.yaml
-    # if $ingress_restart:
-    # - kubectl rollout status deployment -n ingress-nginx ingress-nginx-controller
-    # - kubectl rollout restart deployment -n ingress-nginx ingress-nginx-controller
-    # - kubectl rollout status deployment -n ingress-nginx ingress-nginx-controller
diff --git a/.vscode/launch.json b/.vscode/launch.json
deleted file mode 100644
index 96011dc62c9f30d10ed162a14e908f37172f0ad6..0000000000000000000000000000000000000000
--- a/.vscode/launch.json
+++ /dev/null
@@ -1,50 +0,0 @@
-{
-    // Use IntelliSense to learn about possible attributes.
-    // Hover to view descriptions of existing attributes.
-    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
-    "version": "0.2.0",
-    "configurations": [
-        {
-            "name": "Python: Current File",
-            "type": "python",
-            "request": "launch",
-            "program": "${file}",
-            "console": "integratedTerminal",
-            "args": [
-                "--small", 
-                "nfs/nfs_small.yaml", 
-                "testing/small_testing.yaml", 
-                "gitlab/gitlab_small.yaml", 
-                "synapse/synapse_small.yaml", 
-                "turn/turn_small.yaml", 
-                "wordpress/wordpress_small.yaml",
-                "nextcloud/nextcloud_small.yaml",
-                "gitlab/runner/gitlab_runner_kubernetes/gitlab_runner_kubernetes_small.yaml",
-                "docker_registry/docker_registry_small.yaml",
-                "octobot/octobot_small.yaml",
-                "synapse-admin/synapse_admin_small.yaml",
-                "ddclient/ddclient_small.yaml",
-                "wordpress/cli_10001/wordpress_small.yaml",
-                "wordpress/cli_10002/wordpress_small.yaml",
-                "synapse/bridges/mautrix-telegram/mautrix-telegram.yaml",
-                "synapse/bridges/mautrix-whatsapp/mautrix-whatsapp.yaml",
-                "synapse/my_synapse/synapse_small.yaml",
-                "element/element.yaml",
-                "gitlab/runner/shared_runner_0/gitlab_shared_runner_0.yaml",
-                "my_bot/my_bot.yaml",
-                "vaultwarden/vaultwarden_small.yaml",
-                "joos.io/homepage/joos.io_small.yaml",
-                "wordpress/cli_10003/wordpress_small.yaml",
-                "gitlab/runner/gitlab_runner_docker/gitlab_runner_docker_small.yaml",
-                "gitlab/runner/shared_runner_4/gitlab_shared_runner_4.yaml",
-            ],
-            "env": {
-                "PROD": "true",
-                "TESTCLUSTER_DEVICE_IP": "192.168.1.146",
-                "PRODCLUSTER_DEVICE_IP": "192.168.8.222",
-                "IMAGE_SERVER": "registry.420joos.dev",
-                "BASE_URL": "420joos.dev"
-              }
-        }
-    ]
-}
\ No newline at end of file
diff --git a/images/nfs/Dockerfile b/Dockerfile
similarity index 100%
rename from images/nfs/Dockerfile
rename to Dockerfile
diff --git a/README.md b/README.md
deleted file mode 100644
index e84d79616ab89e8e0d40de2c89e0be60fb10a4d6..0000000000000000000000000000000000000000
--- a/README.md
+++ /dev/null
@@ -1,42 +0,0 @@
- cgroup_memory=1 cgroup_enable=memory
-
-[How to Set Up an Nginx Ingress with Cert-Manager on DigitalOcean Kubernetes](https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-with-cert-manager-on-digitalocean-kubernetes)
-
-[Set up docker-ce for testcluster device] (https://medium.com/@artur.klauser/building-multi-architecture-docker-images-with-buildx-27d80f7e2408), docker-ce must be installed for buildx
-https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-20-04-de
-snap install kubectl --classic
-https://stackoverflow.com/questions/63170642/push-cache-to-insecure-registry-by-buildx
-https://github.com/docker/buildx/blob/master/docs/guides/custom-registry-config.md, http=true
-https://rancher.com/docs/k3s/latest/en/installation/private-registry/
-
-https://github.com/JetsonHacksNano/buildKernelAndModules jetson build nfs kernel (getKernelSources, editconfig, makeModules, make (kernel dir))
-
-
-required services for cluster init: nfs (image: andrijoos/nfs-alpine:0.1), registry (manually build and push docker_buildx image), gitlab-runner-kubernetes, ingress, cert-manager, (gitlab if no other gitlab available)
-
-[gitlab kubernetes agent (kas)](https://about.gitlab.com/blog/2021/09/10/setting-up-the-k-agent/)
-
-
-shitty raspi-vents prevent os start! 
-# TODOS
-- update images and cert-manager
-- update imagePullSecrets in templates
-- monitoring data usage of each service (mail if more needed in future) (monthly mail to me with report of all services)
-
-## server improvements
-- jeda namespace ein eigna ingress (+ distribution ingress, möglichkeit zum eina über json ds definiera)
-    - mehreri exposedHttpPort erlauba (mit backwards compatibility wenn nur en int)
-    - gsamts unnötigs zügs druslöscha (e.g. externalname)
-- ingress controller uf traefik (mit http3)
-- gitlab kubernetes templates uufsplitta in eigni projekt
-    - rework ci script (includes, templating etc)
-    - kubernetes runner uf da kubernetes runner vo gitlab umstella
-
-## additional deployments
-- [TIG stack](https://github.com/alekece/tig-stack) for monitoring
-
-# VPN
-- [tutorial](https://www.howtoforge.com/how-to-install-openconnect-vpn-server-on-ubuntu-22-04/)
-  - [openssl](https://support.microfocus.com/kb/doc.php?id=7013103) instead of letsencrypt, since letsencrypt wants to make HTTP request onto the server (lb in the middle => letsencrypt gets encrypted traffic, since https is defined as backend protocol; could be resolved with multiple ingresses)
-  - in config comment out last lines with sample vhost config
-- [android app](https://play.google.com/store/apps/details?id=com.github.digitalsoftwaresolutions.openconnect&hl=en&gl=US)
diff --git a/cert-manager/cert-manager_v1.5.4.yaml b/cert-manager/cert-manager_v1.5.4.yaml
deleted file mode 100644
index 53b87bf552da8248b22b1aa81459aa487cbbac18..0000000000000000000000000000000000000000
--- a/cert-manager/cert-manager_v1.5.4.yaml
+++ /dev/null
@@ -1,17161 +0,0 @@
-# Copyright 2021 The cert-manager Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-# Source: cert-manager/templates/templates.out
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: certificaterequests.cert-manager.io
-  annotations:
-    cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
-  labels:
-    app: 'cert-manager'
-    app.kubernetes.io/name: 'cert-manager'
-    app.kubernetes.io/instance: 'cert-manager'
-    # Generated labels
-    app.kubernetes.io/version: "v1.5.4"
-spec:
-  group: cert-manager.io
-  names:
-    kind: CertificateRequest
-    listKind: CertificateRequestList
-    plural: certificaterequests
-    shortNames:
-      - cr
-      - crs
-    singular: certificaterequest
-    categories:
-      - cert-manager
-  scope: Namespaced
-  conversion:
-    # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
-    strategy: Webhook
-    # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
-    webhook:
-      # We don't actually support `v1beta1` but is listed here as it is a
-      # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
-      # API server reads the supported versions in order, so _should always_
-      # attempt a `v1` request which is understood by the cert-manager webhook.
-      # Any `v1beta1` request will return an error and fail closed for that
-      # resource (the whole object request is rejected).
-      # When we no longer support v1.16 we can remove `v1beta1` from this list.
-      conversionReviewVersions: ["v1", "v1beta1"]
-      clientConfig:
-        #
-        service:
-          name: 'cert-manager-webhook'
-          namespace: "cert-manager"
-          path: /convert
-          #
-  versions:
-    - name: v1alpha2
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - jsonPath: .status.conditions[?(@.type=="Approved")].status
-          name: Approved
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Denied")].status
-          name: Denied
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-        - jsonPath: .spec.issuerRef.name
-          name: Issuer
-          type: string
-        - jsonPath: .spec.username
-          name: Requestor
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].message
-          name: Status
-          priority: 1
-          type: string
-        - jsonPath: .metadata.creationTimestamp
-          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          name: Age
-          type: date
-      schema:
-        openAPIV3Schema:
-          description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
-          type: object
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: Desired state of the CertificateRequest resource.
-              type: object
-              required:
-                - csr
-                - issuerRef
-              properties:
-                csr:
-                  description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
-                  type: string
-                  format: byte
-                duration:
-                  description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
-                  type: string
-                extra:
-                  description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
-                  type: object
-                  additionalProperties:
-                    type: array
-                    items:
-                      type: string
-                groups:
-                  description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
-                  type: array
-                  items:
-                    type: string
-                  x-kubernetes-list-type: atomic
-                isCA:
-                  description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
-                  type: boolean
-                issuerRef:
-                  description: IssuerRef is a reference to the issuer for this CertificateRequest.  If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used.  If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
-                  type: object
-                  required:
-                    - name
-                  properties:
-                    group:
-                      description: Group of the resource being referred to.
-                      type: string
-                    kind:
-                      description: Kind of the resource being referred to.
-                      type: string
-                    name:
-                      description: Name of the resource being referred to.
-                      type: string
-                uid:
-                  description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
-                  type: string
-                usages:
-                  description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
-                  type: array
-                  items:
-                    description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
-                    type: string
-                    enum:
-                      - signing
-                      - digital signature
-                      - content commitment
-                      - key encipherment
-                      - key agreement
-                      - data encipherment
-                      - cert sign
-                      - crl sign
-                      - encipher only
-                      - decipher only
-                      - any
-                      - server auth
-                      - client auth
-                      - code signing
-                      - email protection
-                      - s/mime
-                      - ipsec end system
-                      - ipsec tunnel
-                      - ipsec user
-                      - timestamping
-                      - ocsp signing
-                      - microsoft sgc
-                      - netscape sgc
-                username:
-                  description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
-                  type: string
-            status:
-              description: Status of the CertificateRequest. This is set and managed automatically.
-              type: object
-              properties:
-                ca:
-                  description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
-                  type: string
-                  format: byte
-                certificate:
-                  description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
-                  type: string
-                  format: byte
-                conditions:
-                  description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
-                  type: array
-                  items:
-                    description: CertificateRequestCondition contains condition information for a CertificateRequest.
-                    type: object
-                    required:
-                      - status
-                      - type
-                    properties:
-                      lastTransitionTime:
-                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
-                        type: string
-                        format: date-time
-                      message:
-                        description: Message is a human readable description of the details of the last transition, complementing reason.
-                        type: string
-                      reason:
-                        description: Reason is a brief machine readable explanation for the condition's last transition.
-                        type: string
-                      status:
-                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
-                        type: string
-                        enum:
-                          - "True"
-                          - "False"
-                          - Unknown
-                      type:
-                        description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
-                        type: string
-                failureTime:
-                  description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
-                  type: string
-                  format: date-time
-      served: true
-      storage: false
-    - name: v1alpha3
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - jsonPath: .status.conditions[?(@.type=="Approved")].status
-          name: Approved
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Denied")].status
-          name: Denied
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-        - jsonPath: .spec.issuerRef.name
-          name: Issuer
-          type: string
-        - jsonPath: .spec.username
-          name: Requestor
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].message
-          name: Status
-          priority: 1
-          type: string
-        - jsonPath: .metadata.creationTimestamp
-          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          name: Age
-          type: date
-      schema:
-        openAPIV3Schema:
-          description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
-          type: object
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: Desired state of the CertificateRequest resource.
-              type: object
-              required:
-                - csr
-                - issuerRef
-              properties:
-                csr:
-                  description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
-                  type: string
-                  format: byte
-                duration:
-                  description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
-                  type: string
-                extra:
-                  description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
-                  type: object
-                  additionalProperties:
-                    type: array
-                    items:
-                      type: string
-                groups:
-                  description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
-                  type: array
-                  items:
-                    type: string
-                  x-kubernetes-list-type: atomic
-                isCA:
-                  description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
-                  type: boolean
-                issuerRef:
-                  description: IssuerRef is a reference to the issuer for this CertificateRequest.  If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used.  If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
-                  type: object
-                  required:
-                    - name
-                  properties:
-                    group:
-                      description: Group of the resource being referred to.
-                      type: string
-                    kind:
-                      description: Kind of the resource being referred to.
-                      type: string
-                    name:
-                      description: Name of the resource being referred to.
-                      type: string
-                uid:
-                  description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
-                  type: string
-                usages:
-                  description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
-                  type: array
-                  items:
-                    description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
-                    type: string
-                    enum:
-                      - signing
-                      - digital signature
-                      - content commitment
-                      - key encipherment
-                      - key agreement
-                      - data encipherment
-                      - cert sign
-                      - crl sign
-                      - encipher only
-                      - decipher only
-                      - any
-                      - server auth
-                      - client auth
-                      - code signing
-                      - email protection
-                      - s/mime
-                      - ipsec end system
-                      - ipsec tunnel
-                      - ipsec user
-                      - timestamping
-                      - ocsp signing
-                      - microsoft sgc
-                      - netscape sgc
-                username:
-                  description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
-                  type: string
-            status:
-              description: Status of the CertificateRequest. This is set and managed automatically.
-              type: object
-              properties:
-                ca:
-                  description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
-                  type: string
-                  format: byte
-                certificate:
-                  description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
-                  type: string
-                  format: byte
-                conditions:
-                  description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
-                  type: array
-                  items:
-                    description: CertificateRequestCondition contains condition information for a CertificateRequest.
-                    type: object
-                    required:
-                      - status
-                      - type
-                    properties:
-                      lastTransitionTime:
-                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
-                        type: string
-                        format: date-time
-                      message:
-                        description: Message is a human readable description of the details of the last transition, complementing reason.
-                        type: string
-                      reason:
-                        description: Reason is a brief machine readable explanation for the condition's last transition.
-                        type: string
-                      status:
-                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
-                        type: string
-                        enum:
-                          - "True"
-                          - "False"
-                          - Unknown
-                      type:
-                        description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
-                        type: string
-                failureTime:
-                  description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
-                  type: string
-                  format: date-time
-      served: true
-      storage: false
-    - name: v1beta1
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - jsonPath: .status.conditions[?(@.type=="Approved")].status
-          name: Approved
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Denied")].status
-          name: Denied
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-        - jsonPath: .spec.issuerRef.name
-          name: Issuer
-          type: string
-        - jsonPath: .spec.username
-          name: Requestor
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].message
-          name: Status
-          priority: 1
-          type: string
-        - jsonPath: .metadata.creationTimestamp
-          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          name: Age
-          type: date
-      schema:
-        openAPIV3Schema:
-          description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
-          type: object
-          required:
-            - spec
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: Desired state of the CertificateRequest resource.
-              type: object
-              required:
-                - issuerRef
-                - request
-              properties:
-                duration:
-                  description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
-                  type: string
-                extra:
-                  description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
-                  type: object
-                  additionalProperties:
-                    type: array
-                    items:
-                      type: string
-                groups:
-                  description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
-                  type: array
-                  items:
-                    type: string
-                  x-kubernetes-list-type: atomic
-                isCA:
-                  description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
-                  type: boolean
-                issuerRef:
-                  description: IssuerRef is a reference to the issuer for this CertificateRequest.  If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used.  If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
-                  type: object
-                  required:
-                    - name
-                  properties:
-                    group:
-                      description: Group of the resource being referred to.
-                      type: string
-                    kind:
-                      description: Kind of the resource being referred to.
-                      type: string
-                    name:
-                      description: Name of the resource being referred to.
-                      type: string
-                request:
-                  description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
-                  type: string
-                  format: byte
-                uid:
-                  description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
-                  type: string
-                usages:
-                  description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
-                  type: array
-                  items:
-                    description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
-                    type: string
-                    enum:
-                      - signing
-                      - digital signature
-                      - content commitment
-                      - key encipherment
-                      - key agreement
-                      - data encipherment
-                      - cert sign
-                      - crl sign
-                      - encipher only
-                      - decipher only
-                      - any
-                      - server auth
-                      - client auth
-                      - code signing
-                      - email protection
-                      - s/mime
-                      - ipsec end system
-                      - ipsec tunnel
-                      - ipsec user
-                      - timestamping
-                      - ocsp signing
-                      - microsoft sgc
-                      - netscape sgc
-                username:
-                  description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
-                  type: string
-            status:
-              description: Status of the CertificateRequest. This is set and managed automatically.
-              type: object
-              properties:
-                ca:
-                  description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
-                  type: string
-                  format: byte
-                certificate:
-                  description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
-                  type: string
-                  format: byte
-                conditions:
-                  description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
-                  type: array
-                  items:
-                    description: CertificateRequestCondition contains condition information for a CertificateRequest.
-                    type: object
-                    required:
-                      - status
-                      - type
-                    properties:
-                      lastTransitionTime:
-                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
-                        type: string
-                        format: date-time
-                      message:
-                        description: Message is a human readable description of the details of the last transition, complementing reason.
-                        type: string
-                      reason:
-                        description: Reason is a brief machine readable explanation for the condition's last transition.
-                        type: string
-                      status:
-                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
-                        type: string
-                        enum:
-                          - "True"
-                          - "False"
-                          - Unknown
-                      type:
-                        description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
-                        type: string
-                failureTime:
-                  description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
-                  type: string
-                  format: date-time
-      served: true
-      storage: false
-    - name: v1
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - jsonPath: .status.conditions[?(@.type=="Approved")].status
-          name: Approved
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Denied")].status
-          name: Denied
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-        - jsonPath: .spec.issuerRef.name
-          name: Issuer
-          type: string
-        - jsonPath: .spec.username
-          name: Requestor
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].message
-          name: Status
-          priority: 1
-          type: string
-        - jsonPath: .metadata.creationTimestamp
-          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          name: Age
-          type: date
-      schema:
-        openAPIV3Schema:
-          description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
-          type: object
-          required:
-            - spec
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: Desired state of the CertificateRequest resource.
-              type: object
-              required:
-                - issuerRef
-                - request
-              properties:
-                duration:
-                  description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
-                  type: string
-                extra:
-                  description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
-                  type: object
-                  additionalProperties:
-                    type: array
-                    items:
-                      type: string
-                groups:
-                  description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
-                  type: array
-                  items:
-                    type: string
-                  x-kubernetes-list-type: atomic
-                isCA:
-                  description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
-                  type: boolean
-                issuerRef:
-                  description: IssuerRef is a reference to the issuer for this CertificateRequest.  If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used.  If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
-                  type: object
-                  required:
-                    - name
-                  properties:
-                    group:
-                      description: Group of the resource being referred to.
-                      type: string
-                    kind:
-                      description: Kind of the resource being referred to.
-                      type: string
-                    name:
-                      description: Name of the resource being referred to.
-                      type: string
-                request:
-                  description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
-                  type: string
-                  format: byte
-                uid:
-                  description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
-                  type: string
-                usages:
-                  description: Usages is the set of x509 usages that are requested for the certificate. If usages are set they SHOULD be encoded inside the CSR spec Defaults to `digital signature` and `key encipherment` if not specified.
-                  type: array
-                  items:
-                    description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
-                    type: string
-                    enum:
-                      - signing
-                      - digital signature
-                      - content commitment
-                      - key encipherment
-                      - key agreement
-                      - data encipherment
-                      - cert sign
-                      - crl sign
-                      - encipher only
-                      - decipher only
-                      - any
-                      - server auth
-                      - client auth
-                      - code signing
-                      - email protection
-                      - s/mime
-                      - ipsec end system
-                      - ipsec tunnel
-                      - ipsec user
-                      - timestamping
-                      - ocsp signing
-                      - microsoft sgc
-                      - netscape sgc
-                username:
-                  description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
-                  type: string
-            status:
-              description: Status of the CertificateRequest. This is set and managed automatically.
-              type: object
-              properties:
-                ca:
-                  description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
-                  type: string
-                  format: byte
-                certificate:
-                  description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
-                  type: string
-                  format: byte
-                conditions:
-                  description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
-                  type: array
-                  items:
-                    description: CertificateRequestCondition contains condition information for a CertificateRequest.
-                    type: object
-                    required:
-                      - status
-                      - type
-                    properties:
-                      lastTransitionTime:
-                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
-                        type: string
-                        format: date-time
-                      message:
-                        description: Message is a human readable description of the details of the last transition, complementing reason.
-                        type: string
-                      reason:
-                        description: Reason is a brief machine readable explanation for the condition's last transition.
-                        type: string
-                      status:
-                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
-                        type: string
-                        enum:
-                          - "True"
-                          - "False"
-                          - Unknown
-                      type:
-                        description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
-                        type: string
-                failureTime:
-                  description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
-                  type: string
-                  format: date-time
-      served: true
-      storage: true
----
-# Source: cert-manager/templates/templates.out
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: certificates.cert-manager.io
-  annotations:
-    cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
-  labels:
-    app: 'cert-manager'
-    app.kubernetes.io/name: 'cert-manager'
-    app.kubernetes.io/instance: 'cert-manager'
-    # Generated labels
-    app.kubernetes.io/version: "v1.5.4"
-spec:
-  group: cert-manager.io
-  names:
-    kind: Certificate
-    listKind: CertificateList
-    plural: certificates
-    shortNames:
-      - cert
-      - certs
-    singular: certificate
-    categories:
-      - cert-manager
-  scope: Namespaced
-  conversion:
-    # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
-    strategy: Webhook
-    # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
-    webhook:
-      # We don't actually support `v1beta1` but is listed here as it is a
-      # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
-      # API server reads the supported versions in order, so _should always_
-      # attempt a `v1` request which is understood by the cert-manager webhook.
-      # Any `v1beta1` request will return an error and fail closed for that
-      # resource (the whole object request is rejected).
-      # When we no longer support v1.16 we can remove `v1beta1` from this list.
-      conversionReviewVersions: ["v1", "v1beta1"]
-      clientConfig:
-        #
-        service:
-          name: 'cert-manager-webhook'
-          namespace: "cert-manager"
-          path: /convert
-          #
-  versions:
-    - name: v1alpha2
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-        - jsonPath: .spec.secretName
-          name: Secret
-          type: string
-        - jsonPath: .spec.issuerRef.name
-          name: Issuer
-          priority: 1
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].message
-          name: Status
-          priority: 1
-          type: string
-        - jsonPath: .metadata.creationTimestamp
-          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          name: Age
-          type: date
-      schema:
-        openAPIV3Schema:
-          description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)."
-          type: object
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: Desired state of the Certificate resource.
-              type: object
-              required:
-                - issuerRef
-                - secretName
-              properties:
-                commonName:
-                  description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
-                  type: string
-                dnsNames:
-                  description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
-                  type: array
-                  items:
-                    type: string
-                duration:
-                  description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
-                  type: string
-                emailSANs:
-                  description: EmailSANs is a list of email subjectAltNames to be set on the Certificate.
-                  type: array
-                  items:
-                    type: string
-                encodeUsagesInRequest:
-                  description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest
-                  type: boolean
-                ipAddresses:
-                  description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
-                  type: array
-                  items:
-                    type: string
-                isCA:
-                  description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`.
-                  type: boolean
-                issuerRef:
-                  description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times.
-                  type: object
-                  required:
-                    - name
-                  properties:
-                    group:
-                      description: Group of the resource being referred to.
-                      type: string
-                    kind:
-                      description: Kind of the resource being referred to.
-                      type: string
-                    name:
-                      description: Name of the resource being referred to.
-                      type: string
-                keyAlgorithm:
-                  description: KeyAlgorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `rsa` or `ecdsa` If `keyAlgorithm` is specified and `keySize` is not provided, key size of 256 will be used for `ecdsa` key algorithm and key size of 2048 will be used for `rsa` key algorithm.
-                  type: string
-                  enum:
-                    - rsa
-                    - ecdsa
-                keyEncoding:
-                  description: KeyEncoding is the private key cryptography standards (PKCS) for this certificate's private key to be encoded in. If provided, allowed values are `pkcs1` and `pkcs8` standing for PKCS#1 and PKCS#8, respectively. If KeyEncoding is not specified, then `pkcs1` will be used by default.
-                  type: string
-                  enum:
-                    - pkcs1
-                    - pkcs8
-                keySize:
-                  description: KeySize is the key bit size of the corresponding private key for this certificate. If `keyAlgorithm` is set to `rsa`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `keyAlgorithm` is set to `ecdsa`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. No other values are allowed.
-                  type: integer
-                keystores:
-                  description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource.
-                  type: object
-                  properties:
-                    jks:
-                      description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
-                      type: object
-                      required:
-                        - create
-                        - passwordSecretRef
-                      properties:
-                        create:
-                          description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance.
-                          type: boolean
-                        passwordSecretRef:
-                          description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                    pkcs12:
-                      description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
-                      type: object
-                      required:
-                        - create
-                        - passwordSecretRef
-                      properties:
-                        create:
-                          description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance.
-                          type: boolean
-                        passwordSecretRef:
-                          description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                organization:
-                  description: Organization is a list of organizations to be used on the Certificate.
-                  type: array
-                  items:
-                    type: string
-                privateKey:
-                  description: Options to control private keys used for the Certificate.
-                  type: object
-                  properties:
-                    rotationPolicy:
-                      description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility.
-                      type: string
-                renewBefore:
-                  description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
-                  type: string
-                revisionHistoryLimit:
-                  description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
-                  type: integer
-                  format: int32
-                secretName:
-                  description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer.
-                  type: string
-                secretTemplate:
-                  description: SecretTemplate defines annotations and labels to be propagated to the Kubernetes Secret when it is created or updated. Once created, labels and annotations are not yet removed from the Secret when they are removed from the template. See https://github.com/jetstack/cert-manager/issues/4292
-                  type: object
-                  properties:
-                    annotations:
-                      description: Annotations is a key value map to be copied to the target Kubernetes Secret.
-                      type: object
-                      additionalProperties:
-                        type: string
-                    labels:
-                      description: Labels is a key value map to be copied to the target Kubernetes Secret.
-                      type: object
-                      additionalProperties:
-                        type: string
-                subject:
-                  description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
-                  type: object
-                  properties:
-                    countries:
-                      description: Countries to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    localities:
-                      description: Cities to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    organizationalUnits:
-                      description: Organizational Units to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    postalCodes:
-                      description: Postal codes to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    provinces:
-                      description: State/Provinces to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    serialNumber:
-                      description: Serial number to be used on the Certificate.
-                      type: string
-                    streetAddresses:
-                      description: Street addresses to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                uriSANs:
-                  description: URISANs is a list of URI subjectAltNames to be set on the Certificate.
-                  type: array
-                  items:
-                    type: string
-                usages:
-                  description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
-                  type: array
-                  items:
-                    description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
-                    type: string
-                    enum:
-                      - signing
-                      - digital signature
-                      - content commitment
-                      - key encipherment
-                      - key agreement
-                      - data encipherment
-                      - cert sign
-                      - crl sign
-                      - encipher only
-                      - decipher only
-                      - any
-                      - server auth
-                      - client auth
-                      - code signing
-                      - email protection
-                      - s/mime
-                      - ipsec end system
-                      - ipsec tunnel
-                      - ipsec user
-                      - timestamping
-                      - ocsp signing
-                      - microsoft sgc
-                      - netscape sgc
-            status:
-              description: Status of the Certificate. This is set and managed automatically.
-              type: object
-              properties:
-                conditions:
-                  description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.
-                  type: array
-                  items:
-                    description: CertificateCondition contains condition information for an Certificate.
-                    type: object
-                    required:
-                      - status
-                      - type
-                    properties:
-                      lastTransitionTime:
-                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
-                        type: string
-                        format: date-time
-                      message:
-                        description: Message is a human readable description of the details of the last transition, complementing reason.
-                        type: string
-                      observedGeneration:
-                        description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.
-                        type: integer
-                        format: int64
-                      reason:
-                        description: Reason is a brief machine readable explanation for the condition's last transition.
-                        type: string
-                      status:
-                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
-                        type: string
-                        enum:
-                          - "True"
-                          - "False"
-                          - Unknown
-                      type:
-                        description: Type of the condition, known values are (`Ready`, `Issuing`).
-                        type: string
-                lastFailureTime:
-                  description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time.
-                  type: string
-                  format: date-time
-                nextPrivateKeySecretName:
-                  description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.
-                  type: string
-                notAfter:
-                  description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.
-                  type: string
-                  format: date-time
-                notBefore:
-                  description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid.
-                  type: string
-                  format: date-time
-                renewalTime:
-                  description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.
-                  type: string
-                  format: date-time
-                revision:
-                  description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field."
-                  type: integer
-      served: true
-      storage: false
-    - name: v1alpha3
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-        - jsonPath: .spec.secretName
-          name: Secret
-          type: string
-        - jsonPath: .spec.issuerRef.name
-          name: Issuer
-          priority: 1
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].message
-          name: Status
-          priority: 1
-          type: string
-        - jsonPath: .metadata.creationTimestamp
-          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          name: Age
-          type: date
-      schema:
-        openAPIV3Schema:
-          description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)."
-          type: object
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: Desired state of the Certificate resource.
-              type: object
-              required:
-                - issuerRef
-                - secretName
-              properties:
-                commonName:
-                  description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
-                  type: string
-                dnsNames:
-                  description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
-                  type: array
-                  items:
-                    type: string
-                duration:
-                  description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
-                  type: string
-                emailSANs:
-                  description: EmailSANs is a list of email subjectAltNames to be set on the Certificate.
-                  type: array
-                  items:
-                    type: string
-                encodeUsagesInRequest:
-                  description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest
-                  type: boolean
-                ipAddresses:
-                  description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
-                  type: array
-                  items:
-                    type: string
-                isCA:
-                  description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`.
-                  type: boolean
-                issuerRef:
-                  description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times.
-                  type: object
-                  required:
-                    - name
-                  properties:
-                    group:
-                      description: Group of the resource being referred to.
-                      type: string
-                    kind:
-                      description: Kind of the resource being referred to.
-                      type: string
-                    name:
-                      description: Name of the resource being referred to.
-                      type: string
-                keyAlgorithm:
-                  description: KeyAlgorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `rsa` or `ecdsa` If `keyAlgorithm` is specified and `keySize` is not provided, key size of 256 will be used for `ecdsa` key algorithm and key size of 2048 will be used for `rsa` key algorithm.
-                  type: string
-                  enum:
-                    - rsa
-                    - ecdsa
-                keyEncoding:
-                  description: KeyEncoding is the private key cryptography standards (PKCS) for this certificate's private key to be encoded in. If provided, allowed values are `pkcs1` and `pkcs8` standing for PKCS#1 and PKCS#8, respectively. If KeyEncoding is not specified, then `pkcs1` will be used by default.
-                  type: string
-                  enum:
-                    - pkcs1
-                    - pkcs8
-                keySize:
-                  description: KeySize is the key bit size of the corresponding private key for this certificate. If `keyAlgorithm` is set to `rsa`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `keyAlgorithm` is set to `ecdsa`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. No other values are allowed.
-                  type: integer
-                keystores:
-                  description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource.
-                  type: object
-                  properties:
-                    jks:
-                      description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
-                      type: object
-                      required:
-                        - create
-                        - passwordSecretRef
-                      properties:
-                        create:
-                          description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority.
-                          type: boolean
-                        passwordSecretRef:
-                          description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                    pkcs12:
-                      description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
-                      type: object
-                      required:
-                        - create
-                        - passwordSecretRef
-                      properties:
-                        create:
-                          description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority.
-                          type: boolean
-                        passwordSecretRef:
-                          description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                privateKey:
-                  description: Options to control private keys used for the Certificate.
-                  type: object
-                  properties:
-                    rotationPolicy:
-                      description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility.
-                      type: string
-                renewBefore:
-                  description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
-                  type: string
-                revisionHistoryLimit:
-                  description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
-                  type: integer
-                  format: int32
-                secretName:
-                  description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer.
-                  type: string
-                secretTemplate:
-                  description: SecretTemplate defines annotations and labels to be propagated to the Kubernetes Secret when it is created or updated. Once created, labels and annotations are not yet removed from the Secret when they are removed from the template. See https://github.com/jetstack/cert-manager/issues/4292
-                  type: object
-                  properties:
-                    annotations:
-                      description: Annotations is a key value map to be copied to the target Kubernetes Secret.
-                      type: object
-                      additionalProperties:
-                        type: string
-                    labels:
-                      description: Labels is a key value map to be copied to the target Kubernetes Secret.
-                      type: object
-                      additionalProperties:
-                        type: string
-                subject:
-                  description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
-                  type: object
-                  properties:
-                    countries:
-                      description: Countries to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    localities:
-                      description: Cities to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    organizationalUnits:
-                      description: Organizational Units to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    organizations:
-                      description: Organizations to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    postalCodes:
-                      description: Postal codes to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    provinces:
-                      description: State/Provinces to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    serialNumber:
-                      description: Serial number to be used on the Certificate.
-                      type: string
-                    streetAddresses:
-                      description: Street addresses to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                uriSANs:
-                  description: URISANs is a list of URI subjectAltNames to be set on the Certificate.
-                  type: array
-                  items:
-                    type: string
-                usages:
-                  description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
-                  type: array
-                  items:
-                    description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
-                    type: string
-                    enum:
-                      - signing
-                      - digital signature
-                      - content commitment
-                      - key encipherment
-                      - key agreement
-                      - data encipherment
-                      - cert sign
-                      - crl sign
-                      - encipher only
-                      - decipher only
-                      - any
-                      - server auth
-                      - client auth
-                      - code signing
-                      - email protection
-                      - s/mime
-                      - ipsec end system
-                      - ipsec tunnel
-                      - ipsec user
-                      - timestamping
-                      - ocsp signing
-                      - microsoft sgc
-                      - netscape sgc
-            status:
-              description: Status of the Certificate. This is set and managed automatically.
-              type: object
-              properties:
-                conditions:
-                  description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.
-                  type: array
-                  items:
-                    description: CertificateCondition contains condition information for an Certificate.
-                    type: object
-                    required:
-                      - status
-                      - type
-                    properties:
-                      lastTransitionTime:
-                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
-                        type: string
-                        format: date-time
-                      message:
-                        description: Message is a human readable description of the details of the last transition, complementing reason.
-                        type: string
-                      observedGeneration:
-                        description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.
-                        type: integer
-                        format: int64
-                      reason:
-                        description: Reason is a brief machine readable explanation for the condition's last transition.
-                        type: string
-                      status:
-                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
-                        type: string
-                        enum:
-                          - "True"
-                          - "False"
-                          - Unknown
-                      type:
-                        description: Type of the condition, known values are (`Ready`, `Issuing`).
-                        type: string
-                lastFailureTime:
-                  description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time.
-                  type: string
-                  format: date-time
-                nextPrivateKeySecretName:
-                  description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.
-                  type: string
-                notAfter:
-                  description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.
-                  type: string
-                  format: date-time
-                notBefore:
-                  description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid.
-                  type: string
-                  format: date-time
-                renewalTime:
-                  description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.
-                  type: string
-                  format: date-time
-                revision:
-                  description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field."
-                  type: integer
-      served: true
-      storage: false
-    - name: v1beta1
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-        - jsonPath: .spec.secretName
-          name: Secret
-          type: string
-        - jsonPath: .spec.issuerRef.name
-          name: Issuer
-          priority: 1
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].message
-          name: Status
-          priority: 1
-          type: string
-        - jsonPath: .metadata.creationTimestamp
-          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          name: Age
-          type: date
-      schema:
-        openAPIV3Schema:
-          description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)."
-          type: object
-          required:
-            - spec
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: Desired state of the Certificate resource.
-              type: object
-              required:
-                - issuerRef
-                - secretName
-              properties:
-                commonName:
-                  description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
-                  type: string
-                dnsNames:
-                  description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
-                  type: array
-                  items:
-                    type: string
-                duration:
-                  description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
-                  type: string
-                emailSANs:
-                  description: EmailSANs is a list of email subjectAltNames to be set on the Certificate.
-                  type: array
-                  items:
-                    type: string
-                encodeUsagesInRequest:
-                  description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest
-                  type: boolean
-                ipAddresses:
-                  description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
-                  type: array
-                  items:
-                    type: string
-                isCA:
-                  description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`.
-                  type: boolean
-                issuerRef:
-                  description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times.
-                  type: object
-                  required:
-                    - name
-                  properties:
-                    group:
-                      description: Group of the resource being referred to.
-                      type: string
-                    kind:
-                      description: Kind of the resource being referred to.
-                      type: string
-                    name:
-                      description: Name of the resource being referred to.
-                      type: string
-                keystores:
-                  description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource.
-                  type: object
-                  properties:
-                    jks:
-                      description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
-                      type: object
-                      required:
-                        - create
-                        - passwordSecretRef
-                      properties:
-                        create:
-                          description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance.
-                          type: boolean
-                        passwordSecretRef:
-                          description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                    pkcs12:
-                      description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
-                      type: object
-                      required:
-                        - create
-                        - passwordSecretRef
-                      properties:
-                        create:
-                          description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance.
-                          type: boolean
-                        passwordSecretRef:
-                          description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                privateKey:
-                  description: Options to control private keys used for the Certificate.
-                  type: object
-                  properties:
-                    algorithm:
-                      description: Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `RSA` or `ECDSA` If `algorithm` is specified and `size` is not provided, key size of 256 will be used for `ECDSA` key algorithm and key size of 2048 will be used for `RSA` key algorithm.
-                      type: string
-                      enum:
-                        - RSA
-                        - ECDSA
-                    encoding:
-                      description: The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified.
-                      type: string
-                      enum:
-                        - PKCS1
-                        - PKCS8
-                    rotationPolicy:
-                      description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility.
-                      type: string
-                    size:
-                      description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. No other values are allowed.
-                      type: integer
-                renewBefore:
-                  description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
-                  type: string
-                revisionHistoryLimit:
-                  description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
-                  type: integer
-                  format: int32
-                secretName:
-                  description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer.
-                  type: string
-                secretTemplate:
-                  description: SecretTemplate defines annotations and labels to be propagated to the Kubernetes Secret when it is created or updated. Once created, labels and annotations are not yet removed from the Secret when they are removed from the template. See https://github.com/jetstack/cert-manager/issues/4292
-                  type: object
-                  properties:
-                    annotations:
-                      description: Annotations is a key value map to be copied to the target Kubernetes Secret.
-                      type: object
-                      additionalProperties:
-                        type: string
-                    labels:
-                      description: Labels is a key value map to be copied to the target Kubernetes Secret.
-                      type: object
-                      additionalProperties:
-                        type: string
-                subject:
-                  description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
-                  type: object
-                  properties:
-                    countries:
-                      description: Countries to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    localities:
-                      description: Cities to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    organizationalUnits:
-                      description: Organizational Units to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    organizations:
-                      description: Organizations to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    postalCodes:
-                      description: Postal codes to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    provinces:
-                      description: State/Provinces to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    serialNumber:
-                      description: Serial number to be used on the Certificate.
-                      type: string
-                    streetAddresses:
-                      description: Street addresses to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                uriSANs:
-                  description: URISANs is a list of URI subjectAltNames to be set on the Certificate.
-                  type: array
-                  items:
-                    type: string
-                usages:
-                  description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
-                  type: array
-                  items:
-                    description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
-                    type: string
-                    enum:
-                      - signing
-                      - digital signature
-                      - content commitment
-                      - key encipherment
-                      - key agreement
-                      - data encipherment
-                      - cert sign
-                      - crl sign
-                      - encipher only
-                      - decipher only
-                      - any
-                      - server auth
-                      - client auth
-                      - code signing
-                      - email protection
-                      - s/mime
-                      - ipsec end system
-                      - ipsec tunnel
-                      - ipsec user
-                      - timestamping
-                      - ocsp signing
-                      - microsoft sgc
-                      - netscape sgc
-            status:
-              description: Status of the Certificate. This is set and managed automatically.
-              type: object
-              properties:
-                conditions:
-                  description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.
-                  type: array
-                  items:
-                    description: CertificateCondition contains condition information for an Certificate.
-                    type: object
-                    required:
-                      - status
-                      - type
-                    properties:
-                      lastTransitionTime:
-                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
-                        type: string
-                        format: date-time
-                      message:
-                        description: Message is a human readable description of the details of the last transition, complementing reason.
-                        type: string
-                      observedGeneration:
-                        description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.
-                        type: integer
-                        format: int64
-                      reason:
-                        description: Reason is a brief machine readable explanation for the condition's last transition.
-                        type: string
-                      status:
-                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
-                        type: string
-                        enum:
-                          - "True"
-                          - "False"
-                          - Unknown
-                      type:
-                        description: Type of the condition, known values are (`Ready`, `Issuing`).
-                        type: string
-                lastFailureTime:
-                  description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time.
-                  type: string
-                  format: date-time
-                nextPrivateKeySecretName:
-                  description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.
-                  type: string
-                notAfter:
-                  description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.
-                  type: string
-                  format: date-time
-                notBefore:
-                  description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid.
-                  type: string
-                  format: date-time
-                renewalTime:
-                  description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.
-                  type: string
-                  format: date-time
-                revision:
-                  description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field."
-                  type: integer
-      served: true
-      storage: false
-    - name: v1
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-        - jsonPath: .spec.secretName
-          name: Secret
-          type: string
-        - jsonPath: .spec.issuerRef.name
-          name: Issuer
-          priority: 1
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].message
-          name: Status
-          priority: 1
-          type: string
-        - jsonPath: .metadata.creationTimestamp
-          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          name: Age
-          type: date
-      schema:
-        openAPIV3Schema:
-          description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)."
-          type: object
-          required:
-            - spec
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: Desired state of the Certificate resource.
-              type: object
-              required:
-                - issuerRef
-                - secretName
-              properties:
-                commonName:
-                  description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
-                  type: string
-                dnsNames:
-                  description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
-                  type: array
-                  items:
-                    type: string
-                duration:
-                  description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
-                  type: string
-                emailAddresses:
-                  description: EmailAddresses is a list of email subjectAltNames to be set on the Certificate.
-                  type: array
-                  items:
-                    type: string
-                encodeUsagesInRequest:
-                  description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest
-                  type: boolean
-                ipAddresses:
-                  description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
-                  type: array
-                  items:
-                    type: string
-                isCA:
-                  description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`.
-                  type: boolean
-                issuerRef:
-                  description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times.
-                  type: object
-                  required:
-                    - name
-                  properties:
-                    group:
-                      description: Group of the resource being referred to.
-                      type: string
-                    kind:
-                      description: Kind of the resource being referred to.
-                      type: string
-                    name:
-                      description: Name of the resource being referred to.
-                      type: string
-                keystores:
-                  description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource.
-                  type: object
-                  properties:
-                    jks:
-                      description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
-                      type: object
-                      required:
-                        - create
-                        - passwordSecretRef
-                      properties:
-                        create:
-                          description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
-                          type: boolean
-                        passwordSecretRef:
-                          description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                    pkcs12:
-                      description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
-                      type: object
-                      required:
-                        - create
-                        - passwordSecretRef
-                      properties:
-                        create:
-                          description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
-                          type: boolean
-                        passwordSecretRef:
-                          description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                privateKey:
-                  description: Options to control private keys used for the Certificate.
-                  type: object
-                  properties:
-                    algorithm:
-                      description: Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified and `size` is not provided, key size of 256 will be used for `ECDSA` key algorithm and key size of 2048 will be used for `RSA` key algorithm. key size is ignored when using the `Ed25519` key algorithm.
-                      type: string
-                      enum:
-                        - RSA
-                        - ECDSA
-                        - Ed25519
-                    encoding:
-                      description: The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified.
-                      type: string
-                      enum:
-                        - PKCS1
-                        - PKCS8
-                    rotationPolicy:
-                      description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility.
-                      type: string
-                    size:
-                      description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed.
-                      type: integer
-                renewBefore:
-                  description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
-                  type: string
-                revisionHistoryLimit:
-                  description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
-                  type: integer
-                  format: int32
-                secretName:
-                  description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer.
-                  type: string
-                secretTemplate:
-                  description: SecretTemplate defines annotations and labels to be propagated to the Kubernetes Secret when it is created or updated. Once created, labels and annotations are not yet removed from the Secret when they are removed from the template. See https://github.com/jetstack/cert-manager/issues/4292
-                  type: object
-                  properties:
-                    annotations:
-                      description: Annotations is a key value map to be copied to the target Kubernetes Secret.
-                      type: object
-                      additionalProperties:
-                        type: string
-                    labels:
-                      description: Labels is a key value map to be copied to the target Kubernetes Secret.
-                      type: object
-                      additionalProperties:
-                        type: string
-                subject:
-                  description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
-                  type: object
-                  properties:
-                    countries:
-                      description: Countries to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    localities:
-                      description: Cities to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    organizationalUnits:
-                      description: Organizational Units to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    organizations:
-                      description: Organizations to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    postalCodes:
-                      description: Postal codes to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    provinces:
-                      description: State/Provinces to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    serialNumber:
-                      description: Serial number to be used on the Certificate.
-                      type: string
-                    streetAddresses:
-                      description: Street addresses to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                uris:
-                  description: URIs is a list of URI subjectAltNames to be set on the Certificate.
-                  type: array
-                  items:
-                    type: string
-                usages:
-                  description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
-                  type: array
-                  items:
-                    description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
-                    type: string
-                    enum:
-                      - signing
-                      - digital signature
-                      - content commitment
-                      - key encipherment
-                      - key agreement
-                      - data encipherment
-                      - cert sign
-                      - crl sign
-                      - encipher only
-                      - decipher only
-                      - any
-                      - server auth
-                      - client auth
-                      - code signing
-                      - email protection
-                      - s/mime
-                      - ipsec end system
-                      - ipsec tunnel
-                      - ipsec user
-                      - timestamping
-                      - ocsp signing
-                      - microsoft sgc
-                      - netscape sgc
-            status:
-              description: Status of the Certificate. This is set and managed automatically.
-              type: object
-              properties:
-                conditions:
-                  description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.
-                  type: array
-                  items:
-                    description: CertificateCondition contains condition information for an Certificate.
-                    type: object
-                    required:
-                      - status
-                      - type
-                    properties:
-                      lastTransitionTime:
-                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
-                        type: string
-                        format: date-time
-                      message:
-                        description: Message is a human readable description of the details of the last transition, complementing reason.
-                        type: string
-                      observedGeneration:
-                        description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.
-                        type: integer
-                        format: int64
-                      reason:
-                        description: Reason is a brief machine readable explanation for the condition's last transition.
-                        type: string
-                      status:
-                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
-                        type: string
-                        enum:
-                          - "True"
-                          - "False"
-                          - Unknown
-                      type:
-                        description: Type of the condition, known values are (`Ready`, `Issuing`).
-                        type: string
-                lastFailureTime:
-                  description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time.
-                  type: string
-                  format: date-time
-                nextPrivateKeySecretName:
-                  description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.
-                  type: string
-                notAfter:
-                  description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.
-                  type: string
-                  format: date-time
-                notBefore:
-                  description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid.
-                  type: string
-                  format: date-time
-                renewalTime:
-                  description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.
-                  type: string
-                  format: date-time
-                revision:
-                  description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field."
-                  type: integer
-      served: true
-      storage: true
----
-# Source: cert-manager/templates/templates.out
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: challenges.acme.cert-manager.io
-  annotations:
-    cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
-  labels:
-    app: 'cert-manager'
-    app.kubernetes.io/name: 'cert-manager'
-    app.kubernetes.io/instance: 'cert-manager'
-    # Generated labels
-    app.kubernetes.io/version: "v1.5.4"
-spec:
-  group: acme.cert-manager.io
-  names:
-    kind: Challenge
-    listKind: ChallengeList
-    plural: challenges
-    singular: challenge
-    categories:
-      - cert-manager
-      - cert-manager-acme
-  scope: Namespaced
-  conversion:
-    # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
-    strategy: Webhook
-    # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
-    webhook:
-      # We don't actually support `v1beta1` but is listed here as it is a
-      # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
-      # API server reads the supported versions in order, so _should always_
-      # attempt a `v1` request which is understood by the cert-manager webhook.
-      # Any `v1beta1` request will return an error and fail closed for that
-      # resource (the whole object request is rejected).
-      # When we no longer support v1.16 we can remove `v1beta1` from this list.
-      conversionReviewVersions: ["v1", "v1beta1"]
-      clientConfig:
-        #
-        service:
-          name: 'cert-manager-webhook'
-          namespace: "cert-manager"
-          path: /convert
-          #
-  versions:
-    - additionalPrinterColumns:
-        - jsonPath: .status.state
-          name: State
-          type: string
-        - jsonPath: .spec.dnsName
-          name: Domain
-          type: string
-        - jsonPath: .status.reason
-          name: Reason
-          priority: 1
-          type: string
-        - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          jsonPath: .metadata.creationTimestamp
-          name: Age
-          type: date
-      name: v1alpha2
-      schema:
-        openAPIV3Schema:
-          description: Challenge is a type to represent a Challenge request with an ACME server
-          type: object
-          required:
-            - metadata
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              type: object
-              required:
-                - authzURL
-                - dnsName
-                - issuerRef
-                - key
-                - solver
-                - token
-                - type
-                - url
-              properties:
-                authzURL:
-                  description: AuthzURL is the URL to the ACME Authorization resource that this challenge is a part of.
-                  type: string
-                dnsName:
-                  description: DNSName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
-                  type: string
-                issuerRef:
-                  description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
-                  type: object
-                  required:
-                    - name
-                  properties:
-                    group:
-                      description: Group of the resource being referred to.
-                      type: string
-                    kind:
-                      description: Kind of the resource being referred to.
-                      type: string
-                    name:
-                      description: Name of the resource being referred to.
-                      type: string
-                key:
-                  description: 'Key is the ACME challenge key for this challenge For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.'
-                  type: string
-                solver:
-                  description: Solver contains the domain solving configuration that should be used to solve this challenge resource.
-                  type: object
-                  properties:
-                    dns01:
-                      description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
-                      type: object
-                      properties:
-                        acmedns:
-                          description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - accountSecretRef
-                            - host
-                          properties:
-                            accountSecretRef:
-                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            host:
-                              type: string
-                        akamai:
-                          description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - accessTokenSecretRef
-                            - clientSecretSecretRef
-                            - clientTokenSecretRef
-                            - serviceConsumerDomain
-                          properties:
-                            accessTokenSecretRef:
-                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            clientSecretSecretRef:
-                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            clientTokenSecretRef:
-                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            serviceConsumerDomain:
-                              type: string
-                        azuredns:
-                          description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - resourceGroupName
-                            - subscriptionID
-                          properties:
-                            clientID:
-                              description: if both this and ClientSecret are left unset MSI will be used
-                              type: string
-                            clientSecretSecretRef:
-                              description: if both this and ClientID are left unset MSI will be used
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            environment:
-                              type: string
-                              enum:
-                                - AzurePublicCloud
-                                - AzureChinaCloud
-                                - AzureGermanCloud
-                                - AzureUSGovernmentCloud
-                            hostedZoneName:
-                              type: string
-                            resourceGroupName:
-                              type: string
-                            subscriptionID:
-                              type: string
-                            tenantID:
-                              description: when specifying ClientID and ClientSecret then this field is also needed
-                              type: string
-                        clouddns:
-                          description: Use the Google Cloud DNS API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - project
-                          properties:
-                            hostedZoneName:
-                              description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
-                              type: string
-                            project:
-                              type: string
-                            serviceAccountSecretRef:
-                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        cloudflare:
-                          description: Use the Cloudflare API to manage DNS01 challenge records.
-                          type: object
-                          properties:
-                            apiKeySecretRef:
-                              description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            apiTokenSecretRef:
-                              description: API token used to authenticate with Cloudflare.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            email:
-                              description: Email of the account, only required when using API key based authentication.
-                              type: string
-                        cnameStrategy:
-                          description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
-                          type: string
-                          enum:
-                            - None
-                            - Follow
-                        digitalocean:
-                          description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - tokenSecretRef
-                          properties:
-                            tokenSecretRef:
-                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        rfc2136:
-                          description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - nameserver
-                          properties:
-                            nameserver:
-                              description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
-                              type: string
-                            tsigAlgorithm:
-                              description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
-                              type: string
-                            tsigKeyName:
-                              description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
-                              type: string
-                            tsigSecretSecretRef:
-                              description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        route53:
-                          description: Use the AWS Route53 API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - region
-                          properties:
-                            accessKeyID:
-                              description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
-                              type: string
-                            hostedZoneID:
-                              description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
-                              type: string
-                            region:
-                              description: Always set the region when using AccessKeyID and SecretAccessKey
-                              type: string
-                            role:
-                              description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
-                              type: string
-                            secretAccessKeySecretRef:
-                              description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        webhook:
-                          description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - groupName
-                            - solverName
-                          properties:
-                            config:
-                              description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
-                              x-kubernetes-preserve-unknown-fields: true
-                            groupName:
-                              description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
-                              type: string
-                            solverName:
-                              description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
-                              type: string
-                    http01:
-                      description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
-                      type: object
-                      properties:
-                        gatewayHTTPRoute:
-                          description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
-                          type: object
-                          properties:
-                            labels:
-                              description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
-                              type: object
-                              additionalProperties:
-                                type: string
-                            serviceType:
-                              description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
-                              type: string
-                        ingress:
-                          description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
-                          type: object
-                          properties:
-                            class:
-                              description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
-                              type: string
-                            ingressTemplate:
-                              description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges
-                              type: object
-                              properties:
-                                metadata:
-                                  description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
-                                  type: object
-                                  properties:
-                                    annotations:
-                                      description: Annotations that should be added to the created ACME HTTP01 solver ingress.
-                                      type: object
-                                      additionalProperties:
-                                        type: string
-                                    labels:
-                                      description: Labels that should be added to the created ACME HTTP01 solver ingress.
-                                      type: object
-                                      additionalProperties:
-                                        type: string
-                            name:
-                              description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
-                              type: string
-                            podTemplate:
-                              description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
-                              type: object
-                              properties:
-                                metadata:
-                                  description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
-                                  type: object
-                                  properties:
-                                    annotations:
-                                      description: Annotations that should be added to the create ACME HTTP01 solver pods.
-                                      type: object
-                                      additionalProperties:
-                                        type: string
-                                    labels:
-                                      description: Labels that should be added to the created ACME HTTP01 solver pods.
-                                      type: object
-                                      additionalProperties:
-                                        type: string
-                                spec:
-                                  description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
-                                  type: object
-                                  properties:
-                                    affinity:
-                                      description: If specified, the pod's scheduling constraints
-                                      type: object
-                                      properties:
-                                        nodeAffinity:
-                                          description: Describes node affinity scheduling rules for the pod.
-                                          type: object
-                                          properties:
-                                            preferredDuringSchedulingIgnoredDuringExecution:
-                                              description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
-                                              type: array
-                                              items:
-                                                description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
-                                                type: object
-                                                required:
-                                                  - preference
-                                                  - weight
-                                                properties:
-                                                  preference:
-                                                    description: A node selector term, associated with the corresponding weight.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: A list of node selector requirements by node's labels.
-                                                        type: array
-                                                        items:
-                                                          description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: The label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                              type: string
-                                                            values:
-                                                              description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                      matchFields:
-                                                        description: A list of node selector requirements by node's fields.
-                                                        type: array
-                                                        items:
-                                                          description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: The label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                              type: string
-                                                            values:
-                                                              description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                  weight:
-                                                    description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
-                                                    type: integer
-                                                    format: int32
-                                            requiredDuringSchedulingIgnoredDuringExecution:
-                                              description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
-                                              type: object
-                                              required:
-                                                - nodeSelectorTerms
-                                              properties:
-                                                nodeSelectorTerms:
-                                                  description: Required. A list of node selector terms. The terms are ORed.
-                                                  type: array
-                                                  items:
-                                                    description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: A list of node selector requirements by node's labels.
-                                                        type: array
-                                                        items:
-                                                          description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: The label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                              type: string
-                                                            values:
-                                                              description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                      matchFields:
-                                                        description: A list of node selector requirements by node's fields.
-                                                        type: array
-                                                        items:
-                                                          description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: The label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                              type: string
-                                                            values:
-                                                              description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                        podAffinity:
-                                          description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
-                                          type: object
-                                          properties:
-                                            preferredDuringSchedulingIgnoredDuringExecution:
-                                              description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
-                                              type: array
-                                              items:
-                                                description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                type: object
-                                                required:
-                                                  - podAffinityTerm
-                                                  - weight
-                                                properties:
-                                                  podAffinityTerm:
-                                                    description: Required. A pod affinity term, associated with the corresponding weight.
-                                                    type: object
-                                                    required:
-                                                      - topologyKey
-                                                    properties:
-                                                      labelSelector:
-                                                        description: A label query over a set of resources, in this case pods.
-                                                        type: object
-                                                        properties:
-                                                          matchExpressions:
-                                                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                            type: array
-                                                            items:
-                                                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                              type: object
-                                                              required:
-                                                                - key
-                                                                - operator
-                                                              properties:
-                                                                key:
-                                                                  description: key is the label key that the selector applies to.
-                                                                  type: string
-                                                                operator:
-                                                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                  type: string
-                                                                values:
-                                                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                  type: array
-                                                                  items:
-                                                                    type: string
-                                                          matchLabels:
-                                                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                            type: object
-                                                            additionalProperties:
-                                                              type: string
-                                                      namespaceSelector:
-                                                        description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                        type: object
-                                                        properties:
-                                                          matchExpressions:
-                                                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                            type: array
-                                                            items:
-                                                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                              type: object
-                                                              required:
-                                                                - key
-                                                                - operator
-                                                              properties:
-                                                                key:
-                                                                  description: key is the label key that the selector applies to.
-                                                                  type: string
-                                                                operator:
-                                                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                  type: string
-                                                                values:
-                                                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                  type: array
-                                                                  items:
-                                                                    type: string
-                                                          matchLabels:
-                                                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                            type: object
-                                                            additionalProperties:
-                                                              type: string
-                                                      namespaces:
-                                                        description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                        type: array
-                                                        items:
-                                                          type: string
-                                                      topologyKey:
-                                                        description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                        type: string
-                                                  weight:
-                                                    description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
-                                                    type: integer
-                                                    format: int32
-                                            requiredDuringSchedulingIgnoredDuringExecution:
-                                              description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                              type: array
-                                              items:
-                                                description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
-                                                type: object
-                                                required:
-                                                  - topologyKey
-                                                properties:
-                                                  labelSelector:
-                                                    description: A label query over a set of resources, in this case pods.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                        type: array
-                                                        items:
-                                                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: key is the label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                              type: string
-                                                            values:
-                                                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                      matchLabels:
-                                                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                        type: object
-                                                        additionalProperties:
-                                                          type: string
-                                                  namespaceSelector:
-                                                    description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                        type: array
-                                                        items:
-                                                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: key is the label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                              type: string
-                                                            values:
-                                                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                      matchLabels:
-                                                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                        type: object
-                                                        additionalProperties:
-                                                          type: string
-                                                  namespaces:
-                                                    description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                    type: array
-                                                    items:
-                                                      type: string
-                                                  topologyKey:
-                                                    description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                    type: string
-                                        podAntiAffinity:
-                                          description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
-                                          type: object
-                                          properties:
-                                            preferredDuringSchedulingIgnoredDuringExecution:
-                                              description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
-                                              type: array
-                                              items:
-                                                description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                type: object
-                                                required:
-                                                  - podAffinityTerm
-                                                  - weight
-                                                properties:
-                                                  podAffinityTerm:
-                                                    description: Required. A pod affinity term, associated with the corresponding weight.
-                                                    type: object
-                                                    required:
-                                                      - topologyKey
-                                                    properties:
-                                                      labelSelector:
-                                                        description: A label query over a set of resources, in this case pods.
-                                                        type: object
-                                                        properties:
-                                                          matchExpressions:
-                                                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                            type: array
-                                                            items:
-                                                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                              type: object
-                                                              required:
-                                                                - key
-                                                                - operator
-                                                              properties:
-                                                                key:
-                                                                  description: key is the label key that the selector applies to.
-                                                                  type: string
-                                                                operator:
-                                                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                  type: string
-                                                                values:
-                                                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                  type: array
-                                                                  items:
-                                                                    type: string
-                                                          matchLabels:
-                                                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                            type: object
-                                                            additionalProperties:
-                                                              type: string
-                                                      namespaceSelector:
-                                                        description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                        type: object
-                                                        properties:
-                                                          matchExpressions:
-                                                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                            type: array
-                                                            items:
-                                                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                              type: object
-                                                              required:
-                                                                - key
-                                                                - operator
-                                                              properties:
-                                                                key:
-                                                                  description: key is the label key that the selector applies to.
-                                                                  type: string
-                                                                operator:
-                                                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                  type: string
-                                                                values:
-                                                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                  type: array
-                                                                  items:
-                                                                    type: string
-                                                          matchLabels:
-                                                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                            type: object
-                                                            additionalProperties:
-                                                              type: string
-                                                      namespaces:
-                                                        description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                        type: array
-                                                        items:
-                                                          type: string
-                                                      topologyKey:
-                                                        description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                        type: string
-                                                  weight:
-                                                    description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
-                                                    type: integer
-                                                    format: int32
-                                            requiredDuringSchedulingIgnoredDuringExecution:
-                                              description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                              type: array
-                                              items:
-                                                description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
-                                                type: object
-                                                required:
-                                                  - topologyKey
-                                                properties:
-                                                  labelSelector:
-                                                    description: A label query over a set of resources, in this case pods.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                        type: array
-                                                        items:
-                                                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: key is the label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                              type: string
-                                                            values:
-                                                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                      matchLabels:
-                                                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                        type: object
-                                                        additionalProperties:
-                                                          type: string
-                                                  namespaceSelector:
-                                                    description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                        type: array
-                                                        items:
-                                                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: key is the label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                              type: string
-                                                            values:
-                                                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                      matchLabels:
-                                                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                        type: object
-                                                        additionalProperties:
-                                                          type: string
-                                                  namespaces:
-                                                    description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                    type: array
-                                                    items:
-                                                      type: string
-                                                  topologyKey:
-                                                    description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                    type: string
-                                    nodeSelector:
-                                      description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
-                                      type: object
-                                      additionalProperties:
-                                        type: string
-                                    priorityClassName:
-                                      description: If specified, the pod's priorityClassName.
-                                      type: string
-                                    serviceAccountName:
-                                      description: If specified, the pod's service account
-                                      type: string
-                                    tolerations:
-                                      description: If specified, the pod's tolerations.
-                                      type: array
-                                      items:
-                                        description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
-                                        type: object
-                                        properties:
-                                          effect:
-                                            description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
-                                            type: string
-                                          key:
-                                            description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
-                                            type: string
-                                          operator:
-                                            description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
-                                            type: string
-                                          tolerationSeconds:
-                                            description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
-                                            type: integer
-                                            format: int64
-                                          value:
-                                            description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
-                                            type: string
-                            serviceType:
-                              description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
-                              type: string
-                    selector:
-                      description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
-                      type: object
-                      properties:
-                        dnsNames:
-                          description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
-                          type: array
-                          items:
-                            type: string
-                        dnsZones:
-                          description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
-                          type: array
-                          items:
-                            type: string
-                        matchLabels:
-                          description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
-                          type: object
-                          additionalProperties:
-                            type: string
-                token:
-                  description: Token is the ACME challenge token for this challenge. This is the raw value returned from the ACME server.
-                  type: string
-                type:
-                  description: Type is the type of ACME challenge this resource represents. One of "http-01" or "dns-01".
-                  type: string
-                  enum:
-                    - http-01
-                    - dns-01
-                url:
-                  description: URL is the URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
-                  type: string
-                wildcard:
-                  description: Wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
-                  type: boolean
-            status:
-              type: object
-              properties:
-                presented:
-                  description: Presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
-                  type: boolean
-                processing:
-                  description: Processing is used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
-                  type: boolean
-                reason:
-                  description: Reason contains human readable information on why the Challenge is in the current state.
-                  type: string
-                state:
-                  description: State contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
-                  type: string
-                  enum:
-                    - valid
-                    - ready
-                    - pending
-                    - processing
-                    - invalid
-                    - expired
-                    - errored
-      served: true
-      storage: false
-      subresources:
-        status: {}
-    - additionalPrinterColumns:
-        - jsonPath: .status.state
-          name: State
-          type: string
-        - jsonPath: .spec.dnsName
-          name: Domain
-          type: string
-        - jsonPath: .status.reason
-          name: Reason
-          priority: 1
-          type: string
-        - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          jsonPath: .metadata.creationTimestamp
-          name: Age
-          type: date
-      name: v1alpha3
-      schema:
-        openAPIV3Schema:
-          description: Challenge is a type to represent a Challenge request with an ACME server
-          type: object
-          required:
-            - metadata
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              type: object
-              required:
-                - authzURL
-                - dnsName
-                - issuerRef
-                - key
-                - solver
-                - token
-                - type
-                - url
-              properties:
-                authzURL:
-                  description: AuthzURL is the URL to the ACME Authorization resource that this challenge is a part of.
-                  type: string
-                dnsName:
-                  description: DNSName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
-                  type: string
-                issuerRef:
-                  description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
-                  type: object
-                  required:
-                    - name
-                  properties:
-                    group:
-                      description: Group of the resource being referred to.
-                      type: string
-                    kind:
-                      description: Kind of the resource being referred to.
-                      type: string
-                    name:
-                      description: Name of the resource being referred to.
-                      type: string
-                key:
-                  description: 'Key is the ACME challenge key for this challenge For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.'
-                  type: string
-                solver:
-                  description: Solver contains the domain solving configuration that should be used to solve this challenge resource.
-                  type: object
-                  properties:
-                    dns01:
-                      description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
-                      type: object
-                      properties:
-                        acmedns:
-                          description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - accountSecretRef
-                            - host
-                          properties:
-                            accountSecretRef:
-                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            host:
-                              type: string
-                        akamai:
-                          description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - accessTokenSecretRef
-                            - clientSecretSecretRef
-                            - clientTokenSecretRef
-                            - serviceConsumerDomain
-                          properties:
-                            accessTokenSecretRef:
-                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            clientSecretSecretRef:
-                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            clientTokenSecretRef:
-                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            serviceConsumerDomain:
-                              type: string
-                        azuredns:
-                          description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - resourceGroupName
-                            - subscriptionID
-                          properties:
-                            clientID:
-                              description: if both this and ClientSecret are left unset MSI will be used
-                              type: string
-                            clientSecretSecretRef:
-                              description: if both this and ClientID are left unset MSI will be used
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            environment:
-                              type: string
-                              enum:
-                                - AzurePublicCloud
-                                - AzureChinaCloud
-                                - AzureGermanCloud
-                                - AzureUSGovernmentCloud
-                            hostedZoneName:
-                              type: string
-                            resourceGroupName:
-                              type: string
-                            subscriptionID:
-                              type: string
-                            tenantID:
-                              description: when specifying ClientID and ClientSecret then this field is also needed
-                              type: string
-                        clouddns:
-                          description: Use the Google Cloud DNS API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - project
-                          properties:
-                            hostedZoneName:
-                              description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
-                              type: string
-                            project:
-                              type: string
-                            serviceAccountSecretRef:
-                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        cloudflare:
-                          description: Use the Cloudflare API to manage DNS01 challenge records.
-                          type: object
-                          properties:
-                            apiKeySecretRef:
-                              description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            apiTokenSecretRef:
-                              description: API token used to authenticate with Cloudflare.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            email:
-                              description: Email of the account, only required when using API key based authentication.
-                              type: string
-                        cnameStrategy:
-                          description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
-                          type: string
-                          enum:
-                            - None
-                            - Follow
-                        digitalocean:
-                          description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - tokenSecretRef
-                          properties:
-                            tokenSecretRef:
-                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        rfc2136:
-                          description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - nameserver
-                          properties:
-                            nameserver:
-                              description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
-                              type: string
-                            tsigAlgorithm:
-                              description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
-                              type: string
-                            tsigKeyName:
-                              description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
-                              type: string
-                            tsigSecretSecretRef:
-                              description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        route53:
-                          description: Use the AWS Route53 API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - region
-                          properties:
-                            accessKeyID:
-                              description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
-                              type: string
-                            hostedZoneID:
-                              description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
-                              type: string
-                            region:
-                              description: Always set the region when using AccessKeyID and SecretAccessKey
-                              type: string
-                            role:
-                              description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
-                              type: string
-                            secretAccessKeySecretRef:
-                              description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        webhook:
-                          description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - groupName
-                            - solverName
-                          properties:
-                            config:
-                              description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
-                              x-kubernetes-preserve-unknown-fields: true
-                            groupName:
-                              description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
-                              type: string
-                            solverName:
-                              description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
-                              type: string
-                    http01:
-                      description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
-                      type: object
-                      properties:
-                        gatewayHTTPRoute:
-                          description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
-                          type: object
-                          properties:
-                            labels:
-                              description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
-                              type: object
-                              additionalProperties:
-                                type: string
-                            serviceType:
-                              description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
-                              type: string
-                        ingress:
-                          description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
-                          type: object
-                          properties:
-                            class:
-                              description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
-                              type: string
-                            ingressTemplate:
-                              description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges
-                              type: object
-                              properties:
-                                metadata:
-                                  description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
-                                  type: object
-                                  properties:
-                                    annotations:
-                                      description: Annotations that should be added to the created ACME HTTP01 solver ingress.
-                                      type: object
-                                      additionalProperties:
-                                        type: string
-                                    labels:
-                                      description: Labels that should be added to the created ACME HTTP01 solver ingress.
-                                      type: object
-                                      additionalProperties:
-                                        type: string
-                            name:
-                              description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
-                              type: string
-                            podTemplate:
-                              description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
-                              type: object
-                              properties:
-                                metadata:
-                                  description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
-                                  type: object
-                                  properties:
-                                    annotations:
-                                      description: Annotations that should be added to the create ACME HTTP01 solver pods.
-                                      type: object
-                                      additionalProperties:
-                                        type: string
-                                    labels:
-                                      description: Labels that should be added to the created ACME HTTP01 solver pods.
-                                      type: object
-                                      additionalProperties:
-                                        type: string
-                                spec:
-                                  description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
-                                  type: object
-                                  properties:
-                                    affinity:
-                                      description: If specified, the pod's scheduling constraints
-                                      type: object
-                                      properties:
-                                        nodeAffinity:
-                                          description: Describes node affinity scheduling rules for the pod.
-                                          type: object
-                                          properties:
-                                            preferredDuringSchedulingIgnoredDuringExecution:
-                                              description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
-                                              type: array
-                                              items:
-                                                description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
-                                                type: object
-                                                required:
-                                                  - preference
-                                                  - weight
-                                                properties:
-                                                  preference:
-                                                    description: A node selector term, associated with the corresponding weight.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: A list of node selector requirements by node's labels.
-                                                        type: array
-                                                        items:
-                                                          description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: The label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                              type: string
-                                                            values:
-                                                              description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                      matchFields:
-                                                        description: A list of node selector requirements by node's fields.
-                                                        type: array
-                                                        items:
-                                                          description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: The label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                              type: string
-                                                            values:
-                                                              description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                  weight:
-                                                    description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
-                                                    type: integer
-                                                    format: int32
-                                            requiredDuringSchedulingIgnoredDuringExecution:
-                                              description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
-                                              type: object
-                                              required:
-                                                - nodeSelectorTerms
-                                              properties:
-                                                nodeSelectorTerms:
-                                                  description: Required. A list of node selector terms. The terms are ORed.
-                                                  type: array
-                                                  items:
-                                                    description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: A list of node selector requirements by node's labels.
-                                                        type: array
-                                                        items:
-                                                          description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: The label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                              type: string
-                                                            values:
-                                                              description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                      matchFields:
-                                                        description: A list of node selector requirements by node's fields.
-                                                        type: array
-                                                        items:
-                                                          description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: The label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                              type: string
-                                                            values:
-                                                              description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                        podAffinity:
-                                          description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
-                                          type: object
-                                          properties:
-                                            preferredDuringSchedulingIgnoredDuringExecution:
-                                              description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
-                                              type: array
-                                              items:
-                                                description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                type: object
-                                                required:
-                                                  - podAffinityTerm
-                                                  - weight
-                                                properties:
-                                                  podAffinityTerm:
-                                                    description: Required. A pod affinity term, associated with the corresponding weight.
-                                                    type: object
-                                                    required:
-                                                      - topologyKey
-                                                    properties:
-                                                      labelSelector:
-                                                        description: A label query over a set of resources, in this case pods.
-                                                        type: object
-                                                        properties:
-                                                          matchExpressions:
-                                                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                            type: array
-                                                            items:
-                                                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                              type: object
-                                                              required:
-                                                                - key
-                                                                - operator
-                                                              properties:
-                                                                key:
-                                                                  description: key is the label key that the selector applies to.
-                                                                  type: string
-                                                                operator:
-                                                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                  type: string
-                                                                values:
-                                                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                  type: array
-                                                                  items:
-                                                                    type: string
-                                                          matchLabels:
-                                                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                            type: object
-                                                            additionalProperties:
-                                                              type: string
-                                                      namespaceSelector:
-                                                        description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                        type: object
-                                                        properties:
-                                                          matchExpressions:
-                                                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                            type: array
-                                                            items:
-                                                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                              type: object
-                                                              required:
-                                                                - key
-                                                                - operator
-                                                              properties:
-                                                                key:
-                                                                  description: key is the label key that the selector applies to.
-                                                                  type: string
-                                                                operator:
-                                                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                  type: string
-                                                                values:
-                                                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                  type: array
-                                                                  items:
-                                                                    type: string
-                                                          matchLabels:
-                                                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                            type: object
-                                                            additionalProperties:
-                                                              type: string
-                                                      namespaces:
-                                                        description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                        type: array
-                                                        items:
-                                                          type: string
-                                                      topologyKey:
-                                                        description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                        type: string
-                                                  weight:
-                                                    description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
-                                                    type: integer
-                                                    format: int32
-                                            requiredDuringSchedulingIgnoredDuringExecution:
-                                              description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                              type: array
-                                              items:
-                                                description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
-                                                type: object
-                                                required:
-                                                  - topologyKey
-                                                properties:
-                                                  labelSelector:
-                                                    description: A label query over a set of resources, in this case pods.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                        type: array
-                                                        items:
-                                                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: key is the label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                              type: string
-                                                            values:
-                                                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                      matchLabels:
-                                                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                        type: object
-                                                        additionalProperties:
-                                                          type: string
-                                                  namespaceSelector:
-                                                    description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                        type: array
-                                                        items:
-                                                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: key is the label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                              type: string
-                                                            values:
-                                                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                      matchLabels:
-                                                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                        type: object
-                                                        additionalProperties:
-                                                          type: string
-                                                  namespaces:
-                                                    description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                    type: array
-                                                    items:
-                                                      type: string
-                                                  topologyKey:
-                                                    description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                    type: string
-                                        podAntiAffinity:
-                                          description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
-                                          type: object
-                                          properties:
-                                            preferredDuringSchedulingIgnoredDuringExecution:
-                                              description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
-                                              type: array
-                                              items:
-                                                description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                type: object
-                                                required:
-                                                  - podAffinityTerm
-                                                  - weight
-                                                properties:
-                                                  podAffinityTerm:
-                                                    description: Required. A pod affinity term, associated with the corresponding weight.
-                                                    type: object
-                                                    required:
-                                                      - topologyKey
-                                                    properties:
-                                                      labelSelector:
-                                                        description: A label query over a set of resources, in this case pods.
-                                                        type: object
-                                                        properties:
-                                                          matchExpressions:
-                                                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                            type: array
-                                                            items:
-                                                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                              type: object
-                                                              required:
-                                                                - key
-                                                                - operator
-                                                              properties:
-                                                                key:
-                                                                  description: key is the label key that the selector applies to.
-                                                                  type: string
-                                                                operator:
-                                                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                  type: string
-                                                                values:
-                                                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                  type: array
-                                                                  items:
-                                                                    type: string
-                                                          matchLabels:
-                                                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                            type: object
-                                                            additionalProperties:
-                                                              type: string
-                                                      namespaceSelector:
-                                                        description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                        type: object
-                                                        properties:
-                                                          matchExpressions:
-                                                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                            type: array
-                                                            items:
-                                                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                              type: object
-                                                              required:
-                                                                - key
-                                                                - operator
-                                                              properties:
-                                                                key:
-                                                                  description: key is the label key that the selector applies to.
-                                                                  type: string
-                                                                operator:
-                                                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                  type: string
-                                                                values:
-                                                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                  type: array
-                                                                  items:
-                                                                    type: string
-                                                          matchLabels:
-                                                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                            type: object
-                                                            additionalProperties:
-                                                              type: string
-                                                      namespaces:
-                                                        description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                        type: array
-                                                        items:
-                                                          type: string
-                                                      topologyKey:
-                                                        description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                        type: string
-                                                  weight:
-                                                    description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
-                                                    type: integer
-                                                    format: int32
-                                            requiredDuringSchedulingIgnoredDuringExecution:
-                                              description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                              type: array
-                                              items:
-                                                description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
-                                                type: object
-                                                required:
-                                                  - topologyKey
-                                                properties:
-                                                  labelSelector:
-                                                    description: A label query over a set of resources, in this case pods.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                        type: array
-                                                        items:
-                                                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: key is the label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                              type: string
-                                                            values:
-                                                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                      matchLabels:
-                                                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                        type: object
-                                                        additionalProperties:
-                                                          type: string
-                                                  namespaceSelector:
-                                                    description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                        type: array
-                                                        items:
-                                                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: key is the label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                              type: string
-                                                            values:
-                                                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                      matchLabels:
-                                                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                        type: object
-                                                        additionalProperties:
-                                                          type: string
-                                                  namespaces:
-                                                    description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                    type: array
-                                                    items:
-                                                      type: string
-                                                  topologyKey:
-                                                    description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                    type: string
-                                    nodeSelector:
-                                      description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
-                                      type: object
-                                      additionalProperties:
-                                        type: string
-                                    priorityClassName:
-                                      description: If specified, the pod's priorityClassName.
-                                      type: string
-                                    serviceAccountName:
-                                      description: If specified, the pod's service account
-                                      type: string
-                                    tolerations:
-                                      description: If specified, the pod's tolerations.
-                                      type: array
-                                      items:
-                                        description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
-                                        type: object
-                                        properties:
-                                          effect:
-                                            description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
-                                            type: string
-                                          key:
-                                            description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
-                                            type: string
-                                          operator:
-                                            description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
-                                            type: string
-                                          tolerationSeconds:
-                                            description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
-                                            type: integer
-                                            format: int64
-                                          value:
-                                            description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
-                                            type: string
-                            serviceType:
-                              description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
-                              type: string
-                    selector:
-                      description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
-                      type: object
-                      properties:
-                        dnsNames:
-                          description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
-                          type: array
-                          items:
-                            type: string
-                        dnsZones:
-                          description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
-                          type: array
-                          items:
-                            type: string
-                        matchLabels:
-                          description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
-                          type: object
-                          additionalProperties:
-                            type: string
-                token:
-                  description: Token is the ACME challenge token for this challenge. This is the raw value returned from the ACME server.
-                  type: string
-                type:
-                  description: Type is the type of ACME challenge this resource represents. One of "http-01" or "dns-01".
-                  type: string
-                  enum:
-                    - http-01
-                    - dns-01
-                url:
-                  description: URL is the URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
-                  type: string
-                wildcard:
-                  description: Wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
-                  type: boolean
-            status:
-              type: object
-              properties:
-                presented:
-                  description: Presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
-                  type: boolean
-                processing:
-                  description: Processing is used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
-                  type: boolean
-                reason:
-                  description: Reason contains human readable information on why the Challenge is in the current state.
-                  type: string
-                state:
-                  description: State contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
-                  type: string
-                  enum:
-                    - valid
-                    - ready
-                    - pending
-                    - processing
-                    - invalid
-                    - expired
-                    - errored
-      served: true
-      storage: false
-      subresources:
-        status: {}
-    - additionalPrinterColumns:
-        - jsonPath: .status.state
-          name: State
-          type: string
-        - jsonPath: .spec.dnsName
-          name: Domain
-          type: string
-        - jsonPath: .status.reason
-          name: Reason
-          priority: 1
-          type: string
-        - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          jsonPath: .metadata.creationTimestamp
-          name: Age
-          type: date
-      name: v1beta1
-      schema:
-        openAPIV3Schema:
-          description: Challenge is a type to represent a Challenge request with an ACME server
-          type: object
-          required:
-            - metadata
-            - spec
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              type: object
-              required:
-                - authorizationURL
-                - dnsName
-                - issuerRef
-                - key
-                - solver
-                - token
-                - type
-                - url
-              properties:
-                authorizationURL:
-                  description: The URL to the ACME Authorization resource that this challenge is a part of.
-                  type: string
-                dnsName:
-                  description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
-                  type: string
-                issuerRef:
-                  description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
-                  type: object
-                  required:
-                    - name
-                  properties:
-                    group:
-                      description: Group of the resource being referred to.
-                      type: string
-                    kind:
-                      description: Kind of the resource being referred to.
-                      type: string
-                    name:
-                      description: Name of the resource being referred to.
-                      type: string
-                key:
-                  description: 'The ACME challenge key for this challenge For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.'
-                  type: string
-                solver:
-                  description: Contains the domain solving configuration that should be used to solve this challenge resource.
-                  type: object
-                  properties:
-                    dns01:
-                      description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
-                      type: object
-                      properties:
-                        acmeDNS:
-                          description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - accountSecretRef
-                            - host
-                          properties:
-                            accountSecretRef:
-                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            host:
-                              type: string
-                        akamai:
-                          description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - accessTokenSecretRef
-                            - clientSecretSecretRef
-                            - clientTokenSecretRef
-                            - serviceConsumerDomain
-                          properties:
-                            accessTokenSecretRef:
-                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            clientSecretSecretRef:
-                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            clientTokenSecretRef:
-                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            serviceConsumerDomain:
-                              type: string
-                        azureDNS:
-                          description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - resourceGroupName
-                            - subscriptionID
-                          properties:
-                            clientID:
-                              description: if both this and ClientSecret are left unset MSI will be used
-                              type: string
-                            clientSecretSecretRef:
-                              description: if both this and ClientID are left unset MSI will be used
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            environment:
-                              type: string
-                              enum:
-                                - AzurePublicCloud
-                                - AzureChinaCloud
-                                - AzureGermanCloud
-                                - AzureUSGovernmentCloud
-                            hostedZoneName:
-                              type: string
-                            resourceGroupName:
-                              type: string
-                            subscriptionID:
-                              type: string
-                            tenantID:
-                              description: when specifying ClientID and ClientSecret then this field is also needed
-                              type: string
-                        cloudDNS:
-                          description: Use the Google Cloud DNS API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - project
-                          properties:
-                            hostedZoneName:
-                              description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
-                              type: string
-                            project:
-                              type: string
-                            serviceAccountSecretRef:
-                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        cloudflare:
-                          description: Use the Cloudflare API to manage DNS01 challenge records.
-                          type: object
-                          properties:
-                            apiKeySecretRef:
-                              description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            apiTokenSecretRef:
-                              description: API token used to authenticate with Cloudflare.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            email:
-                              description: Email of the account, only required when using API key based authentication.
-                              type: string
-                        cnameStrategy:
-                          description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
-                          type: string
-                          enum:
-                            - None
-                            - Follow
-                        digitalocean:
-                          description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - tokenSecretRef
-                          properties:
-                            tokenSecretRef:
-                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        rfc2136:
-                          description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - nameserver
-                          properties:
-                            nameserver:
-                              description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
-                              type: string
-                            tsigAlgorithm:
-                              description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
-                              type: string
-                            tsigKeyName:
-                              description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
-                              type: string
-                            tsigSecretSecretRef:
-                              description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        route53:
-                          description: Use the AWS Route53 API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - region
-                          properties:
-                            accessKeyID:
-                              description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
-                              type: string
-                            hostedZoneID:
-                              description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
-                              type: string
-                            region:
-                              description: Always set the region when using AccessKeyID and SecretAccessKey
-                              type: string
-                            role:
-                              description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
-                              type: string
-                            secretAccessKeySecretRef:
-                              description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        webhook:
-                          description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - groupName
-                            - solverName
-                          properties:
-                            config:
-                              description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
-                              x-kubernetes-preserve-unknown-fields: true
-                            groupName:
-                              description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
-                              type: string
-                            solverName:
-                              description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
-                              type: string
-                    http01:
-                      description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
-                      type: object
-                      properties:
-                        gatewayHTTPRoute:
-                          description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
-                          type: object
-                          properties:
-                            labels:
-                              description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
-                              type: object
-                              additionalProperties:
-                                type: string
-                            serviceType:
-                              description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
-                              type: string
-                        ingress:
-                          description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
-                          type: object
-                          properties:
-                            class:
-                              description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
-                              type: string
-                            ingressTemplate:
-                              description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
-                              type: object
-                              properties:
-                                metadata:
-                                  description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
-                                  type: object
-                                  properties:
-                                    annotations:
-                                      description: Annotations that should be added to the created ACME HTTP01 solver ingress.
-                                      type: object
-                                      additionalProperties:
-                                        type: string
-                                    labels:
-                                      description: Labels that should be added to the created ACME HTTP01 solver ingress.
-                                      type: object
-                                      additionalProperties:
-                                        type: string
-                            name:
-                              description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
-                              type: string
-                            podTemplate:
-                              description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges
-                              type: object
-                              properties:
-                                metadata:
-                                  description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
-                                  type: object
-                                  properties:
-                                    annotations:
-                                      description: Annotations that should be added to the create ACME HTTP01 solver pods.
-                                      type: object
-                                      additionalProperties:
-                                        type: string
-                                    labels:
-                                      description: Labels that should be added to the created ACME HTTP01 solver pods.
-                                      type: object
-                                      additionalProperties:
-                                        type: string
-                                spec:
-                                  description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
-                                  type: object
-                                  properties:
-                                    affinity:
-                                      description: If specified, the pod's scheduling constraints
-                                      type: object
-                                      properties:
-                                        nodeAffinity:
-                                          description: Describes node affinity scheduling rules for the pod.
-                                          type: object
-                                          properties:
-                                            preferredDuringSchedulingIgnoredDuringExecution:
-                                              description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
-                                              type: array
-                                              items:
-                                                description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
-                                                type: object
-                                                required:
-                                                  - preference
-                                                  - weight
-                                                properties:
-                                                  preference:
-                                                    description: A node selector term, associated with the corresponding weight.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: A list of node selector requirements by node's labels.
-                                                        type: array
-                                                        items:
-                                                          description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: The label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                              type: string
-                                                            values:
-                                                              description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                      matchFields:
-                                                        description: A list of node selector requirements by node's fields.
-                                                        type: array
-                                                        items:
-                                                          description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: The label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                              type: string
-                                                            values:
-                                                              description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                  weight:
-                                                    description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
-                                                    type: integer
-                                                    format: int32
-                                            requiredDuringSchedulingIgnoredDuringExecution:
-                                              description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
-                                              type: object
-                                              required:
-                                                - nodeSelectorTerms
-                                              properties:
-                                                nodeSelectorTerms:
-                                                  description: Required. A list of node selector terms. The terms are ORed.
-                                                  type: array
-                                                  items:
-                                                    description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: A list of node selector requirements by node's labels.
-                                                        type: array
-                                                        items:
-                                                          description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: The label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                              type: string
-                                                            values:
-                                                              description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                      matchFields:
-                                                        description: A list of node selector requirements by node's fields.
-                                                        type: array
-                                                        items:
-                                                          description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: The label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                              type: string
-                                                            values:
-                                                              description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                        podAffinity:
-                                          description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
-                                          type: object
-                                          properties:
-                                            preferredDuringSchedulingIgnoredDuringExecution:
-                                              description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
-                                              type: array
-                                              items:
-                                                description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                type: object
-                                                required:
-                                                  - podAffinityTerm
-                                                  - weight
-                                                properties:
-                                                  podAffinityTerm:
-                                                    description: Required. A pod affinity term, associated with the corresponding weight.
-                                                    type: object
-                                                    required:
-                                                      - topologyKey
-                                                    properties:
-                                                      labelSelector:
-                                                        description: A label query over a set of resources, in this case pods.
-                                                        type: object
-                                                        properties:
-                                                          matchExpressions:
-                                                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                            type: array
-                                                            items:
-                                                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                              type: object
-                                                              required:
-                                                                - key
-                                                                - operator
-                                                              properties:
-                                                                key:
-                                                                  description: key is the label key that the selector applies to.
-                                                                  type: string
-                                                                operator:
-                                                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                  type: string
-                                                                values:
-                                                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                  type: array
-                                                                  items:
-                                                                    type: string
-                                                          matchLabels:
-                                                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                            type: object
-                                                            additionalProperties:
-                                                              type: string
-                                                      namespaceSelector:
-                                                        description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                        type: object
-                                                        properties:
-                                                          matchExpressions:
-                                                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                            type: array
-                                                            items:
-                                                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                              type: object
-                                                              required:
-                                                                - key
-                                                                - operator
-                                                              properties:
-                                                                key:
-                                                                  description: key is the label key that the selector applies to.
-                                                                  type: string
-                                                                operator:
-                                                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                  type: string
-                                                                values:
-                                                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                  type: array
-                                                                  items:
-                                                                    type: string
-                                                          matchLabels:
-                                                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                            type: object
-                                                            additionalProperties:
-                                                              type: string
-                                                      namespaces:
-                                                        description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                        type: array
-                                                        items:
-                                                          type: string
-                                                      topologyKey:
-                                                        description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                        type: string
-                                                  weight:
-                                                    description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
-                                                    type: integer
-                                                    format: int32
-                                            requiredDuringSchedulingIgnoredDuringExecution:
-                                              description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                              type: array
-                                              items:
-                                                description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
-                                                type: object
-                                                required:
-                                                  - topologyKey
-                                                properties:
-                                                  labelSelector:
-                                                    description: A label query over a set of resources, in this case pods.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                        type: array
-                                                        items:
-                                                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: key is the label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                              type: string
-                                                            values:
-                                                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                      matchLabels:
-                                                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                        type: object
-                                                        additionalProperties:
-                                                          type: string
-                                                  namespaceSelector:
-                                                    description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                        type: array
-                                                        items:
-                                                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: key is the label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                              type: string
-                                                            values:
-                                                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                      matchLabels:
-                                                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                        type: object
-                                                        additionalProperties:
-                                                          type: string
-                                                  namespaces:
-                                                    description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                    type: array
-                                                    items:
-                                                      type: string
-                                                  topologyKey:
-                                                    description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                    type: string
-                                        podAntiAffinity:
-                                          description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
-                                          type: object
-                                          properties:
-                                            preferredDuringSchedulingIgnoredDuringExecution:
-                                              description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
-                                              type: array
-                                              items:
-                                                description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                type: object
-                                                required:
-                                                  - podAffinityTerm
-                                                  - weight
-                                                properties:
-                                                  podAffinityTerm:
-                                                    description: Required. A pod affinity term, associated with the corresponding weight.
-                                                    type: object
-                                                    required:
-                                                      - topologyKey
-                                                    properties:
-                                                      labelSelector:
-                                                        description: A label query over a set of resources, in this case pods.
-                                                        type: object
-                                                        properties:
-                                                          matchExpressions:
-                                                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                            type: array
-                                                            items:
-                                                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                              type: object
-                                                              required:
-                                                                - key
-                                                                - operator
-                                                              properties:
-                                                                key:
-                                                                  description: key is the label key that the selector applies to.
-                                                                  type: string
-                                                                operator:
-                                                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                  type: string
-                                                                values:
-                                                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                  type: array
-                                                                  items:
-                                                                    type: string
-                                                          matchLabels:
-                                                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                            type: object
-                                                            additionalProperties:
-                                                              type: string
-                                                      namespaceSelector:
-                                                        description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                        type: object
-                                                        properties:
-                                                          matchExpressions:
-                                                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                            type: array
-                                                            items:
-                                                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                              type: object
-                                                              required:
-                                                                - key
-                                                                - operator
-                                                              properties:
-                                                                key:
-                                                                  description: key is the label key that the selector applies to.
-                                                                  type: string
-                                                                operator:
-                                                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                  type: string
-                                                                values:
-                                                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                  type: array
-                                                                  items:
-                                                                    type: string
-                                                          matchLabels:
-                                                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                            type: object
-                                                            additionalProperties:
-                                                              type: string
-                                                      namespaces:
-                                                        description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                        type: array
-                                                        items:
-                                                          type: string
-                                                      topologyKey:
-                                                        description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                        type: string
-                                                  weight:
-                                                    description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
-                                                    type: integer
-                                                    format: int32
-                                            requiredDuringSchedulingIgnoredDuringExecution:
-                                              description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                              type: array
-                                              items:
-                                                description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
-                                                type: object
-                                                required:
-                                                  - topologyKey
-                                                properties:
-                                                  labelSelector:
-                                                    description: A label query over a set of resources, in this case pods.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                        type: array
-                                                        items:
-                                                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: key is the label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                              type: string
-                                                            values:
-                                                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                      matchLabels:
-                                                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                        type: object
-                                                        additionalProperties:
-                                                          type: string
-                                                  namespaceSelector:
-                                                    description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                        type: array
-                                                        items:
-                                                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: key is the label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                              type: string
-                                                            values:
-                                                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                      matchLabels:
-                                                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                        type: object
-                                                        additionalProperties:
-                                                          type: string
-                                                  namespaces:
-                                                    description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                    type: array
-                                                    items:
-                                                      type: string
-                                                  topologyKey:
-                                                    description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                    type: string
-                                    nodeSelector:
-                                      description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
-                                      type: object
-                                      additionalProperties:
-                                        type: string
-                                    priorityClassName:
-                                      description: If specified, the pod's priorityClassName.
-                                      type: string
-                                    serviceAccountName:
-                                      description: If specified, the pod's service account
-                                      type: string
-                                    tolerations:
-                                      description: If specified, the pod's tolerations.
-                                      type: array
-                                      items:
-                                        description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
-                                        type: object
-                                        properties:
-                                          effect:
-                                            description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
-                                            type: string
-                                          key:
-                                            description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
-                                            type: string
-                                          operator:
-                                            description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
-                                            type: string
-                                          tolerationSeconds:
-                                            description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
-                                            type: integer
-                                            format: int64
-                                          value:
-                                            description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
-                                            type: string
-                            serviceType:
-                              description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
-                              type: string
-                    selector:
-                      description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
-                      type: object
-                      properties:
-                        dnsNames:
-                          description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
-                          type: array
-                          items:
-                            type: string
-                        dnsZones:
-                          description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
-                          type: array
-                          items:
-                            type: string
-                        matchLabels:
-                          description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
-                          type: object
-                          additionalProperties:
-                            type: string
-                token:
-                  description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server.
-                  type: string
-                type:
-                  description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01".
-                  type: string
-                  enum:
-                    - HTTP-01
-                    - DNS-01
-                url:
-                  description: The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
-                  type: string
-                wildcard:
-                  description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
-                  type: boolean
-            status:
-              type: object
-              properties:
-                presented:
-                  description: presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
-                  type: boolean
-                processing:
-                  description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
-                  type: boolean
-                reason:
-                  description: Contains human readable information on why the Challenge is in the current state.
-                  type: string
-                state:
-                  description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
-                  type: string
-                  enum:
-                    - valid
-                    - ready
-                    - pending
-                    - processing
-                    - invalid
-                    - expired
-                    - errored
-      served: true
-      storage: false
-      subresources:
-        status: {}
-    - additionalPrinterColumns:
-        - jsonPath: .status.state
-          name: State
-          type: string
-        - jsonPath: .spec.dnsName
-          name: Domain
-          type: string
-        - jsonPath: .status.reason
-          name: Reason
-          priority: 1
-          type: string
-        - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          jsonPath: .metadata.creationTimestamp
-          name: Age
-          type: date
-      name: v1
-      schema:
-        openAPIV3Schema:
-          description: Challenge is a type to represent a Challenge request with an ACME server
-          type: object
-          required:
-            - metadata
-            - spec
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              type: object
-              required:
-                - authorizationURL
-                - dnsName
-                - issuerRef
-                - key
-                - solver
-                - token
-                - type
-                - url
-              properties:
-                authorizationURL:
-                  description: The URL to the ACME Authorization resource that this challenge is a part of.
-                  type: string
-                dnsName:
-                  description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
-                  type: string
-                issuerRef:
-                  description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
-                  type: object
-                  required:
-                    - name
-                  properties:
-                    group:
-                      description: Group of the resource being referred to.
-                      type: string
-                    kind:
-                      description: Kind of the resource being referred to.
-                      type: string
-                    name:
-                      description: Name of the resource being referred to.
-                      type: string
-                key:
-                  description: 'The ACME challenge key for this challenge For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.'
-                  type: string
-                solver:
-                  description: Contains the domain solving configuration that should be used to solve this challenge resource.
-                  type: object
-                  properties:
-                    dns01:
-                      description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
-                      type: object
-                      properties:
-                        acmeDNS:
-                          description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - accountSecretRef
-                            - host
-                          properties:
-                            accountSecretRef:
-                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            host:
-                              type: string
-                        akamai:
-                          description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - accessTokenSecretRef
-                            - clientSecretSecretRef
-                            - clientTokenSecretRef
-                            - serviceConsumerDomain
-                          properties:
-                            accessTokenSecretRef:
-                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            clientSecretSecretRef:
-                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            clientTokenSecretRef:
-                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            serviceConsumerDomain:
-                              type: string
-                        azureDNS:
-                          description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - resourceGroupName
-                            - subscriptionID
-                          properties:
-                            clientID:
-                              description: if both this and ClientSecret are left unset MSI will be used
-                              type: string
-                            clientSecretSecretRef:
-                              description: if both this and ClientID are left unset MSI will be used
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            environment:
-                              type: string
-                              enum:
-                                - AzurePublicCloud
-                                - AzureChinaCloud
-                                - AzureGermanCloud
-                                - AzureUSGovernmentCloud
-                            hostedZoneName:
-                              type: string
-                            resourceGroupName:
-                              type: string
-                            subscriptionID:
-                              type: string
-                            tenantID:
-                              description: when specifying ClientID and ClientSecret then this field is also needed
-                              type: string
-                        cloudDNS:
-                          description: Use the Google Cloud DNS API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - project
-                          properties:
-                            hostedZoneName:
-                              description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
-                              type: string
-                            project:
-                              type: string
-                            serviceAccountSecretRef:
-                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        cloudflare:
-                          description: Use the Cloudflare API to manage DNS01 challenge records.
-                          type: object
-                          properties:
-                            apiKeySecretRef:
-                              description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            apiTokenSecretRef:
-                              description: API token used to authenticate with Cloudflare.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            email:
-                              description: Email of the account, only required when using API key based authentication.
-                              type: string
-                        cnameStrategy:
-                          description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
-                          type: string
-                          enum:
-                            - None
-                            - Follow
-                        digitalocean:
-                          description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - tokenSecretRef
-                          properties:
-                            tokenSecretRef:
-                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        rfc2136:
-                          description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - nameserver
-                          properties:
-                            nameserver:
-                              description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
-                              type: string
-                            tsigAlgorithm:
-                              description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
-                              type: string
-                            tsigKeyName:
-                              description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
-                              type: string
-                            tsigSecretSecretRef:
-                              description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        route53:
-                          description: Use the AWS Route53 API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - region
-                          properties:
-                            accessKeyID:
-                              description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
-                              type: string
-                            hostedZoneID:
-                              description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
-                              type: string
-                            region:
-                              description: Always set the region when using AccessKeyID and SecretAccessKey
-                              type: string
-                            role:
-                              description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
-                              type: string
-                            secretAccessKeySecretRef:
-                              description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        webhook:
-                          description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - groupName
-                            - solverName
-                          properties:
-                            config:
-                              description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
-                              x-kubernetes-preserve-unknown-fields: true
-                            groupName:
-                              description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
-                              type: string
-                            solverName:
-                              description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
-                              type: string
-                    http01:
-                      description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
-                      type: object
-                      properties:
-                        gatewayHTTPRoute:
-                          description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
-                          type: object
-                          properties:
-                            labels:
-                              description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
-                              type: object
-                              additionalProperties:
-                                type: string
-                            serviceType:
-                              description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
-                              type: string
-                        ingress:
-                          description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
-                          type: object
-                          properties:
-                            class:
-                              description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
-                              type: string
-                            ingressTemplate:
-                              description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
-                              type: object
-                              properties:
-                                metadata:
-                                  description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
-                                  type: object
-                                  properties:
-                                    annotations:
-                                      description: Annotations that should be added to the created ACME HTTP01 solver ingress.
-                                      type: object
-                                      additionalProperties:
-                                        type: string
-                                    labels:
-                                      description: Labels that should be added to the created ACME HTTP01 solver ingress.
-                                      type: object
-                                      additionalProperties:
-                                        type: string
-                            name:
-                              description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
-                              type: string
-                            podTemplate:
-                              description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
-                              type: object
-                              properties:
-                                metadata:
-                                  description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
-                                  type: object
-                                  properties:
-                                    annotations:
-                                      description: Annotations that should be added to the create ACME HTTP01 solver pods.
-                                      type: object
-                                      additionalProperties:
-                                        type: string
-                                    labels:
-                                      description: Labels that should be added to the created ACME HTTP01 solver pods.
-                                      type: object
-                                      additionalProperties:
-                                        type: string
-                                spec:
-                                  description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
-                                  type: object
-                                  properties:
-                                    affinity:
-                                      description: If specified, the pod's scheduling constraints
-                                      type: object
-                                      properties:
-                                        nodeAffinity:
-                                          description: Describes node affinity scheduling rules for the pod.
-                                          type: object
-                                          properties:
-                                            preferredDuringSchedulingIgnoredDuringExecution:
-                                              description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
-                                              type: array
-                                              items:
-                                                description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
-                                                type: object
-                                                required:
-                                                  - preference
-                                                  - weight
-                                                properties:
-                                                  preference:
-                                                    description: A node selector term, associated with the corresponding weight.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: A list of node selector requirements by node's labels.
-                                                        type: array
-                                                        items:
-                                                          description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: The label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                              type: string
-                                                            values:
-                                                              description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                      matchFields:
-                                                        description: A list of node selector requirements by node's fields.
-                                                        type: array
-                                                        items:
-                                                          description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: The label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                              type: string
-                                                            values:
-                                                              description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                  weight:
-                                                    description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
-                                                    type: integer
-                                                    format: int32
-                                            requiredDuringSchedulingIgnoredDuringExecution:
-                                              description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
-                                              type: object
-                                              required:
-                                                - nodeSelectorTerms
-                                              properties:
-                                                nodeSelectorTerms:
-                                                  description: Required. A list of node selector terms. The terms are ORed.
-                                                  type: array
-                                                  items:
-                                                    description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: A list of node selector requirements by node's labels.
-                                                        type: array
-                                                        items:
-                                                          description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: The label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                              type: string
-                                                            values:
-                                                              description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                      matchFields:
-                                                        description: A list of node selector requirements by node's fields.
-                                                        type: array
-                                                        items:
-                                                          description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: The label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                              type: string
-                                                            values:
-                                                              description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                        podAffinity:
-                                          description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
-                                          type: object
-                                          properties:
-                                            preferredDuringSchedulingIgnoredDuringExecution:
-                                              description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
-                                              type: array
-                                              items:
-                                                description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                type: object
-                                                required:
-                                                  - podAffinityTerm
-                                                  - weight
-                                                properties:
-                                                  podAffinityTerm:
-                                                    description: Required. A pod affinity term, associated with the corresponding weight.
-                                                    type: object
-                                                    required:
-                                                      - topologyKey
-                                                    properties:
-                                                      labelSelector:
-                                                        description: A label query over a set of resources, in this case pods.
-                                                        type: object
-                                                        properties:
-                                                          matchExpressions:
-                                                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                            type: array
-                                                            items:
-                                                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                              type: object
-                                                              required:
-                                                                - key
-                                                                - operator
-                                                              properties:
-                                                                key:
-                                                                  description: key is the label key that the selector applies to.
-                                                                  type: string
-                                                                operator:
-                                                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                  type: string
-                                                                values:
-                                                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                  type: array
-                                                                  items:
-                                                                    type: string
-                                                          matchLabels:
-                                                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                            type: object
-                                                            additionalProperties:
-                                                              type: string
-                                                      namespaceSelector:
-                                                        description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                        type: object
-                                                        properties:
-                                                          matchExpressions:
-                                                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                            type: array
-                                                            items:
-                                                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                              type: object
-                                                              required:
-                                                                - key
-                                                                - operator
-                                                              properties:
-                                                                key:
-                                                                  description: key is the label key that the selector applies to.
-                                                                  type: string
-                                                                operator:
-                                                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                  type: string
-                                                                values:
-                                                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                  type: array
-                                                                  items:
-                                                                    type: string
-                                                          matchLabels:
-                                                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                            type: object
-                                                            additionalProperties:
-                                                              type: string
-                                                      namespaces:
-                                                        description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                        type: array
-                                                        items:
-                                                          type: string
-                                                      topologyKey:
-                                                        description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                        type: string
-                                                  weight:
-                                                    description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
-                                                    type: integer
-                                                    format: int32
-                                            requiredDuringSchedulingIgnoredDuringExecution:
-                                              description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                              type: array
-                                              items:
-                                                description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
-                                                type: object
-                                                required:
-                                                  - topologyKey
-                                                properties:
-                                                  labelSelector:
-                                                    description: A label query over a set of resources, in this case pods.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                        type: array
-                                                        items:
-                                                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: key is the label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                              type: string
-                                                            values:
-                                                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                      matchLabels:
-                                                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                        type: object
-                                                        additionalProperties:
-                                                          type: string
-                                                  namespaceSelector:
-                                                    description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                        type: array
-                                                        items:
-                                                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: key is the label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                              type: string
-                                                            values:
-                                                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                      matchLabels:
-                                                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                        type: object
-                                                        additionalProperties:
-                                                          type: string
-                                                  namespaces:
-                                                    description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                    type: array
-                                                    items:
-                                                      type: string
-                                                  topologyKey:
-                                                    description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                    type: string
-                                        podAntiAffinity:
-                                          description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
-                                          type: object
-                                          properties:
-                                            preferredDuringSchedulingIgnoredDuringExecution:
-                                              description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
-                                              type: array
-                                              items:
-                                                description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                type: object
-                                                required:
-                                                  - podAffinityTerm
-                                                  - weight
-                                                properties:
-                                                  podAffinityTerm:
-                                                    description: Required. A pod affinity term, associated with the corresponding weight.
-                                                    type: object
-                                                    required:
-                                                      - topologyKey
-                                                    properties:
-                                                      labelSelector:
-                                                        description: A label query over a set of resources, in this case pods.
-                                                        type: object
-                                                        properties:
-                                                          matchExpressions:
-                                                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                            type: array
-                                                            items:
-                                                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                              type: object
-                                                              required:
-                                                                - key
-                                                                - operator
-                                                              properties:
-                                                                key:
-                                                                  description: key is the label key that the selector applies to.
-                                                                  type: string
-                                                                operator:
-                                                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                  type: string
-                                                                values:
-                                                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                  type: array
-                                                                  items:
-                                                                    type: string
-                                                          matchLabels:
-                                                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                            type: object
-                                                            additionalProperties:
-                                                              type: string
-                                                      namespaceSelector:
-                                                        description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                        type: object
-                                                        properties:
-                                                          matchExpressions:
-                                                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                            type: array
-                                                            items:
-                                                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                              type: object
-                                                              required:
-                                                                - key
-                                                                - operator
-                                                              properties:
-                                                                key:
-                                                                  description: key is the label key that the selector applies to.
-                                                                  type: string
-                                                                operator:
-                                                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                  type: string
-                                                                values:
-                                                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                  type: array
-                                                                  items:
-                                                                    type: string
-                                                          matchLabels:
-                                                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                            type: object
-                                                            additionalProperties:
-                                                              type: string
-                                                      namespaces:
-                                                        description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                        type: array
-                                                        items:
-                                                          type: string
-                                                      topologyKey:
-                                                        description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                        type: string
-                                                  weight:
-                                                    description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
-                                                    type: integer
-                                                    format: int32
-                                            requiredDuringSchedulingIgnoredDuringExecution:
-                                              description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                              type: array
-                                              items:
-                                                description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
-                                                type: object
-                                                required:
-                                                  - topologyKey
-                                                properties:
-                                                  labelSelector:
-                                                    description: A label query over a set of resources, in this case pods.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                        type: array
-                                                        items:
-                                                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: key is the label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                              type: string
-                                                            values:
-                                                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                      matchLabels:
-                                                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                        type: object
-                                                        additionalProperties:
-                                                          type: string
-                                                  namespaceSelector:
-                                                    description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                        type: array
-                                                        items:
-                                                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: key is the label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                              type: string
-                                                            values:
-                                                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                      matchLabels:
-                                                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                        type: object
-                                                        additionalProperties:
-                                                          type: string
-                                                  namespaces:
-                                                    description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                    type: array
-                                                    items:
-                                                      type: string
-                                                  topologyKey:
-                                                    description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                    type: string
-                                    nodeSelector:
-                                      description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
-                                      type: object
-                                      additionalProperties:
-                                        type: string
-                                    priorityClassName:
-                                      description: If specified, the pod's priorityClassName.
-                                      type: string
-                                    serviceAccountName:
-                                      description: If specified, the pod's service account
-                                      type: string
-                                    tolerations:
-                                      description: If specified, the pod's tolerations.
-                                      type: array
-                                      items:
-                                        description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
-                                        type: object
-                                        properties:
-                                          effect:
-                                            description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
-                                            type: string
-                                          key:
-                                            description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
-                                            type: string
-                                          operator:
-                                            description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
-                                            type: string
-                                          tolerationSeconds:
-                                            description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
-                                            type: integer
-                                            format: int64
-                                          value:
-                                            description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
-                                            type: string
-                            serviceType:
-                              description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
-                              type: string
-                    selector:
-                      description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
-                      type: object
-                      properties:
-                        dnsNames:
-                          description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
-                          type: array
-                          items:
-                            type: string
-                        dnsZones:
-                          description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
-                          type: array
-                          items:
-                            type: string
-                        matchLabels:
-                          description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
-                          type: object
-                          additionalProperties:
-                            type: string
-                token:
-                  description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server.
-                  type: string
-                type:
-                  description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01".
-                  type: string
-                  enum:
-                    - HTTP-01
-                    - DNS-01
-                url:
-                  description: The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
-                  type: string
-                wildcard:
-                  description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
-                  type: boolean
-            status:
-              type: object
-              properties:
-                presented:
-                  description: presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
-                  type: boolean
-                processing:
-                  description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
-                  type: boolean
-                reason:
-                  description: Contains human readable information on why the Challenge is in the current state.
-                  type: string
-                state:
-                  description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
-                  type: string
-                  enum:
-                    - valid
-                    - ready
-                    - pending
-                    - processing
-                    - invalid
-                    - expired
-                    - errored
-      served: true
-      storage: true
-      subresources:
-        status: {}
----
-# Source: cert-manager/templates/templates.out
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: clusterissuers.cert-manager.io
-  annotations:
-    cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
-  labels:
-    app: 'cert-manager'
-    app.kubernetes.io/name: 'cert-manager'
-    app.kubernetes.io/instance: 'cert-manager'
-    # Generated labels
-    app.kubernetes.io/version: "v1.5.4"
-spec:
-  group: cert-manager.io
-  names:
-    kind: ClusterIssuer
-    listKind: ClusterIssuerList
-    plural: clusterissuers
-    singular: clusterissuer
-    categories:
-      - cert-manager
-  scope: Cluster
-  conversion:
-    # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
-    strategy: Webhook
-    # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
-    webhook:
-      # We don't actually support `v1beta1` but is listed here as it is a
-      # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
-      # API server reads the supported versions in order, so _should always_
-      # attempt a `v1` request which is understood by the cert-manager webhook.
-      # Any `v1beta1` request will return an error and fail closed for that
-      # resource (the whole object request is rejected).
-      # When we no longer support v1.16 we can remove `v1beta1` from this list.
-      conversionReviewVersions: ["v1", "v1beta1"]
-      clientConfig:
-        #
-        service:
-          name: 'cert-manager-webhook'
-          namespace: "cert-manager"
-          path: /convert
-          #
-  versions:
-    - name: v1alpha2
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].message
-          name: Status
-          priority: 1
-          type: string
-        - jsonPath: .metadata.creationTimestamp
-          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          name: Age
-          type: date
-      schema:
-        openAPIV3Schema:
-          description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
-          type: object
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: Desired state of the ClusterIssuer resource.
-              type: object
-              properties:
-                acme:
-                  description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
-                  type: object
-                  required:
-                    - privateKeySecretRef
-                    - server
-                  properties:
-                    disableAccountKeyGeneration:
-                      description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
-                      type: boolean
-                    email:
-                      description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
-                      type: string
-                    enableDurationFeature:
-                      description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
-                      type: boolean
-                    externalAccountBinding:
-                      description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
-                      type: object
-                      required:
-                        - keyID
-                        - keySecretRef
-                      properties:
-                        keyAlgorithm:
-                          description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
-                          type: string
-                          enum:
-                            - HS256
-                            - HS384
-                            - HS512
-                        keyID:
-                          description: keyID is the ID of the CA key that the External Account is bound to.
-                          type: string
-                        keySecretRef:
-                          description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                    preferredChain:
-                      description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
-                      type: string
-                      maxLength: 64
-                    privateKeySecretRef:
-                      description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
-                      type: object
-                      required:
-                        - name
-                      properties:
-                        key:
-                          description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                          type: string
-                        name:
-                          description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                          type: string
-                    server:
-                      description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
-                      type: string
-                    skipTLSVerify:
-                      description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
-                      type: boolean
-                    solvers:
-                      description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
-                      type: array
-                      items:
-                        description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided.
-                        type: object
-                        properties:
-                          dns01:
-                            description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
-                            type: object
-                            properties:
-                              acmedns:
-                                description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - accountSecretRef
-                                  - host
-                                properties:
-                                  accountSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  host:
-                                    type: string
-                              akamai:
-                                description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - accessTokenSecretRef
-                                  - clientSecretSecretRef
-                                  - clientTokenSecretRef
-                                  - serviceConsumerDomain
-                                properties:
-                                  accessTokenSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  clientSecretSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  clientTokenSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  serviceConsumerDomain:
-                                    type: string
-                              azuredns:
-                                description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - resourceGroupName
-                                  - subscriptionID
-                                properties:
-                                  clientID:
-                                    description: if both this and ClientSecret are left unset MSI will be used
-                                    type: string
-                                  clientSecretSecretRef:
-                                    description: if both this and ClientID are left unset MSI will be used
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  environment:
-                                    type: string
-                                    enum:
-                                      - AzurePublicCloud
-                                      - AzureChinaCloud
-                                      - AzureGermanCloud
-                                      - AzureUSGovernmentCloud
-                                  hostedZoneName:
-                                    type: string
-                                  resourceGroupName:
-                                    type: string
-                                  subscriptionID:
-                                    type: string
-                                  tenantID:
-                                    description: when specifying ClientID and ClientSecret then this field is also needed
-                                    type: string
-                              clouddns:
-                                description: Use the Google Cloud DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - project
-                                properties:
-                                  hostedZoneName:
-                                    description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
-                                    type: string
-                                  project:
-                                    type: string
-                                  serviceAccountSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              cloudflare:
-                                description: Use the Cloudflare API to manage DNS01 challenge records.
-                                type: object
-                                properties:
-                                  apiKeySecretRef:
-                                    description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  apiTokenSecretRef:
-                                    description: API token used to authenticate with Cloudflare.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  email:
-                                    description: Email of the account, only required when using API key based authentication.
-                                    type: string
-                              cnameStrategy:
-                                description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
-                                type: string
-                                enum:
-                                  - None
-                                  - Follow
-                              digitalocean:
-                                description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - tokenSecretRef
-                                properties:
-                                  tokenSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              rfc2136:
-                                description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - nameserver
-                                properties:
-                                  nameserver:
-                                    description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
-                                    type: string
-                                  tsigAlgorithm:
-                                    description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
-                                    type: string
-                                  tsigKeyName:
-                                    description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
-                                    type: string
-                                  tsigSecretSecretRef:
-                                    description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              route53:
-                                description: Use the AWS Route53 API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - region
-                                properties:
-                                  accessKeyID:
-                                    description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
-                                    type: string
-                                  hostedZoneID:
-                                    description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
-                                    type: string
-                                  region:
-                                    description: Always set the region when using AccessKeyID and SecretAccessKey
-                                    type: string
-                                  role:
-                                    description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
-                                    type: string
-                                  secretAccessKeySecretRef:
-                                    description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              webhook:
-                                description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - groupName
-                                  - solverName
-                                properties:
-                                  config:
-                                    description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
-                                    x-kubernetes-preserve-unknown-fields: true
-                                  groupName:
-                                    description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
-                                    type: string
-                                  solverName:
-                                    description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
-                                    type: string
-                          http01:
-                            description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
-                            type: object
-                            properties:
-                              gatewayHTTPRoute:
-                                description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
-                                type: object
-                                properties:
-                                  labels:
-                                    description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
-                                    type: object
-                                    additionalProperties:
-                                      type: string
-                                  serviceType:
-                                    description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
-                                    type: string
-                              ingress:
-                                description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
-                                type: object
-                                properties:
-                                  class:
-                                    description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
-                                    type: string
-                                  ingressTemplate:
-                                    description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges
-                                    type: object
-                                    properties:
-                                      metadata:
-                                        description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
-                                        type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added to the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                  name:
-                                    description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
-                                    type: string
-                                  podTemplate:
-                                    description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
-                                    type: object
-                                    properties:
-                                      metadata:
-                                        description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
-                                        type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added to the create ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to the created ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                      spec:
-                                        description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
-                                        type: object
-                                        properties:
-                                          affinity:
-                                            description: If specified, the pod's scheduling constraints
-                                            type: object
-                                            properties:
-                                              nodeAffinity:
-                                                description: Describes node affinity scheduling rules for the pod.
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
-                                                      type: object
-                                                      required:
-                                                        - preference
-                                                        - weight
-                                                      properties:
-                                                        preference:
-                                                          description: A node selector term, associated with the corresponding weight.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node selector requirements by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchFields:
-                                                              description: A list of node selector requirements by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                        weight:
-                                                          description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
-                                                    type: object
-                                                    required:
-                                                      - nodeSelectorTerms
-                                                    properties:
-                                                      nodeSelectorTerms:
-                                                        description: Required. A list of node selector terms. The terms are ORed.
-                                                        type: array
-                                                        items:
-                                                          description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node selector requirements by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchFields:
-                                                              description: A list of node selector requirements by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                              podAffinity:
-                                                description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                      type: object
-                                                      required:
-                                                        - podAffinityTerm
-                                                        - weight
-                                                      properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod affinity term, associated with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                            - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: A label query over a set of resources, in this case pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaceSelector:
-                                                              description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaces:
-                                                              description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                            topologyKey:
-                                                              description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
-                                                      type: object
-                                                      required:
-                                                        - topologyKey
-                                                      properties:
-                                                        labelSelector:
-                                                          description: A label query over a set of resources, in this case pods.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaceSelector:
-                                                          description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaces:
-                                                          description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                        topologyKey:
-                                                          description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                          type: string
-                                              podAntiAffinity:
-                                                description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                      type: object
-                                                      required:
-                                                        - podAffinityTerm
-                                                        - weight
-                                                      properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod affinity term, associated with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                            - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: A label query over a set of resources, in this case pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaceSelector:
-                                                              description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaces:
-                                                              description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                            topologyKey:
-                                                              description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
-                                                      type: object
-                                                      required:
-                                                        - topologyKey
-                                                      properties:
-                                                        labelSelector:
-                                                          description: A label query over a set of resources, in this case pods.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaceSelector:
-                                                          description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaces:
-                                                          description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                        topologyKey:
-                                                          description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                          type: string
-                                          nodeSelector:
-                                            description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          priorityClassName:
-                                            description: If specified, the pod's priorityClassName.
-                                            type: string
-                                          serviceAccountName:
-                                            description: If specified, the pod's service account
-                                            type: string
-                                          tolerations:
-                                            description: If specified, the pod's tolerations.
-                                            type: array
-                                            items:
-                                              description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
-                                              type: object
-                                              properties:
-                                                effect:
-                                                  description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
-                                                  type: string
-                                                key:
-                                                  description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
-                                                  type: string
-                                                operator:
-                                                  description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
-                                                  type: string
-                                                tolerationSeconds:
-                                                  description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
-                                                  type: integer
-                                                  format: int64
-                                                value:
-                                                  description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
-                                                  type: string
-                                  serviceType:
-                                    description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
-                                    type: string
-                          selector:
-                            description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
-                            type: object
-                            properties:
-                              dnsNames:
-                                description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              dnsZones:
-                                description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              matchLabels:
-                                description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
-                                type: object
-                                additionalProperties:
-                                  type: string
-                ca:
-                  description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
-                  type: object
-                  required:
-                    - secretName
-                  properties:
-                    crlDistributionPoints:
-                      description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
-                      type: array
-                      items:
-                        type: string
-                    ocspServers:
-                      description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
-                      type: array
-                      items:
-                        type: string
-                    secretName:
-                      description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
-                      type: string
-                selfSigned:
-                  description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
-                  type: object
-                  properties:
-                    crlDistributionPoints:
-                      description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
-                      type: array
-                      items:
-                        type: string
-                vault:
-                  description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
-                  type: object
-                  required:
-                    - auth
-                    - path
-                    - server
-                  properties:
-                    auth:
-                      description: Auth configures how cert-manager authenticates with the Vault server.
-                      type: object
-                      properties:
-                        appRole:
-                          description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
-                          type: object
-                          required:
-                            - path
-                            - roleId
-                            - secretRef
-                          properties:
-                            path:
-                              description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
-                              type: string
-                            roleId:
-                              description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
-                              type: string
-                            secretRef:
-                              description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        kubernetes:
-                          description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
-                          type: object
-                          required:
-                            - role
-                            - secretRef
-                          properties:
-                            mountPath:
-                              description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
-                              type: string
-                            role:
-                              description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
-                              type: string
-                            secretRef:
-                              description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        tokenSecretRef:
-                          description: TokenSecretRef authenticates with Vault by presenting a token.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                    caBundle:
-                      description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
-                      type: string
-                      format: byte
-                    namespace:
-                      description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
-                      type: string
-                    path:
-                      description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
-                      type: string
-                    server:
-                      description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                      type: string
-                venafi:
-                  description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
-                  type: object
-                  required:
-                    - zone
-                  properties:
-                    cloud:
-                      description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
-                      type: object
-                      required:
-                        - apiTokenSecretRef
-                      properties:
-                        apiTokenSecretRef:
-                          description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                        url:
-                          description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
-                          type: string
-                    tpp:
-                      description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
-                      type: object
-                      required:
-                        - credentialsRef
-                        - url
-                      properties:
-                        caBundle:
-                          description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
-                          type: string
-                          format: byte
-                        credentialsRef:
-                          description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                        url:
-                          description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
-                          type: string
-                    zone:
-                      description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
-                      type: string
-            status:
-              description: Status of the ClusterIssuer. This is set and managed automatically.
-              type: object
-              properties:
-                acme:
-                  description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
-                  type: object
-                  properties:
-                    lastRegisteredEmail:
-                      description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the  Issuer
-                      type: string
-                    uri:
-                      description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
-                      type: string
-                conditions:
-                  description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
-                  type: array
-                  items:
-                    description: IssuerCondition contains condition information for an Issuer.
-                    type: object
-                    required:
-                      - status
-                      - type
-                    properties:
-                      lastTransitionTime:
-                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
-                        type: string
-                        format: date-time
-                      message:
-                        description: Message is a human readable description of the details of the last transition, complementing reason.
-                        type: string
-                      observedGeneration:
-                        description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
-                        type: integer
-                        format: int64
-                      reason:
-                        description: Reason is a brief machine readable explanation for the condition's last transition.
-                        type: string
-                      status:
-                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
-                        type: string
-                        enum:
-                          - "True"
-                          - "False"
-                          - Unknown
-                      type:
-                        description: Type of the condition, known values are (`Ready`).
-                        type: string
-      served: true
-      storage: false
-    - name: v1alpha3
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].message
-          name: Status
-          priority: 1
-          type: string
-        - jsonPath: .metadata.creationTimestamp
-          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          name: Age
-          type: date
-      schema:
-        openAPIV3Schema:
-          description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
-          type: object
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: Desired state of the ClusterIssuer resource.
-              type: object
-              properties:
-                acme:
-                  description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
-                  type: object
-                  required:
-                    - privateKeySecretRef
-                    - server
-                  properties:
-                    disableAccountKeyGeneration:
-                      description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
-                      type: boolean
-                    email:
-                      description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
-                      type: string
-                    enableDurationFeature:
-                      description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
-                      type: boolean
-                    externalAccountBinding:
-                      description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
-                      type: object
-                      required:
-                        - keyID
-                        - keySecretRef
-                      properties:
-                        keyAlgorithm:
-                          description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
-                          type: string
-                          enum:
-                            - HS256
-                            - HS384
-                            - HS512
-                        keyID:
-                          description: keyID is the ID of the CA key that the External Account is bound to.
-                          type: string
-                        keySecretRef:
-                          description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                    preferredChain:
-                      description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
-                      type: string
-                      maxLength: 64
-                    privateKeySecretRef:
-                      description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
-                      type: object
-                      required:
-                        - name
-                      properties:
-                        key:
-                          description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                          type: string
-                        name:
-                          description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                          type: string
-                    server:
-                      description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
-                      type: string
-                    skipTLSVerify:
-                      description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
-                      type: boolean
-                    solvers:
-                      description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
-                      type: array
-                      items:
-                        description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided.
-                        type: object
-                        properties:
-                          dns01:
-                            description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
-                            type: object
-                            properties:
-                              acmedns:
-                                description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - accountSecretRef
-                                  - host
-                                properties:
-                                  accountSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  host:
-                                    type: string
-                              akamai:
-                                description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - accessTokenSecretRef
-                                  - clientSecretSecretRef
-                                  - clientTokenSecretRef
-                                  - serviceConsumerDomain
-                                properties:
-                                  accessTokenSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  clientSecretSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  clientTokenSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  serviceConsumerDomain:
-                                    type: string
-                              azuredns:
-                                description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - resourceGroupName
-                                  - subscriptionID
-                                properties:
-                                  clientID:
-                                    description: if both this and ClientSecret are left unset MSI will be used
-                                    type: string
-                                  clientSecretSecretRef:
-                                    description: if both this and ClientID are left unset MSI will be used
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  environment:
-                                    type: string
-                                    enum:
-                                      - AzurePublicCloud
-                                      - AzureChinaCloud
-                                      - AzureGermanCloud
-                                      - AzureUSGovernmentCloud
-                                  hostedZoneName:
-                                    type: string
-                                  resourceGroupName:
-                                    type: string
-                                  subscriptionID:
-                                    type: string
-                                  tenantID:
-                                    description: when specifying ClientID and ClientSecret then this field is also needed
-                                    type: string
-                              clouddns:
-                                description: Use the Google Cloud DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - project
-                                properties:
-                                  hostedZoneName:
-                                    description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
-                                    type: string
-                                  project:
-                                    type: string
-                                  serviceAccountSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              cloudflare:
-                                description: Use the Cloudflare API to manage DNS01 challenge records.
-                                type: object
-                                properties:
-                                  apiKeySecretRef:
-                                    description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  apiTokenSecretRef:
-                                    description: API token used to authenticate with Cloudflare.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  email:
-                                    description: Email of the account, only required when using API key based authentication.
-                                    type: string
-                              cnameStrategy:
-                                description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
-                                type: string
-                                enum:
-                                  - None
-                                  - Follow
-                              digitalocean:
-                                description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - tokenSecretRef
-                                properties:
-                                  tokenSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              rfc2136:
-                                description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - nameserver
-                                properties:
-                                  nameserver:
-                                    description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
-                                    type: string
-                                  tsigAlgorithm:
-                                    description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
-                                    type: string
-                                  tsigKeyName:
-                                    description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
-                                    type: string
-                                  tsigSecretSecretRef:
-                                    description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              route53:
-                                description: Use the AWS Route53 API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - region
-                                properties:
-                                  accessKeyID:
-                                    description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
-                                    type: string
-                                  hostedZoneID:
-                                    description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
-                                    type: string
-                                  region:
-                                    description: Always set the region when using AccessKeyID and SecretAccessKey
-                                    type: string
-                                  role:
-                                    description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
-                                    type: string
-                                  secretAccessKeySecretRef:
-                                    description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              webhook:
-                                description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - groupName
-                                  - solverName
-                                properties:
-                                  config:
-                                    description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
-                                    x-kubernetes-preserve-unknown-fields: true
-                                  groupName:
-                                    description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
-                                    type: string
-                                  solverName:
-                                    description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
-                                    type: string
-                          http01:
-                            description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
-                            type: object
-                            properties:
-                              gatewayHTTPRoute:
-                                description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
-                                type: object
-                                properties:
-                                  labels:
-                                    description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
-                                    type: object
-                                    additionalProperties:
-                                      type: string
-                                  serviceType:
-                                    description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
-                                    type: string
-                              ingress:
-                                description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
-                                type: object
-                                properties:
-                                  class:
-                                    description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
-                                    type: string
-                                  ingressTemplate:
-                                    description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges
-                                    type: object
-                                    properties:
-                                      metadata:
-                                        description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
-                                        type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added to the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                  name:
-                                    description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
-                                    type: string
-                                  podTemplate:
-                                    description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
-                                    type: object
-                                    properties:
-                                      metadata:
-                                        description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
-                                        type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added to the create ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to the created ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                      spec:
-                                        description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
-                                        type: object
-                                        properties:
-                                          affinity:
-                                            description: If specified, the pod's scheduling constraints
-                                            type: object
-                                            properties:
-                                              nodeAffinity:
-                                                description: Describes node affinity scheduling rules for the pod.
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
-                                                      type: object
-                                                      required:
-                                                        - preference
-                                                        - weight
-                                                      properties:
-                                                        preference:
-                                                          description: A node selector term, associated with the corresponding weight.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node selector requirements by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchFields:
-                                                              description: A list of node selector requirements by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                        weight:
-                                                          description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
-                                                    type: object
-                                                    required:
-                                                      - nodeSelectorTerms
-                                                    properties:
-                                                      nodeSelectorTerms:
-                                                        description: Required. A list of node selector terms. The terms are ORed.
-                                                        type: array
-                                                        items:
-                                                          description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node selector requirements by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchFields:
-                                                              description: A list of node selector requirements by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                              podAffinity:
-                                                description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                      type: object
-                                                      required:
-                                                        - podAffinityTerm
-                                                        - weight
-                                                      properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod affinity term, associated with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                            - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: A label query over a set of resources, in this case pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaceSelector:
-                                                              description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaces:
-                                                              description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                            topologyKey:
-                                                              description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
-                                                      type: object
-                                                      required:
-                                                        - topologyKey
-                                                      properties:
-                                                        labelSelector:
-                                                          description: A label query over a set of resources, in this case pods.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaceSelector:
-                                                          description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaces:
-                                                          description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                        topologyKey:
-                                                          description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                          type: string
-                                              podAntiAffinity:
-                                                description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                      type: object
-                                                      required:
-                                                        - podAffinityTerm
-                                                        - weight
-                                                      properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod affinity term, associated with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                            - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: A label query over a set of resources, in this case pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaceSelector:
-                                                              description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaces:
-                                                              description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                            topologyKey:
-                                                              description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
-                                                      type: object
-                                                      required:
-                                                        - topologyKey
-                                                      properties:
-                                                        labelSelector:
-                                                          description: A label query over a set of resources, in this case pods.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaceSelector:
-                                                          description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaces:
-                                                          description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                        topologyKey:
-                                                          description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                          type: string
-                                          nodeSelector:
-                                            description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          priorityClassName:
-                                            description: If specified, the pod's priorityClassName.
-                                            type: string
-                                          serviceAccountName:
-                                            description: If specified, the pod's service account
-                                            type: string
-                                          tolerations:
-                                            description: If specified, the pod's tolerations.
-                                            type: array
-                                            items:
-                                              description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
-                                              type: object
-                                              properties:
-                                                effect:
-                                                  description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
-                                                  type: string
-                                                key:
-                                                  description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
-                                                  type: string
-                                                operator:
-                                                  description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
-                                                  type: string
-                                                tolerationSeconds:
-                                                  description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
-                                                  type: integer
-                                                  format: int64
-                                                value:
-                                                  description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
-                                                  type: string
-                                  serviceType:
-                                    description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
-                                    type: string
-                          selector:
-                            description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
-                            type: object
-                            properties:
-                              dnsNames:
-                                description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              dnsZones:
-                                description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              matchLabels:
-                                description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
-                                type: object
-                                additionalProperties:
-                                  type: string
-                ca:
-                  description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
-                  type: object
-                  required:
-                    - secretName
-                  properties:
-                    crlDistributionPoints:
-                      description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
-                      type: array
-                      items:
-                        type: string
-                    ocspServers:
-                      description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
-                      type: array
-                      items:
-                        type: string
-                    secretName:
-                      description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
-                      type: string
-                selfSigned:
-                  description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
-                  type: object
-                  properties:
-                    crlDistributionPoints:
-                      description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
-                      type: array
-                      items:
-                        type: string
-                vault:
-                  description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
-                  type: object
-                  required:
-                    - auth
-                    - path
-                    - server
-                  properties:
-                    auth:
-                      description: Auth configures how cert-manager authenticates with the Vault server.
-                      type: object
-                      properties:
-                        appRole:
-                          description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
-                          type: object
-                          required:
-                            - path
-                            - roleId
-                            - secretRef
-                          properties:
-                            path:
-                              description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
-                              type: string
-                            roleId:
-                              description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
-                              type: string
-                            secretRef:
-                              description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        kubernetes:
-                          description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
-                          type: object
-                          required:
-                            - role
-                            - secretRef
-                          properties:
-                            mountPath:
-                              description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
-                              type: string
-                            role:
-                              description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
-                              type: string
-                            secretRef:
-                              description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        tokenSecretRef:
-                          description: TokenSecretRef authenticates with Vault by presenting a token.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                    caBundle:
-                      description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
-                      type: string
-                      format: byte
-                    namespace:
-                      description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
-                      type: string
-                    path:
-                      description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
-                      type: string
-                    server:
-                      description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                      type: string
-                venafi:
-                  description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
-                  type: object
-                  required:
-                    - zone
-                  properties:
-                    cloud:
-                      description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
-                      type: object
-                      required:
-                        - apiTokenSecretRef
-                      properties:
-                        apiTokenSecretRef:
-                          description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                        url:
-                          description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
-                          type: string
-                    tpp:
-                      description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
-                      type: object
-                      required:
-                        - credentialsRef
-                        - url
-                      properties:
-                        caBundle:
-                          description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
-                          type: string
-                          format: byte
-                        credentialsRef:
-                          description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                        url:
-                          description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
-                          type: string
-                    zone:
-                      description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
-                      type: string
-            status:
-              description: Status of the ClusterIssuer. This is set and managed automatically.
-              type: object
-              properties:
-                acme:
-                  description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
-                  type: object
-                  properties:
-                    lastRegisteredEmail:
-                      description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the  Issuer
-                      type: string
-                    uri:
-                      description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
-                      type: string
-                conditions:
-                  description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
-                  type: array
-                  items:
-                    description: IssuerCondition contains condition information for an Issuer.
-                    type: object
-                    required:
-                      - status
-                      - type
-                    properties:
-                      lastTransitionTime:
-                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
-                        type: string
-                        format: date-time
-                      message:
-                        description: Message is a human readable description of the details of the last transition, complementing reason.
-                        type: string
-                      observedGeneration:
-                        description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
-                        type: integer
-                        format: int64
-                      reason:
-                        description: Reason is a brief machine readable explanation for the condition's last transition.
-                        type: string
-                      status:
-                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
-                        type: string
-                        enum:
-                          - "True"
-                          - "False"
-                          - Unknown
-                      type:
-                        description: Type of the condition, known values are (`Ready`).
-                        type: string
-      served: true
-      storage: false
-    - name: v1beta1
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].message
-          name: Status
-          priority: 1
-          type: string
-        - jsonPath: .metadata.creationTimestamp
-          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          name: Age
-          type: date
-      schema:
-        openAPIV3Schema:
-          description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
-          type: object
-          required:
-            - spec
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: Desired state of the ClusterIssuer resource.
-              type: object
-              properties:
-                acme:
-                  description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
-                  type: object
-                  required:
-                    - privateKeySecretRef
-                    - server
-                  properties:
-                    disableAccountKeyGeneration:
-                      description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
-                      type: boolean
-                    email:
-                      description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
-                      type: string
-                    enableDurationFeature:
-                      description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
-                      type: boolean
-                    externalAccountBinding:
-                      description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
-                      type: object
-                      required:
-                        - keyID
-                        - keySecretRef
-                      properties:
-                        keyAlgorithm:
-                          description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
-                          type: string
-                          enum:
-                            - HS256
-                            - HS384
-                            - HS512
-                        keyID:
-                          description: keyID is the ID of the CA key that the External Account is bound to.
-                          type: string
-                        keySecretRef:
-                          description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                    preferredChain:
-                      description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
-                      type: string
-                      maxLength: 64
-                    privateKeySecretRef:
-                      description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
-                      type: object
-                      required:
-                        - name
-                      properties:
-                        key:
-                          description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                          type: string
-                        name:
-                          description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                          type: string
-                    server:
-                      description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
-                      type: string
-                    skipTLSVerify:
-                      description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
-                      type: boolean
-                    solvers:
-                      description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
-                      type: array
-                      items:
-                        description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided.
-                        type: object
-                        properties:
-                          dns01:
-                            description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
-                            type: object
-                            properties:
-                              acmeDNS:
-                                description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - accountSecretRef
-                                  - host
-                                properties:
-                                  accountSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  host:
-                                    type: string
-                              akamai:
-                                description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - accessTokenSecretRef
-                                  - clientSecretSecretRef
-                                  - clientTokenSecretRef
-                                  - serviceConsumerDomain
-                                properties:
-                                  accessTokenSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  clientSecretSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  clientTokenSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  serviceConsumerDomain:
-                                    type: string
-                              azureDNS:
-                                description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - resourceGroupName
-                                  - subscriptionID
-                                properties:
-                                  clientID:
-                                    description: if both this and ClientSecret are left unset MSI will be used
-                                    type: string
-                                  clientSecretSecretRef:
-                                    description: if both this and ClientID are left unset MSI will be used
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  environment:
-                                    type: string
-                                    enum:
-                                      - AzurePublicCloud
-                                      - AzureChinaCloud
-                                      - AzureGermanCloud
-                                      - AzureUSGovernmentCloud
-                                  hostedZoneName:
-                                    type: string
-                                  resourceGroupName:
-                                    type: string
-                                  subscriptionID:
-                                    type: string
-                                  tenantID:
-                                    description: when specifying ClientID and ClientSecret then this field is also needed
-                                    type: string
-                              cloudDNS:
-                                description: Use the Google Cloud DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - project
-                                properties:
-                                  hostedZoneName:
-                                    description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
-                                    type: string
-                                  project:
-                                    type: string
-                                  serviceAccountSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              cloudflare:
-                                description: Use the Cloudflare API to manage DNS01 challenge records.
-                                type: object
-                                properties:
-                                  apiKeySecretRef:
-                                    description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  apiTokenSecretRef:
-                                    description: API token used to authenticate with Cloudflare.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  email:
-                                    description: Email of the account, only required when using API key based authentication.
-                                    type: string
-                              cnameStrategy:
-                                description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
-                                type: string
-                                enum:
-                                  - None
-                                  - Follow
-                              digitalocean:
-                                description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - tokenSecretRef
-                                properties:
-                                  tokenSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              rfc2136:
-                                description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - nameserver
-                                properties:
-                                  nameserver:
-                                    description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
-                                    type: string
-                                  tsigAlgorithm:
-                                    description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
-                                    type: string
-                                  tsigKeyName:
-                                    description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
-                                    type: string
-                                  tsigSecretSecretRef:
-                                    description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              route53:
-                                description: Use the AWS Route53 API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - region
-                                properties:
-                                  accessKeyID:
-                                    description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
-                                    type: string
-                                  hostedZoneID:
-                                    description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
-                                    type: string
-                                  region:
-                                    description: Always set the region when using AccessKeyID and SecretAccessKey
-                                    type: string
-                                  role:
-                                    description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
-                                    type: string
-                                  secretAccessKeySecretRef:
-                                    description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              webhook:
-                                description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - groupName
-                                  - solverName
-                                properties:
-                                  config:
-                                    description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
-                                    x-kubernetes-preserve-unknown-fields: true
-                                  groupName:
-                                    description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
-                                    type: string
-                                  solverName:
-                                    description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
-                                    type: string
-                          http01:
-                            description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
-                            type: object
-                            properties:
-                              gatewayHTTPRoute:
-                                description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
-                                type: object
-                                properties:
-                                  labels:
-                                    description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
-                                    type: object
-                                    additionalProperties:
-                                      type: string
-                                  serviceType:
-                                    description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
-                                    type: string
-                              ingress:
-                                description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
-                                type: object
-                                properties:
-                                  class:
-                                    description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
-                                    type: string
-                                  ingressTemplate:
-                                    description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
-                                    type: object
-                                    properties:
-                                      metadata:
-                                        description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
-                                        type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added to the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                  name:
-                                    description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
-                                    type: string
-                                  podTemplate:
-                                    description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges
-                                    type: object
-                                    properties:
-                                      metadata:
-                                        description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
-                                        type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added to the create ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to the created ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                      spec:
-                                        description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
-                                        type: object
-                                        properties:
-                                          affinity:
-                                            description: If specified, the pod's scheduling constraints
-                                            type: object
-                                            properties:
-                                              nodeAffinity:
-                                                description: Describes node affinity scheduling rules for the pod.
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
-                                                      type: object
-                                                      required:
-                                                        - preference
-                                                        - weight
-                                                      properties:
-                                                        preference:
-                                                          description: A node selector term, associated with the corresponding weight.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node selector requirements by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchFields:
-                                                              description: A list of node selector requirements by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                        weight:
-                                                          description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
-                                                    type: object
-                                                    required:
-                                                      - nodeSelectorTerms
-                                                    properties:
-                                                      nodeSelectorTerms:
-                                                        description: Required. A list of node selector terms. The terms are ORed.
-                                                        type: array
-                                                        items:
-                                                          description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node selector requirements by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchFields:
-                                                              description: A list of node selector requirements by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                              podAffinity:
-                                                description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                      type: object
-                                                      required:
-                                                        - podAffinityTerm
-                                                        - weight
-                                                      properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod affinity term, associated with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                            - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: A label query over a set of resources, in this case pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaceSelector:
-                                                              description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaces:
-                                                              description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                            topologyKey:
-                                                              description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
-                                                      type: object
-                                                      required:
-                                                        - topologyKey
-                                                      properties:
-                                                        labelSelector:
-                                                          description: A label query over a set of resources, in this case pods.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaceSelector:
-                                                          description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaces:
-                                                          description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                        topologyKey:
-                                                          description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                          type: string
-                                              podAntiAffinity:
-                                                description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                      type: object
-                                                      required:
-                                                        - podAffinityTerm
-                                                        - weight
-                                                      properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod affinity term, associated with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                            - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: A label query over a set of resources, in this case pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaceSelector:
-                                                              description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaces:
-                                                              description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                            topologyKey:
-                                                              description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
-                                                      type: object
-                                                      required:
-                                                        - topologyKey
-                                                      properties:
-                                                        labelSelector:
-                                                          description: A label query over a set of resources, in this case pods.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaceSelector:
-                                                          description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaces:
-                                                          description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                        topologyKey:
-                                                          description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                          type: string
-                                          nodeSelector:
-                                            description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          priorityClassName:
-                                            description: If specified, the pod's priorityClassName.
-                                            type: string
-                                          serviceAccountName:
-                                            description: If specified, the pod's service account
-                                            type: string
-                                          tolerations:
-                                            description: If specified, the pod's tolerations.
-                                            type: array
-                                            items:
-                                              description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
-                                              type: object
-                                              properties:
-                                                effect:
-                                                  description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
-                                                  type: string
-                                                key:
-                                                  description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
-                                                  type: string
-                                                operator:
-                                                  description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
-                                                  type: string
-                                                tolerationSeconds:
-                                                  description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
-                                                  type: integer
-                                                  format: int64
-                                                value:
-                                                  description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
-                                                  type: string
-                                  serviceType:
-                                    description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
-                                    type: string
-                          selector:
-                            description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
-                            type: object
-                            properties:
-                              dnsNames:
-                                description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              dnsZones:
-                                description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              matchLabels:
-                                description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
-                                type: object
-                                additionalProperties:
-                                  type: string
-                ca:
-                  description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
-                  type: object
-                  required:
-                    - secretName
-                  properties:
-                    crlDistributionPoints:
-                      description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
-                      type: array
-                      items:
-                        type: string
-                    ocspServers:
-                      description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
-                      type: array
-                      items:
-                        type: string
-                    secretName:
-                      description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
-                      type: string
-                selfSigned:
-                  description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
-                  type: object
-                  properties:
-                    crlDistributionPoints:
-                      description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
-                      type: array
-                      items:
-                        type: string
-                vault:
-                  description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
-                  type: object
-                  required:
-                    - auth
-                    - path
-                    - server
-                  properties:
-                    auth:
-                      description: Auth configures how cert-manager authenticates with the Vault server.
-                      type: object
-                      properties:
-                        appRole:
-                          description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
-                          type: object
-                          required:
-                            - path
-                            - roleId
-                            - secretRef
-                          properties:
-                            path:
-                              description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
-                              type: string
-                            roleId:
-                              description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
-                              type: string
-                            secretRef:
-                              description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        kubernetes:
-                          description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
-                          type: object
-                          required:
-                            - role
-                            - secretRef
-                          properties:
-                            mountPath:
-                              description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
-                              type: string
-                            role:
-                              description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
-                              type: string
-                            secretRef:
-                              description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        tokenSecretRef:
-                          description: TokenSecretRef authenticates with Vault by presenting a token.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                    caBundle:
-                      description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
-                      type: string
-                      format: byte
-                    namespace:
-                      description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
-                      type: string
-                    path:
-                      description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
-                      type: string
-                    server:
-                      description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                      type: string
-                venafi:
-                  description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
-                  type: object
-                  required:
-                    - zone
-                  properties:
-                    cloud:
-                      description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
-                      type: object
-                      required:
-                        - apiTokenSecretRef
-                      properties:
-                        apiTokenSecretRef:
-                          description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                        url:
-                          description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
-                          type: string
-                    tpp:
-                      description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
-                      type: object
-                      required:
-                        - credentialsRef
-                        - url
-                      properties:
-                        caBundle:
-                          description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
-                          type: string
-                          format: byte
-                        credentialsRef:
-                          description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                        url:
-                          description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
-                          type: string
-                    zone:
-                      description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
-                      type: string
-            status:
-              description: Status of the ClusterIssuer. This is set and managed automatically.
-              type: object
-              properties:
-                acme:
-                  description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
-                  type: object
-                  properties:
-                    lastRegisteredEmail:
-                      description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the  Issuer
-                      type: string
-                    uri:
-                      description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
-                      type: string
-                conditions:
-                  description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
-                  type: array
-                  items:
-                    description: IssuerCondition contains condition information for an Issuer.
-                    type: object
-                    required:
-                      - status
-                      - type
-                    properties:
-                      lastTransitionTime:
-                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
-                        type: string
-                        format: date-time
-                      message:
-                        description: Message is a human readable description of the details of the last transition, complementing reason.
-                        type: string
-                      observedGeneration:
-                        description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
-                        type: integer
-                        format: int64
-                      reason:
-                        description: Reason is a brief machine readable explanation for the condition's last transition.
-                        type: string
-                      status:
-                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
-                        type: string
-                        enum:
-                          - "True"
-                          - "False"
-                          - Unknown
-                      type:
-                        description: Type of the condition, known values are (`Ready`).
-                        type: string
-      served: true
-      storage: false
-    - name: v1
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].message
-          name: Status
-          priority: 1
-          type: string
-        - jsonPath: .metadata.creationTimestamp
-          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          name: Age
-          type: date
-      schema:
-        openAPIV3Schema:
-          description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
-          type: object
-          required:
-            - spec
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: Desired state of the ClusterIssuer resource.
-              type: object
-              properties:
-                acme:
-                  description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
-                  type: object
-                  required:
-                    - privateKeySecretRef
-                    - server
-                  properties:
-                    disableAccountKeyGeneration:
-                      description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
-                      type: boolean
-                    email:
-                      description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
-                      type: string
-                    enableDurationFeature:
-                      description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
-                      type: boolean
-                    externalAccountBinding:
-                      description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
-                      type: object
-                      required:
-                        - keyID
-                        - keySecretRef
-                      properties:
-                        keyAlgorithm:
-                          description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
-                          type: string
-                          enum:
-                            - HS256
-                            - HS384
-                            - HS512
-                        keyID:
-                          description: keyID is the ID of the CA key that the External Account is bound to.
-                          type: string
-                        keySecretRef:
-                          description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                    preferredChain:
-                      description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
-                      type: string
-                      maxLength: 64
-                    privateKeySecretRef:
-                      description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
-                      type: object
-                      required:
-                        - name
-                      properties:
-                        key:
-                          description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                          type: string
-                        name:
-                          description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                          type: string
-                    server:
-                      description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
-                      type: string
-                    skipTLSVerify:
-                      description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
-                      type: boolean
-                    solvers:
-                      description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
-                      type: array
-                      items:
-                        description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
-                        type: object
-                        properties:
-                          dns01:
-                            description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
-                            type: object
-                            properties:
-                              acmeDNS:
-                                description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - accountSecretRef
-                                  - host
-                                properties:
-                                  accountSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  host:
-                                    type: string
-                              akamai:
-                                description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - accessTokenSecretRef
-                                  - clientSecretSecretRef
-                                  - clientTokenSecretRef
-                                  - serviceConsumerDomain
-                                properties:
-                                  accessTokenSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  clientSecretSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  clientTokenSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  serviceConsumerDomain:
-                                    type: string
-                              azureDNS:
-                                description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - resourceGroupName
-                                  - subscriptionID
-                                properties:
-                                  clientID:
-                                    description: if both this and ClientSecret are left unset MSI will be used
-                                    type: string
-                                  clientSecretSecretRef:
-                                    description: if both this and ClientID are left unset MSI will be used
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  environment:
-                                    type: string
-                                    enum:
-                                      - AzurePublicCloud
-                                      - AzureChinaCloud
-                                      - AzureGermanCloud
-                                      - AzureUSGovernmentCloud
-                                  hostedZoneName:
-                                    type: string
-                                  resourceGroupName:
-                                    type: string
-                                  subscriptionID:
-                                    type: string
-                                  tenantID:
-                                    description: when specifying ClientID and ClientSecret then this field is also needed
-                                    type: string
-                              cloudDNS:
-                                description: Use the Google Cloud DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - project
-                                properties:
-                                  hostedZoneName:
-                                    description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
-                                    type: string
-                                  project:
-                                    type: string
-                                  serviceAccountSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              cloudflare:
-                                description: Use the Cloudflare API to manage DNS01 challenge records.
-                                type: object
-                                properties:
-                                  apiKeySecretRef:
-                                    description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  apiTokenSecretRef:
-                                    description: API token used to authenticate with Cloudflare.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  email:
-                                    description: Email of the account, only required when using API key based authentication.
-                                    type: string
-                              cnameStrategy:
-                                description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
-                                type: string
-                                enum:
-                                  - None
-                                  - Follow
-                              digitalocean:
-                                description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - tokenSecretRef
-                                properties:
-                                  tokenSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              rfc2136:
-                                description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - nameserver
-                                properties:
-                                  nameserver:
-                                    description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
-                                    type: string
-                                  tsigAlgorithm:
-                                    description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
-                                    type: string
-                                  tsigKeyName:
-                                    description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
-                                    type: string
-                                  tsigSecretSecretRef:
-                                    description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              route53:
-                                description: Use the AWS Route53 API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - region
-                                properties:
-                                  accessKeyID:
-                                    description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
-                                    type: string
-                                  hostedZoneID:
-                                    description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
-                                    type: string
-                                  region:
-                                    description: Always set the region when using AccessKeyID and SecretAccessKey
-                                    type: string
-                                  role:
-                                    description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
-                                    type: string
-                                  secretAccessKeySecretRef:
-                                    description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              webhook:
-                                description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - groupName
-                                  - solverName
-                                properties:
-                                  config:
-                                    description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
-                                    x-kubernetes-preserve-unknown-fields: true
-                                  groupName:
-                                    description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
-                                    type: string
-                                  solverName:
-                                    description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
-                                    type: string
-                          http01:
-                            description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
-                            type: object
-                            properties:
-                              gatewayHTTPRoute:
-                                description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
-                                type: object
-                                properties:
-                                  labels:
-                                    description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
-                                    type: object
-                                    additionalProperties:
-                                      type: string
-                                  serviceType:
-                                    description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
-                                    type: string
-                              ingress:
-                                description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
-                                type: object
-                                properties:
-                                  class:
-                                    description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
-                                    type: string
-                                  ingressTemplate:
-                                    description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
-                                    type: object
-                                    properties:
-                                      metadata:
-                                        description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
-                                        type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added to the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                  name:
-                                    description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
-                                    type: string
-                                  podTemplate:
-                                    description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
-                                    type: object
-                                    properties:
-                                      metadata:
-                                        description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
-                                        type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added to the create ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to the created ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                      spec:
-                                        description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
-                                        type: object
-                                        properties:
-                                          affinity:
-                                            description: If specified, the pod's scheduling constraints
-                                            type: object
-                                            properties:
-                                              nodeAffinity:
-                                                description: Describes node affinity scheduling rules for the pod.
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
-                                                      type: object
-                                                      required:
-                                                        - preference
-                                                        - weight
-                                                      properties:
-                                                        preference:
-                                                          description: A node selector term, associated with the corresponding weight.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node selector requirements by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchFields:
-                                                              description: A list of node selector requirements by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                        weight:
-                                                          description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
-                                                    type: object
-                                                    required:
-                                                      - nodeSelectorTerms
-                                                    properties:
-                                                      nodeSelectorTerms:
-                                                        description: Required. A list of node selector terms. The terms are ORed.
-                                                        type: array
-                                                        items:
-                                                          description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node selector requirements by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchFields:
-                                                              description: A list of node selector requirements by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                              podAffinity:
-                                                description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                      type: object
-                                                      required:
-                                                        - podAffinityTerm
-                                                        - weight
-                                                      properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod affinity term, associated with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                            - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: A label query over a set of resources, in this case pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaceSelector:
-                                                              description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaces:
-                                                              description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                            topologyKey:
-                                                              description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
-                                                      type: object
-                                                      required:
-                                                        - topologyKey
-                                                      properties:
-                                                        labelSelector:
-                                                          description: A label query over a set of resources, in this case pods.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaceSelector:
-                                                          description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaces:
-                                                          description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                        topologyKey:
-                                                          description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                          type: string
-                                              podAntiAffinity:
-                                                description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                      type: object
-                                                      required:
-                                                        - podAffinityTerm
-                                                        - weight
-                                                      properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod affinity term, associated with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                            - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: A label query over a set of resources, in this case pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaceSelector:
-                                                              description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaces:
-                                                              description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                            topologyKey:
-                                                              description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
-                                                      type: object
-                                                      required:
-                                                        - topologyKey
-                                                      properties:
-                                                        labelSelector:
-                                                          description: A label query over a set of resources, in this case pods.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaceSelector:
-                                                          description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaces:
-                                                          description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                        topologyKey:
-                                                          description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                          type: string
-                                          nodeSelector:
-                                            description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          priorityClassName:
-                                            description: If specified, the pod's priorityClassName.
-                                            type: string
-                                          serviceAccountName:
-                                            description: If specified, the pod's service account
-                                            type: string
-                                          tolerations:
-                                            description: If specified, the pod's tolerations.
-                                            type: array
-                                            items:
-                                              description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
-                                              type: object
-                                              properties:
-                                                effect:
-                                                  description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
-                                                  type: string
-                                                key:
-                                                  description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
-                                                  type: string
-                                                operator:
-                                                  description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
-                                                  type: string
-                                                tolerationSeconds:
-                                                  description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
-                                                  type: integer
-                                                  format: int64
-                                                value:
-                                                  description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
-                                                  type: string
-                                  serviceType:
-                                    description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
-                                    type: string
-                          selector:
-                            description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
-                            type: object
-                            properties:
-                              dnsNames:
-                                description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              dnsZones:
-                                description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              matchLabels:
-                                description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
-                                type: object
-                                additionalProperties:
-                                  type: string
-                ca:
-                  description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
-                  type: object
-                  required:
-                    - secretName
-                  properties:
-                    crlDistributionPoints:
-                      description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
-                      type: array
-                      items:
-                        type: string
-                    ocspServers:
-                      description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
-                      type: array
-                      items:
-                        type: string
-                    secretName:
-                      description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
-                      type: string
-                selfSigned:
-                  description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
-                  type: object
-                  properties:
-                    crlDistributionPoints:
-                      description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
-                      type: array
-                      items:
-                        type: string
-                vault:
-                  description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
-                  type: object
-                  required:
-                    - auth
-                    - path
-                    - server
-                  properties:
-                    auth:
-                      description: Auth configures how cert-manager authenticates with the Vault server.
-                      type: object
-                      properties:
-                        appRole:
-                          description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
-                          type: object
-                          required:
-                            - path
-                            - roleId
-                            - secretRef
-                          properties:
-                            path:
-                              description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
-                              type: string
-                            roleId:
-                              description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
-                              type: string
-                            secretRef:
-                              description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        kubernetes:
-                          description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
-                          type: object
-                          required:
-                            - role
-                            - secretRef
-                          properties:
-                            mountPath:
-                              description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
-                              type: string
-                            role:
-                              description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
-                              type: string
-                            secretRef:
-                              description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        tokenSecretRef:
-                          description: TokenSecretRef authenticates with Vault by presenting a token.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                    caBundle:
-                      description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
-                      type: string
-                      format: byte
-                    namespace:
-                      description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
-                      type: string
-                    path:
-                      description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
-                      type: string
-                    server:
-                      description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                      type: string
-                venafi:
-                  description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
-                  type: object
-                  required:
-                    - zone
-                  properties:
-                    cloud:
-                      description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
-                      type: object
-                      required:
-                        - apiTokenSecretRef
-                      properties:
-                        apiTokenSecretRef:
-                          description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                        url:
-                          description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
-                          type: string
-                    tpp:
-                      description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
-                      type: object
-                      required:
-                        - credentialsRef
-                        - url
-                      properties:
-                        caBundle:
-                          description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
-                          type: string
-                          format: byte
-                        credentialsRef:
-                          description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                        url:
-                          description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
-                          type: string
-                    zone:
-                      description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
-                      type: string
-            status:
-              description: Status of the ClusterIssuer. This is set and managed automatically.
-              type: object
-              properties:
-                acme:
-                  description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
-                  type: object
-                  properties:
-                    lastRegisteredEmail:
-                      description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the  Issuer
-                      type: string
-                    uri:
-                      description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
-                      type: string
-                conditions:
-                  description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
-                  type: array
-                  items:
-                    description: IssuerCondition contains condition information for an Issuer.
-                    type: object
-                    required:
-                      - status
-                      - type
-                    properties:
-                      lastTransitionTime:
-                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
-                        type: string
-                        format: date-time
-                      message:
-                        description: Message is a human readable description of the details of the last transition, complementing reason.
-                        type: string
-                      observedGeneration:
-                        description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
-                        type: integer
-                        format: int64
-                      reason:
-                        description: Reason is a brief machine readable explanation for the condition's last transition.
-                        type: string
-                      status:
-                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
-                        type: string
-                        enum:
-                          - "True"
-                          - "False"
-                          - Unknown
-                      type:
-                        description: Type of the condition, known values are (`Ready`).
-                        type: string
-      served: true
-      storage: true
----
-# Source: cert-manager/templates/templates.out
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: issuers.cert-manager.io
-  annotations:
-    cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
-  labels:
-    app: 'cert-manager'
-    app.kubernetes.io/name: 'cert-manager'
-    app.kubernetes.io/instance: 'cert-manager'
-    # Generated labels
-    app.kubernetes.io/version: "v1.5.4"
-spec:
-  group: cert-manager.io
-  names:
-    kind: Issuer
-    listKind: IssuerList
-    plural: issuers
-    singular: issuer
-    categories:
-      - cert-manager
-  scope: Namespaced
-  conversion:
-    # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
-    strategy: Webhook
-    # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
-    webhook:
-      # We don't actually support `v1beta1` but is listed here as it is a
-      # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
-      # API server reads the supported versions in order, so _should always_
-      # attempt a `v1` request which is understood by the cert-manager webhook.
-      # Any `v1beta1` request will return an error and fail closed for that
-      # resource (the whole object request is rejected).
-      # When we no longer support v1.16 we can remove `v1beta1` from this list.
-      conversionReviewVersions: ["v1", "v1beta1"]
-      clientConfig:
-        #
-        service:
-          name: 'cert-manager-webhook'
-          namespace: "cert-manager"
-          path: /convert
-          #
-  versions:
-    - name: v1alpha2
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].message
-          name: Status
-          priority: 1
-          type: string
-        - jsonPath: .metadata.creationTimestamp
-          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          name: Age
-          type: date
-      schema:
-        openAPIV3Schema:
-          description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
-          type: object
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: Desired state of the Issuer resource.
-              type: object
-              properties:
-                acme:
-                  description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
-                  type: object
-                  required:
-                    - privateKeySecretRef
-                    - server
-                  properties:
-                    disableAccountKeyGeneration:
-                      description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
-                      type: boolean
-                    email:
-                      description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
-                      type: string
-                    enableDurationFeature:
-                      description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
-                      type: boolean
-                    externalAccountBinding:
-                      description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
-                      type: object
-                      required:
-                        - keyID
-                        - keySecretRef
-                      properties:
-                        keyAlgorithm:
-                          description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
-                          type: string
-                          enum:
-                            - HS256
-                            - HS384
-                            - HS512
-                        keyID:
-                          description: keyID is the ID of the CA key that the External Account is bound to.
-                          type: string
-                        keySecretRef:
-                          description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                    preferredChain:
-                      description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
-                      type: string
-                      maxLength: 64
-                    privateKeySecretRef:
-                      description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
-                      type: object
-                      required:
-                        - name
-                      properties:
-                        key:
-                          description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                          type: string
-                        name:
-                          description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                          type: string
-                    server:
-                      description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
-                      type: string
-                    skipTLSVerify:
-                      description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
-                      type: boolean
-                    solvers:
-                      description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
-                      type: array
-                      items:
-                        description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided.
-                        type: object
-                        properties:
-                          dns01:
-                            description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
-                            type: object
-                            properties:
-                              acmedns:
-                                description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - accountSecretRef
-                                  - host
-                                properties:
-                                  accountSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  host:
-                                    type: string
-                              akamai:
-                                description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - accessTokenSecretRef
-                                  - clientSecretSecretRef
-                                  - clientTokenSecretRef
-                                  - serviceConsumerDomain
-                                properties:
-                                  accessTokenSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  clientSecretSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  clientTokenSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  serviceConsumerDomain:
-                                    type: string
-                              azuredns:
-                                description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - resourceGroupName
-                                  - subscriptionID
-                                properties:
-                                  clientID:
-                                    description: if both this and ClientSecret are left unset MSI will be used
-                                    type: string
-                                  clientSecretSecretRef:
-                                    description: if both this and ClientID are left unset MSI will be used
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  environment:
-                                    type: string
-                                    enum:
-                                      - AzurePublicCloud
-                                      - AzureChinaCloud
-                                      - AzureGermanCloud
-                                      - AzureUSGovernmentCloud
-                                  hostedZoneName:
-                                    type: string
-                                  resourceGroupName:
-                                    type: string
-                                  subscriptionID:
-                                    type: string
-                                  tenantID:
-                                    description: when specifying ClientID and ClientSecret then this field is also needed
-                                    type: string
-                              clouddns:
-                                description: Use the Google Cloud DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - project
-                                properties:
-                                  hostedZoneName:
-                                    description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
-                                    type: string
-                                  project:
-                                    type: string
-                                  serviceAccountSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              cloudflare:
-                                description: Use the Cloudflare API to manage DNS01 challenge records.
-                                type: object
-                                properties:
-                                  apiKeySecretRef:
-                                    description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  apiTokenSecretRef:
-                                    description: API token used to authenticate with Cloudflare.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  email:
-                                    description: Email of the account, only required when using API key based authentication.
-                                    type: string
-                              cnameStrategy:
-                                description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
-                                type: string
-                                enum:
-                                  - None
-                                  - Follow
-                              digitalocean:
-                                description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - tokenSecretRef
-                                properties:
-                                  tokenSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              rfc2136:
-                                description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - nameserver
-                                properties:
-                                  nameserver:
-                                    description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
-                                    type: string
-                                  tsigAlgorithm:
-                                    description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
-                                    type: string
-                                  tsigKeyName:
-                                    description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
-                                    type: string
-                                  tsigSecretSecretRef:
-                                    description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              route53:
-                                description: Use the AWS Route53 API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - region
-                                properties:
-                                  accessKeyID:
-                                    description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
-                                    type: string
-                                  hostedZoneID:
-                                    description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
-                                    type: string
-                                  region:
-                                    description: Always set the region when using AccessKeyID and SecretAccessKey
-                                    type: string
-                                  role:
-                                    description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
-                                    type: string
-                                  secretAccessKeySecretRef:
-                                    description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              webhook:
-                                description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - groupName
-                                  - solverName
-                                properties:
-                                  config:
-                                    description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
-                                    x-kubernetes-preserve-unknown-fields: true
-                                  groupName:
-                                    description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
-                                    type: string
-                                  solverName:
-                                    description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
-                                    type: string
-                          http01:
-                            description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
-                            type: object
-                            properties:
-                              gatewayHTTPRoute:
-                                description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
-                                type: object
-                                properties:
-                                  labels:
-                                    description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
-                                    type: object
-                                    additionalProperties:
-                                      type: string
-                                  serviceType:
-                                    description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
-                                    type: string
-                              ingress:
-                                description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
-                                type: object
-                                properties:
-                                  class:
-                                    description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
-                                    type: string
-                                  ingressTemplate:
-                                    description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges
-                                    type: object
-                                    properties:
-                                      metadata:
-                                        description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
-                                        type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added to the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                  name:
-                                    description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
-                                    type: string
-                                  podTemplate:
-                                    description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
-                                    type: object
-                                    properties:
-                                      metadata:
-                                        description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
-                                        type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added to the create ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to the created ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                      spec:
-                                        description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
-                                        type: object
-                                        properties:
-                                          affinity:
-                                            description: If specified, the pod's scheduling constraints
-                                            type: object
-                                            properties:
-                                              nodeAffinity:
-                                                description: Describes node affinity scheduling rules for the pod.
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
-                                                      type: object
-                                                      required:
-                                                        - preference
-                                                        - weight
-                                                      properties:
-                                                        preference:
-                                                          description: A node selector term, associated with the corresponding weight.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node selector requirements by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchFields:
-                                                              description: A list of node selector requirements by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                        weight:
-                                                          description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
-                                                    type: object
-                                                    required:
-                                                      - nodeSelectorTerms
-                                                    properties:
-                                                      nodeSelectorTerms:
-                                                        description: Required. A list of node selector terms. The terms are ORed.
-                                                        type: array
-                                                        items:
-                                                          description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node selector requirements by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchFields:
-                                                              description: A list of node selector requirements by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                              podAffinity:
-                                                description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                      type: object
-                                                      required:
-                                                        - podAffinityTerm
-                                                        - weight
-                                                      properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod affinity term, associated with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                            - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: A label query over a set of resources, in this case pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaceSelector:
-                                                              description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaces:
-                                                              description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                            topologyKey:
-                                                              description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
-                                                      type: object
-                                                      required:
-                                                        - topologyKey
-                                                      properties:
-                                                        labelSelector:
-                                                          description: A label query over a set of resources, in this case pods.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaceSelector:
-                                                          description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaces:
-                                                          description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                        topologyKey:
-                                                          description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                          type: string
-                                              podAntiAffinity:
-                                                description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                      type: object
-                                                      required:
-                                                        - podAffinityTerm
-                                                        - weight
-                                                      properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod affinity term, associated with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                            - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: A label query over a set of resources, in this case pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaceSelector:
-                                                              description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaces:
-                                                              description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                            topologyKey:
-                                                              description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
-                                                      type: object
-                                                      required:
-                                                        - topologyKey
-                                                      properties:
-                                                        labelSelector:
-                                                          description: A label query over a set of resources, in this case pods.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaceSelector:
-                                                          description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaces:
-                                                          description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                        topologyKey:
-                                                          description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                          type: string
-                                          nodeSelector:
-                                            description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          priorityClassName:
-                                            description: If specified, the pod's priorityClassName.
-                                            type: string
-                                          serviceAccountName:
-                                            description: If specified, the pod's service account
-                                            type: string
-                                          tolerations:
-                                            description: If specified, the pod's tolerations.
-                                            type: array
-                                            items:
-                                              description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
-                                              type: object
-                                              properties:
-                                                effect:
-                                                  description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
-                                                  type: string
-                                                key:
-                                                  description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
-                                                  type: string
-                                                operator:
-                                                  description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
-                                                  type: string
-                                                tolerationSeconds:
-                                                  description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
-                                                  type: integer
-                                                  format: int64
-                                                value:
-                                                  description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
-                                                  type: string
-                                  serviceType:
-                                    description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
-                                    type: string
-                          selector:
-                            description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
-                            type: object
-                            properties:
-                              dnsNames:
-                                description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              dnsZones:
-                                description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              matchLabels:
-                                description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
-                                type: object
-                                additionalProperties:
-                                  type: string
-                ca:
-                  description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
-                  type: object
-                  required:
-                    - secretName
-                  properties:
-                    crlDistributionPoints:
-                      description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
-                      type: array
-                      items:
-                        type: string
-                    ocspServers:
-                      description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
-                      type: array
-                      items:
-                        type: string
-                    secretName:
-                      description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
-                      type: string
-                selfSigned:
-                  description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
-                  type: object
-                  properties:
-                    crlDistributionPoints:
-                      description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
-                      type: array
-                      items:
-                        type: string
-                vault:
-                  description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
-                  type: object
-                  required:
-                    - auth
-                    - path
-                    - server
-                  properties:
-                    auth:
-                      description: Auth configures how cert-manager authenticates with the Vault server.
-                      type: object
-                      properties:
-                        appRole:
-                          description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
-                          type: object
-                          required:
-                            - path
-                            - roleId
-                            - secretRef
-                          properties:
-                            path:
-                              description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
-                              type: string
-                            roleId:
-                              description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
-                              type: string
-                            secretRef:
-                              description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        kubernetes:
-                          description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
-                          type: object
-                          required:
-                            - role
-                            - secretRef
-                          properties:
-                            mountPath:
-                              description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
-                              type: string
-                            role:
-                              description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
-                              type: string
-                            secretRef:
-                              description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        tokenSecretRef:
-                          description: TokenSecretRef authenticates with Vault by presenting a token.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                    caBundle:
-                      description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
-                      type: string
-                      format: byte
-                    namespace:
-                      description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
-                      type: string
-                    path:
-                      description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
-                      type: string
-                    server:
-                      description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                      type: string
-                venafi:
-                  description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
-                  type: object
-                  required:
-                    - zone
-                  properties:
-                    cloud:
-                      description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
-                      type: object
-                      required:
-                        - apiTokenSecretRef
-                      properties:
-                        apiTokenSecretRef:
-                          description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                        url:
-                          description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
-                          type: string
-                    tpp:
-                      description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
-                      type: object
-                      required:
-                        - credentialsRef
-                        - url
-                      properties:
-                        caBundle:
-                          description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
-                          type: string
-                          format: byte
-                        credentialsRef:
-                          description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                        url:
-                          description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
-                          type: string
-                    zone:
-                      description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
-                      type: string
-            status:
-              description: Status of the Issuer. This is set and managed automatically.
-              type: object
-              properties:
-                acme:
-                  description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
-                  type: object
-                  properties:
-                    lastRegisteredEmail:
-                      description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the  Issuer
-                      type: string
-                    uri:
-                      description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
-                      type: string
-                conditions:
-                  description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
-                  type: array
-                  items:
-                    description: IssuerCondition contains condition information for an Issuer.
-                    type: object
-                    required:
-                      - status
-                      - type
-                    properties:
-                      lastTransitionTime:
-                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
-                        type: string
-                        format: date-time
-                      message:
-                        description: Message is a human readable description of the details of the last transition, complementing reason.
-                        type: string
-                      observedGeneration:
-                        description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
-                        type: integer
-                        format: int64
-                      reason:
-                        description: Reason is a brief machine readable explanation for the condition's last transition.
-                        type: string
-                      status:
-                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
-                        type: string
-                        enum:
-                          - "True"
-                          - "False"
-                          - Unknown
-                      type:
-                        description: Type of the condition, known values are (`Ready`).
-                        type: string
-      served: true
-      storage: false
-    - name: v1alpha3
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].message
-          name: Status
-          priority: 1
-          type: string
-        - jsonPath: .metadata.creationTimestamp
-          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          name: Age
-          type: date
-      schema:
-        openAPIV3Schema:
-          description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
-          type: object
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: Desired state of the Issuer resource.
-              type: object
-              properties:
-                acme:
-                  description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
-                  type: object
-                  required:
-                    - privateKeySecretRef
-                    - server
-                  properties:
-                    disableAccountKeyGeneration:
-                      description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
-                      type: boolean
-                    email:
-                      description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
-                      type: string
-                    enableDurationFeature:
-                      description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
-                      type: boolean
-                    externalAccountBinding:
-                      description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
-                      type: object
-                      required:
-                        - keyID
-                        - keySecretRef
-                      properties:
-                        keyAlgorithm:
-                          description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
-                          type: string
-                          enum:
-                            - HS256
-                            - HS384
-                            - HS512
-                        keyID:
-                          description: keyID is the ID of the CA key that the External Account is bound to.
-                          type: string
-                        keySecretRef:
-                          description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                    preferredChain:
-                      description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
-                      type: string
-                      maxLength: 64
-                    privateKeySecretRef:
-                      description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
-                      type: object
-                      required:
-                        - name
-                      properties:
-                        key:
-                          description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                          type: string
-                        name:
-                          description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                          type: string
-                    server:
-                      description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
-                      type: string
-                    skipTLSVerify:
-                      description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
-                      type: boolean
-                    solvers:
-                      description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
-                      type: array
-                      items:
-                        description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided.
-                        type: object
-                        properties:
-                          dns01:
-                            description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
-                            type: object
-                            properties:
-                              acmedns:
-                                description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - accountSecretRef
-                                  - host
-                                properties:
-                                  accountSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  host:
-                                    type: string
-                              akamai:
-                                description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - accessTokenSecretRef
-                                  - clientSecretSecretRef
-                                  - clientTokenSecretRef
-                                  - serviceConsumerDomain
-                                properties:
-                                  accessTokenSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  clientSecretSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  clientTokenSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  serviceConsumerDomain:
-                                    type: string
-                              azuredns:
-                                description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - resourceGroupName
-                                  - subscriptionID
-                                properties:
-                                  clientID:
-                                    description: if both this and ClientSecret are left unset MSI will be used
-                                    type: string
-                                  clientSecretSecretRef:
-                                    description: if both this and ClientID are left unset MSI will be used
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  environment:
-                                    type: string
-                                    enum:
-                                      - AzurePublicCloud
-                                      - AzureChinaCloud
-                                      - AzureGermanCloud
-                                      - AzureUSGovernmentCloud
-                                  hostedZoneName:
-                                    type: string
-                                  resourceGroupName:
-                                    type: string
-                                  subscriptionID:
-                                    type: string
-                                  tenantID:
-                                    description: when specifying ClientID and ClientSecret then this field is also needed
-                                    type: string
-                              clouddns:
-                                description: Use the Google Cloud DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - project
-                                properties:
-                                  hostedZoneName:
-                                    description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
-                                    type: string
-                                  project:
-                                    type: string
-                                  serviceAccountSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              cloudflare:
-                                description: Use the Cloudflare API to manage DNS01 challenge records.
-                                type: object
-                                properties:
-                                  apiKeySecretRef:
-                                    description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  apiTokenSecretRef:
-                                    description: API token used to authenticate with Cloudflare.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  email:
-                                    description: Email of the account, only required when using API key based authentication.
-                                    type: string
-                              cnameStrategy:
-                                description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
-                                type: string
-                                enum:
-                                  - None
-                                  - Follow
-                              digitalocean:
-                                description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - tokenSecretRef
-                                properties:
-                                  tokenSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              rfc2136:
-                                description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - nameserver
-                                properties:
-                                  nameserver:
-                                    description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
-                                    type: string
-                                  tsigAlgorithm:
-                                    description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
-                                    type: string
-                                  tsigKeyName:
-                                    description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
-                                    type: string
-                                  tsigSecretSecretRef:
-                                    description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              route53:
-                                description: Use the AWS Route53 API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - region
-                                properties:
-                                  accessKeyID:
-                                    description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
-                                    type: string
-                                  hostedZoneID:
-                                    description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
-                                    type: string
-                                  region:
-                                    description: Always set the region when using AccessKeyID and SecretAccessKey
-                                    type: string
-                                  role:
-                                    description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
-                                    type: string
-                                  secretAccessKeySecretRef:
-                                    description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              webhook:
-                                description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - groupName
-                                  - solverName
-                                properties:
-                                  config:
-                                    description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
-                                    x-kubernetes-preserve-unknown-fields: true
-                                  groupName:
-                                    description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
-                                    type: string
-                                  solverName:
-                                    description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
-                                    type: string
-                          http01:
-                            description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
-                            type: object
-                            properties:
-                              gatewayHTTPRoute:
-                                description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
-                                type: object
-                                properties:
-                                  labels:
-                                    description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
-                                    type: object
-                                    additionalProperties:
-                                      type: string
-                                  serviceType:
-                                    description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
-                                    type: string
-                              ingress:
-                                description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
-                                type: object
-                                properties:
-                                  class:
-                                    description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
-                                    type: string
-                                  ingressTemplate:
-                                    description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges
-                                    type: object
-                                    properties:
-                                      metadata:
-                                        description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
-                                        type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added to the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                  name:
-                                    description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
-                                    type: string
-                                  podTemplate:
-                                    description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
-                                    type: object
-                                    properties:
-                                      metadata:
-                                        description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
-                                        type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added to the create ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to the created ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                      spec:
-                                        description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
-                                        type: object
-                                        properties:
-                                          affinity:
-                                            description: If specified, the pod's scheduling constraints
-                                            type: object
-                                            properties:
-                                              nodeAffinity:
-                                                description: Describes node affinity scheduling rules for the pod.
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
-                                                      type: object
-                                                      required:
-                                                        - preference
-                                                        - weight
-                                                      properties:
-                                                        preference:
-                                                          description: A node selector term, associated with the corresponding weight.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node selector requirements by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchFields:
-                                                              description: A list of node selector requirements by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                        weight:
-                                                          description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
-                                                    type: object
-                                                    required:
-                                                      - nodeSelectorTerms
-                                                    properties:
-                                                      nodeSelectorTerms:
-                                                        description: Required. A list of node selector terms. The terms are ORed.
-                                                        type: array
-                                                        items:
-                                                          description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node selector requirements by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchFields:
-                                                              description: A list of node selector requirements by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                              podAffinity:
-                                                description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                      type: object
-                                                      required:
-                                                        - podAffinityTerm
-                                                        - weight
-                                                      properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod affinity term, associated with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                            - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: A label query over a set of resources, in this case pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaceSelector:
-                                                              description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaces:
-                                                              description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                            topologyKey:
-                                                              description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
-                                                      type: object
-                                                      required:
-                                                        - topologyKey
-                                                      properties:
-                                                        labelSelector:
-                                                          description: A label query over a set of resources, in this case pods.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaceSelector:
-                                                          description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaces:
-                                                          description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                        topologyKey:
-                                                          description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                          type: string
-                                              podAntiAffinity:
-                                                description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                      type: object
-                                                      required:
-                                                        - podAffinityTerm
-                                                        - weight
-                                                      properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod affinity term, associated with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                            - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: A label query over a set of resources, in this case pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaceSelector:
-                                                              description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaces:
-                                                              description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                            topologyKey:
-                                                              description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
-                                                      type: object
-                                                      required:
-                                                        - topologyKey
-                                                      properties:
-                                                        labelSelector:
-                                                          description: A label query over a set of resources, in this case pods.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaceSelector:
-                                                          description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaces:
-                                                          description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                        topologyKey:
-                                                          description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                          type: string
-                                          nodeSelector:
-                                            description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          priorityClassName:
-                                            description: If specified, the pod's priorityClassName.
-                                            type: string
-                                          serviceAccountName:
-                                            description: If specified, the pod's service account
-                                            type: string
-                                          tolerations:
-                                            description: If specified, the pod's tolerations.
-                                            type: array
-                                            items:
-                                              description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
-                                              type: object
-                                              properties:
-                                                effect:
-                                                  description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
-                                                  type: string
-                                                key:
-                                                  description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
-                                                  type: string
-                                                operator:
-                                                  description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
-                                                  type: string
-                                                tolerationSeconds:
-                                                  description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
-                                                  type: integer
-                                                  format: int64
-                                                value:
-                                                  description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
-                                                  type: string
-                                  serviceType:
-                                    description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
-                                    type: string
-                          selector:
-                            description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
-                            type: object
-                            properties:
-                              dnsNames:
-                                description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              dnsZones:
-                                description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              matchLabels:
-                                description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
-                                type: object
-                                additionalProperties:
-                                  type: string
-                ca:
-                  description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
-                  type: object
-                  required:
-                    - secretName
-                  properties:
-                    crlDistributionPoints:
-                      description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
-                      type: array
-                      items:
-                        type: string
-                    ocspServers:
-                      description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
-                      type: array
-                      items:
-                        type: string
-                    secretName:
-                      description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
-                      type: string
-                selfSigned:
-                  description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
-                  type: object
-                  properties:
-                    crlDistributionPoints:
-                      description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
-                      type: array
-                      items:
-                        type: string
-                vault:
-                  description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
-                  type: object
-                  required:
-                    - auth
-                    - path
-                    - server
-                  properties:
-                    auth:
-                      description: Auth configures how cert-manager authenticates with the Vault server.
-                      type: object
-                      properties:
-                        appRole:
-                          description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
-                          type: object
-                          required:
-                            - path
-                            - roleId
-                            - secretRef
-                          properties:
-                            path:
-                              description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
-                              type: string
-                            roleId:
-                              description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
-                              type: string
-                            secretRef:
-                              description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        kubernetes:
-                          description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
-                          type: object
-                          required:
-                            - role
-                            - secretRef
-                          properties:
-                            mountPath:
-                              description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
-                              type: string
-                            role:
-                              description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
-                              type: string
-                            secretRef:
-                              description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        tokenSecretRef:
-                          description: TokenSecretRef authenticates with Vault by presenting a token.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                    caBundle:
-                      description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
-                      type: string
-                      format: byte
-                    namespace:
-                      description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
-                      type: string
-                    path:
-                      description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
-                      type: string
-                    server:
-                      description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                      type: string
-                venafi:
-                  description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
-                  type: object
-                  required:
-                    - zone
-                  properties:
-                    cloud:
-                      description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
-                      type: object
-                      required:
-                        - apiTokenSecretRef
-                      properties:
-                        apiTokenSecretRef:
-                          description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                        url:
-                          description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
-                          type: string
-                    tpp:
-                      description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
-                      type: object
-                      required:
-                        - credentialsRef
-                        - url
-                      properties:
-                        caBundle:
-                          description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
-                          type: string
-                          format: byte
-                        credentialsRef:
-                          description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                        url:
-                          description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
-                          type: string
-                    zone:
-                      description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
-                      type: string
-            status:
-              description: Status of the Issuer. This is set and managed automatically.
-              type: object
-              properties:
-                acme:
-                  description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
-                  type: object
-                  properties:
-                    lastRegisteredEmail:
-                      description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the  Issuer
-                      type: string
-                    uri:
-                      description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
-                      type: string
-                conditions:
-                  description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
-                  type: array
-                  items:
-                    description: IssuerCondition contains condition information for an Issuer.
-                    type: object
-                    required:
-                      - status
-                      - type
-                    properties:
-                      lastTransitionTime:
-                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
-                        type: string
-                        format: date-time
-                      message:
-                        description: Message is a human readable description of the details of the last transition, complementing reason.
-                        type: string
-                      observedGeneration:
-                        description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
-                        type: integer
-                        format: int64
-                      reason:
-                        description: Reason is a brief machine readable explanation for the condition's last transition.
-                        type: string
-                      status:
-                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
-                        type: string
-                        enum:
-                          - "True"
-                          - "False"
-                          - Unknown
-                      type:
-                        description: Type of the condition, known values are (`Ready`).
-                        type: string
-      served: true
-      storage: false
-    - name: v1beta1
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].message
-          name: Status
-          priority: 1
-          type: string
-        - jsonPath: .metadata.creationTimestamp
-          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          name: Age
-          type: date
-      schema:
-        openAPIV3Schema:
-          description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
-          type: object
-          required:
-            - spec
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: Desired state of the Issuer resource.
-              type: object
-              properties:
-                acme:
-                  description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
-                  type: object
-                  required:
-                    - privateKeySecretRef
-                    - server
-                  properties:
-                    disableAccountKeyGeneration:
-                      description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
-                      type: boolean
-                    email:
-                      description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
-                      type: string
-                    enableDurationFeature:
-                      description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
-                      type: boolean
-                    externalAccountBinding:
-                      description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
-                      type: object
-                      required:
-                        - keyID
-                        - keySecretRef
-                      properties:
-                        keyAlgorithm:
-                          description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
-                          type: string
-                          enum:
-                            - HS256
-                            - HS384
-                            - HS512
-                        keyID:
-                          description: keyID is the ID of the CA key that the External Account is bound to.
-                          type: string
-                        keySecretRef:
-                          description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                    preferredChain:
-                      description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
-                      type: string
-                      maxLength: 64
-                    privateKeySecretRef:
-                      description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
-                      type: object
-                      required:
-                        - name
-                      properties:
-                        key:
-                          description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                          type: string
-                        name:
-                          description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                          type: string
-                    server:
-                      description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
-                      type: string
-                    skipTLSVerify:
-                      description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
-                      type: boolean
-                    solvers:
-                      description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
-                      type: array
-                      items:
-                        description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided.
-                        type: object
-                        properties:
-                          dns01:
-                            description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
-                            type: object
-                            properties:
-                              acmeDNS:
-                                description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - accountSecretRef
-                                  - host
-                                properties:
-                                  accountSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  host:
-                                    type: string
-                              akamai:
-                                description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - accessTokenSecretRef
-                                  - clientSecretSecretRef
-                                  - clientTokenSecretRef
-                                  - serviceConsumerDomain
-                                properties:
-                                  accessTokenSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  clientSecretSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  clientTokenSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  serviceConsumerDomain:
-                                    type: string
-                              azureDNS:
-                                description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - resourceGroupName
-                                  - subscriptionID
-                                properties:
-                                  clientID:
-                                    description: if both this and ClientSecret are left unset MSI will be used
-                                    type: string
-                                  clientSecretSecretRef:
-                                    description: if both this and ClientID are left unset MSI will be used
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  environment:
-                                    type: string
-                                    enum:
-                                      - AzurePublicCloud
-                                      - AzureChinaCloud
-                                      - AzureGermanCloud
-                                      - AzureUSGovernmentCloud
-                                  hostedZoneName:
-                                    type: string
-                                  resourceGroupName:
-                                    type: string
-                                  subscriptionID:
-                                    type: string
-                                  tenantID:
-                                    description: when specifying ClientID and ClientSecret then this field is also needed
-                                    type: string
-                              cloudDNS:
-                                description: Use the Google Cloud DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - project
-                                properties:
-                                  hostedZoneName:
-                                    description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
-                                    type: string
-                                  project:
-                                    type: string
-                                  serviceAccountSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              cloudflare:
-                                description: Use the Cloudflare API to manage DNS01 challenge records.
-                                type: object
-                                properties:
-                                  apiKeySecretRef:
-                                    description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  apiTokenSecretRef:
-                                    description: API token used to authenticate with Cloudflare.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  email:
-                                    description: Email of the account, only required when using API key based authentication.
-                                    type: string
-                              cnameStrategy:
-                                description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
-                                type: string
-                                enum:
-                                  - None
-                                  - Follow
-                              digitalocean:
-                                description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - tokenSecretRef
-                                properties:
-                                  tokenSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              rfc2136:
-                                description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - nameserver
-                                properties:
-                                  nameserver:
-                                    description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
-                                    type: string
-                                  tsigAlgorithm:
-                                    description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
-                                    type: string
-                                  tsigKeyName:
-                                    description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
-                                    type: string
-                                  tsigSecretSecretRef:
-                                    description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              route53:
-                                description: Use the AWS Route53 API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - region
-                                properties:
-                                  accessKeyID:
-                                    description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
-                                    type: string
-                                  hostedZoneID:
-                                    description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
-                                    type: string
-                                  region:
-                                    description: Always set the region when using AccessKeyID and SecretAccessKey
-                                    type: string
-                                  role:
-                                    description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
-                                    type: string
-                                  secretAccessKeySecretRef:
-                                    description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              webhook:
-                                description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - groupName
-                                  - solverName
-                                properties:
-                                  config:
-                                    description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
-                                    x-kubernetes-preserve-unknown-fields: true
-                                  groupName:
-                                    description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
-                                    type: string
-                                  solverName:
-                                    description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
-                                    type: string
-                          http01:
-                            description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
-                            type: object
-                            properties:
-                              gatewayHTTPRoute:
-                                description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
-                                type: object
-                                properties:
-                                  labels:
-                                    description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
-                                    type: object
-                                    additionalProperties:
-                                      type: string
-                                  serviceType:
-                                    description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
-                                    type: string
-                              ingress:
-                                description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
-                                type: object
-                                properties:
-                                  class:
-                                    description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
-                                    type: string
-                                  ingressTemplate:
-                                    description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
-                                    type: object
-                                    properties:
-                                      metadata:
-                                        description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
-                                        type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added to the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                  name:
-                                    description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
-                                    type: string
-                                  podTemplate:
-                                    description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges
-                                    type: object
-                                    properties:
-                                      metadata:
-                                        description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
-                                        type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added to the create ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to the created ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                      spec:
-                                        description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
-                                        type: object
-                                        properties:
-                                          affinity:
-                                            description: If specified, the pod's scheduling constraints
-                                            type: object
-                                            properties:
-                                              nodeAffinity:
-                                                description: Describes node affinity scheduling rules for the pod.
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
-                                                      type: object
-                                                      required:
-                                                        - preference
-                                                        - weight
-                                                      properties:
-                                                        preference:
-                                                          description: A node selector term, associated with the corresponding weight.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node selector requirements by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchFields:
-                                                              description: A list of node selector requirements by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                        weight:
-                                                          description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
-                                                    type: object
-                                                    required:
-                                                      - nodeSelectorTerms
-                                                    properties:
-                                                      nodeSelectorTerms:
-                                                        description: Required. A list of node selector terms. The terms are ORed.
-                                                        type: array
-                                                        items:
-                                                          description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node selector requirements by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchFields:
-                                                              description: A list of node selector requirements by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                              podAffinity:
-                                                description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                      type: object
-                                                      required:
-                                                        - podAffinityTerm
-                                                        - weight
-                                                      properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod affinity term, associated with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                            - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: A label query over a set of resources, in this case pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaceSelector:
-                                                              description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaces:
-                                                              description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                            topologyKey:
-                                                              description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
-                                                      type: object
-                                                      required:
-                                                        - topologyKey
-                                                      properties:
-                                                        labelSelector:
-                                                          description: A label query over a set of resources, in this case pods.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaceSelector:
-                                                          description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaces:
-                                                          description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                        topologyKey:
-                                                          description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                          type: string
-                                              podAntiAffinity:
-                                                description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                      type: object
-                                                      required:
-                                                        - podAffinityTerm
-                                                        - weight
-                                                      properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod affinity term, associated with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                            - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: A label query over a set of resources, in this case pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaceSelector:
-                                                              description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaces:
-                                                              description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                            topologyKey:
-                                                              description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
-                                                      type: object
-                                                      required:
-                                                        - topologyKey
-                                                      properties:
-                                                        labelSelector:
-                                                          description: A label query over a set of resources, in this case pods.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaceSelector:
-                                                          description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaces:
-                                                          description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                        topologyKey:
-                                                          description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                          type: string
-                                          nodeSelector:
-                                            description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          priorityClassName:
-                                            description: If specified, the pod's priorityClassName.
-                                            type: string
-                                          serviceAccountName:
-                                            description: If specified, the pod's service account
-                                            type: string
-                                          tolerations:
-                                            description: If specified, the pod's tolerations.
-                                            type: array
-                                            items:
-                                              description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
-                                              type: object
-                                              properties:
-                                                effect:
-                                                  description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
-                                                  type: string
-                                                key:
-                                                  description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
-                                                  type: string
-                                                operator:
-                                                  description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
-                                                  type: string
-                                                tolerationSeconds:
-                                                  description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
-                                                  type: integer
-                                                  format: int64
-                                                value:
-                                                  description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
-                                                  type: string
-                                  serviceType:
-                                    description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
-                                    type: string
-                          selector:
-                            description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
-                            type: object
-                            properties:
-                              dnsNames:
-                                description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              dnsZones:
-                                description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              matchLabels:
-                                description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
-                                type: object
-                                additionalProperties:
-                                  type: string
-                ca:
-                  description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
-                  type: object
-                  required:
-                    - secretName
-                  properties:
-                    crlDistributionPoints:
-                      description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
-                      type: array
-                      items:
-                        type: string
-                    ocspServers:
-                      description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
-                      type: array
-                      items:
-                        type: string
-                    secretName:
-                      description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
-                      type: string
-                selfSigned:
-                  description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
-                  type: object
-                  properties:
-                    crlDistributionPoints:
-                      description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
-                      type: array
-                      items:
-                        type: string
-                vault:
-                  description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
-                  type: object
-                  required:
-                    - auth
-                    - path
-                    - server
-                  properties:
-                    auth:
-                      description: Auth configures how cert-manager authenticates with the Vault server.
-                      type: object
-                      properties:
-                        appRole:
-                          description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
-                          type: object
-                          required:
-                            - path
-                            - roleId
-                            - secretRef
-                          properties:
-                            path:
-                              description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
-                              type: string
-                            roleId:
-                              description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
-                              type: string
-                            secretRef:
-                              description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        kubernetes:
-                          description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
-                          type: object
-                          required:
-                            - role
-                            - secretRef
-                          properties:
-                            mountPath:
-                              description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
-                              type: string
-                            role:
-                              description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
-                              type: string
-                            secretRef:
-                              description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        tokenSecretRef:
-                          description: TokenSecretRef authenticates with Vault by presenting a token.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                    caBundle:
-                      description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
-                      type: string
-                      format: byte
-                    namespace:
-                      description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
-                      type: string
-                    path:
-                      description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
-                      type: string
-                    server:
-                      description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                      type: string
-                venafi:
-                  description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
-                  type: object
-                  required:
-                    - zone
-                  properties:
-                    cloud:
-                      description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
-                      type: object
-                      required:
-                        - apiTokenSecretRef
-                      properties:
-                        apiTokenSecretRef:
-                          description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                        url:
-                          description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
-                          type: string
-                    tpp:
-                      description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
-                      type: object
-                      required:
-                        - credentialsRef
-                        - url
-                      properties:
-                        caBundle:
-                          description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
-                          type: string
-                          format: byte
-                        credentialsRef:
-                          description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                        url:
-                          description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
-                          type: string
-                    zone:
-                      description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
-                      type: string
-            status:
-              description: Status of the Issuer. This is set and managed automatically.
-              type: object
-              properties:
-                acme:
-                  description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
-                  type: object
-                  properties:
-                    lastRegisteredEmail:
-                      description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the  Issuer
-                      type: string
-                    uri:
-                      description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
-                      type: string
-                conditions:
-                  description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
-                  type: array
-                  items:
-                    description: IssuerCondition contains condition information for an Issuer.
-                    type: object
-                    required:
-                      - status
-                      - type
-                    properties:
-                      lastTransitionTime:
-                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
-                        type: string
-                        format: date-time
-                      message:
-                        description: Message is a human readable description of the details of the last transition, complementing reason.
-                        type: string
-                      observedGeneration:
-                        description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
-                        type: integer
-                        format: int64
-                      reason:
-                        description: Reason is a brief machine readable explanation for the condition's last transition.
-                        type: string
-                      status:
-                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
-                        type: string
-                        enum:
-                          - "True"
-                          - "False"
-                          - Unknown
-                      type:
-                        description: Type of the condition, known values are (`Ready`).
-                        type: string
-      served: true
-      storage: false
-    - name: v1
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].message
-          name: Status
-          priority: 1
-          type: string
-        - jsonPath: .metadata.creationTimestamp
-          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          name: Age
-          type: date
-      schema:
-        openAPIV3Schema:
-          description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
-          type: object
-          required:
-            - spec
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: Desired state of the Issuer resource.
-              type: object
-              properties:
-                acme:
-                  description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
-                  type: object
-                  required:
-                    - privateKeySecretRef
-                    - server
-                  properties:
-                    disableAccountKeyGeneration:
-                      description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
-                      type: boolean
-                    email:
-                      description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
-                      type: string
-                    enableDurationFeature:
-                      description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
-                      type: boolean
-                    externalAccountBinding:
-                      description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
-                      type: object
-                      required:
-                        - keyID
-                        - keySecretRef
-                      properties:
-                        keyAlgorithm:
-                          description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
-                          type: string
-                          enum:
-                            - HS256
-                            - HS384
-                            - HS512
-                        keyID:
-                          description: keyID is the ID of the CA key that the External Account is bound to.
-                          type: string
-                        keySecretRef:
-                          description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                    preferredChain:
-                      description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
-                      type: string
-                      maxLength: 64
-                    privateKeySecretRef:
-                      description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
-                      type: object
-                      required:
-                        - name
-                      properties:
-                        key:
-                          description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                          type: string
-                        name:
-                          description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                          type: string
-                    server:
-                      description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
-                      type: string
-                    skipTLSVerify:
-                      description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
-                      type: boolean
-                    solvers:
-                      description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
-                      type: array
-                      items:
-                        description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
-                        type: object
-                        properties:
-                          dns01:
-                            description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
-                            type: object
-                            properties:
-                              acmeDNS:
-                                description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - accountSecretRef
-                                  - host
-                                properties:
-                                  accountSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  host:
-                                    type: string
-                              akamai:
-                                description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - accessTokenSecretRef
-                                  - clientSecretSecretRef
-                                  - clientTokenSecretRef
-                                  - serviceConsumerDomain
-                                properties:
-                                  accessTokenSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  clientSecretSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  clientTokenSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  serviceConsumerDomain:
-                                    type: string
-                              azureDNS:
-                                description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - resourceGroupName
-                                  - subscriptionID
-                                properties:
-                                  clientID:
-                                    description: if both this and ClientSecret are left unset MSI will be used
-                                    type: string
-                                  clientSecretSecretRef:
-                                    description: if both this and ClientID are left unset MSI will be used
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  environment:
-                                    type: string
-                                    enum:
-                                      - AzurePublicCloud
-                                      - AzureChinaCloud
-                                      - AzureGermanCloud
-                                      - AzureUSGovernmentCloud
-                                  hostedZoneName:
-                                    type: string
-                                  resourceGroupName:
-                                    type: string
-                                  subscriptionID:
-                                    type: string
-                                  tenantID:
-                                    description: when specifying ClientID and ClientSecret then this field is also needed
-                                    type: string
-                              cloudDNS:
-                                description: Use the Google Cloud DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - project
-                                properties:
-                                  hostedZoneName:
-                                    description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
-                                    type: string
-                                  project:
-                                    type: string
-                                  serviceAccountSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              cloudflare:
-                                description: Use the Cloudflare API to manage DNS01 challenge records.
-                                type: object
-                                properties:
-                                  apiKeySecretRef:
-                                    description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  apiTokenSecretRef:
-                                    description: API token used to authenticate with Cloudflare.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  email:
-                                    description: Email of the account, only required when using API key based authentication.
-                                    type: string
-                              cnameStrategy:
-                                description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
-                                type: string
-                                enum:
-                                  - None
-                                  - Follow
-                              digitalocean:
-                                description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - tokenSecretRef
-                                properties:
-                                  tokenSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              rfc2136:
-                                description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - nameserver
-                                properties:
-                                  nameserver:
-                                    description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
-                                    type: string
-                                  tsigAlgorithm:
-                                    description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
-                                    type: string
-                                  tsigKeyName:
-                                    description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
-                                    type: string
-                                  tsigSecretSecretRef:
-                                    description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              route53:
-                                description: Use the AWS Route53 API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - region
-                                properties:
-                                  accessKeyID:
-                                    description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
-                                    type: string
-                                  hostedZoneID:
-                                    description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
-                                    type: string
-                                  region:
-                                    description: Always set the region when using AccessKeyID and SecretAccessKey
-                                    type: string
-                                  role:
-                                    description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
-                                    type: string
-                                  secretAccessKeySecretRef:
-                                    description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              webhook:
-                                description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - groupName
-                                  - solverName
-                                properties:
-                                  config:
-                                    description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
-                                    x-kubernetes-preserve-unknown-fields: true
-                                  groupName:
-                                    description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
-                                    type: string
-                                  solverName:
-                                    description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
-                                    type: string
-                          http01:
-                            description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
-                            type: object
-                            properties:
-                              gatewayHTTPRoute:
-                                description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
-                                type: object
-                                properties:
-                                  labels:
-                                    description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
-                                    type: object
-                                    additionalProperties:
-                                      type: string
-                                  serviceType:
-                                    description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
-                                    type: string
-                              ingress:
-                                description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
-                                type: object
-                                properties:
-                                  class:
-                                    description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
-                                    type: string
-                                  ingressTemplate:
-                                    description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
-                                    type: object
-                                    properties:
-                                      metadata:
-                                        description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
-                                        type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added to the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                  name:
-                                    description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
-                                    type: string
-                                  podTemplate:
-                                    description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
-                                    type: object
-                                    properties:
-                                      metadata:
-                                        description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
-                                        type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added to the create ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to the created ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                      spec:
-                                        description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
-                                        type: object
-                                        properties:
-                                          affinity:
-                                            description: If specified, the pod's scheduling constraints
-                                            type: object
-                                            properties:
-                                              nodeAffinity:
-                                                description: Describes node affinity scheduling rules for the pod.
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
-                                                      type: object
-                                                      required:
-                                                        - preference
-                                                        - weight
-                                                      properties:
-                                                        preference:
-                                                          description: A node selector term, associated with the corresponding weight.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node selector requirements by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchFields:
-                                                              description: A list of node selector requirements by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                        weight:
-                                                          description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
-                                                    type: object
-                                                    required:
-                                                      - nodeSelectorTerms
-                                                    properties:
-                                                      nodeSelectorTerms:
-                                                        description: Required. A list of node selector terms. The terms are ORed.
-                                                        type: array
-                                                        items:
-                                                          description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node selector requirements by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchFields:
-                                                              description: A list of node selector requirements by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                              podAffinity:
-                                                description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                      type: object
-                                                      required:
-                                                        - podAffinityTerm
-                                                        - weight
-                                                      properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod affinity term, associated with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                            - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: A label query over a set of resources, in this case pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaceSelector:
-                                                              description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaces:
-                                                              description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                            topologyKey:
-                                                              description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
-                                                      type: object
-                                                      required:
-                                                        - topologyKey
-                                                      properties:
-                                                        labelSelector:
-                                                          description: A label query over a set of resources, in this case pods.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaceSelector:
-                                                          description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaces:
-                                                          description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                        topologyKey:
-                                                          description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                          type: string
-                                              podAntiAffinity:
-                                                description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                      type: object
-                                                      required:
-                                                        - podAffinityTerm
-                                                        - weight
-                                                      properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod affinity term, associated with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                            - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: A label query over a set of resources, in this case pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaceSelector:
-                                                              description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaces:
-                                                              description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                            topologyKey:
-                                                              description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
-                                                      type: object
-                                                      required:
-                                                        - topologyKey
-                                                      properties:
-                                                        labelSelector:
-                                                          description: A label query over a set of resources, in this case pods.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaceSelector:
-                                                          description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaces:
-                                                          description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                        topologyKey:
-                                                          description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                          type: string
-                                          nodeSelector:
-                                            description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          priorityClassName:
-                                            description: If specified, the pod's priorityClassName.
-                                            type: string
-                                          serviceAccountName:
-                                            description: If specified, the pod's service account
-                                            type: string
-                                          tolerations:
-                                            description: If specified, the pod's tolerations.
-                                            type: array
-                                            items:
-                                              description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
-                                              type: object
-                                              properties:
-                                                effect:
-                                                  description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
-                                                  type: string
-                                                key:
-                                                  description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
-                                                  type: string
-                                                operator:
-                                                  description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
-                                                  type: string
-                                                tolerationSeconds:
-                                                  description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
-                                                  type: integer
-                                                  format: int64
-                                                value:
-                                                  description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
-                                                  type: string
-                                  serviceType:
-                                    description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
-                                    type: string
-                          selector:
-                            description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
-                            type: object
-                            properties:
-                              dnsNames:
-                                description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              dnsZones:
-                                description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              matchLabels:
-                                description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
-                                type: object
-                                additionalProperties:
-                                  type: string
-                ca:
-                  description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
-                  type: object
-                  required:
-                    - secretName
-                  properties:
-                    crlDistributionPoints:
-                      description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
-                      type: array
-                      items:
-                        type: string
-                    ocspServers:
-                      description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
-                      type: array
-                      items:
-                        type: string
-                    secretName:
-                      description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
-                      type: string
-                selfSigned:
-                  description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
-                  type: object
-                  properties:
-                    crlDistributionPoints:
-                      description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
-                      type: array
-                      items:
-                        type: string
-                vault:
-                  description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
-                  type: object
-                  required:
-                    - auth
-                    - path
-                    - server
-                  properties:
-                    auth:
-                      description: Auth configures how cert-manager authenticates with the Vault server.
-                      type: object
-                      properties:
-                        appRole:
-                          description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
-                          type: object
-                          required:
-                            - path
-                            - roleId
-                            - secretRef
-                          properties:
-                            path:
-                              description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
-                              type: string
-                            roleId:
-                              description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
-                              type: string
-                            secretRef:
-                              description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        kubernetes:
-                          description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
-                          type: object
-                          required:
-                            - role
-                            - secretRef
-                          properties:
-                            mountPath:
-                              description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
-                              type: string
-                            role:
-                              description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
-                              type: string
-                            secretRef:
-                              description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        tokenSecretRef:
-                          description: TokenSecretRef authenticates with Vault by presenting a token.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                    caBundle:
-                      description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
-                      type: string
-                      format: byte
-                    namespace:
-                      description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
-                      type: string
-                    path:
-                      description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
-                      type: string
-                    server:
-                      description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                      type: string
-                venafi:
-                  description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
-                  type: object
-                  required:
-                    - zone
-                  properties:
-                    cloud:
-                      description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
-                      type: object
-                      required:
-                        - apiTokenSecretRef
-                      properties:
-                        apiTokenSecretRef:
-                          description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                        url:
-                          description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
-                          type: string
-                    tpp:
-                      description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
-                      type: object
-                      required:
-                        - credentialsRef
-                        - url
-                      properties:
-                        caBundle:
-                          description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
-                          type: string
-                          format: byte
-                        credentialsRef:
-                          description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                        url:
-                          description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
-                          type: string
-                    zone:
-                      description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
-                      type: string
-            status:
-              description: Status of the Issuer. This is set and managed automatically.
-              type: object
-              properties:
-                acme:
-                  description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
-                  type: object
-                  properties:
-                    lastRegisteredEmail:
-                      description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the  Issuer
-                      type: string
-                    uri:
-                      description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
-                      type: string
-                conditions:
-                  description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
-                  type: array
-                  items:
-                    description: IssuerCondition contains condition information for an Issuer.
-                    type: object
-                    required:
-                      - status
-                      - type
-                    properties:
-                      lastTransitionTime:
-                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
-                        type: string
-                        format: date-time
-                      message:
-                        description: Message is a human readable description of the details of the last transition, complementing reason.
-                        type: string
-                      observedGeneration:
-                        description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
-                        type: integer
-                        format: int64
-                      reason:
-                        description: Reason is a brief machine readable explanation for the condition's last transition.
-                        type: string
-                      status:
-                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
-                        type: string
-                        enum:
-                          - "True"
-                          - "False"
-                          - Unknown
-                      type:
-                        description: Type of the condition, known values are (`Ready`).
-                        type: string
-      served: true
-      storage: true
----
-# Source: cert-manager/templates/templates.out
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: orders.acme.cert-manager.io
-  annotations:
-    cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
-  labels:
-    app: 'cert-manager'
-    app.kubernetes.io/name: 'cert-manager'
-    app.kubernetes.io/instance: 'cert-manager'
-    # Generated labels
-    app.kubernetes.io/version: "v1.5.4"
-spec:
-  group: acme.cert-manager.io
-  names:
-    kind: Order
-    listKind: OrderList
-    plural: orders
-    singular: order
-    categories:
-      - cert-manager
-      - cert-manager-acme
-  scope: Namespaced
-  conversion:
-    # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
-    strategy: Webhook
-    # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
-    webhook:
-      # We don't actually support `v1beta1` but is listed here as it is a
-      # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
-      # API server reads the supported versions in order, so _should always_
-      # attempt a `v1` request which is understood by the cert-manager webhook.
-      # Any `v1beta1` request will return an error and fail closed for that
-      # resource (the whole object request is rejected).
-      # When we no longer support v1.16 we can remove `v1beta1` from this list.
-      conversionReviewVersions: ["v1", "v1beta1"]
-      clientConfig:
-        #
-        service:
-          name: 'cert-manager-webhook'
-          namespace: "cert-manager"
-          path: /convert
-          #
-  versions:
-    - name: v1alpha2
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - jsonPath: .status.state
-          name: State
-          type: string
-        - jsonPath: .spec.issuerRef.name
-          name: Issuer
-          priority: 1
-          type: string
-        - jsonPath: .status.reason
-          name: Reason
-          priority: 1
-          type: string
-        - jsonPath: .metadata.creationTimestamp
-          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          name: Age
-          type: date
-      schema:
-        openAPIV3Schema:
-          description: Order is a type to represent an Order with an ACME server
-          type: object
-          required:
-            - metadata
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              type: object
-              required:
-                - csr
-                - issuerRef
-              properties:
-                commonName:
-                  description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
-                  type: string
-                csr:
-                  description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
-                  type: string
-                  format: byte
-                dnsNames:
-                  description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
-                  type: array
-                  items:
-                    type: string
-                duration:
-                  description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec.
-                  type: string
-                ipAddresses:
-                  description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
-                  type: array
-                  items:
-                    type: string
-                issuerRef:
-                  description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
-                  type: object
-                  required:
-                    - name
-                  properties:
-                    group:
-                      description: Group of the resource being referred to.
-                      type: string
-                    kind:
-                      description: Kind of the resource being referred to.
-                      type: string
-                    name:
-                      description: Name of the resource being referred to.
-                      type: string
-            status:
-              type: object
-              properties:
-                authorizations:
-                  description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
-                  type: array
-                  items:
-                    description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource.
-                    type: object
-                    required:
-                      - url
-                    properties:
-                      challenges:
-                        description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
-                        type: array
-                        items:
-                          description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
-                          type: object
-                          required:
-                            - token
-                            - type
-                            - url
-                          properties:
-                            token:
-                              description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
-                              type: string
-                            type:
-                              description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
-                              type: string
-                            url:
-                              description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
-                              type: string
-                      identifier:
-                        description: Identifier is the DNS name to be validated as part of this authorization
-                        type: string
-                      initialState:
-                        description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
-                        type: string
-                        enum:
-                          - valid
-                          - ready
-                          - pending
-                          - processing
-                          - invalid
-                          - expired
-                          - errored
-                      url:
-                        description: URL is the URL of the Authorization that must be completed
-                        type: string
-                      wildcard:
-                        description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
-                        type: boolean
-                certificate:
-                  description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
-                  type: string
-                  format: byte
-                failureTime:
-                  description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
-                  type: string
-                  format: date-time
-                finalizeURL:
-                  description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
-                  type: string
-                reason:
-                  description: Reason optionally provides more information about a why the order is in the current state.
-                  type: string
-                state:
-                  description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
-                  type: string
-                  enum:
-                    - valid
-                    - ready
-                    - pending
-                    - processing
-                    - invalid
-                    - expired
-                    - errored
-                url:
-                  description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
-                  type: string
-      served: true
-      storage: false
-    - name: v1alpha3
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - jsonPath: .status.state
-          name: State
-          type: string
-        - jsonPath: .spec.issuerRef.name
-          name: Issuer
-          priority: 1
-          type: string
-        - jsonPath: .status.reason
-          name: Reason
-          priority: 1
-          type: string
-        - jsonPath: .metadata.creationTimestamp
-          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          name: Age
-          type: date
-      schema:
-        openAPIV3Schema:
-          description: Order is a type to represent an Order with an ACME server
-          type: object
-          required:
-            - metadata
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              type: object
-              required:
-                - csr
-                - issuerRef
-              properties:
-                commonName:
-                  description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
-                  type: string
-                csr:
-                  description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
-                  type: string
-                  format: byte
-                dnsNames:
-                  description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
-                  type: array
-                  items:
-                    type: string
-                duration:
-                  description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec.
-                  type: string
-                ipAddresses:
-                  description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
-                  type: array
-                  items:
-                    type: string
-                issuerRef:
-                  description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
-                  type: object
-                  required:
-                    - name
-                  properties:
-                    group:
-                      description: Group of the resource being referred to.
-                      type: string
-                    kind:
-                      description: Kind of the resource being referred to.
-                      type: string
-                    name:
-                      description: Name of the resource being referred to.
-                      type: string
-            status:
-              type: object
-              properties:
-                authorizations:
-                  description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
-                  type: array
-                  items:
-                    description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource.
-                    type: object
-                    required:
-                      - url
-                    properties:
-                      challenges:
-                        description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
-                        type: array
-                        items:
-                          description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
-                          type: object
-                          required:
-                            - token
-                            - type
-                            - url
-                          properties:
-                            token:
-                              description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
-                              type: string
-                            type:
-                              description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
-                              type: string
-                            url:
-                              description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
-                              type: string
-                      identifier:
-                        description: Identifier is the DNS name to be validated as part of this authorization
-                        type: string
-                      initialState:
-                        description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
-                        type: string
-                        enum:
-                          - valid
-                          - ready
-                          - pending
-                          - processing
-                          - invalid
-                          - expired
-                          - errored
-                      url:
-                        description: URL is the URL of the Authorization that must be completed
-                        type: string
-                      wildcard:
-                        description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
-                        type: boolean
-                certificate:
-                  description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
-                  type: string
-                  format: byte
-                failureTime:
-                  description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
-                  type: string
-                  format: date-time
-                finalizeURL:
-                  description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
-                  type: string
-                reason:
-                  description: Reason optionally provides more information about a why the order is in the current state.
-                  type: string
-                state:
-                  description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
-                  type: string
-                  enum:
-                    - valid
-                    - ready
-                    - pending
-                    - processing
-                    - invalid
-                    - expired
-                    - errored
-                url:
-                  description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
-                  type: string
-      served: true
-      storage: false
-    - name: v1beta1
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - jsonPath: .status.state
-          name: State
-          type: string
-        - jsonPath: .spec.issuerRef.name
-          name: Issuer
-          priority: 1
-          type: string
-        - jsonPath: .status.reason
-          name: Reason
-          priority: 1
-          type: string
-        - jsonPath: .metadata.creationTimestamp
-          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          name: Age
-          type: date
-      schema:
-        openAPIV3Schema:
-          description: Order is a type to represent an Order with an ACME server
-          type: object
-          required:
-            - metadata
-            - spec
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              type: object
-              required:
-                - issuerRef
-                - request
-              properties:
-                commonName:
-                  description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
-                  type: string
-                dnsNames:
-                  description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
-                  type: array
-                  items:
-                    type: string
-                duration:
-                  description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec.
-                  type: string
-                ipAddresses:
-                  description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
-                  type: array
-                  items:
-                    type: string
-                issuerRef:
-                  description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
-                  type: object
-                  required:
-                    - name
-                  properties:
-                    group:
-                      description: Group of the resource being referred to.
-                      type: string
-                    kind:
-                      description: Kind of the resource being referred to.
-                      type: string
-                    name:
-                      description: Name of the resource being referred to.
-                      type: string
-                request:
-                  description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
-                  type: string
-                  format: byte
-            status:
-              type: object
-              properties:
-                authorizations:
-                  description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
-                  type: array
-                  items:
-                    description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource.
-                    type: object
-                    required:
-                      - url
-                    properties:
-                      challenges:
-                        description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
-                        type: array
-                        items:
-                          description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
-                          type: object
-                          required:
-                            - token
-                            - type
-                            - url
-                          properties:
-                            token:
-                              description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
-                              type: string
-                            type:
-                              description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
-                              type: string
-                            url:
-                              description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
-                              type: string
-                      identifier:
-                        description: Identifier is the DNS name to be validated as part of this authorization
-                        type: string
-                      initialState:
-                        description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
-                        type: string
-                        enum:
-                          - valid
-                          - ready
-                          - pending
-                          - processing
-                          - invalid
-                          - expired
-                          - errored
-                      url:
-                        description: URL is the URL of the Authorization that must be completed
-                        type: string
-                      wildcard:
-                        description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
-                        type: boolean
-                certificate:
-                  description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
-                  type: string
-                  format: byte
-                failureTime:
-                  description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
-                  type: string
-                  format: date-time
-                finalizeURL:
-                  description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
-                  type: string
-                reason:
-                  description: Reason optionally provides more information about a why the order is in the current state.
-                  type: string
-                state:
-                  description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
-                  type: string
-                  enum:
-                    - valid
-                    - ready
-                    - pending
-                    - processing
-                    - invalid
-                    - expired
-                    - errored
-                url:
-                  description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
-                  type: string
-      served: true
-      storage: false
-    - name: v1
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - jsonPath: .status.state
-          name: State
-          type: string
-        - jsonPath: .spec.issuerRef.name
-          name: Issuer
-          priority: 1
-          type: string
-        - jsonPath: .status.reason
-          name: Reason
-          priority: 1
-          type: string
-        - jsonPath: .metadata.creationTimestamp
-          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          name: Age
-          type: date
-      schema:
-        openAPIV3Schema:
-          description: Order is a type to represent an Order with an ACME server
-          type: object
-          required:
-            - metadata
-            - spec
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              type: object
-              required:
-                - issuerRef
-                - request
-              properties:
-                commonName:
-                  description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
-                  type: string
-                dnsNames:
-                  description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
-                  type: array
-                  items:
-                    type: string
-                duration:
-                  description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec.
-                  type: string
-                ipAddresses:
-                  description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
-                  type: array
-                  items:
-                    type: string
-                issuerRef:
-                  description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
-                  type: object
-                  required:
-                    - name
-                  properties:
-                    group:
-                      description: Group of the resource being referred to.
-                      type: string
-                    kind:
-                      description: Kind of the resource being referred to.
-                      type: string
-                    name:
-                      description: Name of the resource being referred to.
-                      type: string
-                request:
-                  description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
-                  type: string
-                  format: byte
-            status:
-              type: object
-              properties:
-                authorizations:
-                  description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
-                  type: array
-                  items:
-                    description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource.
-                    type: object
-                    required:
-                      - url
-                    properties:
-                      challenges:
-                        description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
-                        type: array
-                        items:
-                          description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
-                          type: object
-                          required:
-                            - token
-                            - type
-                            - url
-                          properties:
-                            token:
-                              description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
-                              type: string
-                            type:
-                              description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
-                              type: string
-                            url:
-                              description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
-                              type: string
-                      identifier:
-                        description: Identifier is the DNS name to be validated as part of this authorization
-                        type: string
-                      initialState:
-                        description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
-                        type: string
-                        enum:
-                          - valid
-                          - ready
-                          - pending
-                          - processing
-                          - invalid
-                          - expired
-                          - errored
-                      url:
-                        description: URL is the URL of the Authorization that must be completed
-                        type: string
-                      wildcard:
-                        description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
-                        type: boolean
-                certificate:
-                  description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
-                  type: string
-                  format: byte
-                failureTime:
-                  description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
-                  type: string
-                  format: date-time
-                finalizeURL:
-                  description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
-                  type: string
-                reason:
-                  description: Reason optionally provides more information about a why the order is in the current state.
-                  type: string
-                state:
-                  description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
-                  type: string
-                  enum:
-                    - valid
-                    - ready
-                    - pending
-                    - processing
-                    - invalid
-                    - expired
-                    - errored
-                url:
-                  description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
-                  type: string
-      served: true
-      storage: true
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: cert-manager
----
-# Source: cert-manager/templates/cainjector-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-automountServiceAccountToken: true
-metadata:
-  name: cert-manager-cainjector
-  namespace: "cert-manager"
-  labels:
-    app: cainjector
-    app.kubernetes.io/name: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "cainjector"
-    app.kubernetes.io/version: "v1.5.4"
----
-# Source: cert-manager/templates/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-automountServiceAccountToken: true
-metadata:
-  name: cert-manager
-  namespace: "cert-manager"
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.5.4"
----
-# Source: cert-manager/templates/webhook-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-automountServiceAccountToken: true
-metadata:
-  name: cert-manager-webhook
-  namespace: "cert-manager"
-  labels:
-    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.5.4"
----
-# Source: cert-manager/templates/cainjector-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-cainjector
-  labels:
-    app: cainjector
-    app.kubernetes.io/name: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "cainjector"
-    app.kubernetes.io/version: "v1.5.4"
-rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["get", "create", "update", "patch"]
-  - apiGroups: ["admissionregistration.k8s.io"]
-    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
-    verbs: ["get", "list", "watch", "update"]
-  - apiGroups: ["apiregistration.k8s.io"]
-    resources: ["apiservices"]
-    verbs: ["get", "list", "watch", "update"]
-  - apiGroups: ["apiextensions.k8s.io"]
-    resources: ["customresourcedefinitions"]
-    verbs: ["get", "list", "watch", "update"]
-  - apiGroups: ["auditregistration.k8s.io"]
-    resources: ["auditsinks"]
-    verbs: ["get", "list", "watch", "update"]
----
-# Source: cert-manager/templates/rbac.yaml
-# Issuer controller role
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-controller-issuers
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.5.4"
-rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["issuers", "issuers/status"]
-    verbs: ["update"]
-  - apiGroups: ["cert-manager.io"]
-    resources: ["issuers"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "watch", "create", "update", "delete"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["create", "patch"]
----
-# Source: cert-manager/templates/rbac.yaml
-# ClusterIssuer controller role
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-controller-clusterissuers
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.5.4"
-rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["clusterissuers", "clusterissuers/status"]
-    verbs: ["update"]
-  - apiGroups: ["cert-manager.io"]
-    resources: ["clusterissuers"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "watch", "create", "update", "delete"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["create", "patch"]
----
-# Source: cert-manager/templates/rbac.yaml
-# Certificates controller role
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-controller-certificates
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.5.4"
-rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
-    verbs: ["update"]
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
-    verbs: ["get", "list", "watch"]
-  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
-  # admission controller enabled:
-  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates/finalizers", "certificaterequests/finalizers"]
-    verbs: ["update"]
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["orders"]
-    verbs: ["create", "delete", "get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "watch", "create", "update", "delete"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["create", "patch"]
----
-# Source: cert-manager/templates/rbac.yaml
-# Orders controller role
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-controller-orders
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.5.4"
-rules:
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["orders", "orders/status"]
-    verbs: ["update"]
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["orders", "challenges"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["cert-manager.io"]
-    resources: ["clusterissuers", "issuers"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["challenges"]
-    verbs: ["create", "delete"]
-  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
-  # admission controller enabled:
-  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["orders/finalizers"]
-    verbs: ["update"]
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["create", "patch"]
----
-# Source: cert-manager/templates/rbac.yaml
-# Challenges controller role
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-controller-challenges
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.5.4"
-rules:
-  # Use to update challenge resource status
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["challenges", "challenges/status"]
-    verbs: ["update"]
-  # Used to watch challenge resources
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["challenges"]
-    verbs: ["get", "list", "watch"]
-  # Used to watch challenges, issuer and clusterissuer resources
-  - apiGroups: ["cert-manager.io"]
-    resources: ["issuers", "clusterissuers"]
-    verbs: ["get", "list", "watch"]
-  # Need to be able to retrieve ACME account private key to complete challenges
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "watch"]
-  # Used to create events
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["create", "patch"]
-  # HTTP01 rules
-  - apiGroups: [""]
-    resources: ["pods", "services"]
-    verbs: ["get", "list", "watch", "create", "delete"]
-  - apiGroups: ["networking.k8s.io"]
-    resources: ["ingresses"]
-    verbs: ["get", "list", "watch", "create", "delete", "update"]
-  - apiGroups: [ "networking.x-k8s.io" ]
-    resources: [ "httproutes" ]
-    verbs: ["get", "list", "watch", "create", "delete", "update"]
-  # We require the ability to specify a custom hostname when we are creating
-  # new ingress resources.
-  # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
-  - apiGroups: ["route.openshift.io"]
-    resources: ["routes/custom-host"]
-    verbs: ["create"]
-  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
-  # admission controller enabled:
-  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["challenges/finalizers"]
-    verbs: ["update"]
-  # DNS01 rules (duplicated above)
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "watch"]
----
-# Source: cert-manager/templates/rbac.yaml
-# ingress-shim controller role
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-controller-ingress-shim
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.5.4"
-rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates", "certificaterequests"]
-    verbs: ["create", "update", "delete"]
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["networking.k8s.io"]
-    resources: ["ingresses"]
-    verbs: ["get", "list", "watch"]
-  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
-  # admission controller enabled:
-  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
-  - apiGroups: ["networking.k8s.io"]
-    resources: ["ingresses/finalizers"]
-    verbs: ["update"]
-  - apiGroups: ["networking.x-k8s.io"]
-    resources: ["gateways", "httproutes"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["networking.x-k8s.io"]
-    resources: ["gateways/finalizers", "httproutes/finalizers"]
-    verbs: ["update"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["create", "patch"]
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-view
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.5.4"
-    rbac.authorization.k8s.io/aggregate-to-view: "true"
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates", "certificaterequests", "issuers"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["challenges", "orders"]
-    verbs: ["get", "list", "watch"]
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-edit
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.5.4"
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates", "certificaterequests", "issuers"]
-    verbs: ["create", "delete", "deletecollection", "patch", "update"]
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["challenges", "orders"]
-    verbs: ["create", "delete", "deletecollection", "patch", "update"]
----
-# Source: cert-manager/templates/rbac.yaml
-# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-controller-approve:cert-manager-io
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "cert-manager"
-    app.kubernetes.io/version: "v1.5.4"
-rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["signers"]
-    verbs: ["approve"]
-    resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
----
-# Source: cert-manager/templates/rbac.yaml
-# Permission to:
-# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers
-# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-controller-certificatesigningrequests
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "cert-manager"
-    app.kubernetes.io/version: "v1.5.4"
-rules:
-  - apiGroups: ["certificates.k8s.io"]
-    resources: ["certificatesigningrequests"]
-    verbs: ["get", "list", "watch", "update"]
-  - apiGroups: ["certificates.k8s.io"]
-    resources: ["certificatesigningrequests/status"]
-    verbs: ["update"]
-  - apiGroups: ["certificates.k8s.io"]
-    resources: ["signers"]
-    resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
-    verbs: ["sign"]
-  - apiGroups: ["authorization.k8s.io"]
-    resources: ["subjectaccessreviews"]
-    verbs: ["create"]
----
-# Source: cert-manager/templates/webhook-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-webhook:subjectaccessreviews
-  labels:
-    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.5.4"
-rules:
-- apiGroups: ["authorization.k8s.io"]
-  resources: ["subjectaccessreviews"]
-  verbs: ["create"]
----
-# Source: cert-manager/templates/cainjector-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-cainjector
-  labels:
-    app: cainjector
-    app.kubernetes.io/name: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "cainjector"
-    app.kubernetes.io/version: "v1.5.4"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-cainjector
-subjects:
-  - name: cert-manager-cainjector
-    namespace: "cert-manager"
-    kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-controller-issuers
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.5.4"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-controller-issuers
-subjects:
-  - name: cert-manager
-    namespace: "cert-manager"
-    kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-controller-clusterissuers
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.5.4"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-controller-clusterissuers
-subjects:
-  - name: cert-manager
-    namespace: "cert-manager"
-    kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-controller-certificates
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.5.4"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-controller-certificates
-subjects:
-  - name: cert-manager
-    namespace: "cert-manager"
-    kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-controller-orders
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.5.4"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-controller-orders
-subjects:
-  - name: cert-manager
-    namespace: "cert-manager"
-    kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-controller-challenges
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.5.4"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-controller-challenges
-subjects:
-  - name: cert-manager
-    namespace: "cert-manager"
-    kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-controller-ingress-shim
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.5.4"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-controller-ingress-shim
-subjects:
-  - name: cert-manager
-    namespace: "cert-manager"
-    kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-controller-approve:cert-manager-io
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "cert-manager"
-    app.kubernetes.io/version: "v1.5.4"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-controller-approve:cert-manager-io
-subjects:
-  - name: cert-manager
-    namespace: "cert-manager"
-    kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-controller-certificatesigningrequests
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "cert-manager"
-    app.kubernetes.io/version: "v1.5.4"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-controller-certificatesigningrequests
-subjects:
-  - name: cert-manager
-    namespace: "cert-manager"
-    kind: ServiceAccount
----
-# Source: cert-manager/templates/webhook-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-webhook:subjectaccessreviews
-  labels:
-    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.5.4"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-webhook:subjectaccessreviews
-subjects:
-- apiGroup: ""
-  kind: ServiceAccount
-  name: cert-manager-webhook
-  namespace: cert-manager
----
-# Source: cert-manager/templates/cainjector-rbac.yaml
-# leader election rules
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: cert-manager-cainjector:leaderelection
-  namespace: kube-system
-  labels:
-    app: cainjector
-    app.kubernetes.io/name: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "cainjector"
-    app.kubernetes.io/version: "v1.5.4"
-rules:
-  # Used for leader election by the controller
-  # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
-  #   see cmd/cainjector/start.go#L113
-  # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
-  #   see cmd/cainjector/start.go#L137
-  # See also: https://github.com/kubernetes-sigs/controller-runtime/pull/1144#discussion_r480173688
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
-    verbs: ["get", "update", "patch"]
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    verbs: ["create"]
-  - apiGroups: ["coordination.k8s.io"]
-    resources: ["leases"]
-    resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
-    verbs: ["get", "update", "patch"]
-  - apiGroups: ["coordination.k8s.io"]
-    resources: ["leases"]
-    verbs: ["create"]
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: cert-manager:leaderelection
-  namespace: kube-system
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.5.4"
-rules:
-  # Used for leader election by the controller
-  # See also: https://github.com/kubernetes-sigs/controller-runtime/pull/1144#discussion_r480173688
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    resourceNames: ["cert-manager-controller"]
-    verbs: ["get", "update", "patch"]
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    verbs: ["create"]
-  - apiGroups: ["coordination.k8s.io"]
-    resources: ["leases"]
-    resourceNames: ["cert-manager-controller"]
-    verbs: ["get", "update", "patch"]
-  - apiGroups: ["coordination.k8s.io"]
-    resources: ["leases"]
-    verbs: ["create"]
----
-# Source: cert-manager/templates/webhook-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: cert-manager-webhook:dynamic-serving
-  namespace: "cert-manager"
-  labels:
-    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.5.4"
-rules:
-- apiGroups: [""]
-  resources: ["secrets"]
-  resourceNames:
-  - 'cert-manager-webhook-ca'
-  verbs: ["get", "list", "watch", "update"]
-# It's not possible to grant CREATE permission on a single resourceName.
-- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["create"]
----
-# Source: cert-manager/templates/cainjector-rbac.yaml
-# grant cert-manager permission to manage the leaderelection configmap in the
-# leader election namespace
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: cert-manager-cainjector:leaderelection
-  namespace: kube-system
-  labels:
-    app: cainjector
-    app.kubernetes.io/name: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "cainjector"
-    app.kubernetes.io/version: "v1.5.4"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: cert-manager-cainjector:leaderelection
-subjects:
-  - kind: ServiceAccount
-    name: cert-manager-cainjector
-    namespace: cert-manager
----
-# Source: cert-manager/templates/rbac.yaml
-# grant cert-manager permission to manage the leaderelection configmap in the
-# leader election namespace
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: cert-manager:leaderelection
-  namespace: kube-system
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.5.4"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: cert-manager:leaderelection
-subjects:
-  - apiGroup: ""
-    kind: ServiceAccount
-    name: cert-manager
-    namespace: cert-manager
----
-# Source: cert-manager/templates/webhook-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: cert-manager-webhook:dynamic-serving
-  namespace: "cert-manager"
-  labels:
-    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.5.4"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: cert-manager-webhook:dynamic-serving
-subjects:
-- apiGroup: ""
-  kind: ServiceAccount
-  name: cert-manager-webhook
-  namespace: cert-manager
----
-# Source: cert-manager/templates/service.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  name: cert-manager
-  namespace: "cert-manager"
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.5.4"
-spec:
-  type: ClusterIP
-  ports:
-    - protocol: TCP
-      port: 9402
-      name: tcp-prometheus-servicemonitor
-      targetPort: 9402
-  selector:
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
----
-# Source: cert-manager/templates/webhook-service.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  name: cert-manager-webhook
-  namespace: "cert-manager"
-  labels:
-    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.5.4"
-spec:
-  type: ClusterIP
-  ports:
-  - name: https
-    port: 443
-    protocol: TCP
-    targetPort: 10250
-  selector:
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "webhook"
----
-# Source: cert-manager/templates/cainjector-deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: cert-manager-cainjector
-  namespace: "cert-manager"
-  labels:
-    app: cainjector
-    app.kubernetes.io/name: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "cainjector"
-    app.kubernetes.io/version: "v1.5.4"
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: cainjector
-      app.kubernetes.io/instance: cert-manager
-      app.kubernetes.io/component: "cainjector"
-  template:
-    metadata:
-      labels:
-        app: cainjector
-        app.kubernetes.io/name: cainjector
-        app.kubernetes.io/instance: cert-manager
-        app.kubernetes.io/component: "cainjector"
-        app.kubernetes.io/version: "v1.5.4"
-    spec:
-      serviceAccountName: cert-manager-cainjector
-      securityContext:
-        runAsNonRoot: true
-      containers:
-        - name: cert-manager
-          image: "quay.io/jetstack/cert-manager-cainjector:v1.5.4"
-          imagePullPolicy: IfNotPresent
-          args:
-          - --v=2
-          - --leader-election-namespace=kube-system
-          env:
-          - name: POD_NAMESPACE
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.namespace
-          resources:
-            {}
----
-# Source: cert-manager/templates/deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: cert-manager
-  namespace: "cert-manager"
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.5.4"
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: cert-manager
-      app.kubernetes.io/instance: cert-manager
-      app.kubernetes.io/component: "controller"
-  template:
-    metadata:
-      labels:
-        app: cert-manager
-        app.kubernetes.io/name: cert-manager
-        app.kubernetes.io/instance: cert-manager
-        app.kubernetes.io/component: "controller"
-        app.kubernetes.io/version: "v1.5.4"
-      annotations:
-        prometheus.io/path: "/metrics"
-        prometheus.io/scrape: 'true'
-        prometheus.io/port: '9402'
-    spec:
-      serviceAccountName: cert-manager
-      securityContext:
-        runAsNonRoot: true
-      containers:
-        - name: cert-manager
-          image: "quay.io/jetstack/cert-manager-controller:v1.5.4"
-          imagePullPolicy: IfNotPresent
-          args:
-          - --v=2
-          - --cluster-resource-namespace=$(POD_NAMESPACE)
-          - --leader-election-namespace=kube-system
-          ports:
-          - containerPort: 9402
-            protocol: TCP
-          env:
-          - name: POD_NAMESPACE
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.namespace
-          resources:
-            {}
----
-# Source: cert-manager/templates/webhook-deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: cert-manager-webhook
-  namespace: "cert-manager"
-  labels:
-    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.5.4"
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: webhook
-      app.kubernetes.io/instance: cert-manager
-      app.kubernetes.io/component: "webhook"
-  template:
-    metadata:
-      labels:
-        app: webhook
-        app.kubernetes.io/name: webhook
-        app.kubernetes.io/instance: cert-manager
-        app.kubernetes.io/component: "webhook"
-        app.kubernetes.io/version: "v1.5.4"
-    spec:
-      serviceAccountName: cert-manager-webhook
-      securityContext:
-        runAsNonRoot: true
-      containers:
-        - name: cert-manager
-          image: "quay.io/jetstack/cert-manager-webhook:v1.5.4"
-          imagePullPolicy: IfNotPresent
-          args:
-          - --v=2
-          - --secure-port=10250
-          - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
-          - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
-          - --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
-          ports:
-          - name: https
-            protocol: TCP
-            containerPort: 10250
-          livenessProbe:
-            httpGet:
-              path: /livez
-              port: 6080
-              scheme: HTTP
-            initialDelaySeconds: 60
-            periodSeconds: 10
-            timeoutSeconds: 1
-            successThreshold: 1
-            failureThreshold: 3
-          readinessProbe:
-            httpGet:
-              path: /healthz
-              port: 6080
-              scheme: HTTP
-            initialDelaySeconds: 5
-            periodSeconds: 5
-            timeoutSeconds: 1
-            successThreshold: 1
-            failureThreshold: 3
-          env:
-          - name: POD_NAMESPACE
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.namespace
-          resources:
-            {}
----
-# Source: cert-manager/templates/webhook-mutating-webhook.yaml
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
-  name: cert-manager-webhook
-  labels:
-    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.5.4"
-  annotations:
-    cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
-webhooks:
-  - name: webhook.cert-manager.io
-    rules:
-      - apiGroups:
-          - "cert-manager.io"
-          - "acme.cert-manager.io"
-        apiVersions:
-          - "v1"
-        operations:
-          - CREATE
-          - UPDATE
-        resources:
-          - "*/*"
-    # We don't actually support `v1beta1` but is listed here as it is a
-    # required value for
-    # [Kubernetes v1.16](https://github.com/kubernetes/kubernetes/issues/82025).
-    # The API server reads the supported versions in order, so _should always_
-    # attempt a `v1` request which is understood by the cert-manager webhook.
-    # Any `v1beta1` request will return an error and fail closed for that
-    # resource (the whole object request is rejected). When we no longer
-    # support v1.16 we can remove `v1beta1` from this list.
-    admissionReviewVersions: ["v1", "v1beta1"]
-    # This webhook only accepts v1 cert-manager resources.
-    # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
-    # this webhook (after the resources have been converted to v1).
-    matchPolicy: Equivalent
-    timeoutSeconds: 10
-    failurePolicy: Fail
-    # Only include 'sideEffects' field in Kubernetes 1.12+
-    sideEffects: None
-    clientConfig:
-      service:
-        name: cert-manager-webhook
-        namespace: "cert-manager"
-        path: /mutate
----
-# Source: cert-manager/templates/webhook-validating-webhook.yaml
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  name: cert-manager-webhook
-  labels:
-    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.5.4"
-  annotations:
-    cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
-webhooks:
-  - name: webhook.cert-manager.io
-    namespaceSelector:
-      matchExpressions:
-      - key: "cert-manager.io/disable-validation"
-        operator: "NotIn"
-        values:
-        - "true"
-      - key: "name"
-        operator: "NotIn"
-        values:
-        - cert-manager
-    rules:
-      - apiGroups:
-          - "cert-manager.io"
-          - "acme.cert-manager.io"
-        apiVersions:
-          - "v1"
-        operations:
-          - CREATE
-          - UPDATE
-        resources:
-          - "*/*"
-    # We don't actually support `v1beta1` but is listed here as it is a
-    # required value for
-    # [Kubernetes v1.16](https://github.com/kubernetes/kubernetes/issues/82025).
-    # The API server reads the supported versions in order, so _should always_
-    # attempt a `v1` request which is understood by the cert-manager webhook.
-    # Any `v1beta1` request will return an error and fail closed for that
-    # resource (the whole object request is rejected). When we no longer
-    # support v1.16 we can remove `v1beta1` from this list.
-    admissionReviewVersions: ["v1", "v1beta1"]
-    # This webhook only accepts v1 cert-manager resources.
-    # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
-    # this webhook (after the resources have been converted to v1).
-    matchPolicy: Equivalent
-    timeoutSeconds: 10
-    failurePolicy: Fail
-    sideEffects: None
-    clientConfig:
-      service:
-        name: cert-manager-webhook
-        namespace: "cert-manager"
-        path: /validate
diff --git a/cert-manager/cert-manager_v1.7.1.yaml b/cert-manager/cert-manager_v1.7.1.yaml
deleted file mode 100644
index a5c4ba13fe9b4d0a42baa12a6ca6012929c44af4..0000000000000000000000000000000000000000
--- a/cert-manager/cert-manager_v1.7.1.yaml
+++ /dev/null
@@ -1,5266 +0,0 @@
-# Copyright 2022 The cert-manager Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-# Source: cert-manager/templates/templates.out
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: certificaterequests.cert-manager.io
-  annotations:
-    cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
-  labels:
-    app: 'cert-manager'
-    app.kubernetes.io/name: 'cert-manager'
-    app.kubernetes.io/instance: 'cert-manager'
-    # Generated labels
-    app.kubernetes.io/version: "v1.7.1"
-spec:
-  group: cert-manager.io
-  names:
-    kind: CertificateRequest
-    listKind: CertificateRequestList
-    plural: certificaterequests
-    shortNames:
-      - cr
-      - crs
-    singular: certificaterequest
-    categories:
-      - cert-manager
-  scope: Namespaced
-  versions:
-    - name: v1
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - jsonPath: .status.conditions[?(@.type=="Approved")].status
-          name: Approved
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Denied")].status
-          name: Denied
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-        - jsonPath: .spec.issuerRef.name
-          name: Issuer
-          type: string
-        - jsonPath: .spec.username
-          name: Requestor
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].message
-          name: Status
-          priority: 1
-          type: string
-        - jsonPath: .metadata.creationTimestamp
-          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          name: Age
-          type: date
-      schema:
-        openAPIV3Schema:
-          description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
-          type: object
-          required:
-            - spec
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: Desired state of the CertificateRequest resource.
-              type: object
-              required:
-                - issuerRef
-                - request
-              properties:
-                duration:
-                  description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
-                  type: string
-                extra:
-                  description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
-                  type: object
-                  additionalProperties:
-                    type: array
-                    items:
-                      type: string
-                groups:
-                  description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
-                  type: array
-                  items:
-                    type: string
-                  x-kubernetes-list-type: atomic
-                isCA:
-                  description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
-                  type: boolean
-                issuerRef:
-                  description: IssuerRef is a reference to the issuer for this CertificateRequest.  If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used.  If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
-                  type: object
-                  required:
-                    - name
-                  properties:
-                    group:
-                      description: Group of the resource being referred to.
-                      type: string
-                    kind:
-                      description: Kind of the resource being referred to.
-                      type: string
-                    name:
-                      description: Name of the resource being referred to.
-                      type: string
-                request:
-                  description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
-                  type: string
-                  format: byte
-                uid:
-                  description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
-                  type: string
-                usages:
-                  description: Usages is the set of x509 usages that are requested for the certificate. If usages are set they SHOULD be encoded inside the CSR spec Defaults to `digital signature` and `key encipherment` if not specified.
-                  type: array
-                  items:
-                    description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
-                    type: string
-                    enum:
-                      - signing
-                      - digital signature
-                      - content commitment
-                      - key encipherment
-                      - key agreement
-                      - data encipherment
-                      - cert sign
-                      - crl sign
-                      - encipher only
-                      - decipher only
-                      - any
-                      - server auth
-                      - client auth
-                      - code signing
-                      - email protection
-                      - s/mime
-                      - ipsec end system
-                      - ipsec tunnel
-                      - ipsec user
-                      - timestamping
-                      - ocsp signing
-                      - microsoft sgc
-                      - netscape sgc
-                username:
-                  description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
-                  type: string
-            status:
-              description: Status of the CertificateRequest. This is set and managed automatically.
-              type: object
-              properties:
-                ca:
-                  description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
-                  type: string
-                  format: byte
-                certificate:
-                  description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
-                  type: string
-                  format: byte
-                conditions:
-                  description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
-                  type: array
-                  items:
-                    description: CertificateRequestCondition contains condition information for a CertificateRequest.
-                    type: object
-                    required:
-                      - status
-                      - type
-                    properties:
-                      lastTransitionTime:
-                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
-                        type: string
-                        format: date-time
-                      message:
-                        description: Message is a human readable description of the details of the last transition, complementing reason.
-                        type: string
-                      reason:
-                        description: Reason is a brief machine readable explanation for the condition's last transition.
-                        type: string
-                      status:
-                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
-                        type: string
-                        enum:
-                          - "True"
-                          - "False"
-                          - Unknown
-                      type:
-                        description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
-                        type: string
-                failureTime:
-                  description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
-                  type: string
-                  format: date-time
-      served: true
-      storage: true
----
-# Source: cert-manager/templates/templates.out
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: certificates.cert-manager.io
-  annotations:
-    cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
-  labels:
-    app: 'cert-manager'
-    app.kubernetes.io/name: 'cert-manager'
-    app.kubernetes.io/instance: 'cert-manager'
-    # Generated labels
-    app.kubernetes.io/version: "v1.7.1"
-spec:
-  group: cert-manager.io
-  names:
-    kind: Certificate
-    listKind: CertificateList
-    plural: certificates
-    shortNames:
-      - cert
-      - certs
-    singular: certificate
-    categories:
-      - cert-manager
-  scope: Namespaced
-  versions:
-    - name: v1
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-        - jsonPath: .spec.secretName
-          name: Secret
-          type: string
-        - jsonPath: .spec.issuerRef.name
-          name: Issuer
-          priority: 1
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].message
-          name: Status
-          priority: 1
-          type: string
-        - jsonPath: .metadata.creationTimestamp
-          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          name: Age
-          type: date
-      schema:
-        openAPIV3Schema:
-          description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)."
-          type: object
-          required:
-            - spec
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: Desired state of the Certificate resource.
-              type: object
-              required:
-                - issuerRef
-                - secretName
-              properties:
-                additionalOutputFormats:
-                  description: AdditionalOutputFormats defines extra output formats of the private key and signed certificate chain to be written to this Certificate's target Secret. This is an Alpha Feature and is only enabled with the `--feature-gates=AdditionalCertificateOutputFormats=true` option on both the controller and webhook components.
-                  type: array
-                  items:
-                    description: CertificateAdditionalOutputFormat defines an additional output format of a Certificate resource. These contain supplementary data formats of the signed certificate chain and paired private key.
-                    type: object
-                    required:
-                      - type
-                    properties:
-                      type:
-                        description: Type is the name of the format type that should be written to the Certificate's target Secret.
-                        type: string
-                        enum:
-                          - DER
-                          - CombinedPEM
-                commonName:
-                  description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
-                  type: string
-                dnsNames:
-                  description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
-                  type: array
-                  items:
-                    type: string
-                duration:
-                  description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
-                  type: string
-                emailAddresses:
-                  description: EmailAddresses is a list of email subjectAltNames to be set on the Certificate.
-                  type: array
-                  items:
-                    type: string
-                encodeUsagesInRequest:
-                  description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest
-                  type: boolean
-                ipAddresses:
-                  description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
-                  type: array
-                  items:
-                    type: string
-                isCA:
-                  description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`.
-                  type: boolean
-                issuerRef:
-                  description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times.
-                  type: object
-                  required:
-                    - name
-                  properties:
-                    group:
-                      description: Group of the resource being referred to.
-                      type: string
-                    kind:
-                      description: Kind of the resource being referred to.
-                      type: string
-                    name:
-                      description: Name of the resource being referred to.
-                      type: string
-                keystores:
-                  description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource.
-                  type: object
-                  properties:
-                    jks:
-                      description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
-                      type: object
-                      required:
-                        - create
-                        - passwordSecretRef
-                      properties:
-                        create:
-                          description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
-                          type: boolean
-                        passwordSecretRef:
-                          description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                    pkcs12:
-                      description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
-                      type: object
-                      required:
-                        - create
-                        - passwordSecretRef
-                      properties:
-                        create:
-                          description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
-                          type: boolean
-                        passwordSecretRef:
-                          description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                privateKey:
-                  description: Options to control private keys used for the Certificate.
-                  type: object
-                  properties:
-                    algorithm:
-                      description: Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified and `size` is not provided, key size of 256 will be used for `ECDSA` key algorithm and key size of 2048 will be used for `RSA` key algorithm. key size is ignored when using the `Ed25519` key algorithm.
-                      type: string
-                      enum:
-                        - RSA
-                        - ECDSA
-                        - Ed25519
-                    encoding:
-                      description: The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified.
-                      type: string
-                      enum:
-                        - PKCS1
-                        - PKCS8
-                    rotationPolicy:
-                      description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility.
-                      type: string
-                    size:
-                      description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed.
-                      type: integer
-                renewBefore:
-                  description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
-                  type: string
-                revisionHistoryLimit:
-                  description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
-                  type: integer
-                  format: int32
-                secretName:
-                  description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer.
-                  type: string
-                secretTemplate:
-                  description: SecretTemplate defines annotations and labels to be copied to the Certificate's Secret. Labels and annotations on the Secret will be changed as they appear on the SecretTemplate when added or removed. SecretTemplate annotations are added in conjunction with, and cannot overwrite, the base set of annotations cert-manager sets on the Certificate's Secret.
-                  type: object
-                  properties:
-                    annotations:
-                      description: Annotations is a key value map to be copied to the target Kubernetes Secret.
-                      type: object
-                      additionalProperties:
-                        type: string
-                    labels:
-                      description: Labels is a key value map to be copied to the target Kubernetes Secret.
-                      type: object
-                      additionalProperties:
-                        type: string
-                subject:
-                  description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
-                  type: object
-                  properties:
-                    countries:
-                      description: Countries to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    localities:
-                      description: Cities to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    organizationalUnits:
-                      description: Organizational Units to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    organizations:
-                      description: Organizations to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    postalCodes:
-                      description: Postal codes to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    provinces:
-                      description: State/Provinces to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    serialNumber:
-                      description: Serial number to be used on the Certificate.
-                      type: string
-                    streetAddresses:
-                      description: Street addresses to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                uris:
-                  description: URIs is a list of URI subjectAltNames to be set on the Certificate.
-                  type: array
-                  items:
-                    type: string
-                usages:
-                  description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
-                  type: array
-                  items:
-                    description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
-                    type: string
-                    enum:
-                      - signing
-                      - digital signature
-                      - content commitment
-                      - key encipherment
-                      - key agreement
-                      - data encipherment
-                      - cert sign
-                      - crl sign
-                      - encipher only
-                      - decipher only
-                      - any
-                      - server auth
-                      - client auth
-                      - code signing
-                      - email protection
-                      - s/mime
-                      - ipsec end system
-                      - ipsec tunnel
-                      - ipsec user
-                      - timestamping
-                      - ocsp signing
-                      - microsoft sgc
-                      - netscape sgc
-            status:
-              description: Status of the Certificate. This is set and managed automatically.
-              type: object
-              properties:
-                conditions:
-                  description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.
-                  type: array
-                  items:
-                    description: CertificateCondition contains condition information for an Certificate.
-                    type: object
-                    required:
-                      - status
-                      - type
-                    properties:
-                      lastTransitionTime:
-                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
-                        type: string
-                        format: date-time
-                      message:
-                        description: Message is a human readable description of the details of the last transition, complementing reason.
-                        type: string
-                      observedGeneration:
-                        description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.
-                        type: integer
-                        format: int64
-                      reason:
-                        description: Reason is a brief machine readable explanation for the condition's last transition.
-                        type: string
-                      status:
-                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
-                        type: string
-                        enum:
-                          - "True"
-                          - "False"
-                          - Unknown
-                      type:
-                        description: Type of the condition, known values are (`Ready`, `Issuing`).
-                        type: string
-                lastFailureTime:
-                  description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time.
-                  type: string
-                  format: date-time
-                nextPrivateKeySecretName:
-                  description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.
-                  type: string
-                notAfter:
-                  description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.
-                  type: string
-                  format: date-time
-                notBefore:
-                  description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid.
-                  type: string
-                  format: date-time
-                renewalTime:
-                  description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.
-                  type: string
-                  format: date-time
-                revision:
-                  description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field."
-                  type: integer
-      served: true
-      storage: true
----
-# Source: cert-manager/templates/templates.out
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: challenges.acme.cert-manager.io
-  annotations:
-    cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
-  labels:
-    app: 'cert-manager'
-    app.kubernetes.io/name: 'cert-manager'
-    app.kubernetes.io/instance: 'cert-manager'
-    # Generated labels
-    app.kubernetes.io/version: "v1.7.1"
-spec:
-  group: acme.cert-manager.io
-  names:
-    kind: Challenge
-    listKind: ChallengeList
-    plural: challenges
-    singular: challenge
-    categories:
-      - cert-manager
-      - cert-manager-acme
-  scope: Namespaced
-  versions:
-    - additionalPrinterColumns:
-        - jsonPath: .status.state
-          name: State
-          type: string
-        - jsonPath: .spec.dnsName
-          name: Domain
-          type: string
-        - jsonPath: .status.reason
-          name: Reason
-          priority: 1
-          type: string
-        - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          jsonPath: .metadata.creationTimestamp
-          name: Age
-          type: date
-      name: v1
-      schema:
-        openAPIV3Schema:
-          description: Challenge is a type to represent a Challenge request with an ACME server
-          type: object
-          required:
-            - metadata
-            - spec
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              type: object
-              required:
-                - authorizationURL
-                - dnsName
-                - issuerRef
-                - key
-                - solver
-                - token
-                - type
-                - url
-              properties:
-                authorizationURL:
-                  description: The URL to the ACME Authorization resource that this challenge is a part of.
-                  type: string
-                dnsName:
-                  description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
-                  type: string
-                issuerRef:
-                  description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
-                  type: object
-                  required:
-                    - name
-                  properties:
-                    group:
-                      description: Group of the resource being referred to.
-                      type: string
-                    kind:
-                      description: Kind of the resource being referred to.
-                      type: string
-                    name:
-                      description: Name of the resource being referred to.
-                      type: string
-                key:
-                  description: 'The ACME challenge key for this challenge For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.'
-                  type: string
-                solver:
-                  description: Contains the domain solving configuration that should be used to solve this challenge resource.
-                  type: object
-                  properties:
-                    dns01:
-                      description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
-                      type: object
-                      properties:
-                        acmeDNS:
-                          description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - accountSecretRef
-                            - host
-                          properties:
-                            accountSecretRef:
-                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            host:
-                              type: string
-                        akamai:
-                          description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - accessTokenSecretRef
-                            - clientSecretSecretRef
-                            - clientTokenSecretRef
-                            - serviceConsumerDomain
-                          properties:
-                            accessTokenSecretRef:
-                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            clientSecretSecretRef:
-                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            clientTokenSecretRef:
-                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            serviceConsumerDomain:
-                              type: string
-                        azureDNS:
-                          description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - resourceGroupName
-                            - subscriptionID
-                          properties:
-                            clientID:
-                              description: if both this and ClientSecret are left unset MSI will be used
-                              type: string
-                            clientSecretSecretRef:
-                              description: if both this and ClientID are left unset MSI will be used
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            environment:
-                              description: name of the Azure environment (default AzurePublicCloud)
-                              type: string
-                              enum:
-                                - AzurePublicCloud
-                                - AzureChinaCloud
-                                - AzureGermanCloud
-                                - AzureUSGovernmentCloud
-                            hostedZoneName:
-                              description: name of the DNS zone that should be used
-                              type: string
-                            managedIdentity:
-                              description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
-                              type: object
-                              properties:
-                                clientID:
-                                  description: client ID of the managed identity, can not be used at the same time as resourceID
-                                  type: string
-                                resourceID:
-                                  description: resource ID of the managed identity, can not be used at the same time as clientID
-                                  type: string
-                            resourceGroupName:
-                              description: resource group the DNS zone is located in
-                              type: string
-                            subscriptionID:
-                              description: ID of the Azure subscription
-                              type: string
-                            tenantID:
-                              description: when specifying ClientID and ClientSecret then this field is also needed
-                              type: string
-                        cloudDNS:
-                          description: Use the Google Cloud DNS API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - project
-                          properties:
-                            hostedZoneName:
-                              description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
-                              type: string
-                            project:
-                              type: string
-                            serviceAccountSecretRef:
-                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        cloudflare:
-                          description: Use the Cloudflare API to manage DNS01 challenge records.
-                          type: object
-                          properties:
-                            apiKeySecretRef:
-                              description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            apiTokenSecretRef:
-                              description: API token used to authenticate with Cloudflare.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                            email:
-                              description: Email of the account, only required when using API key based authentication.
-                              type: string
-                        cnameStrategy:
-                          description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
-                          type: string
-                          enum:
-                            - None
-                            - Follow
-                        digitalocean:
-                          description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - tokenSecretRef
-                          properties:
-                            tokenSecretRef:
-                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        rfc2136:
-                          description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - nameserver
-                          properties:
-                            nameserver:
-                              description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
-                              type: string
-                            tsigAlgorithm:
-                              description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
-                              type: string
-                            tsigKeyName:
-                              description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
-                              type: string
-                            tsigSecretSecretRef:
-                              description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        route53:
-                          description: Use the AWS Route53 API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - region
-                          properties:
-                            accessKeyID:
-                              description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
-                              type: string
-                            hostedZoneID:
-                              description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
-                              type: string
-                            region:
-                              description: Always set the region when using AccessKeyID and SecretAccessKey
-                              type: string
-                            role:
-                              description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
-                              type: string
-                            secretAccessKeySecretRef:
-                              description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        webhook:
-                          description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - groupName
-                            - solverName
-                          properties:
-                            config:
-                              description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
-                              x-kubernetes-preserve-unknown-fields: true
-                            groupName:
-                              description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
-                              type: string
-                            solverName:
-                              description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
-                              type: string
-                    http01:
-                      description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
-                      type: object
-                      properties:
-                        gatewayHTTPRoute:
-                          description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
-                          type: object
-                          properties:
-                            labels:
-                              description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
-                              type: object
-                              additionalProperties:
-                                type: string
-                            serviceType:
-                              description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
-                              type: string
-                        ingress:
-                          description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
-                          type: object
-                          properties:
-                            class:
-                              description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
-                              type: string
-                            ingressTemplate:
-                              description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
-                              type: object
-                              properties:
-                                metadata:
-                                  description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
-                                  type: object
-                                  properties:
-                                    annotations:
-                                      description: Annotations that should be added to the created ACME HTTP01 solver ingress.
-                                      type: object
-                                      additionalProperties:
-                                        type: string
-                                    labels:
-                                      description: Labels that should be added to the created ACME HTTP01 solver ingress.
-                                      type: object
-                                      additionalProperties:
-                                        type: string
-                            name:
-                              description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
-                              type: string
-                            podTemplate:
-                              description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
-                              type: object
-                              properties:
-                                metadata:
-                                  description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
-                                  type: object
-                                  properties:
-                                    annotations:
-                                      description: Annotations that should be added to the create ACME HTTP01 solver pods.
-                                      type: object
-                                      additionalProperties:
-                                        type: string
-                                    labels:
-                                      description: Labels that should be added to the created ACME HTTP01 solver pods.
-                                      type: object
-                                      additionalProperties:
-                                        type: string
-                                spec:
-                                  description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
-                                  type: object
-                                  properties:
-                                    affinity:
-                                      description: If specified, the pod's scheduling constraints
-                                      type: object
-                                      properties:
-                                        nodeAffinity:
-                                          description: Describes node affinity scheduling rules for the pod.
-                                          type: object
-                                          properties:
-                                            preferredDuringSchedulingIgnoredDuringExecution:
-                                              description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
-                                              type: array
-                                              items:
-                                                description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
-                                                type: object
-                                                required:
-                                                  - preference
-                                                  - weight
-                                                properties:
-                                                  preference:
-                                                    description: A node selector term, associated with the corresponding weight.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: A list of node selector requirements by node's labels.
-                                                        type: array
-                                                        items:
-                                                          description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: The label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                              type: string
-                                                            values:
-                                                              description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                      matchFields:
-                                                        description: A list of node selector requirements by node's fields.
-                                                        type: array
-                                                        items:
-                                                          description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: The label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                              type: string
-                                                            values:
-                                                              description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                  weight:
-                                                    description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
-                                                    type: integer
-                                                    format: int32
-                                            requiredDuringSchedulingIgnoredDuringExecution:
-                                              description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
-                                              type: object
-                                              required:
-                                                - nodeSelectorTerms
-                                              properties:
-                                                nodeSelectorTerms:
-                                                  description: Required. A list of node selector terms. The terms are ORed.
-                                                  type: array
-                                                  items:
-                                                    description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: A list of node selector requirements by node's labels.
-                                                        type: array
-                                                        items:
-                                                          description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: The label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                              type: string
-                                                            values:
-                                                              description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                      matchFields:
-                                                        description: A list of node selector requirements by node's fields.
-                                                        type: array
-                                                        items:
-                                                          description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: The label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                              type: string
-                                                            values:
-                                                              description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                        podAffinity:
-                                          description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
-                                          type: object
-                                          properties:
-                                            preferredDuringSchedulingIgnoredDuringExecution:
-                                              description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
-                                              type: array
-                                              items:
-                                                description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                type: object
-                                                required:
-                                                  - podAffinityTerm
-                                                  - weight
-                                                properties:
-                                                  podAffinityTerm:
-                                                    description: Required. A pod affinity term, associated with the corresponding weight.
-                                                    type: object
-                                                    required:
-                                                      - topologyKey
-                                                    properties:
-                                                      labelSelector:
-                                                        description: A label query over a set of resources, in this case pods.
-                                                        type: object
-                                                        properties:
-                                                          matchExpressions:
-                                                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                            type: array
-                                                            items:
-                                                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                              type: object
-                                                              required:
-                                                                - key
-                                                                - operator
-                                                              properties:
-                                                                key:
-                                                                  description: key is the label key that the selector applies to.
-                                                                  type: string
-                                                                operator:
-                                                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                  type: string
-                                                                values:
-                                                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                  type: array
-                                                                  items:
-                                                                    type: string
-                                                          matchLabels:
-                                                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                            type: object
-                                                            additionalProperties:
-                                                              type: string
-                                                      namespaceSelector:
-                                                        description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                        type: object
-                                                        properties:
-                                                          matchExpressions:
-                                                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                            type: array
-                                                            items:
-                                                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                              type: object
-                                                              required:
-                                                                - key
-                                                                - operator
-                                                              properties:
-                                                                key:
-                                                                  description: key is the label key that the selector applies to.
-                                                                  type: string
-                                                                operator:
-                                                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                  type: string
-                                                                values:
-                                                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                  type: array
-                                                                  items:
-                                                                    type: string
-                                                          matchLabels:
-                                                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                            type: object
-                                                            additionalProperties:
-                                                              type: string
-                                                      namespaces:
-                                                        description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                        type: array
-                                                        items:
-                                                          type: string
-                                                      topologyKey:
-                                                        description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                        type: string
-                                                  weight:
-                                                    description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
-                                                    type: integer
-                                                    format: int32
-                                            requiredDuringSchedulingIgnoredDuringExecution:
-                                              description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                              type: array
-                                              items:
-                                                description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
-                                                type: object
-                                                required:
-                                                  - topologyKey
-                                                properties:
-                                                  labelSelector:
-                                                    description: A label query over a set of resources, in this case pods.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                        type: array
-                                                        items:
-                                                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: key is the label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                              type: string
-                                                            values:
-                                                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                      matchLabels:
-                                                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                        type: object
-                                                        additionalProperties:
-                                                          type: string
-                                                  namespaceSelector:
-                                                    description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                        type: array
-                                                        items:
-                                                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: key is the label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                              type: string
-                                                            values:
-                                                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                      matchLabels:
-                                                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                        type: object
-                                                        additionalProperties:
-                                                          type: string
-                                                  namespaces:
-                                                    description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                    type: array
-                                                    items:
-                                                      type: string
-                                                  topologyKey:
-                                                    description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                    type: string
-                                        podAntiAffinity:
-                                          description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
-                                          type: object
-                                          properties:
-                                            preferredDuringSchedulingIgnoredDuringExecution:
-                                              description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
-                                              type: array
-                                              items:
-                                                description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                type: object
-                                                required:
-                                                  - podAffinityTerm
-                                                  - weight
-                                                properties:
-                                                  podAffinityTerm:
-                                                    description: Required. A pod affinity term, associated with the corresponding weight.
-                                                    type: object
-                                                    required:
-                                                      - topologyKey
-                                                    properties:
-                                                      labelSelector:
-                                                        description: A label query over a set of resources, in this case pods.
-                                                        type: object
-                                                        properties:
-                                                          matchExpressions:
-                                                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                            type: array
-                                                            items:
-                                                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                              type: object
-                                                              required:
-                                                                - key
-                                                                - operator
-                                                              properties:
-                                                                key:
-                                                                  description: key is the label key that the selector applies to.
-                                                                  type: string
-                                                                operator:
-                                                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                  type: string
-                                                                values:
-                                                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                  type: array
-                                                                  items:
-                                                                    type: string
-                                                          matchLabels:
-                                                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                            type: object
-                                                            additionalProperties:
-                                                              type: string
-                                                      namespaceSelector:
-                                                        description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                        type: object
-                                                        properties:
-                                                          matchExpressions:
-                                                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                            type: array
-                                                            items:
-                                                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                              type: object
-                                                              required:
-                                                                - key
-                                                                - operator
-                                                              properties:
-                                                                key:
-                                                                  description: key is the label key that the selector applies to.
-                                                                  type: string
-                                                                operator:
-                                                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                  type: string
-                                                                values:
-                                                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                  type: array
-                                                                  items:
-                                                                    type: string
-                                                          matchLabels:
-                                                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                            type: object
-                                                            additionalProperties:
-                                                              type: string
-                                                      namespaces:
-                                                        description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                        type: array
-                                                        items:
-                                                          type: string
-                                                      topologyKey:
-                                                        description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                        type: string
-                                                  weight:
-                                                    description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
-                                                    type: integer
-                                                    format: int32
-                                            requiredDuringSchedulingIgnoredDuringExecution:
-                                              description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                              type: array
-                                              items:
-                                                description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
-                                                type: object
-                                                required:
-                                                  - topologyKey
-                                                properties:
-                                                  labelSelector:
-                                                    description: A label query over a set of resources, in this case pods.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                        type: array
-                                                        items:
-                                                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: key is the label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                              type: string
-                                                            values:
-                                                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                      matchLabels:
-                                                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                        type: object
-                                                        additionalProperties:
-                                                          type: string
-                                                  namespaceSelector:
-                                                    description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                        type: array
-                                                        items:
-                                                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: key is the label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                              type: string
-                                                            values:
-                                                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                      matchLabels:
-                                                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                        type: object
-                                                        additionalProperties:
-                                                          type: string
-                                                  namespaces:
-                                                    description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                    type: array
-                                                    items:
-                                                      type: string
-                                                  topologyKey:
-                                                    description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                    type: string
-                                    nodeSelector:
-                                      description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
-                                      type: object
-                                      additionalProperties:
-                                        type: string
-                                    priorityClassName:
-                                      description: If specified, the pod's priorityClassName.
-                                      type: string
-                                    serviceAccountName:
-                                      description: If specified, the pod's service account
-                                      type: string
-                                    tolerations:
-                                      description: If specified, the pod's tolerations.
-                                      type: array
-                                      items:
-                                        description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
-                                        type: object
-                                        properties:
-                                          effect:
-                                            description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
-                                            type: string
-                                          key:
-                                            description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
-                                            type: string
-                                          operator:
-                                            description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
-                                            type: string
-                                          tolerationSeconds:
-                                            description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
-                                            type: integer
-                                            format: int64
-                                          value:
-                                            description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
-                                            type: string
-                            serviceType:
-                              description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
-                              type: string
-                    selector:
-                      description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
-                      type: object
-                      properties:
-                        dnsNames:
-                          description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
-                          type: array
-                          items:
-                            type: string
-                        dnsZones:
-                          description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
-                          type: array
-                          items:
-                            type: string
-                        matchLabels:
-                          description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
-                          type: object
-                          additionalProperties:
-                            type: string
-                token:
-                  description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server.
-                  type: string
-                type:
-                  description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01".
-                  type: string
-                  enum:
-                    - HTTP-01
-                    - DNS-01
-                url:
-                  description: The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
-                  type: string
-                wildcard:
-                  description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
-                  type: boolean
-            status:
-              type: object
-              properties:
-                presented:
-                  description: presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
-                  type: boolean
-                processing:
-                  description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
-                  type: boolean
-                reason:
-                  description: Contains human readable information on why the Challenge is in the current state.
-                  type: string
-                state:
-                  description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
-                  type: string
-                  enum:
-                    - valid
-                    - ready
-                    - pending
-                    - processing
-                    - invalid
-                    - expired
-                    - errored
-      served: true
-      storage: true
-      subresources:
-        status: {}
----
-# Source: cert-manager/templates/templates.out
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: clusterissuers.cert-manager.io
-  annotations:
-    cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
-  labels:
-    app: 'cert-manager'
-    app.kubernetes.io/name: 'cert-manager'
-    app.kubernetes.io/instance: 'cert-manager'
-    # Generated labels
-    app.kubernetes.io/version: "v1.7.1"
-spec:
-  group: cert-manager.io
-  names:
-    kind: ClusterIssuer
-    listKind: ClusterIssuerList
-    plural: clusterissuers
-    singular: clusterissuer
-    categories:
-      - cert-manager
-  scope: Cluster
-  versions:
-    - name: v1
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].message
-          name: Status
-          priority: 1
-          type: string
-        - jsonPath: .metadata.creationTimestamp
-          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          name: Age
-          type: date
-      schema:
-        openAPIV3Schema:
-          description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
-          type: object
-          required:
-            - spec
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: Desired state of the ClusterIssuer resource.
-              type: object
-              properties:
-                acme:
-                  description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
-                  type: object
-                  required:
-                    - privateKeySecretRef
-                    - server
-                  properties:
-                    disableAccountKeyGeneration:
-                      description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
-                      type: boolean
-                    email:
-                      description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
-                      type: string
-                    enableDurationFeature:
-                      description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
-                      type: boolean
-                    externalAccountBinding:
-                      description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
-                      type: object
-                      required:
-                        - keyID
-                        - keySecretRef
-                      properties:
-                        keyAlgorithm:
-                          description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
-                          type: string
-                          enum:
-                            - HS256
-                            - HS384
-                            - HS512
-                        keyID:
-                          description: keyID is the ID of the CA key that the External Account is bound to.
-                          type: string
-                        keySecretRef:
-                          description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                    preferredChain:
-                      description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
-                      type: string
-                      maxLength: 64
-                    privateKeySecretRef:
-                      description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
-                      type: object
-                      required:
-                        - name
-                      properties:
-                        key:
-                          description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                          type: string
-                        name:
-                          description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                          type: string
-                    server:
-                      description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
-                      type: string
-                    skipTLSVerify:
-                      description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
-                      type: boolean
-                    solvers:
-                      description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
-                      type: array
-                      items:
-                        description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
-                        type: object
-                        properties:
-                          dns01:
-                            description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
-                            type: object
-                            properties:
-                              acmeDNS:
-                                description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - accountSecretRef
-                                  - host
-                                properties:
-                                  accountSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  host:
-                                    type: string
-                              akamai:
-                                description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - accessTokenSecretRef
-                                  - clientSecretSecretRef
-                                  - clientTokenSecretRef
-                                  - serviceConsumerDomain
-                                properties:
-                                  accessTokenSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  clientSecretSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  clientTokenSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  serviceConsumerDomain:
-                                    type: string
-                              azureDNS:
-                                description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - resourceGroupName
-                                  - subscriptionID
-                                properties:
-                                  clientID:
-                                    description: if both this and ClientSecret are left unset MSI will be used
-                                    type: string
-                                  clientSecretSecretRef:
-                                    description: if both this and ClientID are left unset MSI will be used
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  environment:
-                                    description: name of the Azure environment (default AzurePublicCloud)
-                                    type: string
-                                    enum:
-                                      - AzurePublicCloud
-                                      - AzureChinaCloud
-                                      - AzureGermanCloud
-                                      - AzureUSGovernmentCloud
-                                  hostedZoneName:
-                                    description: name of the DNS zone that should be used
-                                    type: string
-                                  managedIdentity:
-                                    description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
-                                    type: object
-                                    properties:
-                                      clientID:
-                                        description: client ID of the managed identity, can not be used at the same time as resourceID
-                                        type: string
-                                      resourceID:
-                                        description: resource ID of the managed identity, can not be used at the same time as clientID
-                                        type: string
-                                  resourceGroupName:
-                                    description: resource group the DNS zone is located in
-                                    type: string
-                                  subscriptionID:
-                                    description: ID of the Azure subscription
-                                    type: string
-                                  tenantID:
-                                    description: when specifying ClientID and ClientSecret then this field is also needed
-                                    type: string
-                              cloudDNS:
-                                description: Use the Google Cloud DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - project
-                                properties:
-                                  hostedZoneName:
-                                    description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
-                                    type: string
-                                  project:
-                                    type: string
-                                  serviceAccountSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              cloudflare:
-                                description: Use the Cloudflare API to manage DNS01 challenge records.
-                                type: object
-                                properties:
-                                  apiKeySecretRef:
-                                    description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  apiTokenSecretRef:
-                                    description: API token used to authenticate with Cloudflare.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  email:
-                                    description: Email of the account, only required when using API key based authentication.
-                                    type: string
-                              cnameStrategy:
-                                description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
-                                type: string
-                                enum:
-                                  - None
-                                  - Follow
-                              digitalocean:
-                                description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - tokenSecretRef
-                                properties:
-                                  tokenSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              rfc2136:
-                                description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - nameserver
-                                properties:
-                                  nameserver:
-                                    description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
-                                    type: string
-                                  tsigAlgorithm:
-                                    description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
-                                    type: string
-                                  tsigKeyName:
-                                    description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
-                                    type: string
-                                  tsigSecretSecretRef:
-                                    description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              route53:
-                                description: Use the AWS Route53 API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - region
-                                properties:
-                                  accessKeyID:
-                                    description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
-                                    type: string
-                                  hostedZoneID:
-                                    description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
-                                    type: string
-                                  region:
-                                    description: Always set the region when using AccessKeyID and SecretAccessKey
-                                    type: string
-                                  role:
-                                    description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
-                                    type: string
-                                  secretAccessKeySecretRef:
-                                    description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              webhook:
-                                description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - groupName
-                                  - solverName
-                                properties:
-                                  config:
-                                    description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
-                                    x-kubernetes-preserve-unknown-fields: true
-                                  groupName:
-                                    description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
-                                    type: string
-                                  solverName:
-                                    description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
-                                    type: string
-                          http01:
-                            description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
-                            type: object
-                            properties:
-                              gatewayHTTPRoute:
-                                description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
-                                type: object
-                                properties:
-                                  labels:
-                                    description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
-                                    type: object
-                                    additionalProperties:
-                                      type: string
-                                  serviceType:
-                                    description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
-                                    type: string
-                              ingress:
-                                description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
-                                type: object
-                                properties:
-                                  class:
-                                    description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
-                                    type: string
-                                  ingressTemplate:
-                                    description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
-                                    type: object
-                                    properties:
-                                      metadata:
-                                        description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
-                                        type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added to the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                  name:
-                                    description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
-                                    type: string
-                                  podTemplate:
-                                    description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
-                                    type: object
-                                    properties:
-                                      metadata:
-                                        description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
-                                        type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added to the create ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to the created ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                      spec:
-                                        description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
-                                        type: object
-                                        properties:
-                                          affinity:
-                                            description: If specified, the pod's scheduling constraints
-                                            type: object
-                                            properties:
-                                              nodeAffinity:
-                                                description: Describes node affinity scheduling rules for the pod.
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
-                                                      type: object
-                                                      required:
-                                                        - preference
-                                                        - weight
-                                                      properties:
-                                                        preference:
-                                                          description: A node selector term, associated with the corresponding weight.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node selector requirements by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchFields:
-                                                              description: A list of node selector requirements by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                        weight:
-                                                          description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
-                                                    type: object
-                                                    required:
-                                                      - nodeSelectorTerms
-                                                    properties:
-                                                      nodeSelectorTerms:
-                                                        description: Required. A list of node selector terms. The terms are ORed.
-                                                        type: array
-                                                        items:
-                                                          description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node selector requirements by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchFields:
-                                                              description: A list of node selector requirements by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                              podAffinity:
-                                                description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                      type: object
-                                                      required:
-                                                        - podAffinityTerm
-                                                        - weight
-                                                      properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod affinity term, associated with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                            - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: A label query over a set of resources, in this case pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaceSelector:
-                                                              description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaces:
-                                                              description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                            topologyKey:
-                                                              description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
-                                                      type: object
-                                                      required:
-                                                        - topologyKey
-                                                      properties:
-                                                        labelSelector:
-                                                          description: A label query over a set of resources, in this case pods.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaceSelector:
-                                                          description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaces:
-                                                          description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                        topologyKey:
-                                                          description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                          type: string
-                                              podAntiAffinity:
-                                                description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                      type: object
-                                                      required:
-                                                        - podAffinityTerm
-                                                        - weight
-                                                      properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod affinity term, associated with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                            - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: A label query over a set of resources, in this case pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaceSelector:
-                                                              description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaces:
-                                                              description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                            topologyKey:
-                                                              description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
-                                                      type: object
-                                                      required:
-                                                        - topologyKey
-                                                      properties:
-                                                        labelSelector:
-                                                          description: A label query over a set of resources, in this case pods.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaceSelector:
-                                                          description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaces:
-                                                          description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                        topologyKey:
-                                                          description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                          type: string
-                                          nodeSelector:
-                                            description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          priorityClassName:
-                                            description: If specified, the pod's priorityClassName.
-                                            type: string
-                                          serviceAccountName:
-                                            description: If specified, the pod's service account
-                                            type: string
-                                          tolerations:
-                                            description: If specified, the pod's tolerations.
-                                            type: array
-                                            items:
-                                              description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
-                                              type: object
-                                              properties:
-                                                effect:
-                                                  description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
-                                                  type: string
-                                                key:
-                                                  description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
-                                                  type: string
-                                                operator:
-                                                  description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
-                                                  type: string
-                                                tolerationSeconds:
-                                                  description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
-                                                  type: integer
-                                                  format: int64
-                                                value:
-                                                  description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
-                                                  type: string
-                                  serviceType:
-                                    description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
-                                    type: string
-                          selector:
-                            description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
-                            type: object
-                            properties:
-                              dnsNames:
-                                description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              dnsZones:
-                                description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              matchLabels:
-                                description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
-                                type: object
-                                additionalProperties:
-                                  type: string
-                ca:
-                  description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
-                  type: object
-                  required:
-                    - secretName
-                  properties:
-                    crlDistributionPoints:
-                      description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
-                      type: array
-                      items:
-                        type: string
-                    ocspServers:
-                      description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
-                      type: array
-                      items:
-                        type: string
-                    secretName:
-                      description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
-                      type: string
-                selfSigned:
-                  description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
-                  type: object
-                  properties:
-                    crlDistributionPoints:
-                      description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
-                      type: array
-                      items:
-                        type: string
-                vault:
-                  description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
-                  type: object
-                  required:
-                    - auth
-                    - path
-                    - server
-                  properties:
-                    auth:
-                      description: Auth configures how cert-manager authenticates with the Vault server.
-                      type: object
-                      properties:
-                        appRole:
-                          description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
-                          type: object
-                          required:
-                            - path
-                            - roleId
-                            - secretRef
-                          properties:
-                            path:
-                              description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
-                              type: string
-                            roleId:
-                              description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
-                              type: string
-                            secretRef:
-                              description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        kubernetes:
-                          description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
-                          type: object
-                          required:
-                            - role
-                            - secretRef
-                          properties:
-                            mountPath:
-                              description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
-                              type: string
-                            role:
-                              description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
-                              type: string
-                            secretRef:
-                              description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        tokenSecretRef:
-                          description: TokenSecretRef authenticates with Vault by presenting a token.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                    caBundle:
-                      description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
-                      type: string
-                      format: byte
-                    namespace:
-                      description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
-                      type: string
-                    path:
-                      description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
-                      type: string
-                    server:
-                      description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                      type: string
-                venafi:
-                  description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
-                  type: object
-                  required:
-                    - zone
-                  properties:
-                    cloud:
-                      description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
-                      type: object
-                      required:
-                        - apiTokenSecretRef
-                      properties:
-                        apiTokenSecretRef:
-                          description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                        url:
-                          description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
-                          type: string
-                    tpp:
-                      description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
-                      type: object
-                      required:
-                        - credentialsRef
-                        - url
-                      properties:
-                        caBundle:
-                          description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
-                          type: string
-                          format: byte
-                        credentialsRef:
-                          description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                        url:
-                          description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
-                          type: string
-                    zone:
-                      description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
-                      type: string
-            status:
-              description: Status of the ClusterIssuer. This is set and managed automatically.
-              type: object
-              properties:
-                acme:
-                  description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
-                  type: object
-                  properties:
-                    lastRegisteredEmail:
-                      description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the  Issuer
-                      type: string
-                    uri:
-                      description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
-                      type: string
-                conditions:
-                  description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
-                  type: array
-                  items:
-                    description: IssuerCondition contains condition information for an Issuer.
-                    type: object
-                    required:
-                      - status
-                      - type
-                    properties:
-                      lastTransitionTime:
-                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
-                        type: string
-                        format: date-time
-                      message:
-                        description: Message is a human readable description of the details of the last transition, complementing reason.
-                        type: string
-                      observedGeneration:
-                        description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
-                        type: integer
-                        format: int64
-                      reason:
-                        description: Reason is a brief machine readable explanation for the condition's last transition.
-                        type: string
-                      status:
-                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
-                        type: string
-                        enum:
-                          - "True"
-                          - "False"
-                          - Unknown
-                      type:
-                        description: Type of the condition, known values are (`Ready`).
-                        type: string
-      served: true
-      storage: true
----
-# Source: cert-manager/templates/templates.out
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: issuers.cert-manager.io
-  annotations:
-    cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
-  labels:
-    app: 'cert-manager'
-    app.kubernetes.io/name: 'cert-manager'
-    app.kubernetes.io/instance: 'cert-manager'
-    # Generated labels
-    app.kubernetes.io/version: "v1.7.1"
-spec:
-  group: cert-manager.io
-  names:
-    kind: Issuer
-    listKind: IssuerList
-    plural: issuers
-    singular: issuer
-    categories:
-      - cert-manager
-  scope: Namespaced
-  versions:
-    - name: v1
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].message
-          name: Status
-          priority: 1
-          type: string
-        - jsonPath: .metadata.creationTimestamp
-          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          name: Age
-          type: date
-      schema:
-        openAPIV3Schema:
-          description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
-          type: object
-          required:
-            - spec
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: Desired state of the Issuer resource.
-              type: object
-              properties:
-                acme:
-                  description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
-                  type: object
-                  required:
-                    - privateKeySecretRef
-                    - server
-                  properties:
-                    disableAccountKeyGeneration:
-                      description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
-                      type: boolean
-                    email:
-                      description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
-                      type: string
-                    enableDurationFeature:
-                      description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
-                      type: boolean
-                    externalAccountBinding:
-                      description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
-                      type: object
-                      required:
-                        - keyID
-                        - keySecretRef
-                      properties:
-                        keyAlgorithm:
-                          description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
-                          type: string
-                          enum:
-                            - HS256
-                            - HS384
-                            - HS512
-                        keyID:
-                          description: keyID is the ID of the CA key that the External Account is bound to.
-                          type: string
-                        keySecretRef:
-                          description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                    preferredChain:
-                      description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
-                      type: string
-                      maxLength: 64
-                    privateKeySecretRef:
-                      description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
-                      type: object
-                      required:
-                        - name
-                      properties:
-                        key:
-                          description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                          type: string
-                        name:
-                          description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                          type: string
-                    server:
-                      description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
-                      type: string
-                    skipTLSVerify:
-                      description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
-                      type: boolean
-                    solvers:
-                      description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
-                      type: array
-                      items:
-                        description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
-                        type: object
-                        properties:
-                          dns01:
-                            description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
-                            type: object
-                            properties:
-                              acmeDNS:
-                                description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - accountSecretRef
-                                  - host
-                                properties:
-                                  accountSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  host:
-                                    type: string
-                              akamai:
-                                description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - accessTokenSecretRef
-                                  - clientSecretSecretRef
-                                  - clientTokenSecretRef
-                                  - serviceConsumerDomain
-                                properties:
-                                  accessTokenSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  clientSecretSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  clientTokenSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  serviceConsumerDomain:
-                                    type: string
-                              azureDNS:
-                                description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - resourceGroupName
-                                  - subscriptionID
-                                properties:
-                                  clientID:
-                                    description: if both this and ClientSecret are left unset MSI will be used
-                                    type: string
-                                  clientSecretSecretRef:
-                                    description: if both this and ClientID are left unset MSI will be used
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  environment:
-                                    description: name of the Azure environment (default AzurePublicCloud)
-                                    type: string
-                                    enum:
-                                      - AzurePublicCloud
-                                      - AzureChinaCloud
-                                      - AzureGermanCloud
-                                      - AzureUSGovernmentCloud
-                                  hostedZoneName:
-                                    description: name of the DNS zone that should be used
-                                    type: string
-                                  managedIdentity:
-                                    description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
-                                    type: object
-                                    properties:
-                                      clientID:
-                                        description: client ID of the managed identity, can not be used at the same time as resourceID
-                                        type: string
-                                      resourceID:
-                                        description: resource ID of the managed identity, can not be used at the same time as clientID
-                                        type: string
-                                  resourceGroupName:
-                                    description: resource group the DNS zone is located in
-                                    type: string
-                                  subscriptionID:
-                                    description: ID of the Azure subscription
-                                    type: string
-                                  tenantID:
-                                    description: when specifying ClientID and ClientSecret then this field is also needed
-                                    type: string
-                              cloudDNS:
-                                description: Use the Google Cloud DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - project
-                                properties:
-                                  hostedZoneName:
-                                    description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
-                                    type: string
-                                  project:
-                                    type: string
-                                  serviceAccountSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              cloudflare:
-                                description: Use the Cloudflare API to manage DNS01 challenge records.
-                                type: object
-                                properties:
-                                  apiKeySecretRef:
-                                    description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  apiTokenSecretRef:
-                                    description: API token used to authenticate with Cloudflare.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                                  email:
-                                    description: Email of the account, only required when using API key based authentication.
-                                    type: string
-                              cnameStrategy:
-                                description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
-                                type: string
-                                enum:
-                                  - None
-                                  - Follow
-                              digitalocean:
-                                description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - tokenSecretRef
-                                properties:
-                                  tokenSecretRef:
-                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              rfc2136:
-                                description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - nameserver
-                                properties:
-                                  nameserver:
-                                    description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
-                                    type: string
-                                  tsigAlgorithm:
-                                    description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
-                                    type: string
-                                  tsigKeyName:
-                                    description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
-                                    type: string
-                                  tsigSecretSecretRef:
-                                    description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              route53:
-                                description: Use the AWS Route53 API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - region
-                                properties:
-                                  accessKeyID:
-                                    description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
-                                    type: string
-                                  hostedZoneID:
-                                    description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
-                                    type: string
-                                  region:
-                                    description: Always set the region when using AccessKeyID and SecretAccessKey
-                                    type: string
-                                  role:
-                                    description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
-                                    type: string
-                                  secretAccessKeySecretRef:
-                                    description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                        type: string
-                                      name:
-                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                        type: string
-                              webhook:
-                                description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - groupName
-                                  - solverName
-                                properties:
-                                  config:
-                                    description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
-                                    x-kubernetes-preserve-unknown-fields: true
-                                  groupName:
-                                    description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
-                                    type: string
-                                  solverName:
-                                    description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
-                                    type: string
-                          http01:
-                            description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
-                            type: object
-                            properties:
-                              gatewayHTTPRoute:
-                                description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
-                                type: object
-                                properties:
-                                  labels:
-                                    description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
-                                    type: object
-                                    additionalProperties:
-                                      type: string
-                                  serviceType:
-                                    description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
-                                    type: string
-                              ingress:
-                                description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
-                                type: object
-                                properties:
-                                  class:
-                                    description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
-                                    type: string
-                                  ingressTemplate:
-                                    description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
-                                    type: object
-                                    properties:
-                                      metadata:
-                                        description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
-                                        type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added to the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                  name:
-                                    description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
-                                    type: string
-                                  podTemplate:
-                                    description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
-                                    type: object
-                                    properties:
-                                      metadata:
-                                        description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
-                                        type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added to the create ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to the created ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                      spec:
-                                        description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
-                                        type: object
-                                        properties:
-                                          affinity:
-                                            description: If specified, the pod's scheduling constraints
-                                            type: object
-                                            properties:
-                                              nodeAffinity:
-                                                description: Describes node affinity scheduling rules for the pod.
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
-                                                      type: object
-                                                      required:
-                                                        - preference
-                                                        - weight
-                                                      properties:
-                                                        preference:
-                                                          description: A node selector term, associated with the corresponding weight.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node selector requirements by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchFields:
-                                                              description: A list of node selector requirements by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                        weight:
-                                                          description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
-                                                    type: object
-                                                    required:
-                                                      - nodeSelectorTerms
-                                                    properties:
-                                                      nodeSelectorTerms:
-                                                        description: Required. A list of node selector terms. The terms are ORed.
-                                                        type: array
-                                                        items:
-                                                          description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node selector requirements by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchFields:
-                                                              description: A list of node selector requirements by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                              podAffinity:
-                                                description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                      type: object
-                                                      required:
-                                                        - podAffinityTerm
-                                                        - weight
-                                                      properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod affinity term, associated with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                            - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: A label query over a set of resources, in this case pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaceSelector:
-                                                              description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaces:
-                                                              description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                            topologyKey:
-                                                              description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
-                                                      type: object
-                                                      required:
-                                                        - topologyKey
-                                                      properties:
-                                                        labelSelector:
-                                                          description: A label query over a set of resources, in this case pods.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaceSelector:
-                                                          description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaces:
-                                                          description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                        topologyKey:
-                                                          description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                          type: string
-                                              podAntiAffinity:
-                                                description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                      type: object
-                                                      required:
-                                                        - podAffinityTerm
-                                                        - weight
-                                                      properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod affinity term, associated with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                            - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: A label query over a set of resources, in this case pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaceSelector:
-                                                              description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaces:
-                                                              description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                            topologyKey:
-                                                              description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
-                                                      type: object
-                                                      required:
-                                                        - topologyKey
-                                                      properties:
-                                                        labelSelector:
-                                                          description: A label query over a set of resources, in this case pods.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaceSelector:
-                                                          description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaces:
-                                                          description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                        topologyKey:
-                                                          description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
-                                                          type: string
-                                          nodeSelector:
-                                            description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          priorityClassName:
-                                            description: If specified, the pod's priorityClassName.
-                                            type: string
-                                          serviceAccountName:
-                                            description: If specified, the pod's service account
-                                            type: string
-                                          tolerations:
-                                            description: If specified, the pod's tolerations.
-                                            type: array
-                                            items:
-                                              description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
-                                              type: object
-                                              properties:
-                                                effect:
-                                                  description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
-                                                  type: string
-                                                key:
-                                                  description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
-                                                  type: string
-                                                operator:
-                                                  description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
-                                                  type: string
-                                                tolerationSeconds:
-                                                  description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
-                                                  type: integer
-                                                  format: int64
-                                                value:
-                                                  description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
-                                                  type: string
-                                  serviceType:
-                                    description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
-                                    type: string
-                          selector:
-                            description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
-                            type: object
-                            properties:
-                              dnsNames:
-                                description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              dnsZones:
-                                description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              matchLabels:
-                                description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
-                                type: object
-                                additionalProperties:
-                                  type: string
-                ca:
-                  description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
-                  type: object
-                  required:
-                    - secretName
-                  properties:
-                    crlDistributionPoints:
-                      description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
-                      type: array
-                      items:
-                        type: string
-                    ocspServers:
-                      description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
-                      type: array
-                      items:
-                        type: string
-                    secretName:
-                      description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
-                      type: string
-                selfSigned:
-                  description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
-                  type: object
-                  properties:
-                    crlDistributionPoints:
-                      description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
-                      type: array
-                      items:
-                        type: string
-                vault:
-                  description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
-                  type: object
-                  required:
-                    - auth
-                    - path
-                    - server
-                  properties:
-                    auth:
-                      description: Auth configures how cert-manager authenticates with the Vault server.
-                      type: object
-                      properties:
-                        appRole:
-                          description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
-                          type: object
-                          required:
-                            - path
-                            - roleId
-                            - secretRef
-                          properties:
-                            path:
-                              description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
-                              type: string
-                            roleId:
-                              description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
-                              type: string
-                            secretRef:
-                              description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        kubernetes:
-                          description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
-                          type: object
-                          required:
-                            - role
-                            - secretRef
-                          properties:
-                            mountPath:
-                              description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
-                              type: string
-                            role:
-                              description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
-                              type: string
-                            secretRef:
-                              description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                                  type: string
-                                name:
-                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                        tokenSecretRef:
-                          description: TokenSecretRef authenticates with Vault by presenting a token.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                    caBundle:
-                      description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
-                      type: string
-                      format: byte
-                    namespace:
-                      description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
-                      type: string
-                    path:
-                      description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
-                      type: string
-                    server:
-                      description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                      type: string
-                venafi:
-                  description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
-                  type: object
-                  required:
-                    - zone
-                  properties:
-                    cloud:
-                      description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
-                      type: object
-                      required:
-                        - apiTokenSecretRef
-                      properties:
-                        apiTokenSecretRef:
-                          description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
-                              type: string
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                        url:
-                          description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
-                          type: string
-                    tpp:
-                      description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
-                      type: object
-                      required:
-                        - credentialsRef
-                        - url
-                      properties:
-                        caBundle:
-                          description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
-                          type: string
-                          format: byte
-                        credentialsRef:
-                          description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            name:
-                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                        url:
-                          description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
-                          type: string
-                    zone:
-                      description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
-                      type: string
-            status:
-              description: Status of the Issuer. This is set and managed automatically.
-              type: object
-              properties:
-                acme:
-                  description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
-                  type: object
-                  properties:
-                    lastRegisteredEmail:
-                      description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the  Issuer
-                      type: string
-                    uri:
-                      description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
-                      type: string
-                conditions:
-                  description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
-                  type: array
-                  items:
-                    description: IssuerCondition contains condition information for an Issuer.
-                    type: object
-                    required:
-                      - status
-                      - type
-                    properties:
-                      lastTransitionTime:
-                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
-                        type: string
-                        format: date-time
-                      message:
-                        description: Message is a human readable description of the details of the last transition, complementing reason.
-                        type: string
-                      observedGeneration:
-                        description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
-                        type: integer
-                        format: int64
-                      reason:
-                        description: Reason is a brief machine readable explanation for the condition's last transition.
-                        type: string
-                      status:
-                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
-                        type: string
-                        enum:
-                          - "True"
-                          - "False"
-                          - Unknown
-                      type:
-                        description: Type of the condition, known values are (`Ready`).
-                        type: string
-      served: true
-      storage: true
----
-# Source: cert-manager/templates/templates.out
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: orders.acme.cert-manager.io
-  annotations:
-    cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
-  labels:
-    app: 'cert-manager'
-    app.kubernetes.io/name: 'cert-manager'
-    app.kubernetes.io/instance: 'cert-manager'
-    # Generated labels
-    app.kubernetes.io/version: "v1.7.1"
-spec:
-  group: acme.cert-manager.io
-  names:
-    kind: Order
-    listKind: OrderList
-    plural: orders
-    singular: order
-    categories:
-      - cert-manager
-      - cert-manager-acme
-  scope: Namespaced
-  versions:
-    - name: v1
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - jsonPath: .status.state
-          name: State
-          type: string
-        - jsonPath: .spec.issuerRef.name
-          name: Issuer
-          priority: 1
-          type: string
-        - jsonPath: .status.reason
-          name: Reason
-          priority: 1
-          type: string
-        - jsonPath: .metadata.creationTimestamp
-          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          name: Age
-          type: date
-      schema:
-        openAPIV3Schema:
-          description: Order is a type to represent an Order with an ACME server
-          type: object
-          required:
-            - metadata
-            - spec
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              type: object
-              required:
-                - issuerRef
-                - request
-              properties:
-                commonName:
-                  description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
-                  type: string
-                dnsNames:
-                  description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
-                  type: array
-                  items:
-                    type: string
-                duration:
-                  description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec.
-                  type: string
-                ipAddresses:
-                  description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
-                  type: array
-                  items:
-                    type: string
-                issuerRef:
-                  description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
-                  type: object
-                  required:
-                    - name
-                  properties:
-                    group:
-                      description: Group of the resource being referred to.
-                      type: string
-                    kind:
-                      description: Kind of the resource being referred to.
-                      type: string
-                    name:
-                      description: Name of the resource being referred to.
-                      type: string
-                request:
-                  description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
-                  type: string
-                  format: byte
-            status:
-              type: object
-              properties:
-                authorizations:
-                  description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
-                  type: array
-                  items:
-                    description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource.
-                    type: object
-                    required:
-                      - url
-                    properties:
-                      challenges:
-                        description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
-                        type: array
-                        items:
-                          description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
-                          type: object
-                          required:
-                            - token
-                            - type
-                            - url
-                          properties:
-                            token:
-                              description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
-                              type: string
-                            type:
-                              description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
-                              type: string
-                            url:
-                              description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
-                              type: string
-                      identifier:
-                        description: Identifier is the DNS name to be validated as part of this authorization
-                        type: string
-                      initialState:
-                        description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
-                        type: string
-                        enum:
-                          - valid
-                          - ready
-                          - pending
-                          - processing
-                          - invalid
-                          - expired
-                          - errored
-                      url:
-                        description: URL is the URL of the Authorization that must be completed
-                        type: string
-                      wildcard:
-                        description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
-                        type: boolean
-                certificate:
-                  description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
-                  type: string
-                  format: byte
-                failureTime:
-                  description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
-                  type: string
-                  format: date-time
-                finalizeURL:
-                  description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
-                  type: string
-                reason:
-                  description: Reason optionally provides more information about a why the order is in the current state.
-                  type: string
-                state:
-                  description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
-                  type: string
-                  enum:
-                    - valid
-                    - ready
-                    - pending
-                    - processing
-                    - invalid
-                    - expired
-                    - errored
-                url:
-                  description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
-                  type: string
-      served: true
-      storage: true
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: cert-manager
----
-# Source: cert-manager/templates/cainjector-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-automountServiceAccountToken: true
-metadata:
-  name: cert-manager-cainjector
-  namespace: "cert-manager"
-  labels:
-    app: cainjector
-    app.kubernetes.io/name: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "cainjector"
-    app.kubernetes.io/version: "v1.7.1"
----
-# Source: cert-manager/templates/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-automountServiceAccountToken: true
-metadata:
-  name: cert-manager
-  namespace: "cert-manager"
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.7.1"
----
-# Source: cert-manager/templates/webhook-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-automountServiceAccountToken: true
-metadata:
-  name: cert-manager-webhook
-  namespace: "cert-manager"
-  labels:
-    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.7.1"
----
-# Source: cert-manager/templates/webhook-config.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: cert-manager-webhook
-  namespace: "cert-manager"
-  labels:
-    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "webhook"
-data:
----
-# Source: cert-manager/templates/cainjector-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-cainjector
-  labels:
-    app: cainjector
-    app.kubernetes.io/name: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "cainjector"
-    app.kubernetes.io/version: "v1.7.1"
-rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["get", "create", "update", "patch"]
-  - apiGroups: ["admissionregistration.k8s.io"]
-    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
-    verbs: ["get", "list", "watch", "update"]
-  - apiGroups: ["apiregistration.k8s.io"]
-    resources: ["apiservices"]
-    verbs: ["get", "list", "watch", "update"]
-  - apiGroups: ["apiextensions.k8s.io"]
-    resources: ["customresourcedefinitions"]
-    verbs: ["get", "list", "watch", "update"]
-  - apiGroups: ["auditregistration.k8s.io"]
-    resources: ["auditsinks"]
-    verbs: ["get", "list", "watch", "update"]
----
-# Source: cert-manager/templates/rbac.yaml
-# Issuer controller role
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-controller-issuers
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.7.1"
-rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["issuers", "issuers/status"]
-    verbs: ["update"]
-  - apiGroups: ["cert-manager.io"]
-    resources: ["issuers"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "watch", "create", "update", "delete"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["create", "patch"]
----
-# Source: cert-manager/templates/rbac.yaml
-# ClusterIssuer controller role
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-controller-clusterissuers
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.7.1"
-rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["clusterissuers", "clusterissuers/status"]
-    verbs: ["update"]
-  - apiGroups: ["cert-manager.io"]
-    resources: ["clusterissuers"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "watch", "create", "update", "delete"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["create", "patch"]
----
-# Source: cert-manager/templates/rbac.yaml
-# Certificates controller role
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-controller-certificates
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.7.1"
-rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
-    verbs: ["update"]
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
-    verbs: ["get", "list", "watch"]
-  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
-  # admission controller enabled:
-  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates/finalizers", "certificaterequests/finalizers"]
-    verbs: ["update"]
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["orders"]
-    verbs: ["create", "delete", "get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["create", "patch"]
----
-# Source: cert-manager/templates/rbac.yaml
-# Orders controller role
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-controller-orders
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.7.1"
-rules:
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["orders", "orders/status"]
-    verbs: ["update"]
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["orders", "challenges"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["cert-manager.io"]
-    resources: ["clusterissuers", "issuers"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["challenges"]
-    verbs: ["create", "delete"]
-  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
-  # admission controller enabled:
-  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["orders/finalizers"]
-    verbs: ["update"]
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["create", "patch"]
----
-# Source: cert-manager/templates/rbac.yaml
-# Challenges controller role
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-controller-challenges
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.7.1"
-rules:
-  # Use to update challenge resource status
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["challenges", "challenges/status"]
-    verbs: ["update"]
-  # Used to watch challenge resources
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["challenges"]
-    verbs: ["get", "list", "watch"]
-  # Used to watch challenges, issuer and clusterissuer resources
-  - apiGroups: ["cert-manager.io"]
-    resources: ["issuers", "clusterissuers"]
-    verbs: ["get", "list", "watch"]
-  # Need to be able to retrieve ACME account private key to complete challenges
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "watch"]
-  # Used to create events
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["create", "patch"]
-  # HTTP01 rules
-  - apiGroups: [""]
-    resources: ["pods", "services"]
-    verbs: ["get", "list", "watch", "create", "delete"]
-  - apiGroups: ["networking.k8s.io"]
-    resources: ["ingresses"]
-    verbs: ["get", "list", "watch", "create", "delete", "update"]
-  - apiGroups: [ "networking.x-k8s.io" ]
-    resources: [ "httproutes" ]
-    verbs: ["get", "list", "watch", "create", "delete", "update"]
-  # We require the ability to specify a custom hostname when we are creating
-  # new ingress resources.
-  # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
-  - apiGroups: ["route.openshift.io"]
-    resources: ["routes/custom-host"]
-    verbs: ["create"]
-  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
-  # admission controller enabled:
-  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["challenges/finalizers"]
-    verbs: ["update"]
-  # DNS01 rules (duplicated above)
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "watch"]
----
-# Source: cert-manager/templates/rbac.yaml
-# ingress-shim controller role
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-controller-ingress-shim
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.7.1"
-rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates", "certificaterequests"]
-    verbs: ["create", "update", "delete"]
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["networking.k8s.io"]
-    resources: ["ingresses"]
-    verbs: ["get", "list", "watch"]
-  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
-  # admission controller enabled:
-  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
-  - apiGroups: ["networking.k8s.io"]
-    resources: ["ingresses/finalizers"]
-    verbs: ["update"]
-  - apiGroups: ["networking.x-k8s.io"]
-    resources: ["gateways", "httproutes"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["networking.x-k8s.io"]
-    resources: ["gateways/finalizers", "httproutes/finalizers"]
-    verbs: ["update"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["create", "patch"]
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-view
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.7.1"
-    rbac.authorization.k8s.io/aggregate-to-view: "true"
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates", "certificaterequests", "issuers"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["challenges", "orders"]
-    verbs: ["get", "list", "watch"]
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-edit
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.7.1"
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates", "certificaterequests", "issuers"]
-    verbs: ["create", "delete", "deletecollection", "patch", "update"]
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["challenges", "orders"]
-    verbs: ["create", "delete", "deletecollection", "patch", "update"]
----
-# Source: cert-manager/templates/rbac.yaml
-# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-controller-approve:cert-manager-io
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "cert-manager"
-    app.kubernetes.io/version: "v1.7.1"
-rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["signers"]
-    verbs: ["approve"]
-    resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
----
-# Source: cert-manager/templates/rbac.yaml
-# Permission to:
-# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers
-# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-controller-certificatesigningrequests
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "cert-manager"
-    app.kubernetes.io/version: "v1.7.1"
-rules:
-  - apiGroups: ["certificates.k8s.io"]
-    resources: ["certificatesigningrequests"]
-    verbs: ["get", "list", "watch", "update"]
-  - apiGroups: ["certificates.k8s.io"]
-    resources: ["certificatesigningrequests/status"]
-    verbs: ["update"]
-  - apiGroups: ["certificates.k8s.io"]
-    resources: ["signers"]
-    resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
-    verbs: ["sign"]
-  - apiGroups: ["authorization.k8s.io"]
-    resources: ["subjectaccessreviews"]
-    verbs: ["create"]
----
-# Source: cert-manager/templates/webhook-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-webhook:subjectaccessreviews
-  labels:
-    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.7.1"
-rules:
-- apiGroups: ["authorization.k8s.io"]
-  resources: ["subjectaccessreviews"]
-  verbs: ["create"]
----
-# Source: cert-manager/templates/cainjector-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-cainjector
-  labels:
-    app: cainjector
-    app.kubernetes.io/name: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "cainjector"
-    app.kubernetes.io/version: "v1.7.1"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-cainjector
-subjects:
-  - name: cert-manager-cainjector
-    namespace: "cert-manager"
-    kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-controller-issuers
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.7.1"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-controller-issuers
-subjects:
-  - name: cert-manager
-    namespace: "cert-manager"
-    kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-controller-clusterissuers
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.7.1"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-controller-clusterissuers
-subjects:
-  - name: cert-manager
-    namespace: "cert-manager"
-    kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-controller-certificates
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.7.1"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-controller-certificates
-subjects:
-  - name: cert-manager
-    namespace: "cert-manager"
-    kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-controller-orders
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.7.1"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-controller-orders
-subjects:
-  - name: cert-manager
-    namespace: "cert-manager"
-    kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-controller-challenges
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.7.1"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-controller-challenges
-subjects:
-  - name: cert-manager
-    namespace: "cert-manager"
-    kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-controller-ingress-shim
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.7.1"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-controller-ingress-shim
-subjects:
-  - name: cert-manager
-    namespace: "cert-manager"
-    kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-controller-approve:cert-manager-io
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "cert-manager"
-    app.kubernetes.io/version: "v1.7.1"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-controller-approve:cert-manager-io
-subjects:
-  - name: cert-manager
-    namespace: "cert-manager"
-    kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-controller-certificatesigningrequests
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "cert-manager"
-    app.kubernetes.io/version: "v1.7.1"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-controller-certificatesigningrequests
-subjects:
-  - name: cert-manager
-    namespace: "cert-manager"
-    kind: ServiceAccount
----
-# Source: cert-manager/templates/webhook-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-webhook:subjectaccessreviews
-  labels:
-    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.7.1"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-webhook:subjectaccessreviews
-subjects:
-- apiGroup: ""
-  kind: ServiceAccount
-  name: cert-manager-webhook
-  namespace: cert-manager
----
-# Source: cert-manager/templates/cainjector-rbac.yaml
-# leader election rules
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: cert-manager-cainjector:leaderelection
-  namespace: kube-system
-  labels:
-    app: cainjector
-    app.kubernetes.io/name: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "cainjector"
-    app.kubernetes.io/version: "v1.7.1"
-rules:
-  # Used for leader election by the controller
-  # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
-  #   see cmd/cainjector/start.go#L113
-  # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
-  #   see cmd/cainjector/start.go#L137
-  # See also: https://github.com/kubernetes-sigs/controller-runtime/pull/1144#discussion_r480173688
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
-    verbs: ["get", "update", "patch"]
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    verbs: ["create"]
-  - apiGroups: ["coordination.k8s.io"]
-    resources: ["leases"]
-    resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
-    verbs: ["get", "update", "patch"]
-  - apiGroups: ["coordination.k8s.io"]
-    resources: ["leases"]
-    verbs: ["create"]
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: cert-manager:leaderelection
-  namespace: kube-system
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.7.1"
-rules:
-  # Used for leader election by the controller
-  # See also: https://github.com/kubernetes-sigs/controller-runtime/pull/1144#discussion_r480173688
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    resourceNames: ["cert-manager-controller"]
-    verbs: ["get", "update", "patch"]
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    verbs: ["create"]
-  - apiGroups: ["coordination.k8s.io"]
-    resources: ["leases"]
-    resourceNames: ["cert-manager-controller"]
-    verbs: ["get", "update", "patch"]
-  - apiGroups: ["coordination.k8s.io"]
-    resources: ["leases"]
-    verbs: ["create"]
----
-# Source: cert-manager/templates/webhook-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: cert-manager-webhook:dynamic-serving
-  namespace: "cert-manager"
-  labels:
-    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.7.1"
-rules:
-- apiGroups: [""]
-  resources: ["secrets"]
-  resourceNames:
-  - 'cert-manager-webhook-ca'
-  verbs: ["get", "list", "watch", "update"]
-# It's not possible to grant CREATE permission on a single resourceName.
-- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["create"]
----
-# Source: cert-manager/templates/cainjector-rbac.yaml
-# grant cert-manager permission to manage the leaderelection configmap in the
-# leader election namespace
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: cert-manager-cainjector:leaderelection
-  namespace: kube-system
-  labels:
-    app: cainjector
-    app.kubernetes.io/name: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "cainjector"
-    app.kubernetes.io/version: "v1.7.1"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: cert-manager-cainjector:leaderelection
-subjects:
-  - kind: ServiceAccount
-    name: cert-manager-cainjector
-    namespace: cert-manager
----
-# Source: cert-manager/templates/rbac.yaml
-# grant cert-manager permission to manage the leaderelection configmap in the
-# leader election namespace
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: cert-manager:leaderelection
-  namespace: kube-system
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.7.1"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: cert-manager:leaderelection
-subjects:
-  - apiGroup: ""
-    kind: ServiceAccount
-    name: cert-manager
-    namespace: cert-manager
----
-# Source: cert-manager/templates/webhook-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: cert-manager-webhook:dynamic-serving
-  namespace: "cert-manager"
-  labels:
-    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.7.1"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: cert-manager-webhook:dynamic-serving
-subjects:
-- apiGroup: ""
-  kind: ServiceAccount
-  name: cert-manager-webhook
-  namespace: cert-manager
----
-# Source: cert-manager/templates/service.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  name: cert-manager
-  namespace: "cert-manager"
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.7.1"
-spec:
-  type: ClusterIP
-  ports:
-  - protocol: TCP
-    port: 9402
-    name: tcp-prometheus-servicemonitor
-    targetPort: 9402
-  selector:
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
----
-# Source: cert-manager/templates/webhook-service.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  name: cert-manager-webhook
-  namespace: "cert-manager"
-  labels:
-    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.7.1"
-spec:
-  type: ClusterIP
-  ports:
-  - name: https
-    port: 443
-    protocol: TCP
-    targetPort: "https"
-  selector:
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "webhook"
----
-# Source: cert-manager/templates/cainjector-deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: cert-manager-cainjector
-  namespace: "cert-manager"
-  labels:
-    app: cainjector
-    app.kubernetes.io/name: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "cainjector"
-    app.kubernetes.io/version: "v1.7.1"
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: cainjector
-      app.kubernetes.io/instance: cert-manager
-      app.kubernetes.io/component: "cainjector"
-  template:
-    metadata:
-      labels:
-        app: cainjector
-        app.kubernetes.io/name: cainjector
-        app.kubernetes.io/instance: cert-manager
-        app.kubernetes.io/component: "cainjector"
-        app.kubernetes.io/version: "v1.7.1"
-    spec:
-      serviceAccountName: cert-manager-cainjector
-      securityContext:
-        runAsNonRoot: true
-      containers:
-        - name: cert-manager
-          image: "quay.io/jetstack/cert-manager-cainjector:v1.7.1"
-          imagePullPolicy: IfNotPresent
-          args:
-          - --v=2
-          - --leader-election-namespace=kube-system
-          env:
-          - name: POD_NAMESPACE
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.namespace
----
-# Source: cert-manager/templates/deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: cert-manager
-  namespace: "cert-manager"
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.7.1"
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: cert-manager
-      app.kubernetes.io/instance: cert-manager
-      app.kubernetes.io/component: "controller"
-  template:
-    metadata:
-      labels:
-        app: cert-manager
-        app.kubernetes.io/name: cert-manager
-        app.kubernetes.io/instance: cert-manager
-        app.kubernetes.io/component: "controller"
-        app.kubernetes.io/version: "v1.7.1"
-      annotations:
-        prometheus.io/path: "/metrics"
-        prometheus.io/scrape: 'true'
-        prometheus.io/port: '9402'
-    spec:
-      serviceAccountName: cert-manager
-      securityContext:
-        
-        runAsNonRoot: true
-      containers:
-        - name: cert-manager
-          image: "quay.io/jetstack/cert-manager-controller:v1.7.1"
-          imagePullPolicy: IfNotPresent
-          args:
-          - --v=2
-          - --cluster-resource-namespace=$(POD_NAMESPACE)
-          - --leader-election-namespace=kube-system
-          ports:
-          - containerPort: 9402
-            protocol: TCP
-          env:
-          - name: POD_NAMESPACE
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.namespace
----
-# Source: cert-manager/templates/webhook-deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: cert-manager-webhook
-  namespace: "cert-manager"
-  labels:
-    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.7.1"
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: webhook
-      app.kubernetes.io/instance: cert-manager
-      app.kubernetes.io/component: "webhook"
-  template:
-    metadata:
-      labels:
-        app: webhook
-        app.kubernetes.io/name: webhook
-        app.kubernetes.io/instance: cert-manager
-        app.kubernetes.io/component: "webhook"
-        app.kubernetes.io/version: "v1.7.1"
-    spec:
-      serviceAccountName: cert-manager-webhook
-      securityContext:
-        runAsNonRoot: true
-      containers:
-        - name: cert-manager
-          image: "quay.io/jetstack/cert-manager-webhook:v1.7.1"
-          imagePullPolicy: IfNotPresent
-          args:
-          - --v=2
-          - --secure-port=10250
-          - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
-          - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
-          - --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
-          ports:
-          - name: https
-            protocol: TCP
-            containerPort: 10250
-          livenessProbe:
-            httpGet:
-              path: /livez
-              port: 6080
-              scheme: HTTP
-            initialDelaySeconds: 60
-            periodSeconds: 10
-            timeoutSeconds: 1
-            successThreshold: 1
-            failureThreshold: 3
-          readinessProbe:
-            httpGet:
-              path: /healthz
-              port: 6080
-              scheme: HTTP
-            initialDelaySeconds: 5
-            periodSeconds: 5
-            timeoutSeconds: 1
-            successThreshold: 1
-            failureThreshold: 3
-          env:
-          - name: POD_NAMESPACE
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.namespace
----
-# Source: cert-manager/templates/webhook-mutating-webhook.yaml
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
-  name: cert-manager-webhook
-  labels:
-    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.7.1"
-  annotations:
-    cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
-webhooks:
-  - name: webhook.cert-manager.io
-    rules:
-      - apiGroups:
-          - "cert-manager.io"
-          - "acme.cert-manager.io"
-        apiVersions:
-          - "v1"
-        operations:
-          - CREATE
-          - UPDATE
-        resources:
-          - "*/*"
-    admissionReviewVersions: ["v1"]
-    # This webhook only accepts v1 cert-manager resources.
-    # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
-    # this webhook (after the resources have been converted to v1).
-    matchPolicy: Equivalent
-    timeoutSeconds: 10
-    failurePolicy: Fail
-    # Only include 'sideEffects' field in Kubernetes 1.12+
-    sideEffects: None
-    clientConfig:
-      service:
-        name: cert-manager-webhook
-        namespace: "cert-manager"
-        path: /mutate
----
-# Source: cert-manager/templates/webhook-validating-webhook.yaml
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  name: cert-manager-webhook
-  labels:
-    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.7.1"
-  annotations:
-    cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
-webhooks:
-  - name: webhook.cert-manager.io
-    namespaceSelector:
-      matchExpressions:
-      - key: "cert-manager.io/disable-validation"
-        operator: "NotIn"
-        values:
-        - "true"
-      - key: "name"
-        operator: "NotIn"
-        values:
-        - cert-manager
-    rules:
-      - apiGroups:
-          - "cert-manager.io"
-          - "acme.cert-manager.io"
-        apiVersions:
-          - "v1"
-        operations:
-          - CREATE
-          - UPDATE
-        resources:
-          - "*/*"
-    admissionReviewVersions: ["v1"]
-    # This webhook only accepts v1 cert-manager resources.
-    # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
-    # this webhook (after the resources have been converted to v1).
-    matchPolicy: Equivalent
-    timeoutSeconds: 10
-    failurePolicy: Fail
-    sideEffects: None
-    clientConfig:
-      service:
-        name: cert-manager-webhook
-        namespace: "cert-manager"
-        path: /validate
diff --git a/ddclient/ddclient.conf b/ddclient/ddclient.conf
deleted file mode 100644
index 91010230a8645ed3d9996b109da1b5a481c2f672..0000000000000000000000000000000000000000
--- a/ddclient/ddclient.conf
+++ /dev/null
@@ -1,316 +0,0 @@
-######################################################################
-## 
-## Define default global variables with lines like:
-## 	var=value [, var=value]*
-## These values will be used for each following host unless overridden
-## with a local variable definition.
-##
-## Define local variables for one or more hosts with:
-## 	var=value [, var=value]* host.and.domain[,host2.and.domain...]
-##
-## Lines can be continued on the following line by ending the line
-## with a \
-##
-##
-## Warning: not all supported routers or dynamic DNS services
-##          are mentioned here.
-##
-######################################################################
-daemon=300				# check every 300 seconds
-syslog=yes				# log update msgs to syslog
-#mail=root				# mail all msgs to root
-#mail-failure=root			# mail failed update msgs to root
-pid=/var/run/ddclient/ddclient.pid		# record PID in file.
-# ssl=yes 				# use ssl-support.  Works with
-# ssl-library
-# postscript=script			# run script after updating.  The
-# new IP is added as argument.
-#
-#use=watchguard-soho,        fw=192.168.111.1:80	# via Watchguard's SOHO FW
-#use=netopia-r910,           fw=192.168.111.1:80	# via Netopia R910 FW
-#use=smc-barricade,          fw=192.168.123.254:80	# via SMC's Barricade FW
-#use=netgear-rt3xx,          fw=192.168.0.1:80		# via Netgear's internet FW
-#use=linksys,                fw=192.168.1.1:80		# via Linksys's internet FW
-#use=maxgate-ugate3x00,      fw=192.168.0.1:80		# via MaxGate's UGATE-3x00  FW
-#use=elsa-lancom-dsl10,      fw=10.0.0.254:80		# via ELSA LanCom DSL/10 DSL Router
-#use=elsa-lancom-dsl10-ch01, fw=10.0.0.254:80		# via ELSA LanCom DSL/10 DSL Router
-#use=elsa-lancom-dsl10-ch02, fw=10.0.0.254:80		# via ELSA LanCom DSL/10 DSL Router
-#use=alcatel-stp,            fw=10.0.0.138:80           # via Alcatel Speed Touch Pro
-#use=xsense-aero,            fw=192.168.1.1:80          # via Xsense Aero Router
-#use=allnet-1298,            fw=192.168.1.1:80          # via AllNet 1298 DSL Router
-#use=3com-oc-remote812,	     fw=192.168.0.254:80	# via 3com OfficeConnect Remote 812
-#use=e-tech,                 fw=192.168.1.1:80          # via E-tech Router
-#use=cayman-3220h,           fw=192.168.0.1:1080        # via Cayman 3220-H DSL Router
-#
-#fw-login=admin,             fw-password=XXXXXX		# FW login and password
-#
-## To obtain an IP address from FW status page (using fw-login, fw-password)
-#use=fw, fw=192.168.1.254/status.htm, fw-skip='IP Address' # found after IP Address
-#
-## To obtain an IP address from Web status page (using the proxy if defined)
-## by default, checkip.dyndns.org is used if you use the dyndns protocol.
-## Using use=web is enough to get it working.
-## WARNING: set deamon at least to 600 seconds if you use checkip or you could
-## get banned from their service.
-#use=web, web=checkip.dyndns.org/, web-skip='IP Address' # found after IP Address
-#
-#use=ip,                     ip=127.0.0.1	# via static IP's
-#use=if,                     if=eth0		# via interfaces
-#use=web					# via web
-#
-#protocol=dyndns2				# default protocol
-#proxy=fasthttp.sympatico.ca:80			# default proxy
-#server=members.dyndns.org			# default server
-#server=members.dyndns.org:8245			# default server (bypassing proxies)
-
-#login=your-login				# default login
-#password=test					# default password
-#mx=mx.for.your.host				# default MX
-#backupmx=yes|no				# host is primary MX?
-#wildcard=yes|no				# add wildcard CNAME?
-
-use=web
-web=checkip.dyndns.org
-
-##
-## dyndns.org dynamic addresses
-##
-## (supports variables: wildcard,mx,backupmx)
-##
-# server=members.dyndns.org,		\
-# protocol=dyndns2			\
-# your-dynamic-host.dyndns.org
-
-##
-## dyndns.org static addresses
-##
-## (supports variables: wildcard,mx,backupmx)
-##
-# static=yes,				\
-# server=members.dyndns.org,		\
-# protocol=dyndns2			\
-# your-static-host.dyndns.org
-
-##
-##
-## dyndns.org custom addresses
-##
-## (supports variables: wildcard,mx,backupmx)
-##
-# custom=yes,				\
-# server=members.dyndns.org,		\
-# protocol=dyndns2			\
-# your-domain.top-level,your-other-domain.top-level
-
-##
-## ZoneEdit (zoneedit.com)
-##
-# server=dynamic.zoneedit.com, 		\
-# protocol=zoneedit1,			\
-# login=your-zoneedit-login,  		\
-# password=your-zoneedit-password	\
-# your.any.domain,your-2nd.any.dom
-
-##
-## EasyDNS (easydns.com)
-##
-# server=members.easydns.com, 		\
-# protocol=easydns,			\
-# login=your-easydns-login,  		\
-# password=your-easydns-password	\
-# your.any.domain,your-2nd.any.domain
-
-##
-## Hammernode (hn.org) dynamic addresses
-##
-# server=dup.hn.org,             	\
-# protocol=hammernode1,         	\
-# login=your-hn-login,           	\
-# password=your-hn-password      	\
-# your-hn-host.hn.org,your-2nd-hn-host.hn.org
-
-##
-## dslreports.com dynamic-host monitoring
-##
-# server=members.dslreports.com		\
-# protocol=dslreports1,			\
-# login=dslreports-login,		\
-# password=dslreports-password		\
-# dslreports-unique-id
-
-##
-## OrgDNS.org account-configuration
-##
-# use=web, web=members.orgdns.org/nic/ip
-# server=www.orgdns.org 		\
-# protocol=dyndns2 			\
-# login=yourLoginName 			\
-# password=yourPassword 		\
-# yourSubdomain.orgdns.org
-
-##
-## dnspark.com
-## (supports variables: mx, mxpri)
-##
-# use=web, web=ipdetect.dnspark.com, web-skip='Current Address:'
-# protocol=dnspark,			\
-# server=www.dnspark.com,		\
-# your-host.dnspark.com
-
-##
-## NameCheap (namecheap.com)
-##
-# protocol=namecheap,				\
-# server=dynamicdns.park-your-domain.com,	\
-# login=my-namecheap.com-login,			\
-# password=my-namecheap.com-password		\
-# myhost.namecheap.com
-
-##
-## NameCheap (arnaudpas.com)
-##
-protocol=namecheap,				\
-server=dynamicdns.park-your-domain.com,	\
-login=arnaudpas.com,			\
-password=1831ff7350ad4734922c1b7077f8229b		\
-@
-
-protocol=namecheap,				\
-server=dynamicdns.park-your-domain.com,	\
-login=arnaudpas.com,			\
-password=1831ff7350ad4734922c1b7077f8229b		\
-testenv
-
-protocol=namecheap,				\
-server=dynamicdns.park-your-domain.com,	\
-login=arnaudpas.com,			\
-password=1831ff7350ad4734922c1b7077f8229b		\
-*
-
-protocol=namecheap,				\
-server=dynamicdns.park-your-domain.com,	\
-login=arnaudpas.com,			\
-password=1831ff7350ad4734922c1b7077f8229b		\
-*.testenv
-
-##
-## NameCheap (joos.io)
-##
-protocol=namecheap,				\
-server=dynamicdns.park-your-domain.com,	\
-login=joos.io,			\
-password=db493216e1a543d5ac05cde11ad4f1dc		\
-@
-
-protocol=namecheap,				\
-server=dynamicdns.park-your-domain.com,	\
-login=joos.io,			\
-password=db493216e1a543d5ac05cde11ad4f1dc		\
-testenv
-
-protocol=namecheap,				\
-server=dynamicdns.park-your-domain.com,	\
-login=joos.io,			\
-password=db493216e1a543d5ac05cde11ad4f1dc		\
-*
-
-protocol=namecheap,				\
-server=dynamicdns.park-your-domain.com,	\
-login=joos.io,			\
-password=db493216e1a543d5ac05cde11ad4f1dc		\
-*.testenv
-
-##
-##
-## Loopia (loopia.se)
-##
-# use=web
-# web=loopia
-# protocol=dyndns2
-# server=dns.loopia.se
-# script=/XDynDNSServer/XDynDNS.php
-# login=my-loopia.se-login
-# password=my-loopia.se-password
-# my.domain.tld,other.domain.tld
-
-##
-##
-## ChangeIP (changeip.com)
-##
-## single host update
-# protocol=changeip,                   \
-# login=my-my-changeip.com-login,      \
-# password=my-changeip.com-password    \
-# myhost.changeip.org
-
-##
-## DtDNS (www.dtdns.com)
-##
-# protocol=dtdns,
-# server=www.dtdns.com,
-# client=ddclient,
-# password=my-dtdns.com-password
-# myhost.dtdns.net, otherhost.dtdns.net
-
-##
-## CloudFlare (www.cloudflare.com)
-##
-#protocol=cloudflare,        \
-#zone=domain.tld,            \
-#ttl=1,                      \
-#login=your-login-email,     \
-#password=APIKey             \
-#domain.tld,my.domain.tld
-
-##
-## Google Domains (www.google.com/domains)
-##
-protocol=googledomains,
-login=KaR1yZoO4V0SqDFV,
-password=MolYsnTRjMK7k1hg
-420joos.dev
-
-protocol=googledomains,
-login=4IAsFxgMvuPoQdu4,
-password=jW27AhnIbM11Ae3g
-*.420joos.dev
-
-protocol=googledomains,
-login=sVEe2pqLryiu2kFF,
-password=ynngnxTM0Zj41m9w
-testenv.420joos.dev
-
-protocol=googledomains,
-login=l5c7kGMUWk31stJX,
-password=iS0BljKHmU6v03YZ
-*.testenv.420joos.dev
-
-##
-## Duckdns (http://www.duckdns.org/)
-##
-#
-# password=my-auto-generated-password
-# protocol=duckdns hostwithoutduckdnsorg
-
-##
-## Freemyip (http://freemyip.com/)
-##
-#
-# protocol=freemyip,
-# password=my-token
-# myhost
-
-##
-## MyOnlinePortal (http://myonlineportal.net)
-##
-# protocol=dyndns2
-# ssl=yes
-# # ipv6=yes # optional
-# use=web, web=myonlineportal.net/checkip
-# # use=if, if=eth0     # alternative to use=web
-# # if-skip=Scope:Link  # alternative to use=web
-# login=your-myonlineportal-username
-# password=your-myonlineportal-password
-# domain.myonlineportal.net
-
-
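Review bot: Deleting ddclient/ddclient.conf does not retire the credentials it held. The uncommented `protocol=namecheap` entries (four for each of the two `login=` domains) and the four `protocol=googledomains` entries carry plaintext `password=` values, which stay readable in every earlier revision and in any clone or CI cache. Each one should be treated as exposed and rotated at the provider, and the history should be purged if the repository was ever shared beyond its owner. The global `ssl=yes` line is also commented out, so depending on the ddclient version's default these values may have been sent without TLS. If the service comes back, the config would be better rendered from a secret store than committed; the removed ddclient_small.yaml lists this file as plain volume `content`.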
diff --git a/ddclient/ddclient_small.yaml b/ddclient/ddclient_small.yaml
deleted file mode 100644
index 3d11c3a200646d4277d6d5e9a7669948e4b9147b..0000000000000000000000000000000000000000
--- a/ddclient/ddclient_small.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-name: ddclient
-namespace: ddclient
-type: ddclient
-deployments:
-- id: default
-  image: linuxserver/ddclient@sha256:8ffd683283ba68f186c81fbd2bb02ac69557cfaaf01ceba3a48199f97de0b5e6
-  volumes:
-    data:
-      content:
-      - ddclient/ddclient.conf
diff --git a/deploy/.gitignore b/deploy/.gitignore
deleted file mode 100644
index fe33a8ed143ab3694330487d076321d3f5875e63..0000000000000000000000000000000000000000
--- a/deploy/.gitignore
+++ /dev/null
@@ -1,152 +0,0 @@
-# Byte-compiled / optimized / DLL files
-__pycache__/
-*.py[cod]
-*$py.class
-
-# C extensions
-*.so
-
-# Distribution / packaging
-.Python
-build/
-develop-eggs/
-dist/
-downloads/
-eggs/
-.eggs/
-lib/
-lib64/
-parts/
-sdist/
-var/
-wheels/
-share/python-wheels/
-*.egg-info/
-.installed.cfg
-*.egg
-MANIFEST
-
-# PyInstaller
-#  Usually these files are written by a python script from a template
-#  before PyInstaller builds the exe, so as to inject date/other infos into it.
-*.manifest
-*.spec
-
-# Installer logs
-pip-log.txt
-pip-delete-this-directory.txt
-
-# Unit test / coverage reports
-htmlcov/
-.tox/
-.nox/
-.coverage
-.coverage.*
-.cache
-nosetests.xml
-coverage.xml
-*.cover
-*.py,cover
-.hypothesis/
-.pytest_cache/
-cover/
-
-# Translations
-*.mo
-*.pot
-
-# Django stuff:
-*.log
-local_settings.py
-db.sqlite3
-db.sqlite3-journal
-
-# Flask stuff:
-instance/
-.webassets-cache
-
-# Scrapy stuff:
-.scrapy
-
-# Sphinx documentation
-docs/_build/
-
-# PyBuilder
-.pybuilder/
-target/
-
-# Jupyter Notebook
-.ipynb_checkpoints
-
-# IPython
-profile_default/
-ipython_config.py
-
-# pyenv
-#   For a library or package, you might want to ignore these files since the code is
-#   intended to run in multiple environments; otherwise, check them in:
-# .python-version
-
-# pipenv
-#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
-#   However, in case of collaboration, if having platform-specific dependencies or dependencies
-#   having no cross-platform support, pipenv may install dependencies that don't work, or not
-#   install all needed dependencies.
-#Pipfile.lock
-
-# poetry
-#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
-#   This is especially recommended for binary packages to ensure reproducibility, and is more
-#   commonly ignored for libraries.
-#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
-#poetry.lock
-
-# PEP 582; used by e.g. github.com/David-OConnor/pyflow
-__pypackages__/
-
-# Celery stuff
-celerybeat-schedule
-celerybeat.pid
-
-# SageMath parsed files
-*.sage.py
-
-# Environments
-.env
-.venv
-env/
-venv/
-ENV/
-env.bak/
-venv.bak/
-
-# Spyder project settings
-.spyderproject
-.spyproject
-
-# Rope project settings
-.ropeproject
-
-# mkdocs documentation
-/site
-
-# mypy
-.mypy_cache/
-.dmypy.json
-dmypy.json
-
-# Pyre type checker
-.pyre/
-
-# pytype static type analyzer
-.pytype/
-
-# Cython debug symbols
-cython_debug/
-
-# PyCharm
-#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
-#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
-#  and can be added to the global gitignore or merged into this file.  For a more nuclear
-#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
-#.idea/
\ No newline at end of file
diff --git a/deploy/external.json b/deploy/external.json
deleted file mode 100644
index f7f242db343ccd7407a8e60b85fbc07c12a5d676..0000000000000000000000000000000000000000
--- a/deploy/external.json
+++ /dev/null
@@ -1,105 +0,0 @@
-{
-    "endpoints": {
-        "external-ip-joos-io": {
-            "ip": "192.168.1.157",
-            "ports": {
-                "443": {
-                    "protocols": ["TCP", "UDP"]
-                }
-            },
-            "maxUploadSize": "100m"
-        },
-        "external-proxmox": {
-            "ip": "192.168.1.145",
-            "ports": {
-                "8006": {
-                    "protocols": ["TCP", "UDP"]
-                }
-            },
-            "maxUploadSize": "20g"
-        },
-        "external-proxmox2": {
-            "ip": "192.168.1.178",
-            "ports": {
-                "8006": {
-                    "protocols": ["TCP", "UDP"]
-                }
-            },
-            "maxUploadSize": "20g"
-        },
-        "external-stratford-to": {
-            "ip": "192.168.1.170",
-            "ports": {
-                "443": {
-                    "protocols": ["TCP", "UDP"]
-                }
-            },
-            "maxUploadSize": "100m"
-        },
-        "external-joos-to": {
-            "ip": "192.168.1.170",
-            "ports": {
-                "443": {
-                    "protocols": ["TCP", "UDP"]
-                }
-            },
-            "maxUploadSize": "100m"
-        },
-        "external-sublevia-com": {
-            "ip": "192.168.1.170",
-            "ports": {
-                "443": {
-                    "protocols": ["TCP", "UDP"]
-                }
-            },
-            "maxUploadSize": "100m"
-        }
-    },
-    "redirects": {
-        "proxmox.420joos.dev": {
-            "endpoint": "external-proxmox"
-        },
-        "proxmox2.420joos.dev": {
-            "endpoint": "external-proxmox2"
-        },
-        "stratford.to": {
-            "endpoint": "external-stratford-to"
-        },
-        "blog.stratford.to": {
-            "endpoint": "external-stratford-to"
-        },
-        "seo.stratford.to": {
-            "endpoint": "external-stratford-to"
-        },
-        "rancher.joos.to": {
-            "endpoint": "external-joos-to"
-        },
-        "pwm.joos.to": {
-            "endpoint": "external-joos-to"
-        },
-        "draw.joos.to": {
-            "endpoint": "external-joos-to"
-        },
-        "codimd.joos.to": {
-            "endpoint": "external-joos-to"
-        },
-        "img.joos.to": {
-            "endpoint": "external-joos-to"
-        },
-        "finance.joos.to": {
-            "endpoint": "external-joos-to"
-        },
-        "asset.joos.to": {
-            "endpoint": "external-joos-to"
-        },
-        "chat.joos.to": {
-            "endpoint": "external-joos-to"
-        },
-        "webmail.joos.to": {
-            "endpoint": "external-joos-to"
-        },
-        "sublevia.com": {
-            "endpoint": "external-sublevia-com"
-        }
-    }    
-}
diff --git a/deploy/generate_scripts/generate_deployment_from_middle.py b/deploy/generate_scripts/generate_deployment_from_middle.py
deleted file mode 100644
index c3644e90321c1871a34a2c76f4318e57d7ed9d3a..0000000000000000000000000000000000000000
--- a/deploy/generate_scripts/generate_deployment_from_middle.py
+++ /dev/null
@@ -1,1410 +0,0 @@
-from importlib.metadata import distribution
-import os
-import pathlib
-import yaml
-import json
-from kubernetes_yaml_constants import *
-from os import environ, name
-from pathlib import Path
-import argparse
-from copy import deepcopy
-from shutil import copyfile
-from pathlib import Path
-from uuid import uuid4
-
-
-PROD = False
-TESTCLUSTER_DEVICE_IP = None
-
-BUILD_DIR = 'deploy'
-EXTERNAL_PATH = f'{BUILD_DIR}/external.json'
-INGRESS_DIR = 'ingress'
-INGRESS_TEMPLATE_PATH = f'{INGRESS_DIR}/nginx-ingress-v1.1.0.yaml'
-INGRESS_CONFIG_FILENAME = f'nginx.tmpl'
-INGRESS_CONFIG_TEMPLATE_PATH = f'{INGRESS_DIR}/{INGRESS_CONFIG_FILENAME}'
-INGRESS_CONFIG_MOUNT_PATH = "/etc/nginx/template"
-INGRESS_CONFIG_VOLUME_NAME = "nginx-config" 
-INGRESS_CONFIG_CUSTOM_MAX_CLIENT_BODY_SIZE_TAG = "#custom_max_client_body_size_definitions_here"
-INGRESS_PROD_ISSUER_PATH = f'{INGRESS_DIR}/prod_issuer.yaml'
-INGRESS_STAGING_ISSUER_PATH = f'{INGRESS_DIR}/staging_issuer.yaml'
-
-INGRESS_DEPLOYMENT_DEPLOY_PATH = "ingress_deployment"
-PROD_INGRESS_DEPLOY_FILENAME = "prod_ingress_config"
-TEST_INGRESS_DEPLOY_FILENAME = "test_ingress_config"
-DISTRIBUTION_INGRESS_DEPLOY_FILENAME = "distribution_ingress_config"
-ENDPOINTS_FILENAME = "endpoints"
-PROD_ISSUER_FILENAME = "prod_issuer"
-STAGING_ISSUER_FILENAME = "staging_issuer"
-
-DEPLOYMENTS_FIELD = "deployments"
-NAMESPACE_FIELD = "namespace"
-NAME_FIELD = "name"
-SERVICE_ACCOUNT_FIELD = "serviceAccount"
-VOLUMES_FIELD = "volumes"
-URI_FIELD = "uri"
-MAX_UPLOAD_SIZE_FIELD = "maxUploadSize"
-PORTS_FIELD = "ports"
-PORT_FIELD = "port"
-TARGET_PORT_FIELD = "targetPort"
-PORT_PROTOCOL_FIELD = "protocol"
-EXPOSED_HTTP_PORT_FIELD = "exposedHttpPort"
-CLUSTER_IP_PORTS_FIELD = "clusterIP"
-LB_PORTS_FIELD = "loadBalancer"
-NODE_PORT_PORTS_FIELD = "nodePort"
-SIZE_FIELD = "size"
-TYPE_FIELD = "type"
-TYPE_PV_VALUE = "pv"
-TYPE_CONFIG_MAP_VALUE = "configMap"
-ACCESS_MODES_FIELD = "accessModes"
-NFS_FIELD = "nfs"
-NFS_SERVER_FIELD = "server"
-PATH_FIELD = "path"
-HOSTPATH_FIELD = "hostpath"
-DEVICE_HOSTNAME_FIELD = "deviceHostname"
-MOUNT_PATH_FIELD = "mountPath"
-CONTENT_FIELD = "content"
-SUBPATH_FIELD = "subPath"
-IMAGE_FIELD = "image"
-RULES_FIELD = "rules"
-API_GROUPS_FIELD = "apiGroups"
-RESOURCES_FIELD = "resources"
-VERBS_FIELD = "verbs"
-ENV_FIELD = "env"
-PRIVILEGED_FIELD = "privileged"
-IMAGE_PULL_SECRETS_FIELD = "imagePullSecrets"
-
-SERVICEACCOUNT_TYPE_CLUSTER = "cluster"
-SERVICEACCOUNT_TYPE_NAMESPACE = "namespace"
-
-TYPE_NONE = "none"
-TYPE_NGINX = "nginx"
-TYPE_GITLAB = "gitlab"
-TYPE_GITLAB_RUNNER = "gitlab-runner"
-TYPE_NFS = "nfs"
-TYPE_MATRIX = "matrix"
-TYPE_TURN = "turn"
-TYPE_WORDPRESS = "wordpress"
-TYPE_NEXTCLOUD = "nextcloud"
-TYPE_DOCKER_REGISTRY = "docker-registry"
-TYPE_OCTOBOT = "octobot"
-TYPE_SYNAPSE_ADMIN = "synapse-admin"
-TYPE_DDCLIENT = "ddclient"
-TYPE_MAUTRIX_BRIDGE = "mautrix-bridge"
-
-ID_FIELD = "id"
-
-EXTERNALS_ENDPOINTS_FIELD = "endpoints"
-EXTERNALS_IP_FIELD = "ip"
-EXTERNALS_PORT_FIELD = "port"
-EXTERNALS_PROTOCOLS_FIELD = "protocols"
-EXTERNALS_TARGETPORT_FIELD = "targetPort"
-EXTERNALS_REDIRECTS_FIELD = "redirects"
-EXTERNALS_ENDPOINT_FIELD = "endpoint"
-
-PORT_DEFAULT = 80
-SECRETNAME_DEFAULT = "echo-tls"
-INGRESS_SECRETNAME_PROD = "prod-tls"
-INGRESS_SECRETNAME_TEST = "test-tls"
-INGRESS_SECRETNAME_DISTRIBUTION = "distribution-tls"
-
-DEFAULT_INGRESS_NAME = "default-ingress"
-DISTRIBUTION_INGRESS_NAME = "distribution-ingress"
-TEST_INGRESS_NAME = "test-ingress"
-INGRESS_CERTIFICATE_PROD = "letsencrypt-prod"
-INGRESS_CERTIFICATE_STAGING = "letsencrypt-staging"
-
-REGISTRY_420JOOS_DEV_CREDS_SECRET_NAME = "registry-420joos-dev-creds"
-IMAGE_PULL_SECRETS_DEFAULT_VALUE = [REGISTRY_420JOOS_DEV_CREDS_SECRET_NAME]
-IMAGE_PULL_SECRETS = {
-    REGISTRY_420JOOS_DEV_CREDS_SECRET_NAME: "docker_registry/docker_registry_creds_secret.yaml",
-}
-
-
-def make_deployment_scripts(middle_deployment_scripts: list, middle_deployments: list):
-  #get all deployment files
-  nginx_bridges = []
-  if middle_deployment_scripts is not None:
-    for middle_deployment_script in middle_deployment_scripts:
-      project_name, namespace, deployment_file_content, persistent_volumes_file_content, service_account_file_content, current_nginx_bridges = make_deployment_script_from_script(middle_deployment_script)
-      if current_nginx_bridges:
-        nginx_bridges.append((project_name, namespace, current_nginx_bridges))
-
-      dump_files(project_name, deployment_file_content, persistent_volumes_file_content, service_account_file_content)
-
-  for middle_deployment in middle_deployments:
-    project_name, namespace, deployment_file_content, persistent_volumes_file_content, service_account_file_content, current_nginx_bridges = make_deployment_script_from_object(middle_deployment)
-    if current_nginx_bridges:
-      nginx_bridges.append((project_name, namespace, current_nginx_bridges))
-
-    dump_files(project_name, deployment_file_content, persistent_volumes_file_content, service_account_file_content)
-
-  prod_ingresses, test_ingresses, distribution_ingress, ingress_deployment_template, endpoints, prod_issuer, staging_issuer = make_ingresses(nginx_bridges)
-
-  for project_name, prod_ingress in prod_ingresses:
-    dump_file([prod_ingress], project_name + "_ingress")
-
-  for project_name, test_ingress in test_ingresses:
-    dump_file([test_ingress], project_name + "_testingress")
-
-  dump_file([distribution_ingress], DISTRIBUTION_INGRESS_DEPLOY_FILENAME)
-  dump_file(endpoints, ENDPOINTS_FILENAME)
-  dump_file([prod_issuer], PROD_ISSUER_FILENAME)
-  dump_file([staging_issuer], STAGING_ISSUER_FILENAME)
-  dump_file(ingress_deployment_template, INGRESS_DEPLOYMENT_DEPLOY_PATH)
-
-
-def make_deployment_script_from_script(middle_deployment_script_path: str):
-  middle_deployment = {}
-  with open(middle_deployment_script_path, 'r', encoding='utf-8') as f:
-    middle_deployment = yaml.load(f, yaml.CLoader)
-
-  return make_deployment_script(middle_deployment) 
-
-
-def make_deployment_script_from_object(middle_deployment: dict):
-  return make_deployment_script(middle_deployment)
-
-
-def make_deployment_script(middle_deployment: dict):
-  deployment_file_content = []
-  persistent_volumes_file_content = []
-  service_account_file_content = []
-  nginx_bridges = []
-
-  deployments = middle_deployment[DEPLOYMENTS_FIELD]
-  ns_name = middle_deployment[NAMESPACE_FIELD]
-
-  project_name = middle_deployment[NAME_FIELD] if middle_deployment.get(NAME_FIELD, None) is not None else ns_name
-
-  ns = make_ns(ns_name)
-  deployment_file_content.append(ns)
-  persistent_volumes_file_content.append(ns)
-  service_account_file_content.append(ns)
-
-  for deployment in deployments:
-    deployment_name, _, http_service, env_config_map, cluster_ip_service, lb_services, node_port_service, kubernetes_volumes, config_map_volumes, service_account, role, role_binding, uris, max_upload_size = make_deployment_components(ns_name, deployment)
-    kubernetes_deployment = make_deployment(deployment_name, ns_name, deployment, kubernetes_volumes, config_map_volumes, service_account, env_config_map)
-
-    persistent_volumes = [pv for pv, pvc, volume_name in kubernetes_volumes]
-    persistent_volume_claims = [pvc for pv, pvc, volume_name in kubernetes_volumes]
-    config_map_volumes = [volume for volume, volume_name in config_map_volumes]
-
-    deployment_file_content.extend(make_deployment_file_content(http_service, env_config_map, cluster_ip_service, lb_services, node_port_service, config_map_volumes, kubernetes_deployment))
-    persistent_volumes_file_content.extend(make_persistent_volumes_file_content(persistent_volumes, persistent_volume_claims))
-    service_account_file_content.extend(make_service_account_file_content(service_account, role, role_binding))
-    if http_service or uris != []:
-      nginx_bridges.append((http_service, uris, max_upload_size))
-
-    # image_pull_secrets ugly workaround
-    image_pull_secret_names = deployment.get(IMAGE_PULL_SECRETS_FIELD, None)
-    image_pull_secret_paths = []
-    if image_pull_secret_names is None:
-      for secret_name in IMAGE_PULL_SECRETS_DEFAULT_VALUE:
-        image_pull_secret_paths.append(IMAGE_PULL_SECRETS[secret_name])
-    else:
-      for secret_name in image_pull_secret_names:
-        image_pull_secret_paths.append(IMAGE_PULL_SECRETS[secret_name])
-
-    image_pull_secrets = []
-    for image_pull_secret_path in image_pull_secret_paths:
-      secret = load_registry_secret(image_pull_secret_path)
-      secret[KUBERNETES_METADATA_KEY][KUBERNETES_NAMESPACE_KEY] = ns_name
-      if secret not in deployment_file_content:
-        image_pull_secrets.append(secret)
-
-    deployment_file_content.extend(image_pull_secrets)
-
-  return project_name, ns, deployment_file_content, persistent_volumes_file_content, service_account_file_content, nginx_bridges
-
-def make_deployment_components(ns_name, deployment: dict):
-  deployment_name = deployment[NAME_FIELD]
-  bridge_service = {}
-  http_service = {}
-  uris = []
-  max_upload_size = "1m"
-  env_config_map = {}
-  cluster_ip_service = {}
-  lb_services = []
-  node_port_service = {}
-  kubernetes_volumes = []
-  config_map_volumes = []
-  service_account = {}
-  role = {}
-  role_binding = {}
-
-  if deployment.get(ENV_FIELD, None) is not None:
-    env_config_map = make_env_config_map(deployment[ENV_FIELD], deployment_name, ns_name)
-
-  if deployment.get(EXPOSED_HTTP_PORT_FIELD, None) is not None:
-    bridge_service = make_bridge_service(deployment_name, ns_name, KUBERNETES_NAMESPACE_DEFAULT)
-    http_service = make_exposed_cluster_ip_service(deployment_name, ns_name, deployment[EXPOSED_HTTP_PORT_FIELD])
-    
-    uris = deployment[URI_FIELD]
-    if isinstance(uris, str):
-      uris = [uris]
-
-    if deployment.get(MAX_UPLOAD_SIZE_FIELD, None) is not None:
-      max_upload_size = deployment[MAX_UPLOAD_SIZE_FIELD]
-
-  if deployment.get(PORTS_FIELD, None) is not None:
-    additional_ports = deployment[PORTS_FIELD]
-
-    if additional_ports.get(CLUSTER_IP_PORTS_FIELD, None) is not None:
-      cluster_ip_service = make_cluster_ip_service(deployment_name, ns_name, additional_ports[CLUSTER_IP_PORTS_FIELD])
-
-    if additional_ports.get(LB_PORTS_FIELD, None) is not None:
-      lb_services = make_lb_services(deployment_name, ns_name, additional_ports[LB_PORTS_FIELD])
-      
-    if additional_ports.get(NODE_PORT_PORTS_FIELD, None) is not None:
-      node_port_service = make_node_port_service(deployment_name, ns_name, additional_ports[NODE_PORT_PORTS_FIELD])
-
-  if deployment.get(VOLUMES_FIELD, None) is not None:
-    kubernetes_volumes, config_map_volumes = make_volumes(deployment[VOLUMES_FIELD], deployment_name, ns_name)
-
-  if deployment.get(SERVICE_ACCOUNT_FIELD, None) is not None:
-    sa_type = deployment[SERVICE_ACCOUNT_FIELD].get(TYPE_FIELD, None)
-    service_account, role, role_binding = make_service_account(f'{deployment_name}-sa', deployment_name, ns_name, deployment[SERVICE_ACCOUNT_FIELD][RULES_FIELD], sa_type)
-
-  return deployment_name, bridge_service, http_service, env_config_map, cluster_ip_service, lb_services, node_port_service, kubernetes_volumes, config_map_volumes, service_account, role, role_binding, uris, max_upload_size
-
-
-def make_file_content(*args):
-  file_content = []
-  for arg in args:
-    if isinstance(arg, dict):
-      if arg:
-        file_content.append(arg)
-    elif isinstance(arg, list):
-      for item in arg:
-        file_content.extend(make_file_content(item))
-    else:
-      raise TypeError()
-
-  return file_content
-
-
-def load_registry_secret(path: str):
-  return load_yaml_file_single(path)
-
-
-
-def dump_files(project_name: str, deployment_file_content: list, persistent_volumes_file_content: list, service_account_file_content: list):
-  dump_file(deployment_file_content, project_name)
-  dump_file(persistent_volumes_file_content, f'{project_name}_pvs')
-  dump_file(service_account_file_content, f'{project_name}_sa')
-
-
-def dump_file(file_content, file_name):
-  with open(f'{file_name}.yaml', 'w', encoding='utf-8') as f:
-    yaml.dump_all(file_content, f)
-    
-
-def make_ns(ns_name: str):
-  ns = {
-    KUBERNETES_API_VERSION_KEY: KUBERNETES_API_VERSION_DEFAULT_VALUE,    
-    KUBERNETES_KIND_KEY: KUBERNETES_KIND_VALUE_NAMESPACE,
-    KUBERNETES_METADATA_KEY: {
-      KUBERNETES_NAME_KEY: ns_name,
-    },
-  }
-
-  return ns
-
-
-def make_bridge_service(deployment_name: str, deployment_ns_name: str, service_ns_name: str = KUBERNETES_NAMESPACE_DEFAULT):
-  bridge_service = {
-    KUBERNETES_API_VERSION_KEY: KUBERNETES_API_VERSION_DEFAULT_VALUE,
-    KUBERNETES_KIND_KEY: KUBERNETES_KIND_VALUE_SERVICE,
-    KUBERNETES_METADATA_KEY: {
-      KUBERNETES_NAME_KEY: f'{deployment_ns_name}-{deployment_name}-bridge',
-      KUBERNETES_NAMESPACE_KEY: service_ns_name
-    },
-    KUBERNETES_SPEC_KEY: {
-      KUBERNETES_TYPE_KEY: KUBERNETES_SERVICE_TYPE_VALUE_EXTERNAL_NAME,
-      KUBERNETES_EXTERNALNAME_KEY: f"{deployment_name}.{deployment_ns_name}.svc.cluster.local"
-    },
-  }
-
-  return bridge_service
-
-
-def make_service(deployment_name: str, ns_name: str, type: str, ports):
-  name = deployment_name
-  if type == KUBERNETES_SERVICE_TYPE_VALUE_LOADBALANCER:
-    name = f"{deployment_name}-{ports[0][PORT_PROTOCOL_FIELD].lower()}-{ports[0][PORT_FIELD]}" # lb service only has one port per service
-
-  service = {
-    KUBERNETES_API_VERSION_KEY: KUBERNETES_API_VERSION_DEFAULT_VALUE,
-    KUBERNETES_KIND_KEY: KUBERNETES_KIND_VALUE_SERVICE,
-    KUBERNETES_METADATA_KEY: {
-      KUBERNETES_NAME_KEY: name,
-      KUBERNETES_NAMESPACE_KEY: ns_name
-    },
-    KUBERNETES_SPEC_KEY: {
-      KUBERNETES_TYPE_KEY: type,
-      KUBERNETES_SELECTOR_KEY: {
-        KUBERNETES_APP_KEY: deployment_name,
-      },
-      KUBERNETES_PORTS_KEY: make_ports(ports),
-    },
-  }
-
-  return service
-
-
-def make_ports(ports):
-  kubernetes_ports = []
-
-  for port_config in ports:
-    kubernetes_port = {}
-
-    if PORT_FIELD in port_config:
-      kubernetes_port[KUBERNETES_PORT_KEY] = port_config[PORT_FIELD]
-
-    if TARGET_PORT_FIELD in port_config:
-      kubernetes_port[KUBERNETES_TARGETPORT_KEY] = port_config[TARGET_PORT_FIELD]
-
-    if PORT_PROTOCOL_FIELD in port_config:
-      kubernetes_port[KUBERNETES_PROTOCOL_KEY] = port_config[PORT_PROTOCOL_FIELD]
-
-    if NAME_FIELD in port_config:
-      kubernetes_port[KUBERNETES_NAME_KEY] = port_config[NAME_FIELD]
-    else:
-      port_name = ''
-
-      if KUBERNETES_PROTOCOL_KEY in kubernetes_port.keys():
-        port_name += kubernetes_port[KUBERNETES_PROTOCOL_KEY].lower()
-      else:
-        port_name += KUBERNETES_PROTOCOL_VALUE_TCP
-      
-      if KUBERNETES_PORT_KEY in kubernetes_port.keys():
-        port_name += f'-{kubernetes_port[KUBERNETES_PORT_KEY]}'
-
-      kubernetes_port[KUBERNETES_NAME_KEY] = port_name
-    
-    kubernetes_ports.append(kubernetes_port)
-
-  return kubernetes_ports
-
-
-def make_persistent_volume(volume_name:str, volume_specs: dict, deployment_name: str, ns: str=KUBERNETES_NAMESPACE_DEFAULT):
-  accessModes = volume_specs.get(ACCESS_MODES_FIELD) if volume_specs.get(ACCESS_MODES_FIELD, None) is not None else [KUBERNETES_ACCESSMODES_VALUE_READ_WRITE_MANY,]
-
-  volume_name = f"{ns}-{deployment_name}-{volume_name}"
-
-  specs = {
-    KUBERNETES_STORAGECLASSNAME_KEY: KUBERNETES_STORAGECLASSNAME_DEFAULT_VALUE,
-    KUBERNETES_CAPACITY_KEY: {
-      KUBERNETES_STORAGE_KEY: volume_specs[SIZE_FIELD],
-    },
-    KUBERNETES_PERSISTENT_VOLUME_RECLAIM_POLICY_KEY: KUBERNETES_PERSISTENT_VOLUME_RECLAIM_POLICY_VALUE_RETAIN,
-    KUBERNETES_ACCESSMODES_KEY: accessModes,
-  }
-
-  if volume_specs.get(NFS_FIELD, None) is not None:
-    server = volume_specs[NFS_FIELD][NFS_SERVER_FIELD] if PROD else TESTCLUSTER_DEVICE_IP
-    server = os.path.expandvars(server)
-
-    specs.update({
-      KUBERNETES_NFS_KEY: {
-        KUBERNETES_NFS_SERVER_KEY: server,
-        KUBERNETES_PATH_KEY: volume_specs[NFS_FIELD][PATH_FIELD],
-      },
-      KUBERNETES_NFS_MOUNT_OPTIONS_KEY: KUBERNETES_NFS_MOUNT_OPTIONS_DEFAULT_VALUE,
-    })
-
-  elif volume_specs.get(HOSTPATH_FIELD, None) is not None:
-    specs.update({
-      KUBERNETES_HOSTPATH_KEY: {
-        KUBERNETES_PATH_KEY: volume_specs[HOSTPATH_FIELD][PATH_FIELD],
-      },
-      KUBERNETES_NODE_AFFINITY_KEY: {
-        KUBERNETES_REQUIRED_KEY: {
-          KUBERNETES_NODE_SELECTOR_TERMS_KEY: [
-            {
-              KUBERNETES_MATCH_EXPRESSIONS_KEY: [
-                {
-                  KUBERNETES_KEY_KEY: KUBERNETES_LABEL_HOSTNAME_VALUE,
-                  KUBERNETES_OPERATOR_KEY: KUBERNETES_OPERATOR_IN_VALUE,
-                  KUBERNETES_VALUES_KEY: [volume_specs[HOSTPATH_FIELD][DEVICE_HOSTNAME_FIELD]],
-                },
-              ],
-            },
-          ],
-        },
-      },
-    })
-
-
-  persistent_volume = {
-    KUBERNETES_API_VERSION_KEY: KUBERNETES_API_VERSION_DEFAULT_VALUE,
-    KUBERNETES_KIND_KEY: KUBERNETES_KIND_VALUE_PERSISTENTVOLUME,
-    KUBERNETES_METADATA_KEY: {
-      KUBERNETES_NAME_KEY: volume_name,
-      KUBERNETES_NAMESPACE_KEY: KUBERNETES_NAMESPACE_DEFAULT,
-      KUBERNETES_LABELS_KEY: {
-        KUBERNETES_APP_KEY: deployment_name,
-      },
-    },
-    KUBERNETES_SPEC_KEY: specs
-  }
-
-  return persistent_volume
-
-
-def make_persistent_volume_claim(volume_name:str, volume_specs: dict, pv: dict, deployment_name: str, ns_name: str):
-  accessModes = volume_specs.get(ACCESS_MODES_FIELD) if volume_specs.get(ACCESS_MODES_FIELD, None) is not None else [KUBERNETES_ACCESSMODES_VALUE_READ_WRITE_MANY]
-
-  persistent_volume_claim = {
-    KUBERNETES_API_VERSION_KEY: KUBERNETES_API_VERSION_DEFAULT_VALUE,
-    KUBERNETES_KIND_KEY: KUBERNETES_KIND_VALUE_PERSISTENTVOLUMECLAIM,
-    KUBERNETES_METADATA_KEY: {
-      KUBERNETES_NAME_KEY: f"{deployment_name}-{volume_name}",
-      KUBERNETES_NAMESPACE_KEY: ns_name,
-      KUBERNETES_LABELS_KEY: {
-        KUBERNETES_APP_KEY: deployment_name,
-      },
-    },
-    KUBERNETES_SPEC_KEY: {
-      KUBERNETES_VOLUMENAME_KEY: pv[KUBERNETES_METADATA_KEY][KUBERNETES_NAME_KEY],
-      KUBERNETES_STORAGECLASSNAME_KEY: KUBERNETES_STORAGECLASSNAME_DEFAULT_VALUE,
-      KUBERNETES_ACCESSMODES_KEY: accessModes,
-      KUBERNETES_RESOURCES_KEY: {
-        KUBERNETES_REQUESTS_KEY: {
-          KUBERNETES_STORAGE_KEY: volume_specs[SIZE_FIELD]
-        },
-      },
-    },
-  }
-
-  return persistent_volume_claim
-
-
-def make_volumes(volumes: dict, deployment_name: str, ns_name: str):
-  pvs = []
-  config_maps = []
-
-  for volume_name, volume_specs in volumes.items():
-    if volume_specs[TYPE_FIELD] == TYPE_PV_VALUE:
-      pv = make_persistent_volume(volume_name, volume_specs, deployment_name, ns_name)
-      pvc = make_persistent_volume_claim(volume_name, volume_specs, pv, deployment_name, ns_name)
-      # pvs.append(pv)
-      # pvcs.append(pvc)
-      pvs.append((pv, pvc, volume_name))
-
-    elif volume_specs[TYPE_FIELD] == TYPE_CONFIG_MAP_VALUE:
-      config_map = make_config_map(volume_name, volume_specs, ns_name, deployment_name)
-      config_maps.append((config_map, volume_name))
-
-  return pvs, config_maps
-
-
-def make_config_map(name: str, specs: dict, ns_name: str, deployment_name: str):
-  config_map_raw_content = {}
-
-  if isinstance(specs[CONTENT_FIELD], dict): # case collection of variables
-    config_map_raw_content = specs[CONTENT_FIELD]
-  elif isinstance(specs[CONTENT_FIELD], list): # case collection of files
-    for file in specs[CONTENT_FIELD]:
-      filename = Path(file).name
-      try:
-        # open as unicode
-        with open(file, 'r', encoding='utf-8') as f:
-          config_map_raw_content[filename] = f.read()
-      except UnicodeDecodeError:
-        # open as binary
-        with open(file, 'rb') as f:
-          config_map_raw_content[filename] = f.read()
-
-  config_map_content = {}
-  for key, value in config_map_raw_content.items():
-    value_with_env_vars = os.path.expandvars(value)
-    config_map_content.update({key: value_with_env_vars})
-
-  config_map = {
-    KUBERNETES_API_VERSION_KEY: KUBERNETES_API_VERSION_DEFAULT_VALUE,
-    KUBERNETES_KIND_KEY: KUBERNETES_KIND_VALUE_CONFIG_MAP,
-    KUBERNETES_METADATA_KEY: {
-      KUBERNETES_NAME_KEY: f"{deployment_name}-{name}",
-      KUBERNETES_NAMESPACE_KEY: ns_name,
-    },
-    KUBERNETES_DATA_KEY: config_map_content
-  }
-
-  return config_map
-
-
-# def make_service_accounts(service_accounts: dict, deployment_name: str, ns_name: str):
-#   kubernetes_service_accounts = []
-
-#   for service_account_name, service_account_specs in service_accounts.items():
-#     service_account, role, role_binding = make_service_account(service_account_name, deployment_name, ns_name, service_account_specs[RULES_FIELD], service_account_specs[TYPE_FIELD])
-#     kubernetes_service_accounts.append((service_account, role, role_binding))
-
-#   return kubernetes_service_accounts
-
-
-def make_service_account(name: str, deployment_name: str, ns_name: str, rules: list, type: str):
-  kubernetes_rules = []
-
-  for rule in rules:
-    rule_config = {
-      KUBERNETES_SERVICEACCOUNT_APIGROUPS_KEY: rule[API_GROUPS_FIELD],
-      KUBERNETES_RESOURCES_KEY: rule[RESOURCES_FIELD],
-      KUBERNETES_SERVICEACCOUNT_VERBS_KEY: rule[VERBS_FIELD],
-    }
-
-    kubernetes_rules.append(rule_config)
-
-  service_account = {
-    KUBERNETES_API_VERSION_KEY: KUBERNETES_API_VERSION_DEFAULT_VALUE,
-    KUBERNETES_KIND_KEY: KUBERNETES_KIND_VALUE_SERVICEACCOUNT,
-    KUBERNETES_METADATA_KEY: {
-      KUBERNETES_NAME_KEY: name,
-      KUBERNETES_NAMESPACE_KEY: ns_name,
-      KUBERNETES_LABELS_KEY: {
-        KUBERNETES_APP_KEY: deployment_name
-      },
-    },
-  }
-
-  role = {
-    KUBERNETES_API_VERSION_KEY: KUBERNETES_API_VERSION_RBAC_AUTHORIZATION_DEFAULT_VALUE,
-    KUBERNETES_SERVICEACCOUNT_RULES_KEY: kubernetes_rules,
-    KUBERNETES_METADATA_KEY: {
-      KUBERNETES_NAME_KEY: name,
-      KUBERNETES_LABELS_KEY: {
-        KUBERNETES_APP_KEY: deployment_name
-      },
-    },
-  }
-
-  if type == SERVICEACCOUNT_TYPE_CLUSTER:
-    role.update({KUBERNETES_KIND_KEY: KUBERNETES_KIND_VALUE_CLUSTERROLE})
-    role[KUBERNETES_METADATA_KEY].update({KUBERNETES_NAMESPACE_KEY: KUBERNETES_NAMESPACE_DEFAULT})
-  else:
-    role.update({KUBERNETES_KIND_KEY: KUBERNETES_KIND_VALUE_ROLE})
-    role[KUBERNETES_METADATA_KEY].update({KUBERNETES_NAMESPACE_KEY: ns_name})
-
-  role_binding = {
-    KUBERNETES_API_VERSION_KEY: KUBERNETES_API_VERSION_RBAC_AUTHORIZATION_DEFAULT_VALUE,
-    KUBERNETES_METADATA_KEY: {
-      KUBERNETES_NAME_KEY: name,
-      KUBERNETES_LABELS_KEY: {
-        KUBERNETES_APP_KEY: deployment_name
-      },
-    },
-    KUBERNETES_SERVICEACCOUNT_ROLEREF_KEY: {
-      KUBERNETES_SERVICEACCOUNT_APIGROUP_KEY: KUBERNETES_API_VERSION_RBAC_AUTHORIZATION_VALUE,
-      KUBERNETES_KIND_KEY: role[KUBERNETES_KIND_KEY],
-      KUBERNETES_NAME_KEY: role[KUBERNETES_METADATA_KEY][KUBERNETES_NAME_KEY],
-    },
-    KUBERNETES_SERVICEACCOUNT_SUBJECTS_KEY: [
-      {
-        KUBERNETES_KIND_KEY: service_account[KUBERNETES_KIND_KEY],
-        KUBERNETES_NAME_KEY: service_account[KUBERNETES_METADATA_KEY][KUBERNETES_NAME_KEY],
-        KUBERNETES_NAMESPACE_KEY: service_account[KUBERNETES_METADATA_KEY][KUBERNETES_NAMESPACE_KEY],
-      },
-    ],
-  }
-
-  if type == SERVICEACCOUNT_TYPE_CLUSTER:
-    role_binding.update({KUBERNETES_KIND_KEY: KUBERNETES_KIND_VALUE_CLUSTERROLEBINDING})
-    role_binding[KUBERNETES_METADATA_KEY].update({KUBERNETES_NAMESPACE_KEY: KUBERNETES_NAMESPACE_DEFAULT})
-  elif type == SERVICEACCOUNT_TYPE_NAMESPACE:
-    role_binding.update({KUBERNETES_KIND_KEY: KUBERNETES_KIND_VALUE_ROLEBINDING})
-    role_binding[KUBERNETES_METADATA_KEY].update({KUBERNETES_NAMESPACE_KEY: ns_name})
-
-  return service_account, role, role_binding
-
-
-def make_deployment(name: str, ns_name: str, deployment_config: dict, kubernetes_volumes: list, config_map_volumes: list, service_account: dict, env: dict):
-  deployment_volumes, volume_mounts = make_deployment_volumes_volume_mounts(kubernetes_volumes, config_map_volumes, deployment_config.get(VOLUMES_FIELD, None))
-  open_container_ports = []
-
-  priviledged = deployment_config.get(PRIVILEGED_FIELD, None)
-  if priviledged is None:
-    priviledged = KUBERNETES_PRIVILEGED_DEFAULT_VALUE
-
-  if deployment_config.get(EXPOSED_HTTP_PORT_FIELD, None) is not None:
-    open_container_ports.append({KUBERNETES_DEPLOYMENT_CONTAINERPORT_KEY: deployment_config[EXPOSED_HTTP_PORT_FIELD]})
-
-  ports = deployment_config.get(PORTS_FIELD, None)
-  if ports is not None:
-    for port_type in ports.values():
-      if port_type is not None:
-        for port_config in port_type:
-          container_port = port_config[TARGET_PORT_FIELD]
-          if container_port not in [open_container_port[KUBERNETES_DEPLOYMENT_CONTAINERPORT_KEY] for open_container_port in open_container_ports]:
-            open_container_ports.append({KUBERNETES_DEPLOYMENT_CONTAINERPORT_KEY: container_port})
-
-  env_from = [
-    {
-      KUBERNETES_DEPLOYMENT_CONFIGMAPREF_KEY: {
-        KUBERNETES_NAME_KEY: env[KUBERNETES_METADATA_KEY][KUBERNETES_NAME_KEY],
-      },
-    },
-  ] if env else []
-
-  # note about IgnoredDuringExecution: https://www.magalix.com/blog/influencing-kubernetes-scheduler-decisions, but it's not important right now
-  affinity = {
-    KUBERNETES_NODE_AFFINITY_KEY: {
-      KUBERNETES_REQUIRED_DURING_SCHEDULING_IGNORED_DURING_EXECUTION_KEY:{
-        KUBERNETES_NODE_SELECTOR_TERMS_KEY : [
-          {
-            KUBERNETES_MATCH_EXPRESSIONS_KEY: [
-              {
-                KUBERNETES_KEY_KEY: KUBERNETES_LABEL_NODE_ROLE_MASTER_VALUE,
-                KUBERNETES_OPERATOR_KEY: KUBERNETES_OPERATOR_DOES_NOT_EXIST_VALUE,
-              },
-            ],
-          },
-        ],
-      },
-    },
-  } if not any([KUBERNETES_NODE_AFFINITY_KEY in pv[KUBERNETES_SPEC_KEY] or KUBERNETES_NODE_AFFINITY_KEY in pvc[KUBERNETES_SPEC_KEY] for pv, pvc, volume_name in kubernetes_volumes]) else {}
-
-  image_pull_secrets = deployment_config.get(IMAGE_PULL_SECRETS_FIELD, None)
-  if image_pull_secrets is None:
-    image_pull_secrets = IMAGE_PULL_SECRETS_DEFAULT_VALUE
-
-  image_pull_secrets = [{KUBERNETES_NAME_KEY: image_pull_secret} for image_pull_secret in image_pull_secrets]
-  
-  deployment = {
-    KUBERNETES_API_VERSION_KEY: KUBERNETES_API_VERSION_NAMESPACE_DEFAULT_VALUE,
-    KUBERNETES_KIND_KEY: KUBERNETES_KIND_VALUE_DEPLOYMENT,
-    KUBERNETES_METADATA_KEY: {
-      KUBERNETES_NAME_KEY: name,
-      KUBERNETES_NAMESPACE_KEY: ns_name,
-    },
-    KUBERNETES_SPEC_KEY: {
-      KUBERNETES_DEPLOYMENT_REPLICAS_KEY: KUBERNETES_DEPLOYMENT_REPLICAS_DEFAULT_VALUE,
-      KUBERNETES_SELECTOR_KEY: {
-        KUBERNETES_MATCHLABELS_KEY: {
-          KUBERNETES_APP_KEY: name,
-        },
-      },
-      KUBERNETES_DEPLOYMENT_TEMPLATE_KEY: {
-        KUBERNETES_METADATA_KEY: {
-          KUBERNETES_LABELS_KEY: {
-            KUBERNETES_APP_KEY: name,
-          },
-        },
-        KUBERNETES_SPEC_KEY: {
-          KUBERNETES_DEPLOYMENT_SERVICEACCOUNTNAME_KEY: service_account[KUBERNETES_METADATA_KEY][KUBERNETES_NAME_KEY] if service_account else "",
-          KUBERNETES_DEPLOYMENT_CONTAINERS_KEY: [
-            {
-              KUBERNETES_NAME_KEY: name,
-              KUBERNETES_DEPLOYMENT_IMAGE_KEY: os.path.expandvars(deployment_config[IMAGE_FIELD]),
-              KUBERNETES_DEPLOYMENT_IMAGEPULLPOLICY_KEY: KUBERNETES_DEPLOYMENT_IMAGEPULLPOLICY_DEFAULT_VALUE,
-              KUBERNETES_PORTS_KEY: open_container_ports,
-              KUBERNETES_DEPLOYMENT_VOLUMEMOUNTS_KEY: volume_mounts,
-              KUBERNETES_DEPLOYMENT_ENVFROM_KEY: env_from,
-              KUBERNETES_DEPLOYMENT_SECURITYCONTEXT_KEY: {
-                KUBERNETES_PRIVILEGED_KEY: priviledged,
-              },
-            },
-          ],
-          KUBERNETES_DEPLOYMENT_IMAGE_PULL_SECRETS_KEY: image_pull_secrets,
-          KUBERNETES_DEPLOYMENT_VOLUMES_KEY: deployment_volumes,
-          KUBERNETES_AFFINITY_KEY: affinity,
-        },
-      },
-    },
-  }
-
-  return deployment
-
-
-def make_deployment_volumes_volume_mounts(kubernetes_volumes: list, config_maps: list, volumes_config: dict):
-  deployment_volumes = []
-  volume_mounts = []
-
-  for pv, pvc, volume_name in kubernetes_volumes:
-    deployment_volume, volume_mount = make_deployment_pvc_volume_mount(volume_name, pvc, volumes_config[volume_name][MOUNT_PATH_FIELD])
-
-    deployment_volumes.append(deployment_volume)
-    volume_mounts.append(volume_mount)
-
-  for config_map, volume_name in config_maps:
-    configmap_volumes, configmap_volume_mounts = make_deployment_configmap_volume_mount(volume_name, config_map, volumes_config[volume_name][MOUNT_PATH_FIELD], volumes_config[volume_name].get(SUBPATH_FIELD, False))
-
-    deployment_volumes.extend(configmap_volumes)
-    volume_mounts.extend(configmap_volume_mounts)
-
-  # for volume_name, volume_config in volumes.items():
-  #   mount_path = volume_config[MOUNT_PATH_FIELD]
-  #   volume_type = volume_config[TYPE_FIELD]
-  #   volume_type_key = ''
-
-  #   if volume_type == TYPE_PV_VALUE:
-  #     volume_type_key = KUBERNETES_DEPLOYMENT_PERSISTENTVOLUMECLAIM_KEY
-    
-  #   if volume_type == TYPE_CONFIG_MAP_VALUE:
-  #     volume_type_key = KUBERNETES_DEPLOYMENT_CONFIG_MAP_KEY
-
-  #   deployment_volume, volume_mount = make_deployment_volume_volume_mount(volume_name, volume_type_key, mount_path)
-    
-  #   deployment_volumes.append(deployment_volume)
-  #   volume_mounts.append(volume_mount)
-
-  return deployment_volumes, volume_mounts
-
-
-def make_deployment_pvc_volume_mount(volume_name: str, pvc: dict, mount_path: str):
-  pvc_name = pvc[KUBERNETES_METADATA_KEY][KUBERNETES_NAME_KEY]
-  
-  volume = {
-    KUBERNETES_NAME_KEY: volume_name,
-    KUBERNETES_DEPLOYMENT_PERSISTENTVOLUMECLAIM_KEY: {
-      KUBERNETES_DEPLOYMENT_CLAIMNAME_KEY: pvc_name,
-    },
-  }
-
-  volume_mount = make_deployment_volume_mount(volume_name, mount_path)
-
-  return volume, volume_mount
-
-def make_deployment_configmap_volume_mount(volume_name: str, config_map: dict, mount_path: str, sub_pathed: bool):
-  volumes = []
-  volume_mounts = []
-
-  config_map_name = config_map[KUBERNETES_METADATA_KEY][KUBERNETES_NAME_KEY]
-  
-  if sub_pathed:
-    for filename in config_map[KUBERNETES_DATA_KEY].keys():
-      subpath_volume_name = f"{volume_name}-{filename.replace('.', '-')}"
-      volume = make_deployment_configmap_volume(subpath_volume_name, config_map_name)
-      volume[KUBERNETES_DEPLOYMENT_CONFIG_MAP_KEY].update({
-        KUBERNETES_ITEMS_KEY: [
-          {
-            KUBERNETES_KEY_KEY: filename,
-            KUBERNETES_PATH_KEY: filename,
-          },
-        ],
-      })
-
-      volume_mount = make_deployment_volume_mount(subpath_volume_name, mount_path, filename)
-
-      volumes.append(volume)
-      volume_mounts.append(volume_mount)
-  else:
-    volume = make_deployment_configmap_volume(volume_name, config_map_name)
-    volume_mount = make_deployment_volume_mount(volume_name, mount_path)
-
-    volumes.append(volume)
-    volume_mounts.append(volume_mount)
-
-  return volumes, volume_mounts
-
-def make_deployment_configmap_volume(volume_name: str, config_map_name: str):
-  return {
-    KUBERNETES_NAME_KEY: volume_name,
-    KUBERNETES_DEPLOYMENT_CONFIG_MAP_KEY: {
-      KUBERNETES_NAME_KEY: config_map_name,
-    },
-  }
-
-def make_deployment_volume_mount(volume_name: str, mount_path: str, sub_path: str=None):
-  volume_mount = {
-    KUBERNETES_NAME_KEY: volume_name,
-  }
-
-  if sub_path is not None:
-    mount_path = str(pathlib.Path(mount_path) / pathlib.Path(sub_path))
-    volume_mount.update({
-      KUBERNETES_DEPLOYMENT_MOUNTPATH_KEY: mount_path,
-      KUBERNETES_SUBPATH_KEY: sub_path,
-    })
-  else:
-    volume_mount.update({
-      KUBERNETES_DEPLOYMENT_MOUNTPATH_KEY: mount_path,
-    })
-
-  return volume_mount
-  
-
-def make_exposed_cluster_ip_service(deployment_name: str, ns_name: str, exposed_http_port):
-  tcp_port = {
-    PORT_FIELD: PORT_DEFAULT,
-    TARGET_PORT_FIELD: exposed_http_port,
-    PORT_PROTOCOL_FIELD: KUBERNETES_PROTOCOL_VALUE_TCP
-  }
-
-  return make_cluster_ip_service(deployment_name, ns_name, [tcp_port])
-
-
-def make_endpoint(name: str, ip: str, middle_ports_config: list):
-  ports = make_ports(middle_ports_config)
-
-  endpoint = {
-    KUBERNETES_API_VERSION_KEY: KUBERNETES_API_VERSION_DEFAULT_VALUE,
-    KUBERNETES_KIND_KEY: KUBERNETES_KIND_VALUE_ENDPOINTS,
-    KUBERNETES_METADATA_KEY: {
-      KUBERNETES_NAMESPACE_KEY: KUBERNETES_NAMESPACE_DEFAULT,
-      KUBERNETES_NAME_KEY: name,
-      # KUBERNETES_LABELS_KEY: {
-      #   KUBERNETES_APP_KEY: name,
-      # },
-    },
-    KUBERNETES_ENDPOINTS_SUBSETS_KEY: [
-      {
-        KUBERNETES_ENDPOINTS_ADDRESSES_KEY: [
-          {
-            KUBERNETES_ENDPOINTS_IP_KEY: ip,
-          },
-        ],
-        KUBERNETES_PORTS_KEY: ports,
-      },
-    ],
-  }
-
-  return endpoint
-
-
-def make_endpoint_service(name: str, middle_port_configs: list):
-  endpoint_service = make_service(name, KUBERNETES_NAMESPACE_DEFAULT, KUBERNETES_SERVICE_TYPE_VALUE_CLUSTER_IP, middle_port_configs)
-  endpoint_service[KUBERNETES_SPEC_KEY][KUBERNETES_SERVICE_SPEC_CLUSTERIP_KEY] = KUBERNETES_SERVICE_SPEC_CLUSTERIP_NONE_VALUE
-  endpoint_service[KUBERNETES_SPEC_KEY].pop(KUBERNETES_SELECTOR_KEY)
-
-  return endpoint_service
-
-def import_from_file(path: str):
-  with open(path, 'r', encoding='utf-8') as f:
-    return list(yaml.load_all(f, yaml.CLoader))
-
-
-def make_cluster_ip_service(deployment_name: str, ns_name: str, ports):
-  return make_service(deployment_name, ns_name, KUBERNETES_SERVICE_TYPE_VALUE_CLUSTER_IP, ports)
-
-
-def make_lb_services(deployment_name: str, ns_name: str, ports):
-  # for each port, a new service has to be created, occurs only in loadbalancer
-  lb_services = []
-
-  for port in ports:
-    lb_service = make_service(deployment_name, ns_name, KUBERNETES_SERVICE_TYPE_VALUE_LOADBALANCER, [port])
-    lb_services.append(lb_service)
-  return lb_services
-  
-
-def make_node_port_service(deployment_name: str, ns_name: str, ports):
-  return make_service(deployment_name, ns_name, KUBERNETES_SERVICE_TYPE_VALUE_NODE_PORT, ports)
-
-
-def make_env_config_map(specs: dict, deployment_name: str, ns_name: str):
-  return make_config_map('env', specs, ns_name, deployment_name)
-
-def make_deployment_file_content(http_service: dict, env: dict, cluster_ip_service: dict, 
-                                  lb_services: list, node_port_service: list, config_map_volumes: list, deployment: dict):
-
-  return make_file_content(http_service, env, cluster_ip_service, lb_services, node_port_service, config_map_volumes, deployment)
-
-
-def make_persistent_volumes_file_content(pvs: list, pvcs: list):
-  return make_file_content(pvs, pvcs)
-
-
-def make_service_account_file_content(service_account: dict, role: dict, role_binding: dict):
-  return make_file_content(service_account, role, role_binding)
-
-
-
-def publish_external_source(path: str):
-  content = import_from_file(path)
-  #publish content
-
-
-def load_nginx_middle_template():
-  return load_yaml_file_single('deploy/templates/nginx/nginx_middle_template.yaml')
-
-def load_gitlab_middle_template():
-  return load_yaml_file_single('deploy/templates/gitlab/gitlab_middle_template.yaml')
-
-def load_nfs_middle_template():
-  return load_yaml_file_single('deploy/templates/nfs/nfs_middle_template.yaml')
-
-def load_matrix_middle_template():
-  return load_yaml_file_single('deploy/templates/synapse/synapse_middle_template.yaml')
-
-def load_turn_middle_template():
-  return load_yaml_file_single('deploy/templates/turn/turn_middle_template.yaml')
-
-def load_wordpress_middle_template():
-  return load_yaml_file_single('deploy/templates/wordpress/wordpress_middle_template.yaml')
-
-def load_nextcloud_middle_template():
-  return load_yaml_file_single('deploy/templates/nextcloud/nextcloud_middle_template.yaml')
-
-def load_gitlab_runner_middle_template():
-  return load_yaml_file_single('deploy/templates/gitlab_runner/gitlab_runner_middle_template.yaml')
-
-def load_docker_registry_middle_template():
-  return load_yaml_file_single('deploy/templates/docker_registry/docker_registry_middle_template.yaml')
-
-def load_octobot_middle_template():
-  return load_yaml_file_single('deploy/templates/octobot/octobot_middle_template.yaml')
-
-def load_synapse_admin_middle_template():
-  return load_yaml_file_single('deploy/templates/synapse_admin/synapse_admin_middle_template.yaml')
-
-def load_ddclient_middle_template():
-  return load_yaml_file_single('deploy/templates/ddclient/ddclient_middle_template.yaml')
-
-def load_mautrix_bridge_middle_template():
-  return load_yaml_file_single('deploy/templates/synapse/bridges/mautrix_bridge_middle_template.yaml')
-
-
-def load_yaml_file_single(path: str):
-  yaml_content = {}
-  with open(path, 'r') as f:
-    yaml_content = yaml.load(f, yaml.CLoader)
-
-  return yaml_content
-
-
-def small_to_middle_deployments(small_deployments: list):
-  middle_deployments = []
-
-  if small_deployments is not None:
-    for small_deployment_path in small_deployments:
-      small_deployment = {}
-      with open(small_deployment_path, 'r') as f:
-        small_deployment = yaml.load(f, yaml.CLoader)
-
-      middle_deployment_template = {}
-      if small_deployment[TYPE_FIELD] == TYPE_NGINX:
-        middle_deployment_template = load_nginx_middle_template()
-      elif small_deployment[TYPE_FIELD] == TYPE_GITLAB:
-        middle_deployment_template = load_gitlab_middle_template()
-      elif small_deployment[TYPE_FIELD] == TYPE_NFS:
-        middle_deployment_template = load_nfs_middle_template()
-      elif small_deployment[TYPE_FIELD] == TYPE_MATRIX:
-        middle_deployment_template = load_matrix_middle_template()
-      elif small_deployment[TYPE_FIELD] == TYPE_TURN:
-        middle_deployment_template = load_turn_middle_template()
-      elif small_deployment[TYPE_FIELD] == TYPE_WORDPRESS:
-        middle_deployment_template = load_wordpress_middle_template()
-      elif small_deployment[TYPE_FIELD] == TYPE_NEXTCLOUD: 
-        middle_deployment_template = load_nextcloud_middle_template()
-      elif small_deployment[TYPE_FIELD] == TYPE_GITLAB_RUNNER: 
-        middle_deployment_template = load_gitlab_runner_middle_template()
-      elif small_deployment[TYPE_FIELD] == TYPE_DOCKER_REGISTRY: 
-        middle_deployment_template = load_docker_registry_middle_template()
-      elif small_deployment[TYPE_FIELD] == TYPE_OCTOBOT: 
-        middle_deployment_template = load_octobot_middle_template()
-      elif small_deployment[TYPE_FIELD] == TYPE_SYNAPSE_ADMIN: 
-        middle_deployment_template = load_synapse_admin_middle_template()
-      elif small_deployment[TYPE_FIELD] == TYPE_DDCLIENT: 
-        middle_deployment_template = load_ddclient_middle_template()
-      elif small_deployment[TYPE_FIELD] == TYPE_MAUTRIX_BRIDGE: 
-        middle_deployment_template = load_mautrix_bridge_middle_template()
-      elif small_deployment[TYPE_FIELD] == TYPE_NONE:
-        middle_deployment_template = small_deployment
-      else:
-        print(f"no template for {small_deployment[TYPE_FIELD]} found. skipping")
-
-      if middle_deployment_template:
-        middle_deployment = deepmerge_dicts(middle_deployment_template, small_deployment)
-        middle_deployment.pop(TYPE_FIELD)
-        middle_deployments.append(middle_deployment)
-
-  return middle_deployments
-
-
-def deepmerge_dicts(template: dict, update_values: dict):
-  merged = {}
-  merged.update(template)
-
-  for key, value in update_values.items():
-    merged_node = {}
-    node_template = merged.get(key, None)
-    if isinstance(value, dict):
-      if node_template is None:
-        merged_node = {key: value}
-      else:
-        merged_node = {key: deepmerge_dicts(node_template, value)}
-    elif isinstance(value, list):
-      if node_template is None:
-        merged_node = {key: value}
-      else:
-        merged_list = []
-        for node_value in value:
-          if isinstance(node_value, str):
-            merged_list.append(node_value)
-
-          elif isinstance(node_value, dict):
-            item_id = node_value.get(ID_FIELD, None)
-            if item_id is not None: # case container_definition
-              inner_node_template = next((item for item in node_template if item.get(ID_FIELD, None) is not None and item[ID_FIELD] == item_id), None)
-
-              if inner_node_template is None:
-                merged_list.append(node_value)
-              else:
-                merged_list.append(deepmerge_dicts(inner_node_template, node_value))
-            else:
-              merged_list.append(node_value)
-
-          else:
-            raise ValueError(f"Cannot merge type {type(node_value)} into the list")          
-
-        merged_node = {key: merged_list}
-    else:
-      merged_node = {key: value}
-    
-    merged.update(merged_node)
-
-  return merged
-
-
-def make_endpoints(endpoint_configs: dict):
-  endpoints = []
-
-  for endpoint_name, endpoint_config in endpoint_configs.items():
-    endpoint_middle_port_configs = []
-    endpoint_service_middle_port_configs = []
-    port_configs = endpoint_config[PORTS_FIELD]
-    max_upload_size = endpoint_config[MAX_UPLOAD_SIZE_FIELD]
-
-    for port_number, port_config in port_configs.items():
-      port_number = int(port_number)
-      for protocol in port_config[EXTERNALS_PROTOCOLS_FIELD]:
-        endpoint_port = {
-          PORT_FIELD: port_number,
-          PORT_PROTOCOL_FIELD: protocol,
-        }
-
-        endpoint_service_port = {
-          PORT_FIELD: port_number,
-          PORT_PROTOCOL_FIELD: protocol,
-        }
-
-        endpoint_middle_port_configs.append(endpoint_port)
-        endpoint_service_middle_port_configs.append(endpoint_service_port)
-
-    endpoint = make_endpoint(endpoint_name, endpoint_config[EXTERNALS_IP_FIELD], endpoint_middle_port_configs)
-    endpoint_service = make_endpoint_service(endpoint_name, endpoint_service_middle_port_configs)
-
-    endpoints.append((endpoint, endpoint_service, max_upload_size))
-
-  return endpoints
-
-
-def make_test_endpoint():
-  endpoints = {
-    'testcluster-endpoint': {
-      EXTERNALS_IP_FIELD: TESTCLUSTER_DEVICE_IP,
-      MAX_UPLOAD_SIZE_FIELD: '1024m',
-      PORTS_FIELD: {
-        '443': {
-          EXTERNALS_PROTOCOLS_FIELD: ["TCP",],
-        },
-      }
-    }
-  }
-  return make_endpoints(endpoints)[0]
-
-
-def make_ingress_rule(uri: str, service_name: str, service_port: int):
-  rule = {
-    KUBERNETES_INGRESS_HOST_KEY: uri,
-    KUBERNETES_INGRESS_HTTP_KEY: {
-      KUBERNETES_INGRESS_PATHS_KEY: [
-        {
-          KUBERNETES_PATH_KEY: KUBERNETES_INGRESS_PATH_DEFAULT_VALUE,
-          KUBERNETES_INGRESS_PATHTYPE_KEY: KUBERNETES_INGRESS_PATHTYPE_DEFAULT_VALUE,
-          KUBERNETES_INGRESS_BACKEND_KEY: {
-            KUBERNETES_INGRESS_SERVICE_KEY: {
-              KUBERNETES_NAME_KEY: service_name,
-              KUBERNETES_PORT_KEY: {
-                KUBERNETES_INGRESS_SERVICEPORTNUMBER_KEY: service_port,
-              },
-            },
-          },
-        },
-      ],
-    },
-  }
-
-  return rule
-
-
-def make_ingress(name: str, hosts: list, rules: list, certificate_name: str, secretName: str = SECRETNAME_DEFAULT, redirect_https: bool=False, namespace=KUBERNETES_NAMESPACE_DEFAULT):
-  annotations = {
-    "cert-manager.io/cluster-issuer": certificate_name,
-    "kubernetes.io/ingress.class": "nginx",
-  }
-
-  annotations["nginx.ingress.kubernetes.io/backend-protocol"] = "HTTPS" if redirect_https else "HTTP"
-
-  specs = {KUBERNETES_INGRESS_RULES_KEY: rules}
-  # if not redirect_https:
-  specs.update({
-    KUBERNETES_INGRESS_TLS_KEY: [
-      {
-        KUBERNETES_INGRESS_HOSTS_KEY: hosts,
-        KUBERNETES_INGRESS_SECRETNAME_KEY: secretName,
-      },
-    ]
-  })
-
-  ingress = {
-    KUBERNETES_API_VERSION_KEY: KUBERNETES_API_VERSION_INGRESS_CONFIG_DEFAULT_VALUE,
-    KUBERNETES_KIND_KEY: KUBERNETES_KIND_VALUE_INGRESS,
-    KUBERNETES_METADATA_KEY: {
-      KUBERNETES_NAMESPACE_KEY: namespace,
-      KUBERNETES_NAME_KEY: name,
-      KUBERNETES_ANNOTATIONS_KEY: annotations,
-    },
-    KUBERNETES_SPEC_KEY: specs,
-  }
-
-  return ingress
-
-
-def make_upload_size_config(backends: list):
-  header = '                # Custom upload sizes\n'
-  upload_size_config = ''
-  for backend, max_upload_size in backends:
-    is_first_entry = len(upload_size_config) == 0
-    upload_size_config += ('                {{ ' + ('if' if is_first_entry else 'else if') + ' (contains $location.Backend "' + backend + '") }}\n' + 
-                          f'                client_max_body_size                    {max_upload_size};\n')
-
-  is_first_entry = len(upload_size_config) == 0
-
-  if not is_first_entry:
-    upload_size_config += '                {{ else }}\n'
-  upload_size_config += '                client_max_body_size                    1m;\n'
-  if not is_first_entry:
-    upload_size_config += '                {{ end }}\n'
-
-  return header + upload_size_config
-
-
-def make_ingress_entry_rules(uri: str, endpoint_name: str, service_port: int, create_test_entries=True):
-  uri = os.path.expandvars(uri)
-  
-  test_uri = make_testenv_uri(uri) if create_test_entries else None
-
-  prod_rule = make_ingress_rule(uri, endpoint_name, service_port)
-  test_rule = make_ingress_rule(test_uri, endpoint_name, service_port) if create_test_entries else None
-
-  return (prod_rule, uri), (test_rule, test_uri)
-
-
-def make_prod_test_ingress(ingress_bridges: list):
-  prod_configs = []
-  test_configs = []
-  upload_size_configs = []
-  for project_name, namespace, ingress_config in ingress_bridges:
-    ns_name = namespace[KUBERNETES_METADATA_KEY][KUBERNETES_NAME_KEY]
-    prod_rules = []
-    prod_hosts = []
-    test_hosts = []
-    test_rules = []
-    for http_service, uris, max_upload_size in ingress_config:
-      service_name = http_service[KUBERNETES_METADATA_KEY][KUBERNETES_NAME_KEY]
-      service_port = http_service[KUBERNETES_SPEC_KEY][KUBERNETES_PORTS_KEY][0][KUBERNETES_PORT_KEY]    
-
-      for uri in uris:
-        (prod_rule, prod_uri), (test_rule, test_uri) = make_ingress_entry_rules(uri, service_name, service_port)
-        prod_hosts.append(prod_uri)
-        prod_rules.append(prod_rule)
-
-        test_hosts.append(test_uri)
-        test_rules.append(test_rule)
-
-    prod_configs.append((project_name, ns_name, prod_hosts, prod_rules))
-    test_configs.append((project_name, ns_name, test_hosts, test_rules))
-
-    upload_size_configs.append((service_name, max_upload_size))
-
-  return prod_configs, test_configs, upload_size_configs
-
-def make_distribution_ingress(externals: dict, external_endpoints: dict, test_hosts: list, test_rules: list, test_service: dict, test_max_upload_size: str):
-  external_hosts = []
-  external_rules = []
-  upload_size_configs = {}
-
-  for test_rule in test_rules:
-    distribution_paths = []
-    for path in test_rule[KUBERNETES_INGRESS_HTTP_KEY][KUBERNETES_INGRESS_PATHS_KEY]:
-      endpoint_ports = test_service[KUBERNETES_SPEC_KEY][KUBERNETES_PORTS_KEY]
-      distribution_path = deepcopy(path)
-
-      backend = distribution_path[KUBERNETES_INGRESS_BACKEND_KEY]
-      backend[KUBERNETES_INGRESS_SERVICE_KEY][KUBERNETES_NAME_KEY] = test_service[KUBERNETES_METADATA_KEY][KUBERNETES_NAME_KEY]
-      backend[KUBERNETES_INGRESS_SERVICE_KEY][KUBERNETES_PORT_KEY][KUBERNETES_INGRESS_SERVICEPORTNUMBER_KEY] = test_service[KUBERNETES_SPEC_KEY][KUBERNETES_PORTS_KEY][0][KUBERNETES_PORT_KEY]
-      # backend[KUBERNETES_INGRESS_SERVICEPORT_KEY] = next((port for port in endpoint_ports if next((other_protocol_port for other_protocol_port in endpoint_ports if port[KUBERNETES_PORT_KEY] == other_protocol_port[KUBERNETES_PORT_KEY] and port[KUBERNETES_PROTOCOL_KEY] != other_protocol_port[KUBERNETES_PROTOCOL_KEY]), None) is not None), None)[KUBERNETES_PORT_KEY]
-
-      distribution_path[KUBERNETES_INGRESS_BACKEND_KEY] = backend
-      distribution_paths.append(distribution_path)
-    
-    test_distribution_rule = deepcopy(test_rule)
-    test_distribution_rule[KUBERNETES_INGRESS_HTTP_KEY][KUBERNETES_INGRESS_PATHS_KEY] = distribution_paths
-    external_rules.append(test_distribution_rule)
-  
-  external_hosts.extend(test_hosts)
-  upload_size_configs.update({test_service[KUBERNETES_METADATA_KEY][KUBERNETES_NAME_KEY]: test_max_upload_size})
-
-  for external_uri, external_config in externals.items():
-    endpoint_name = external_config[EXTERNALS_ENDPOINT_FIELD]
-    endpoint_port = external_config.get(PORT_FIELD, None)
-    if endpoint_port is None:
-      endpoint_port = int(list(external_endpoints[endpoint_name][PORTS_FIELD].keys())[0])
-    max_upload_size = external_endpoints[endpoint_name][MAX_UPLOAD_SIZE_FIELD]
-    (external_rule, uri), (test_rule, test_uri) = make_ingress_entry_rules(external_uri, endpoint_name, endpoint_port, create_test_entries=False)
-
-    upload_size_configs.update({endpoint_name: max_upload_size})
-
-    external_hosts.append(uri)
-    external_rules.append(external_rule) 
-
-  return external_hosts, external_rules, upload_size_configs.items()
-
-
-def make_ingresses(ingress_bridges: list):
-  prod_ingresses = []
-  test_ingresses = []
-  externals = {}
-  with open(EXTERNAL_PATH, 'r', encoding='utf-8') as f:
-    externals = json.load(f)
-
-  external_endpoint_configs = externals[EXTERNALS_ENDPOINTS_FIELD]
-  external_endpoints = make_endpoints(external_endpoint_configs)
-
-  test_endpoint, test_service, test_max_upload_size = make_test_endpoint()
-
-  endpoints = [test_endpoint, test_service]
-
-  for external_endpoint_config in external_endpoints:
-    external_endpoint, external_service, external_max_upload_size = external_endpoint_config
-    endpoints.extend([external_endpoint, external_service])
-
-  prod_configs, test_configs, prod_test_upload_size_configs = make_prod_test_ingress(ingress_bridges)
-  test_hosts = []
-  test_rules = []
-  for _, _, hosts, rules in test_configs:
-    test_hosts.extend(hosts)
-    test_rules.extend(rules)
-  
-  distribution_hosts, distribution_rules, distribution_upload_size_configs = make_distribution_ingress(externals[EXTERNALS_REDIRECTS_FIELD], externals[EXTERNALS_ENDPOINTS_FIELD],  test_hosts, test_rules, test_service, test_max_upload_size)
-  
-  upload_size_configs = prod_test_upload_size_configs
-  upload_size_configs.extend(distribution_upload_size_configs)
-
-  for project_name, project_namespace, prod_hosts, prod_rules in prod_configs:
-    prod_ingress = make_ingress(project_name, prod_hosts, prod_rules, INGRESS_CERTIFICATE_PROD, INGRESS_SECRETNAME_PROD, redirect_https=False, namespace=project_namespace)
-    prod_ingresses.append((project_name, prod_ingress))
-
-  for project_name, project_namespace, test_hosts, test_rules in test_configs:
-    test_ingress = make_ingress(project_name, test_hosts, test_rules, INGRESS_CERTIFICATE_STAGING, INGRESS_SECRETNAME_TEST, redirect_https=False, namespace=project_namespace)
-    test_ingresses.append((project_name, test_ingress))
-
-  # test_ingress = make_ingress(TEST_INGRESS_NAME, test_hosts, test_rules, INGRESS_CERTIFICATE_STAGING, INGRESS_SECRETNAME_TEST, redirect_https=False) # when here prod, https should work / test, distribution ingress separate
-  distribution_ingress = make_ingress(DISTRIBUTION_INGRESS_NAME, distribution_hosts, distribution_rules, INGRESS_CERTIFICATE_PROD, INGRESS_SECRETNAME_DISTRIBUTION, redirect_https=True)
-
-  upload_size_config = make_upload_size_config(upload_size_configs)
-
-  ingress_template_config_content = []
-  with open(INGRESS_CONFIG_TEMPLATE_PATH, 'r', encoding='utf-8') as f:
-    ingress_template_config_content = f.readlines()
-  
-  insert_index = next(i for i, line in enumerate(ingress_template_config_content) if INGRESS_CONFIG_CUSTOM_MAX_CLIENT_BODY_SIZE_TAG in line) + 1
-  ingress_template_config_content.insert(insert_index, upload_size_config)
-  ingress_template_config_content = ''.join(ingress_template_config_content)
-
-  ingress_deployment_content = import_from_file(INGRESS_TEMPLATE_PATH)
-  ingress_controller_deployment = next(ingress_resource for ingress_resource in ingress_deployment_content if ingress_resource.get(KUBERNETES_KIND_KEY) == KUBERNETES_KIND_VALUE_DEPLOYMENT)
-  nginx_config_specs = {
-    INGRESS_CONFIG_VOLUME_NAME: {
-      CONTENT_FIELD: {INGRESS_CONFIG_FILENAME: ingress_template_config_content},
-      MOUNT_PATH_FIELD: INGRESS_CONFIG_MOUNT_PATH,
-      TYPE_FIELD: TYPE_CONFIG_MAP_VALUE,
-    }
-  }
-  nginx_config_config_map = make_config_map(INGRESS_CONFIG_VOLUME_NAME, 
-    nginx_config_specs[INGRESS_CONFIG_VOLUME_NAME], 
-    ingress_controller_deployment[KUBERNETES_METADATA_KEY][KUBERNETES_NAMESPACE_KEY],
-    ingress_controller_deployment[KUBERNETES_METADATA_KEY][KUBERNETES_NAME_KEY])
-
-  deployment_volumes, volume_mounts = make_deployment_volumes_volume_mounts(
-    [], 
-    [(nginx_config_config_map, INGRESS_CONFIG_VOLUME_NAME)],
-    nginx_config_specs)
-  
-  ingress_controller_deployment[KUBERNETES_SPEC_KEY][KUBERNETES_DEPLOYMENT_TEMPLATE_KEY][KUBERNETES_SPEC_KEY][KUBERNETES_DEPLOYMENT_VOLUMES_KEY].extend(deployment_volumes)
-  controller_deployment = next(container for container in ingress_controller_deployment[KUBERNETES_SPEC_KEY][KUBERNETES_DEPLOYMENT_TEMPLATE_KEY][KUBERNETES_SPEC_KEY][KUBERNETES_DEPLOYMENT_CONTAINERS_KEY] if container.get(KUBERNETES_NAME_KEY) == "controller")
-  controller_deployment[KUBERNETES_DEPLOYMENT_VOLUMEMOUNTS_KEY].extend(volume_mounts)
-
-  ingress_controller_config_map = next(ingress_resource for ingress_resource in ingress_deployment_content if ingress_resource.get(KUBERNETES_KIND_KEY) == KUBERNETES_KIND_VALUE_CONFIG_MAP and ingress_resource[KUBERNETES_METADATA_KEY].get(KUBERNETES_NAME_KEY) == "ingress-nginx-controller")
-  ingress_controller_config_map[KUBERNETES_DATA_KEY][KUBERNETES_INGRESS_USE_PROXY_PROTOCOL_KEY] = KUBERNETES_INGRESS_USE_PROXY_PROTOCOL_DEFAULT_VALUE
-
-  prod_issuer = load_yaml_file_single(INGRESS_PROD_ISSUER_PATH)
-  staging_issuer = load_yaml_file_single(INGRESS_STAGING_ISSUER_PATH)
-
-  ingress_deployment_content.append(nginx_config_config_map)
-
-  return prod_ingresses, test_ingresses, distribution_ingress, ingress_deployment_content, endpoints, prod_issuer, staging_issuer
-
-
-def make_testenv_uri(original_uri: str):
-    test_uri = original_uri.split('.')
-    test_uri.insert(-2, 'testenv')
-    return '.'.join(test_uri)
-
-
-def publish_sideloads(sideload_paths: list):
-  if sideload_paths is not None:
-    for path in sideload_paths:
-      sideloaded = Path(path)
-      copyfile(sideloaded, sideloaded.name)
-  return None
-
-
-def parse_args():
-  parser = argparse.ArgumentParser()
-  parser.add_argument('--small', type=str, nargs='+')
-  parser.add_argument('--middle', type=str, nargs='+')
-  parser.add_argument('--sideload', type=str, nargs='+')
-
-  return parser.parse_args()
-
-
-if __name__ == "__main__":
-  PROD = environ.get('PROD') == "true"
-  TESTCLUSTER_DEVICE_IP = environ.get('TESTCLUSTER_DEVICE_IP')
-  # generate_ingress_files()
-  # test()
-  args = parse_args()
-  created_middle_deployments = small_to_middle_deployments(args.small)
-  make_deployment_scripts(args.middle, created_middle_deployments)
-  publish_sideloads(args.sideload)
-  # with open("testing/test-backend.yaml", 'r', encoding='utf-8') as f:
-  #   with open("testing/test-backend.json", 'w', encoding='utf-8') as ff:
-  #     json.dump(yaml.load_all(f, yaml.CLoader), ff, indent=2)
-
-
-# configIn = {
-#   "kind": "EncryptionConfig",
-#   "apiVersion": "v1",
-#   "resources": [
-#     {
-#       "resources": [
-#           "secrets"
-#       ],
-#       "providers": [
-#         {
-#           "aescbc": {
-#             "keys": [
-#               {
-#                 "name": "key1",
-#                 "secret": "%s" % (generateSecret(32))
-#               }
-#             ]
-#           }
-#         }
-#       ]
-#     }
-#   ]
-# }
diff --git a/deploy/generate_scripts/kubernetes_yaml_constants.py b/deploy/generate_scripts/kubernetes_yaml_constants.py
deleted file mode 100644
index 1d095bdfd215bf4f85bbdfbad49af58ad1b915f0..0000000000000000000000000000000000000000
--- a/deploy/generate_scripts/kubernetes_yaml_constants.py
+++ /dev/null
@@ -1,150 +0,0 @@
-# keys, values
-KUBERNETES_METADATA_KEY = "metadata"
-KUBERNETES_NAME_KEY = "name"
-KUBERNETES_NAMESPACE_KEY = "namespace"
-KUBERNETES_SPEC_KEY = "spec"
-KUBERNETES_EXTERNALNAME_KEY = "externalName"
-KUBERNETES_SELECTOR_KEY = "selector"
-KUBERNETES_APP_KEY = "app"
-KUBERNETES_PORTS_KEY = "ports"
-KUBERNETES_PORT_KEY = "port"
-KUBERNETES_TARGETPORT_KEY = "targetPort"
-KUBERNETES_PROTOCOL_KEY = "protocol"
-KUBERNETES_CAPACITY_KEY = "capacity"
-KUBERNETES_STORAGE_KEY = "storage"
-KUBERNETES_LABELS_KEY = "labels"
-KUBERNETES_VOLUMENAME_KEY = "volumeName"
-KUBERNETES_RESOURCES_KEY = "resources"
-KUBERNETES_REQUESTS_KEY = "requests"
-KUBERNETES_DATA_KEY = "data"
-KUBERNETES_MATCHLABELS_KEY = "matchLabels"
-KUBERNETES_ANNOTATIONS_KEY = "annotations"
-KUBERNETES_RULES_KEY = "rules"
-KUBERNETES_PATH_KEY = "path"
-KUBERNETES_AFFINITY_KEY = "affinity"
-KUBERNETES_NODE_AFFINITY_KEY = "nodeAffinity"
-KUBERNETES_NODE_SELECTOR_TERMS_KEY = "nodeSelectorTerms"
-KUBERNETES_MATCH_EXPRESSIONS_KEY = "matchExpressions"
-KUBERNETES_KEY_KEY = "key"
-KUBERNETES_OPERATOR_KEY = "operator"
-KUBERNETES_VALUES_KEY = "values"
-KUBERNETES_REQUIRED_KEY = "required"
-KUBERNETES_REQUIRED_DURING_SCHEDULING_IGNORED_DURING_EXECUTION_KEY = "requiredDuringSchedulingIgnoredDuringExecution"
-KUBERNETES_WEIGHT_KEY = "weight"
-KUBERNETES_PREFERENCE_KEY = "preference"
-KUBERNETES_PRIVILEGED_KEY = "privileged"
-KUBERNETES_ITEMS_KEY = "items"
-KUBERNETES_SUBPATH_KEY = "subPath"
-
-KUBERNETES_LABEL_HOSTNAME_VALUE = "kubernetes.io/hostname"
-KUBERNETES_LABEL_NODE_ROLE_MASTER_VALUE = "node-role.kubernetes.io/master"
-KUBERNETES_OPERATOR_IN_VALUE = "In"
-KUBERNETES_OPERATOR_DOES_NOT_EXIST_VALUE = "DoesNotExist"
-
-KUBERNETES_API_VERSION_KEY = "apiVersion"
-KUBERNETES_API_VERSION_V1_VALUE = "v1"
-KUBERNETES_API_VERSION_DEFAULT_VALUE = KUBERNETES_API_VERSION_V1_VALUE
-KUBERNETES_API_VERSION_RBAC_AUTHORIZATION_VALUE = "rbac.authorization.k8s.io"
-KUBERNETES_API_VERSION_RBAC_AUTHORIZATION_DEFAULT_VALUE = f"{KUBERNETES_API_VERSION_RBAC_AUTHORIZATION_VALUE}/{KUBERNETES_API_VERSION_V1_VALUE}"
-KUBERNETES_API_VERSION_NAMESPACE_DEFAULT_VALUE = "apps/v1"
-KUBERNETES_API_VERSION_INGRESS_CONFIG_DEFAULT_VALUE = "networking.k8s.io/v1"
-
-KUBERNETES_KIND_KEY = "kind"
-KUBERNETES_KIND_VALUE_NAMESPACE = "Namespace"
-KUBERNETES_KIND_VALUE_SERVICE = "Service"
-KUBERNETES_KIND_VALUE_CONFIG_MAP = "ConfigMap"
-KUBERNETES_KIND_VALUE_DEPLOYMENT = "Deployment"
-KUBERNETES_KIND_VALUE_PERSISTENTVOLUME = "PersistentVolume"
-KUBERNETES_KIND_VALUE_PERSISTENTVOLUMECLAIM = "PersistentVolumeClaim"
-KUBERNETES_KIND_VALUE_SERVICEACCOUNT = "ServiceAccount"
-KUBERNETES_KIND_VALUE_ROLE = "Role"
-KUBERNETES_KIND_VALUE_CLUSTERROLE = "ClusterRole"
-KUBERNETES_KIND_VALUE_ROLEBINDING = "RoleBinding"
-KUBERNETES_KIND_VALUE_CLUSTERROLEBINDING = "ClusterRoleBinding"
-KUBERNETES_KIND_VALUE_INGRESS = "Ingress"
-KUBERNETES_KIND_VALUE_ENDPOINTS = "Endpoints"
-
-KUBERNETES_TYPE_KEY = "type"
-KUBERNETES_SERVICE_TYPE_VALUE_EXTERNAL_NAME = "ExternalName"
-KUBERNETES_SERVICE_TYPE_VALUE_CLUSTER_IP = "ClusterIP"
-KUBERNETES_SERVICE_TYPE_VALUE_NODE_PORT = "NodePort"
-KUBERNETES_SERVICE_TYPE_VALUE_LOADBALANCER = "LoadBalancer"
-KUBERNETES_SERVICE_SPEC_CLUSTERIP_KEY = "clusterIP"
-KUBERNETES_SERVICE_SPEC_CLUSTERIP_NONE_VALUE = "None"
-
-KUBERNETES_PROTOCOL_KEY = "protocol"
-KUBERNETES_PROTOCOL_VALUE_TCP = "TCP"
-KUBERNETES_PROTOCOL_VALUE_UDP = "UDP"
-
-KUBERNETES_STORAGECLASSNAME_KEY = "storageClassName"
-KUBERNETES_STORAGECLASSNAME_DEFAULT_VALUE = "manual"
-
-KUBERNETES_ACCESSMODES_KEY = "accessModes"
-KUBERNETES_ACCESSMODES_VALUE_READ_WRITE_MANY = "ReadWriteMany"
-KUBERNETES_ACCESSMODES_VALUE_READ_ONLY = "ReadOnly"
-
-KUBERNETES_PERSISTENT_VOLUME_RECLAIM_POLICY_KEY = "persistentVolumeReclaimPolicy"
-KUBERNETES_PERSISTENT_VOLUME_RECLAIM_POLICY_VALUE_RETAIN = "Retain"
-KUBERNETES_PERSISTENT_VOLUME_RECLAIM_POLICY_VALUE_DELETE = "Delete"
-
-KUBERNETES_NFS_KEY = "nfs"
-KUBERNETES_NFS_SERVER_KEY = "server"
-KUBERNETES_HOSTPATH_KEY = "hostPath"
-
-KUBERNETES_NFS_MOUNT_OPTIONS_KEY = "mountOptions"
-KUBERNETES_NFS_MOUNT_OPTIONS_DEFAULT_VALUE = ["nfsvers=4.1", "hard"]
-
-KUBERNETES_DEPLOYMENT_REPLICAS_KEY = "replicas"
-KUBERNETES_DEPLOYMENT_REPLICAS_DEFAULT_VALUE = 1
-KUBERNETES_DEPLOYMENT_TEMPLATE_KEY = "template"
-KUBERNETES_DEPLOYMENT_CONTAINERS_KEY = "containers"
-KUBERNETES_DEPLOYMENT_IMAGE_KEY = "image"
-KUBERNETES_DEPLOYMENT_IMAGEPULLPOLICY_KEY = "imagePullPolicy"
-KUBERNETES_DEPLOYMENT_IMAGEPULLPOLICY_IFNOTPRESENT_VALUE = "IfNotPresent"
-KUBERNETES_DEPLOYMENT_IMAGEPULLPOLICY_ALWAYS_VALUE = "Always"
-KUBERNETES_DEPLOYMENT_IMAGEPULLPOLICY_DEFAULT_VALUE = KUBERNETES_DEPLOYMENT_IMAGEPULLPOLICY_ALWAYS_VALUE
-KUBERNETES_DEPLOYMENT_VOLUMEMOUNTS_KEY = "volumeMounts"
-KUBERNETES_DEPLOYMENT_MOUNTPATH_KEY = "mountPath"
-KUBERNETES_DEPLOYMENT_VOLUMES_KEY = "volumes"
-KUBERNETES_DEPLOYMENT_CONFIG_MAP_KEY = "configMap"
-KUBERNETES_DEPLOYMENT_PERSISTENTVOLUMECLAIM_KEY = "persistentVolumeClaim"
-KUBERNETES_DEPLOYMENT_CLAIMNAME_KEY = "claimName"
-KUBERNETES_DEPLOYMENT_CONTAINERPORT_KEY = "containerPort"
-KUBERNETES_DEPLOYMENT_SERVICEACCOUNTNAME_KEY = "serviceAccountName"
-KUBERNETES_DEPLOYMENT_ENVFROM_KEY = "envFrom"
-KUBERNETES_DEPLOYMENT_CONFIGMAPREF_KEY = "configMapRef"
-KUBERNETES_DEPLOYMENT_SECURITYCONTEXT_KEY = "securityContext"
-KUBERNETES_DEPLOYMENT_IMAGE_PULL_SECRETS_KEY = "imagePullSecrets"
-
-KUBERNETES_SERVICEACCOUNT_RULES_KEY = KUBERNETES_RULES_KEY
-KUBERNETES_SERVICEACCOUNT_APIGROUPS_KEY = "apiGroups"
-KUBERNETES_SERVICEACCOUNT_VERBS_KEY = "verbs"
-KUBERNETES_SERVICEACCOUNT_ROLEREF_KEY = "roleRef"
-KUBERNETES_SERVICEACCOUNT_SUBJECTS_KEY = "subjects"
-KUBERNETES_SERVICEACCOUNT_APIGROUP_KEY = "apiGroup"
-
-KUBERNETES_ENDPOINTS_SUBSETS_KEY = "subsets"
-KUBERNETES_ENDPOINTS_ADDRESSES_KEY = "addresses"
-KUBERNETES_ENDPOINTS_IP_KEY = "ip"
-
-KUBERNETES_INGRESS_HOSTS_KEY = "hosts"
-KUBERNETES_INGRESS_TLS_KEY = "tls"
-KUBERNETES_INGRESS_SECRETNAME_KEY = "secretName"
-KUBERNETES_INGRESS_HOST_KEY = "host"
-KUBERNETES_INGRESS_HTTP_KEY = "http"
-KUBERNETES_INGRESS_PATHS_KEY = "paths"
-KUBERNETES_INGRESS_PATHTYPE_KEY = "pathType"
-KUBERNETES_INGRESS_BACKEND_KEY = "backend"
-KUBERNETES_INGRESS_SERVICE_KEY = "service"
-KUBERNETES_INGRESS_SERVICEPORTNUMBER_KEY = "number"
-KUBERNETES_INGRESS_RULES_KEY = KUBERNETES_RULES_KEY
-KUBERNETES_INGRESS_USE_PROXY_PROTOCOL_KEY = "use-proxy-protocol"
-
-
-# some default values
-KUBERNETES_NAMESPACE_DEFAULT = "default"
-KUBERNETES_PRIVILEGED_DEFAULT_VALUE = False
-KUBERNETES_WEIGHT_DEFAULT_VALUE = 1
-KUBERNETES_INGRESS_PATH_DEFAULT_VALUE = "/"
-KUBERNETES_INGRESS_PATHTYPE_DEFAULT_VALUE = "Prefix"
-KUBERNETES_INGRESS_USE_PROXY_PROTOCOL_DEFAULT_VALUE = "false"
diff --git a/deploy/mount_nfs.sh b/deploy/mount_nfs.sh
deleted file mode 100644
index 66905fe383bcdb05dcda8033dd2c440bdd86357a..0000000000000000000000000000000000000000
--- a/deploy/mount_nfs.sh
+++ /dev/null
@@ -1,198 +0,0 @@
-#!/bin/bash
-
-MKDIR="mkdir -p";
-COPY_DIR="cp -rp";
-MOUNT_CMD="mount -vv -t nfs4 -o rw,hard,nolock";
-
-echo "executing mount script"
-
-if [ "$1" = "$MOUNT_PARAM" ]
-then
-    echo "mounting";
-    TEST_MOUNT_PATH="$CLUSTER_DATA_PATH/testmount";
-    PROD_MOUNT_PATH="$CLUSTER_DATA_PATH/prodmount";
-    $MKDIR $TEST_MOUNT_PATH;
-    $MKDIR $PROD_MOUNT_PATH;
-
-    echo "mounting $TESTCLUSTER_DEVICE_IP to $TEST_MOUNT_PATH"
-    $MOUNT_CMD $TESTCLUSTER_DEVICE_IP:/ $TEST_MOUNT_PATH;
-    err_code=$?
-
-    if [ $err_code != 0 ] && [ "$PROD" != "true" ]
-    then
-        echo "could not mount test nfs; cmd exited with code $err_code";
-        exit -1;
-    elif [ $err_code != 0 ] && [ "$PROD" = "true" ]
-    then
-        echo "could not mount test nfs, exited with code $err_code but PROD=$PROD, skipping";
-    fi
-
-    echo "mounting $PRODCLUSTER_DEVICE_IP to $PROD_MOUNT_PATH"
-    $MOUNT_CMD $PRODCLUSTER_DEVICE_IP:/ $PROD_MOUNT_PATH;
-    err_code=$?
-
-    if [ $err_code != 0 ] && [ "$PROD" = "true" ]
-    then
-        echo "could not mount prod nfs; cmd exited with code $err_code";
-        exit -1;
-    elif [ $err_code != 0 ] && [ "$PROD" != "true" ]
-    then
-        echo "could not mount prod nfs, exited with code $err_code but PROD=$PROD, skipping";
-    fi
-
-    shift 1;
-    i=1; # first arg is script
-    j=$#;
-    while [ $i -le $j ] # iterate through arguments
-    do
-        DATA_PATH="$TEST_MOUNT_PATH/$1";
-        SOURCE_DATA_PATH="$PROD_MOUNT_PATH/$1";
-
-        if [ "$PROD" = "true" ]
-        then
-            DATA_PATH="$PROD_MOUNT_PATH/$1";
-            SOURCE_DATA_PATH="$TEST_MOUNT_PATH/$1";
-        fi
-
-        if [[ "$1" == "--"* ]]
-        then
-            break;
-        fi
-
-        echo "$i: $DATA_PATH";
-
-        if [ -d "$DATA_PATH" ] # directory exists
-        then
-        
-            if [ -z "$(ls -A $DATA_PATH)" ] # is directory empty
-            then
-                if [ -d "$SOURCE_DATA_PATH" ] # source path exists
-                then
-                    if [ "$COPY_FILES" = "true" ]
-                    then 
-                        DESTINATION_DATA_PATH="$(dirname "$DATA_PATH")"
-                        echo "copying $SOURCE_DATA_PATH to $DESTINATION_DATA_PATH"
-                        $MKDIR $DATA_PATH;
-                        $COPY_DIR "$SOURCE_DATA_PATH" $DESTINATION_DATA_PATH;
-                        echo "copied source $SOURCE_DATA_PATH to $DESTINATION_DATA_PATH"
-                    else
-                        echo "COPY_FILES is false; skipping copy"
-                    fi
-                else
-                    echo "cannot copy, source $SOURCE_DATA_PATH does not exist; skipping";
-                fi
-            else
-                echo "$DATA_PATH is not empty; skipping copy data.";
-            fi
-
-        else
-            if [ -d "$SOURCE_DATA_PATH" ] # source path exists
-            then
-                if [ "$COPY_FILES" = "true" ]
-                then
-                    DESTINATION_DATA_PATH="$(dirname "$DATA_PATH")"
-                    echo "copying $SOURCE_DATA_PATH to $DESTINATION_DATA_PATH"
-                    $MKDIR $DATA_PATH;
-                    $COPY_DIR "$SOURCE_DATA_PATH" $DESTINATION_DATA_PATH;
-                    echo "copied source $SOURCE_DATA_PATH to $DESTINATION_DATA_PATH"
-                else
-                    $MKDIR $DATA_PATH
-                    echo "COPY_FILES is false; created empty dir"
-                fi
-            else
-                $MKDIR $DATA_PATH
-                echo "cannot copy, source $SOURCE_DATA_PATH does not exist; empty folder created";
-            fi
-        fi
-
-        i=$((i + 1));
-        shift 1;
-    done
-
-    if [ "$1" = "$REPOCOPY_PARAM" ]
-    then
-        shift 1;
-        i=$((i + 1));
-        while [ $i -le $j ] # iterate through arguments
-        do
-            DATA_PATH="$TEST_MOUNT_PATH";
-
-            if [ "$PROD" = "true" ]
-            then
-                DATA_PATH="$PROD_MOUNT_PATH";
-            fi
-
-            if [[ "$1" == "--"* ]]
-            then
-                break;
-            fi
-
-            IFS=: read SOURCE DESTINATION <<< "$1"
-
-            echo "copying $SOURCE from repo to $DESTINATION"
-            cp $SOURCE "$DATA_PATH/$DESTINATION"
-            echo "copied $SOURCE to $DESTINATION"
-
-            i=$((i + 1));
-            shift 1;
-        done
-    fi
-
-    if [ "$1" = "$DELETE_FILE_PARAM" ]
-    then
-        shift 1;
-        i=$((i + 1));
-        while [ $i -le $j ] # iterate through arguments
-        do
-            DATA_PATH="$TEST_MOUNT_PATH";
-
-            if [ "$PROD" = "true" ]
-            then
-                DATA_PATH="$PROD_MOUNT_PATH";
-            fi
-
-            if [[ "$1" == "--"* ]]
-            then
-                break;
-            fi
-
-            echo "deleting $1"
-            rm -f "$DATA_PATH/$1"
-            echo "$1 deleted"
-
-            i=$((i + 1));
-            shift 1;
-        done
-    fi
-
-    if [ "$1" = "$CHMOD_FILE_PARAM" ]
-    then
-        shift 1;
-        i=$((i + 1));
-        while [ $i -le $j ] # iterate through arguments
-        do
-            DATA_PATH="$TEST_MOUNT_PATH";
-
-            if [ "$PROD" = "true" ]
-            then
-                DATA_PATH="$PROD_MOUNT_PATH";
-            fi
-
-            if [[ "$1" == "--"* ]]
-            then
-                break;
-            fi
-
-            IFS=: read SOURCE LEVEL <<< "$1"
-
-            echo "applying permissions $LEVEL to $SOURCE"
-            chmod -f $LEVEL "$DATA_PATH/$SOURCE" || true
-
-            i=$((i + 1));
-            shift 1;
-        done
-    fi
-fi
-
-
-
diff --git a/deploy/ssh_config/id_rsa b/deploy/ssh_config/id_rsa
deleted file mode 100644
index 6a7540a14ba0b72b818fd39d8290e7094b7f98ec..0000000000000000000000000000000000000000
--- a/deploy/ssh_config/id_rsa
+++ /dev/null
@@ -1,39 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
-NhAAAAAwEAAQAAAYEAxhNtLM+mGmECyy/3qRcgYk+gA68jxsADRfAT4kX1bm5PHMkkg/qj
-2Ms1PQ4rrhX5MzFmkN4aGDX3z2YjUfOW5h00spke00+bAP8WEGCcz4MWnJrYvzJSWJYgUO
-o/ViOricA9W4mpXEPnCavNyJxhbwHzKSmzhih5Y0RTKZWWhNyr6lZ0Y7p9YSVqTPDPZs7R
-0HvZKl9pnAqwuy5rxpIE92pAPOX/4/xxK/Jq3eZXS6zsPHLerVR6BIk+wbhQw/FAkoOJqO
-Ct8nNkj1SpZPXkZZfL5oJj5doYvdAwYxozPifWCdo1eGwg3pGZDgKFtm/0VWj2CtwIWBlb
-TBoDfmpir+E+BBy9HTuVx5+0EWSgTL9WCvCRtwaLaLgX2VkWWcDfJ6b6iiOq3XSJ8+jBWM
-tdGMDRdmOER7naaaGruvXDzySY5sVV7e/iakUbaXuYYQ+07MeVCleFadrr8A575LkGAAQu
-UxG5csMMYUFRpwhji036BciJvJpQ8myYRrO6jDKNAAAFqIsvCmGLLwphAAAAB3NzaC1yc2
-EAAAGBAMYTbSzPphphAssv96kXIGJPoAOvI8bAA0XwE+JF9W5uTxzJJIP6o9jLNT0OK64V
-+TMxZpDeGhg1989mI1HzluYdNLKZHtNPmwD/FhBgnM+DFpya2L8yUliWIFDqP1Yjq4nAPV
-uJqVxD5wmrzcicYW8B8ykps4YoeWNEUymVloTcq+pWdGO6fWElakzwz2bO0dB72SpfaZwK
-sLsua8aSBPdqQDzl/+P8cSvyat3mV0us7Dxy3q1UegSJPsG4UMPxQJKDiajgrfJzZI9UqW
-T15GWXy+aCY+XaGL3QMGMaMz4n1gnaNXhsIN6RmQ4ChbZv9FVo9grcCFgZW0waA35qYq/h
-PgQcvR07lceftBFkoEy/VgrwkbcGi2i4F9lZFlnA3yem+oojqt10ifPowVjLXRjA0XZjhE
-e52mmhq7r1w88kmObFVe3v4mpFG2l7mGEPtOzHlQpXhWna6/AOe+S5BgAELlMRuXLDDGFB
-UacIY4tN+gXIibyaUPJsmEazuowyjQAAAAMBAAEAAAGAKm2C1zRraf8ZsBhIPmn7v9M6fU
-+IpEwA53wzZiaCGfN68rmLHtITQp7Ueo2Mga+nP3X3eFR61nDI8h34ttcsnYHoBdGSrsTA
-eQgq27s2G6UCtOzePKY0yVDu/yYOBw+A8PLCsdbc9ix9Uq8AV1ZX8IVEZq7OC5Cj38WE4s
-VuBmuWT43RRINv091F1dFHO8hVXQkKTW8+mfQYQyAAafphIfYaaHEDzPwH6df1WC68yDL0
-L0aTuCD+OfaEAM7QTghg4eLGoRIXWq6Y36n1FFvQoOC18CcXpB/mNGekbbPz1wANPrYiop
-4pxir5q/MgBh/NG9lEAcPnyGEu57lqNKa7+f87gajztdnb5msJWm4gS3PxFeeivXwKcc6o
-dlo98CfCamFAZicqwqKacuK8PGd1XlJehzShdDQ1ecZsxiOIGpu3Nt4fYKrkdn0L+kQfTR
-rB3CnZJG2yneX46+Wu+PyxHudR4AveLZhLVUOVRAMMAeIqMhaoyMVS9xtz2jvfDLnpAAAA
-wQDHUCtwYeTRVBNJCj9FtXySvuyHzc5AaKhdmG5eMQXmm9JofKUk6U5W1EWah4EumQO4wc
-i9ALh7xabs/foeIrksw8GKLMgYoI8x/5PuwQYfKL0CRteIWZlxsIOM8JFXcDt2HIEZG0L8
-gs5hUSeseFJFSZ9mG0tDYsOMobdtMkVKxBnzXXiBCzzcVcgFUryLo4jNhi5D1BolSium9E
-42HTTjrCBN1V7NscbNRiXh9EFFC/eCza4UskqpQ1I58cqoNAYAAADBAO4UkUuEVJ2hTeQt
-wQck0+8TKGsV8vrxTtA9f2iFqMNIXdf06ND9HgteZ5KVC0Xu+F62OprSNjiOO0XJlw2X2t
-rvquRQrisxiOmuGP6f6eTsj5u3xE5stI3fcH27M9vjexZOzoElFJsYrt2yI0VnKgOpWhM+
-EUIKmA4vUUS2GN2DX6QLeLlxaMsy3RbGu5Oz0JHicxahtT176nFFire0bXY2lKHUAw1ZZD
-TDdp3LGAiMG/U7cBEoM8IXvRnq9fvpzwAAAMEA1PwJQRTa8LRoeLIJVPAC60dG75HK6M1k
-WMSuCVg5T7pfYTY1Cup2i8X2FpEcwWcjpu0XOE9hyG3/JX4D8ixHHcskTf/TAbGb8XnVnw
-0GLa6VrHIpaHouuEAVqyZ3/CNMUlgoZhR9f3+K5KmFi6WGm7dYk2omvj3DSZ0NdVTRPMQq
-4T9P7tOncSlSbpHSBTvQrfwMyv3dF4jcemWvS15/mTkSBsYK1vFamuCA/jgUPPInzqqXLo
-aUch7AAjnYbiDjAAAAMXJvb3RAcnVubmVyLXFtM2FtcXhyLXByb2plY3QtMTItY29uY3Vy
-cmVudC0wZzI5bHIB
------END OPENSSH PRIVATE KEY-----
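Review bot: Deleting `deploy/ssh_config/id_rsa` in this hunk does not retire the key, because the unencrypted private key remains readable in every earlier commit, clone, fork and CI cache of this repository. The `deploy/ssh_config/ssh_config` file removed in the same commit names it as the `IdentityFile` for `User root` on the `testcluster` host, so the key should be treated as disclosed. Whether the matching public key is still installed cannot be seen from here; the line from `id_rsa.pub` should be removed from `authorized_keys` on every host that trusts it, and a fresh key pair issued from CI secret storage (a masked or file-type CI variable) instead of the repository. Rewriting history to purge the blob is optional clean-up and is not a substitute for rotation. The replacement SSH config should also pin the host key rather than carry over `StrictHostKeyChecking no`.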
diff --git a/deploy/ssh_config/id_rsa.pub b/deploy/ssh_config/id_rsa.pub
deleted file mode 100644
index c55d444730f613fa3a078f34ff73d47a3982eea3..0000000000000000000000000000000000000000
--- a/deploy/ssh_config/id_rsa.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGE20sz6YaYQLLL/epFyBiT6ADryPGwANF8BPiRfVubk8cySSD+qPYyzU9DiuuFfkzMWaQ3hoYNffPZiNR85bmHTSymR7TT5sA/xYQYJzPgxacmti/MlJYliBQ6j9WI6uJwD1bialcQ+cJq83InGFvAfMpKbOGKHljRFMplZaE3KvqVnRjun1hJWpM8M9mztHQe9kqX2mcCrC7LmvGkgT3akA85f/j/HEr8mrd5ldLrOw8ct6tVHoEiT7BuFDD8UCSg4mo4K3yc2SPVKlk9eRll8vmgmPl2hi90DBjGjM+J9YJ2jV4bCDekZkOAoW2b/RVaPYK3AhYGVtMGgN+amKv4T4EHL0dO5XHn7QRZKBMv1YK8JG3BotouBfZWRZZwN8npvqKI6rddInz6MFYy10YwNF2Y4RHudppoau69cPPJJjmxVXt7+JqRRtpe5hhD7Tsx5UKV4Vp2uvwDnvkuQYABC5TEblywwxhQVGnCGOLTfoFyIm8mlDybJhGs7qMMo0= root@runner-qm3amqxr-project-12-concurrent-0g29lr
diff --git a/deploy/ssh_config/ssh_config b/deploy/ssh_config/ssh_config
deleted file mode 100644
index 17ea20b2306a9226e136d447c448cc0c3c218cea..0000000000000000000000000000000000000000
--- a/deploy/ssh_config/ssh_config
+++ /dev/null
@@ -1,7 +0,0 @@
-# ssh (secure shell) configuration file
-Host testcluster
-  HostName 192.168.1.146
-  Port 22
-  User root
-  IdentityFile deploy/ssh_config/id_rsa
-  StrictHostKeyChecking no
diff --git a/deploy/template.yaml b/deploy/template.yaml
deleted file mode 100644
index f9e8d302cf6c9f6a9bb8a216e298d3fee7183a68..0000000000000000000000000000000000000000
--- a/deploy/template.yaml
+++ /dev/null
@@ -1,69 +0,0 @@
-apiVersion: v1
-name: test-back
-namespace: test-back
-type: nginx
-deployments:
-- id: default
-  env:
-    content:
-      TEST: test
-      TEST2: test2
-  exposedHttpPort: 80
-  image: ${IMAGE_SERVER}/custom_image:0.1 # or i.e. nginx:latest
-  name: test-back
-  privileged: false
-  ports:
-    clusterIP:
-    - name: tcp-5000
-      port: 5000
-      protocol: TCP
-      targetPort: 80
-    - port: 5001
-      protocol: UDP  #udp currently not really supported
-      targetPort: 80
-    loadBalancer: null
-    nodePort:
-    - port: 5000
-      targetPort: 80
-  serviceAccount:
-    type: cluster  # or namespace
-    rules:
-    - apiGroups:
-      - '*'
-      resources:
-      - pods
-      verbs:
-      - list
-      - get
-      - watch
-      - create
-      - delete
-  uri: test.${BASE_URL}
-  maxUploadSize: 50m
-  imagePullSecrets:
-  - registry-420joos-dev-creds
-  volumes:
-    test-back-config:
-      accessModes:
-      - ReadWriteMany
-      mountPath: /ext
-      nfs:
-        path: /test-back
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 100Mi
-      type: pv
-    test-back-hostpath:
-      accessModes:
-      - ReadWriteMany
-      mountPath: /ext1
-      hostpath:
-        path: /test_folder
-        deviceHostname: cluster-master
-      size: 100Mi
-      type: pv
-    test-back-configmap:
-      content:
-      - deploy/bla.html
-      mountPath: /test
-      subPath: true
-      type: configMap
diff --git a/deploy/templates/ddclient/ddclient_middle_template.yaml b/deploy/templates/ddclient/ddclient_middle_template.yaml
deleted file mode 100644
index c62ff793a169b2e690ade2ccd293c4f90e633e0d..0000000000000000000000000000000000000000
--- a/deploy/templates/ddclient/ddclient_middle_template.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-type: ddclient
-deployments:
-- id: default
-  image: linuxserver/ddclient:3.9.1
-  name: ddclient
-  volumes:
-    data:
-      content: []
-      mountPath: /config
-      type: configMap
diff --git a/deploy/templates/docker_registry/docker_registry_middle_template.yaml b/deploy/templates/docker_registry/docker_registry_middle_template.yaml
deleted file mode 100644
index b5deb96018d741d287fd101866c1139a19b711e8..0000000000000000000000000000000000000000
--- a/deploy/templates/docker_registry/docker_registry_middle_template.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: v1
-type: docker-registry
-deployments:
-- id: default
-  exposedHttpPort: 5000
-  image: registry:2.8.0
-  name: docker-registry-server
-  maxUploadSize: 2g
-  volumes:
-    registry-store:
-      accessModes:
-      - ReadWriteMany
-      mountPath: /var/lib/registry
-      imagePullSecrets: []
-      nfs:
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 100Gi
-      type: pv
diff --git a/deploy/templates/gitlab/gitlab_middle_template.yaml b/deploy/templates/gitlab/gitlab_middle_template.yaml
deleted file mode 100644
index 9e84a11e25b3176e80cd523724b19bba761f9667..0000000000000000000000000000000000000000
--- a/deploy/templates/gitlab/gitlab_middle_template.yaml
+++ /dev/null
@@ -1,54 +0,0 @@
-apiVersion: v1
-deployments:
-# Gitlab
-- id: gitlab
-  exposedHttpPort: 80
-  image: ${GITLAB_IMAGE}
-  name: gitlab
-  maxUploadSize: 1024m
-  volumes:
-    gitlab-config:
-      accessModes:
-      - ReadWriteMany
-      mountPath: /etc/gitlab
-      nfs:
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 10Mi
-      type: pv
-    gitlab-logs:
-      accessModes:
-      - ReadWriteMany
-      mountPath: /var/log/gitlab
-      nfs:
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 10Mi
-      type: pv
-    gitlab-data:
-      accessModes:
-      - ReadWriteMany
-      mountPath: /var/opt/gitlab
-      nfs:
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 1Gi
-      type: pv
-# Postgres
-- id: postgres
-  env:
-    content:
-      POSTGRES_INITDB_ARGS: "-E utf8"
-  image: postgres:13
-  name: postgres
-  ports:
-    clusterIP:
-    - port: 5432
-      protocol: TCP
-      targetPort: 5432
-  volumes:
-    postgresdb:
-      accessModes:
-      - ReadWriteMany
-      mountPath: /var/lib/postgresql/data
-      nfs:
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 100Mi
-      type: pv
diff --git a/deploy/templates/gitlab_runner/gitlab_runner_middle_template.yaml b/deploy/templates/gitlab_runner/gitlab_runner_middle_template.yaml
deleted file mode 100644
index 9b3620af89049457e9058bd019bf08d16ed1093b..0000000000000000000000000000000000000000
--- a/deploy/templates/gitlab_runner/gitlab_runner_middle_template.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: v1
-namespace: gitlab-runner
-type: gitlab-runner
-deployments:
-- id: default
-  image: gitlab/gitlab-runner:v15.6.0
diff --git a/deploy/templates/nextcloud/nextcloud_middle_template.yaml b/deploy/templates/nextcloud/nextcloud_middle_template.yaml
deleted file mode 100644
index c5f1ef464f7240819af08cfcc02ef6eeaad025c0..0000000000000000000000000000000000000000
--- a/deploy/templates/nextcloud/nextcloud_middle_template.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
-# execute as www-data: runuser -u www-data -- command
-apiVersion: v1
-name: nextcloud
-namespace: nextcloud
-type: nextcloud
-deployments:
-- id: default
-  env:
-    content:
-      POSTGRES_HOST: postgres:5432
-  exposedHttpPort: 80
-  image: nextcloud:25.0.1-apache
-  name: nextcloud-server
-  maxUploadSize: 5g
-  volumes:
-    config:
-      mountPath: /var/www/html/config
-      nfs:
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 100Mi
-      type: pv
-    data:
-      mountPath: /var/www/html/data
-      nfs:
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 100Gi
-      type: pv
-    custom-apps:
-      mountPath: /var/www/html/custom_apps
-      nfs:
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 1Gi
-      type: pv
-    themes:
-      mountPath: /var/www/html/themes/
-      nfs:
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 1Gi
-      type: pv
-- id: postgres
-  env:
-    content:
-      LC_COLLATE: C
-      LC_CTYPE: C
-      POSTGRES_INITDB_ARGS: "-E utf8"
-  image: postgres:15-alpine
-  name: postgres
-  ports:
-    clusterIP:
-    - port: 5432
-      protocol: TCP
-      targetPort: 5432
-  volumes:
-    db:
-      mountPath: /var/lib/postgresql/data
-      nfs:
-        path: /nextcloud/db
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 2Gi
-      type: pv
diff --git a/deploy/templates/nfs/nfs_middle_template.yaml b/deploy/templates/nfs/nfs_middle_template.yaml
deleted file mode 100644
index e731eeb2d31af92a296830b056d45643922177da..0000000000000000000000000000000000000000
--- a/deploy/templates/nfs/nfs_middle_template.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-apiVersion: v1
-deployments:
-- id: nfs-server
-  env:
-    content:
-      SHARED_DIRECTORY: /nfsshare
-  image: andrijoos/nfs-alpine:1.0
-  name: nfs-server
-  privileged: true
-  ports:
-    loadBalancer:
-    - port: 2049
-      targetPort: 2049
-      protocol: TCP
-    # clusterIP:
-    # - port: 111
-    #   targetPort: 111
-    #   protocol: UDP
-  volumes:
-   nfs-data:
-      accessModes:
-      - ReadWriteMany
-      mountPath: /nfsshare
-      hostpath:
-        path: /cluster_data
-        deviceHostname: cluster-node-00
-      size: 1Gi
-      type: pv
diff --git a/deploy/templates/nginx/nginx_middle_template.yaml b/deploy/templates/nginx/nginx_middle_template.yaml
deleted file mode 100644
index ea05f8b53675c3e484367fae8d7ec324a45dbf82..0000000000000000000000000000000000000000
--- a/deploy/templates/nginx/nginx_middle_template.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: v1
-deployments:
-- id: default
-  exposedHttpPort: 80
-  image: nginx:stable
-  maxUploadSize: 5m
diff --git a/deploy/templates/octobot/octobot_middle_template.yaml b/deploy/templates/octobot/octobot_middle_template.yaml
deleted file mode 100644
index 4ccb6154e8e353353d69de63a2ae20bf1ac1385f..0000000000000000000000000000000000000000
--- a/deploy/templates/octobot/octobot_middle_template.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: v1
-type: octobot
-deployments:
-- id: default
-  exposedHttpPort: 5001
-  image: drakkarsoftware/octobot:stable
-  name: octobot
-  maxUploadSize: 1m
-  volumes:
-    user-config:
-      accessModes:
-      - ReadWriteMany
-      mountPath: /octobot/user
-      nfs:
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 20Mi
-      type: pv
-    tentacles:
-      accessModes:
-      - ReadWriteMany
-      mountPath: /octobot/tentacles
-      nfs:
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 20Mi
-      type: pv
diff --git a/deploy/templates/synapse/bridges/mautrix_bridge_middle_template.yaml b/deploy/templates/synapse/bridges/mautrix_bridge_middle_template.yaml
deleted file mode 100644
index e0f8d053bce51efc6f3b9865541ed0179b63e44c..0000000000000000000000000000000000000000
--- a/deploy/templates/synapse/bridges/mautrix_bridge_middle_template.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-apiVersion: v1
-namespace: synapse
-type: mautrix-bridge
-deployments:
-- id: default
-  imagePullSecrets: []
-  ports:
-    clusterIP:
-    - port: 29317
-      protocol: TCP
-      targetPort: 29317
-  volumes:
-    synapse-bridges:
-      mountPath: /data
-      nfs:
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 100Mi
-      type: pv
-- id: postgres
-  image: postgres:15
-  ports:
-    clusterIP:
-    - port: 5432
-      protocol: TCP
-      targetPort: 5432
-  imagePullSecrets: []
-  volumes:
-    mautrix-db:
-      accessModes:
-      - ReadWriteMany
-      mountPath: /var/lib/postgresql/data
-      nfs:
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 1Gi
-      type: pv
diff --git a/deploy/templates/synapse/default.log.config b/deploy/templates/synapse/default.log.config
deleted file mode 100644
index 23e99247dd45a7806f61249eb78204495064ff81..0000000000000000000000000000000000000000
--- a/deploy/templates/synapse/default.log.config
+++ /dev/null
@@ -1,22 +0,0 @@
-version: 1
-
-formatters:
-  precise:
-    format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
-
-handlers:
-  console:
-    class: logging.StreamHandler
-    formatter: precise
-
-loggers:
-    synapse.storage.SQL:
-        # beware: increasing this to DEBUG will make synapse log sensitive
-        # information such as access tokens.
-        level: INFO
-
-root:
-    level: DEBUG
-    handlers: [console]
-
-disable_existing_loggers: false
\ No newline at end of file
diff --git a/deploy/templates/synapse/synapse_middle_template.yaml b/deploy/templates/synapse/synapse_middle_template.yaml
deleted file mode 100644
index d594c7d325268f69813ff287697a6d5ba45acad7..0000000000000000000000000000000000000000
--- a/deploy/templates/synapse/synapse_middle_template.yaml
+++ /dev/null
@@ -1,53 +0,0 @@
-apiVersion: v1
-type: matrix
-deployments:
-- id: synapse
-  exposedHttpPort: 8008
-  image: matrixdotorg/synapse:v1.86.0
-  name: synapse
-  privileged: false
-  maxUploadSize: 50m
-  volumes:
-    synapse-media-store:
-      accessModes:
-      - ReadWriteMany
-      mountPath: /var/lib/media_store
-      nfs:
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 100Gi
-      type: pv
-    synapse-uploads:
-      accessModes:
-      - ReadWriteMany
-      mountPath: /var/lib/uploads
-      nfs:
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 2Gi
-      type: pv
-    synapse-config:
-      content: []
-      mountPath: /data
-      type: configMap
-- id: postgres
-  image: postgres:15-alpine
-  name: postgres
-  env:
-    content:
-      LC_COLLATE: C
-      LC_CTYPE: C
-      POSTGRES_INITDB_ARGS: "-E utf8"
-  ports:
-    clusterIP:
-    - port: 5432
-      protocol: TCP
-      targetPort: 5432
-  privileged: false
-  volumes:
-    postgresdb:
-      accessModes:
-      - ReadWriteMany
-      mountPath: /var/lib/postgresql/data
-      nfs:
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 2Gi
-      type: pv
diff --git a/deploy/templates/synapse_admin/synapse_admin_middle_template.yaml b/deploy/templates/synapse_admin/synapse_admin_middle_template.yaml
deleted file mode 100644
index df4d3a12e3df719f76bd250a69ae66e0a1c6ba1d..0000000000000000000000000000000000000000
--- a/deploy/templates/synapse_admin/synapse_admin_middle_template.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-# name: test-back
-# namespace: test-back
-type: synapse-admin
-deployments:
-- id: default
-  exposedHttpPort: 80
-  image: dotwee/synapse-admin:latest
-  name: synapse-admin
-  maxUploadSize: 50m
diff --git a/deploy/templates/turn/turn_middle_template.yaml b/deploy/templates/turn/turn_middle_template.yaml
deleted file mode 100644
index e3e332091496cd9b8661a3b4b9160d4cfa587802..0000000000000000000000000000000000000000
--- a/deploy/templates/turn/turn_middle_template.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: v1
-type: turn
-deployments:
-- id: turn_server
-  image: coturn/coturn:4.6-alpine
-  name: turn-server
-  privileged: false
-  # exposedHttpPort: 3478
-  ports:
-    loadBalancer:
-    - port: 3478
-      protocol: TCP
-      targetPort: 3478
-    - port: 3478
-      protocol: UDP
-      targetPort: 3478
-  volumes:
-    turn-config:
-      content: []
-      mountPath: /etc/coturn
-      type: configMap
diff --git a/deploy/templates/turn/turnserver.conf b/deploy/templates/turn/turnserver.conf
deleted file mode 100644
index 217b00b1b2b0a0ae6986fda6703bf19520f0bfcd..0000000000000000000000000000000000000000
--- a/deploy/templates/turn/turnserver.conf
+++ /dev/null
@@ -1,764 +0,0 @@
-# Coturn TURN SERVER configuration file
-#
-# Boolean values note: where a boolean value is supposed to be used,
-# you can use '0', 'off', 'no', 'false', or 'f' as 'false,
-# and you can use '1', 'on', 'yes', 'true', or 't' as 'true'
-# If the value is missing, then it means 'true' by default.
-#
-
-# Listener interface device (optional, Linux only).
-# NOT RECOMMENDED.
-#
-#listening-device=eth0
-
-# TURN listener port for UDP and TCP (Default: 3478).
-# Note: actually, TLS & DTLS sessions can connect to the
-# "plain" TCP & UDP port(s), too - if allowed by configuration.
-#
-listening-port=3478
-
-# TURN listener port for TLS (Default: 5349).
-# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
-# port(s), too - if allowed by configuration. The TURN server
-# "automatically" recognizes the type of traffic. Actually, two listening
-# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
-# functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs.
-# For secure TCP connections, Coturn currently supports
-# TLS version 1.0, 1.1 and 1.2.
-# For secure UDP connections, Coturn supports DTLS version 1.
-#
-#tls-listening-port=5349
-
-# Alternative listening port for UDP and TCP listeners;
-# default (or zero) value means "listening port plus one".
-# This is needed for RFC 5780 support
-# (STUN extension specs, NAT behavior discovery). The TURN Server
-# supports RFC 5780 only if it is started with more than one
-# listening IP address of the same family (IPv4 or IPv6).
-# RFC 5780 is supported only by UDP protocol, other protocols
-# are listening to that endpoint only for "symmetry".
-#
-#alt-listening-port=0
-
-# Alternative listening port for TLS and DTLS protocols.
-# Default (or zero) value means "TLS listening port plus one".
-#
-#alt-tls-listening-port=0
-
-# Some network setups will require using a TCP reverse proxy in front
-# of the STUN server. If the proxy port option is set a single listener
-# is started on the given port that accepts connections using the
-# haproxy proxy protocol v2.
-# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
-
-#tcp-proxy-port=3478
-
-# Listener IP address of relay server. Multiple listeners can be specified.
-# If no IP(s) specified in the config file or in the command line options,
-# then all IPv4 and IPv6 system IPs will be used for listening.
-#
-#listening-ip=172.17.19.101
-#listening-ip=10.207.21.238
-#listening-ip=2607:f0d0:1002:51::4
-#listening-ip=192.168.0.100
-
-# Auxiliary STUN/TURN server listening endpoint.
-# Aux servers have almost full TURN and STUN functionality.
-# The (minor) limitations are:
-#
-# 1) Auxiliary servers do not have alternative ports and
-# they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
-#
-# 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
-#
-# Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
-#
-# There may be multiple aux-server options, each will be used for listening
-# to client requests.
-#
-#aux-server=172.17.19.110:33478
-#aux-server=[2607:f0d0:1002:51::4]:33478
-
-# (recommended for older Linuxes only)
-# Automatically balance UDP traffic over auxiliary servers (if configured).
-# The load balancing is using the ALTERNATE-SERVER mechanism.
-# The TURN client must support 300 ALTERNATE-SERVER response for this
-# functionality.
-#
-#udp-self-balance
-
-# Relay interface device for relay sockets (optional, Linux only).
-# NOT RECOMMENDED.
-#
-#relay-device=eth1
-
-# Relay address (the local IP address that will be used to relay the
-# packets to the peer).
-# Multiple relay addresses may be used.
-# The same IP(s) can be used as both listening IP(s) and relay IP(s).
-#
-# If no relay IP(s) specified, then the turnserver will apply the default
-# policy: it will decide itself which relay addresses to be used, and it
-# will always be using the client socket IP address as the relay IP address
-# of the TURN session (if the requested relay address family is the same
-# as the family of the client socket).
-#
-#relay-ip=172.17.19.105
-#relay-ip=2607:f0d0:1002:51::5
-#relay-ip=192.168.0.100
-
-# For Amazon EC2 users:
-#
-# TURN Server public/private address mapping, if the server is behind NAT.
-# In that situation, if a -X is used in form "-X <ip>" then that ip will be reported
-# as relay IP address of all allocations. This scenario works only in a simple case
-# when one single relay address is be used, and no RFC5780 functionality is required.
-# That single relay address must be mapped by NAT to the 'external' IP.
-# The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field.
-# For that 'external' IP, NAT must forward ports directly (relayed port 12345
-# must be always mapped to the same 'external' port 12345).
-#
-# In more complex case when more than one IP address is involved,
-# that option must be used several times, each entry must
-# have form "-X <public-ip/private-ip>", to map all involved addresses.
-# RFC5780 NAT discovery STUN functionality will work correctly,
-# if the addresses are mapped properly, even when the TURN server itself
-# is behind A NAT.
-#
-# By default, this value is empty, and no address mapping is used.
-#
-#external-ip=60.70.80.91
-external-ip=${PRODCLUSTER_DEVICE_IP}
-#
-#OR:
-#
-#external-ip=60.70.80.91/172.17.19.101
-#external-ip=60.70.80.92/172.17.19.102
-
-
-# Number of the relay threads to handle the established connections
-# (in addition to authentication thread and the listener thread).
-# If explicitly set to 0 then application runs relay process in a
-# single thread, in the same thread with the listener process
-# (the authentication thread will still be a separate thread).
-#
-# If this parameter is not set, then the default OS-dependent
-# thread pattern algorithm will be employed. Usually the default
-# algorithm is optimal, so you have to change this option
-# if you want to make some fine tweaks.
-#
-# In the older systems (Linux kernel before 3.9),
-# the number of UDP threads is always one thread per network listening
-# endpoint - including the auxiliary endpoints - unless 0 (zero) or
-# 1 (one) value is set.
-#
-#relay-threads=0
-
-# Lower and upper bounds of the UDP relay endpoints:
-# (default values are 49152 and 65535)
-#
-# min-port=3479
-# max-port=3479
-
-# Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
-# By default the verbose mode is off.
-#verbose
-
-# Uncomment to run TURN server in 'extra' verbose mode.
-# This mode is very annoying and produces lots of output.
-# Not recommended under normal circumstances.
-#
-#Verbose
-
-# Uncomment to use fingerprints in the TURN messages.
-# By default the fingerprints are off.
-#
-#fingerprint
-
-# Uncomment to use long-term credential mechanism.
-# By default no credentials mechanism is used (any user allowed).
-#
-#lt-cred-mech
-
-# This option is the opposite of lt-cred-mech.
-# (TURN Server with no-auth option allows anonymous access).
-# If neither option is defined, and no users are defined,
-# then no-auth is default. If at least one user is defined,
-# in this file, in command line or in usersdb file, then
-# lt-cred-mech is default.
-#
-#no-auth
-
-# Enable prometheus exporter
-# If enabled the turnserver will expose an endpoint with stats on a prometheus format
-# this endpoint is listening on a different port to not conflict with other configurations.
-#
-# You can simply run the turnserver and access the port 9641 and path /metrics
-#
-# For more info on the prometheus exporter and metrics
-# https://prometheus.io/docs/introduction/overview/
-# https://prometheus.io/docs/concepts/data_model/
-#
-#prometheus
-
-# TURN REST API flag.
-# (Time Limited Long Term Credential)
-# Flag that sets a special authorization option that is based upon authentication secret.
-#
-# This feature's purpose is to support "TURN Server REST API", see
-# "TURN REST API" link in the project's page
-# https://github.com/coturn/coturn/
-#
-# This option is used with timestamp:
-#
-usercombo -> "timestamp:userid"
-turn user -> usercombo
-turn password -> base64(hmac(secret key, usercombo))
-#
-# This allows TURN credentials to be accounted for a specific user id.
-# If you don't have a suitable id, then the timestamp alone can be used.
-# This option is enabled by turning on secret-based authentication.
-# The actual value of the secret is defined either by the option static-auth-secret,
-# or can be found in the turn_secret table in the database (see below).
-#
-# Read more about it:
-#  - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
-#  - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
-#
-# Be aware that use-auth-secret overrides some parts of lt-cred-mech.
-# The use-auth-secret feature depends internally on lt-cred-mech, so if you set
-# this option then it automatically enables lt-cred-mech internally
-# as if you had enabled both.
-#
-# Note that you can use only one auth mechanism at the same time! This is because,
-# both mechanisms conduct username and password validation in different ways.
-#
-# Use either lt-cred-mech or use-auth-secret in the conf
-# to avoid any confusion.
-#
-use-auth-secret
-
-# 'Static' authentication secret value (a string) for TURN REST API only.
-# If not set, then the turn server
-# will try to use the 'dynamic' value in the turn_secret table
-# in the user database (if present). The database-stored  value can be changed on-the-fly
-# by a separate program, so this is why that mode is considered 'dynamic'.
-#
-static-auth-secret=rjALsyzwcAD8Un27SWBh39eWzaM2eKXj2FV4pXlNA1ihEKN6eV1zsESThZ968viZ
-
-# Server name used for
-# the oAuth authentication purposes.
-# The default value is the realm name.
-#
-#server-name=blackdow.carleon.gov
-
-# Flag that allows oAuth authentication.
-#
-#oauth
-
-# 'Static' user accounts for the long term credentials mechanism, only.
-# This option cannot be used with TURN REST API.
-# 'Static' user accounts are NOT dynamically checked by the turnserver process,
-# so they can NOT be changed while the turnserver is running.
-#
-#user=username1:key1
-#user=username2:key2
-# OR:
-#user=username1:password1
-#user=username2:password2
-#
-# Keys must be generated by turnadmin utility. The key value depends
-# on user name, realm, and password:
-#
-# Example:
-# $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic
-# Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee
-# ('0x' in the beginning of the key is what differentiates the key from
-# password. If it has 0x then it is a key, otherwise it is a password).
-#
-# The corresponding user account entry in the config file will be:
-#
-#user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
-# Or, equivalently, with open clear password (less secure):
-#user=ninefingers:youhavetoberealistic
-#
-
-# SQLite database file name.
-#
-# The default file name is /var/db/turndb or /usr/local/var/db/turndb or
-# /var/lib/turn/turndb.
-#
-#userdb=/var/db/turndb
-
-# PostgreSQL database connection string in the case that you are using PostgreSQL
-# as the user database.
-# This database can be used for the long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN REST API.
-# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
-# versions connection string format, see
-# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
-# for 9.x and newer connection string formats.
-#
-#psql-userdb="host=postgres port=30501 dbname=turn_production user=LkyoP8okucYyNVsdGD2YqTkFYtcdSeuH password=K01XxNO4DdpGhJfdIWvRYvYTLHKafdxg connect_timeout=30"
-
-# MySQL database connection string in the case that you are using MySQL
-# as the user database.
-# This database can be used for the long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN REST API.
-#
-# Optional connection string parameters for the secure communications (SSL):
-# ca, capath, cert, key, cipher
-# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
-# command options description).
-#
-# Use the string format below (space separated parameters, all optional):
-#
-#mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> read_timeout=<seconds>"
-
-# If you want to use an encrypted password in the MySQL connection string,
-# then set the MySQL password encryption secret key file with this option.
-#
-# Warning: If this option is set, then the mysql password must be set in "mysql-userdb" in an encrypted format!
-# If you want to use a cleartext password then do not set this option!
-#
-# This is the file path for the aes encrypted secret key used for password encryption.
-#
-#secret-key-file=/path/
-
-# MongoDB database connection string in the case that you are using MongoDB
-# as the user database.
-# This database can be used for long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN REST API.
-# Use the string format described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
-#
-#mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
-
-# Redis database connection string in the case that you are using Redis
-# as the user database.
-# This database can be used for long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN REST API.
-# Use the string format below (space separated parameters, all optional):
-#
-#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
-
-# Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
-# This database keeps allocations status information, and it can be also used for publishing
-# and delivering traffic and allocation event notifications.
-# The connection string has the same parameters as redis-userdb connection string.
-# Use the string format below (space separated parameters, all optional):
-#
-#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
-
-# The default realm to be used for the users when no explicit
-# origin/realm relationship is found in the database, or if the TURN
-# server is not using any database (just the commands-line settings
-# and the userdb file). Must be used with long-term credentials
-# mechanism or with TURN REST API.
-#
-# Note: If the default realm is not specified, then realm falls back to the host domain name.
-#       If the domain name string is empty, or set to '(None)', then it is initialized as an empty string.
-#
-realm=matrix.420joos.dev
-
-# This flag sets the origin consistency
-# check. Across the session, all requests must have the same
-# main ORIGIN attribute value (if the ORIGIN was
-# initially used by the session).
-#
-#check-origin-consistency
-
-# Per-user allocation quota.
-# default value is 0 (no quota, unlimited number of sessions per user).
-# This option can also be set through the database, for a particular realm.
-#
-#user-quota=0
-
-# Total allocation quota.
-# default value is 0 (no quota).
-# This option can also be set through the database, for a particular realm.
-#
-#total-quota=0
-
-# Max bytes-per-second bandwidth a TURN session is allowed to handle
-# (input and output network streams are treated separately). Anything above
-# that limit will be dropped or temporarily suppressed (within
-# the available buffer limits).
-# This option can also be set through the database, for a particular realm.
-#
-#max-bps=0
-
-#
-# Maximum server capacity.
-# Total bytes-per-second bandwidth the TURN server is allowed to allocate
-# for the sessions, combined (input and output network streams are treated separately).
-#
-# bps-capacity=0
-
-# Uncomment if no UDP client listener is desired.
-# By default UDP client listener is always started.
-#
-#no-udp
-
-# Uncomment if no TCP client listener is desired.
-# By default TCP client listener is always started.
-#
-#no-tcp
-
-# Uncomment if no TLS client listener is desired.
-# By default TLS client listener is always started.
-#
-# no-tls
-
-# Uncomment if no DTLS client listener is desired.
-# By default DTLS client listener is always started.
-#
-# no-dtls
-
-# Uncomment if no UDP relay endpoints are allowed.
-# By default UDP relay endpoints are enabled (like in RFC 5766).
-#
-#no-udp-relay
-
-# Uncomment if no TCP relay endpoints are allowed.
-# By default TCP relay endpoints are enabled (like in RFC 6062).
-#
-#no-tcp-relay
-
-# Uncomment if extra security is desired,
-# with nonce value having a limited lifetime.
-# The nonce value is unique for a session.
-# Set this option to limit the nonce lifetime.
-# Set it to 0 for unlimited lifetime.
-# It defaults to 600 secs (10 min) if no value is provided. After that delay,
-# the client will get 438 error and will have to re-authenticate itself.
-#
-#stale-nonce=600
-
-# Uncomment if you want to set the maximum allocation
-# time before it has to be refreshed.
-# Default is 3600s.
-#
-#max-allocate-lifetime=3600
-
-
-# Uncomment to set the lifetime for the channel.
-# Default value is 600 secs (10 minutes).
-# This value MUST not be changed for production purposes.
-#
-#channel-lifetime=600
-
-# Uncomment to set the permission lifetime.
-# Default to 300 secs (5 minutes).
-# In production this value MUST not be changed,
-# however it can be useful for test purposes.
-#
-#permission-lifetime=300
-
-# Certificate file.
-# Use an absolute path or path relative to the
-# configuration file.
-# Use PEM file format.
-#
-#cert=/usr/local/etc/turn_server_cert.pem
-
-# Private key file.
-# Use an absolute path or path relative to the
-# configuration file.
-# Use PEM file format.
-#
-#pkey=/usr/local/etc/turn_server_pkey.pem
-
-# Private key file password, if it is in encoded format.
-# This option has no default value.
-#
-#pkey-pwd=...
-
-# Allowed OpenSSL cipher list for TLS/DTLS connections.
-# Default value is "DEFAULT".
-#
-#cipher-list="DEFAULT"
-
-# CA file in OpenSSL format.
-# Forces TURN server to verify the client SSL certificates.
-# By default this is not set: there is no default value and the client
-# certificate is not checked.
-#
-# Example:
-#CA-file=/etc/ssh/id_rsa.cert
-
-# Curve name for EC ciphers, if supported by OpenSSL
-# library (TLS and DTLS). The default value is prime256v1,
-# if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
-# an optimal curve will be automatically calculated, if not defined
-# by this option.
-#
-#ec-curve-name=prime256v1
-
-# Use 566 bits predefined DH TLS key. Default size of the key is 2066.
-#
-#dh566
-
-# Use 1066 bits predefined DH TLS key. Default size of the key is 2066.
-#
-#dh1066
-
-# Use custom DH TLS key, stored in PEM format in the file.
-# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
-#
-#dh-file=<DH-PEM-file-name>
-
-# Flag to prevent stdout log messages.
-# By default, all log messages go to both stdout and to
-# the configured log file. With this option everything will
-# go to the configured log only (unless the log file itself is stdout).
-#
-#no-stdout-log
-
-# Option to set the log file name.
-# By default, the turnserver tries to open a log file in
-# /var/log, /var/tmp, /tmp and the current directory
-# (Whichever file open operation succeeds first will be used).
-# With this option you can set the definite log file name.
-# The special names are "stdout" and "-" - they will force everything
-# to the stdout. Also, the "syslog" name will force everything to
-# the system log (syslog).
-# In the runtime, the logfile can be reset with the SIGHUP signal
-# to the turnserver process.
-#
-#log-file=/var/tmp/turn.log
-
-# Option to redirect all log output into system log (syslog).
-#
-#syslog
-
-# This flag means that no log file rollover will be used, and the log file
-# name will be constructed as-is, without PID and date appendage.
-# This option can be used, for example, together with the logrotate tool.
-#
-#simple-log
-
-# Enable full ISO-8601 timestamp in all logs.
-#new-log-timestamp
-
-# Set timestamp format (in strftime(1) format)
-#new-log-timestamp-format "%FT%T%z"
-
-# Disabled by default binding logging in verbose log mode to avoid DoS attacks.
-# Enable binding logging and UDP endpoint logs in verbose log mode.
-#log-binding
-
-# Option to set the "redirection" mode. The value of this option
-# will be the address of the alternate server for UDP & TCP service in the form of
-# <ip>[:<port>]. The server will send this value in the attribute
-# ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
-# Client will receive only values with the same address family
-# as the client network endpoint address family.
-# See RFC 5389 and RFC 5766 for the description of ALTERNATE-SERVER functionality.
-# The client must use the obtained value for subsequent TURN communications.
-# If more than one --alternate-server option is provided, then the functionality
-# can be more accurately described as "load-balancing" than a mere "redirection".
-# If the port number is omitted, then the default port
-# number 3478 for the UDP/TCP protocols will be used.
-# Colon (:) characters in IPv6 addresses may conflict with the syntax of
-# the option. To alleviate this conflict, literal IPv6 addresses are enclosed
-# in square brackets in such resource identifiers, for example:
-# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
-# Multiple alternate servers can be set. They will be used in the
-# round-robin manner. All servers in the pool are considered of equal weight and
-# the load will be distributed equally. For example, if you have 4 alternate servers,
-# then each server will receive 25% of ALLOCATE requests. A alternate TURN server
-# address can be used more than one time with the alternate-server option, so this
-# can emulate "weighting" of the servers.
-#
-# Examples:
-#alternate-server=1.2.3.4:5678
-#alternate-server=11.22.33.44:56789
-#alternate-server=5.6.7.8
-#alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
-
-# Option to set alternative server for TLS & DTLS services in form of
-# <ip>:<port>. If the port number is omitted, then the default port
-# number 5349 for the TLS/DTLS protocols will be used. See the previous
-# option for the functionality description.
-#
-# Examples:
-#tls-alternate-server=1.2.3.4:5678
-#tls-alternate-server=11.22.33.44:56789
-#tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
-
-# Option to suppress TURN functionality, only STUN requests will be processed.
-# Run as STUN server only, all TURN requests will be ignored.
-# By default, this option is NOT set.
-#
-#stun-only
-
-# Option to hide software version. Enhance security when used in production.
-# Revealing the specific software version of the agent through the
-# SOFTWARE attribute might allow them to become more vulnerable to
-# attacks against software that is known to contain security holes.
-# Implementers SHOULD make usage of the SOFTWARE attribute a
-# configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2)
-#
-#no-software-attribute
-
-# Option to suppress STUN functionality, only TURN requests will be processed.
-# Run as TURN server only, all STUN requests will be ignored.
-# By default, this option is NOT set.
-#
-#no-stun
-
-# This is the timestamp/username separator symbol (character) in TURN REST API.
-# The default value is ':'.
-# rest-api-separator=:
-
-# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
-# This is an extra security measure.
-#
-# (To avoid any security issue that allowing loopback access may raise,
-# the no-loopback-peers option is replaced by allow-loopback-peers.)
-#
-# Allow it only for testing in a development environment!
-# In production it adds a possible security vulnerability, so for security reasons
-# it is not allowed using it together with empty cli-password.
-#
-#allow-loopback-peers
-
-# Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
-# This is an extra security measure.
-#
-#no-multicast-peers
-
-# Option to set the max time, in seconds, allowed for full allocation establishment.
-# Default is 60 seconds.
-#
-#max-allocate-timeout=60
-
-# Option to allow or ban specific ip addresses or ranges of ip addresses.
-# If an ip address is specified as both allowed and denied, then the ip address is
-# considered to be allowed. This is useful when you wish to ban a range of ip
-# addresses, except for a few specific ips within that range.
-#
-# This can be used when you do not want users of the turn server to be able to access
-# machines reachable by the turn server, but would otherwise be unreachable from the
-# internet (e.g. when the turn server is sitting behind a NAT)
-#
-# Examples:
-# denied-peer-ip=83.166.64.0-83.166.95.255
-# allowed-peer-ip=83.166.68.45
-
-# File name to store the pid of the process.
-# Default is /var/run/turnserver.pid (if superuser account is used) or
-# /var/tmp/turnserver.pid .
-#
-#pidfile="/var/run/turnserver.pid"
-
-# Require authentication of the STUN Binding request.
-# By default, the clients are allowed anonymous access to the STUN Binding functionality.
-#
-#secure-stun
-
-# Mobility with ICE (MICE) specs support.
-#
-#mobility
-
-# Allocate Address Family according (DEPRECATED and will be removed in favour of allocation-default-address-family)
-# If enabled then TURN server allocates address family according  the TURN
-# Client <=> Server communication address family.
-# (By default Coturn works according RFC 6156.)
-# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
-#
-#keep-address-family
-
-# TURN server allocates address family according TURN client requested address family.
-# If address family not requested explicitly by the client, then it falls back to this default.
-# The standard RFC explicitly define that this default must be IPv4, 
-# so use other option values with care! 
-# Possible values: "ipv4" or "ipv6" or "keep" 
-# "keep" sets the allocation default address family according to 
-# the TURN client allocation request connection address family.
-#allocation-default-address-family="ipv4"
-#allocation-default-address-family="ipv4"
-
-
-# User name to run the process. After the initialization, the turnserver process
-# will attempt to change the current user ID to that user.
-#
-#proc-user=<user-name>
-
-# Group name to run the process. After the initialization, the turnserver process
-# will attempt to change the current group ID to that group.
-#
-#proc-group=<group-name>
-
-# Turn OFF the CLI support.
-# By default it is always ON.
-# See also options cli-ip and cli-port.
-#
-#no-cli
-
-#Local system IP address to be used for CLI server endpoint. Default value
-# is 127.0.0.1.
-#
-#cli-ip=127.0.0.1
-
-# CLI server port. Default is 5766.
-#
-#cli-port=5766
-
-# CLI access password. Default is empty (no password).
-# For the security reasons, it is recommended that you use the encrypted
-# form of the password (see the -P command in the turnadmin utility).
-#
-# Secure form for password 'qwerty':
-#
-#cli-password=$5$79a316b350311570$81df9cfb9af7f5e5a76eada31e7097b663a0670f99a3c07ded3f1c8e59c5658a
-#
-# Or unsecure form for the same password:
-#
-#cli-password=qwerty
-
-# Enable Web-admin support on https. By default it is Disabled.
-# If it is enabled it also enables a http a simple static banner page
-# with a small reminder that the admin page is available only on https.
-#
-#web-admin
-
-# Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1.
-#
-#web-admin-ip=127.0.0.1
-
-# Web-admin server port. Default is 8080.
-#
-#web-admin-port=8080
-
-# Web-admin server listen on STUN/TURN worker threads
-# By default it is disabled for security resons! (Not recommended in any production environment!)
-#
-#web-admin-listen-on-workers
-
-#acme-redirect=http://redirectserver/.well-known/acme-challenge/
-# Redirect ACME, i.e. HTTP GET requests matching '^/.well-known/acme-challenge/(.*)' to '<URL>$1'.
-# Default is '', i.e. no special handling for such requests.
-
-# Server relay. NON-STANDARD AND DANGEROUS OPTION.
-# Only for those applications when you want to run
-# server applications on the relay endpoints.
-# This option eliminates the IP permissions check on
-# the packets incoming to the relay endpoints.
-#
-#server-relay
-
-# Maximum number of output sessions in ps CLI command.
-# This value can be changed on-the-fly in CLI. The default value is 256.
-#
-#cli-max-output-sessions
-
-# Set network engine type for the process (for internal purposes).
-#
-#ne=[1|2|3]
-
-# Do not allow an TLS/DTLS version of protocol
-#
-#no-tlsv1
-#no-tlsv1_1
-#no-tlsv1_2
\ No newline at end of file
diff --git a/deploy/templates/wordpress/.htaccess b/deploy/templates/wordpress/.htaccess
deleted file mode 100644
index 6a8aa4b00d5bd0463d84faf54052b63b7dc0bb34..0000000000000000000000000000000000000000
--- a/deploy/templates/wordpress/.htaccess
+++ /dev/null
@@ -1,17 +0,0 @@
-# BEGIN WordPress
-
-RewriteEngine On
-RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
-RewriteBase /
-RewriteRule ^index\.php$ - [L]
-RewriteCond %{REQUEST_FILENAME} !-f
-RewriteCond %{REQUEST_FILENAME} !-d
-RewriteRule . /index.php [L]
-
-# END WordPress
-
-php_value file_uploads On
-php_value memory_limit 100M
-php_value upload_max_filesize 50M
-php_value post_max_size 50M
-php_value max_execution_time 600
\ No newline at end of file
diff --git a/deploy/templates/wordpress/wordpress_middle_template.yaml b/deploy/templates/wordpress/wordpress_middle_template.yaml
deleted file mode 100644
index 964abe2fa3618795e7c207633235139e23bdeb14..0000000000000000000000000000000000000000
--- a/deploy/templates/wordpress/wordpress_middle_template.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-apiVersion: v1
-type: wordpress
-deployments:
-- id: wordpress-server
-  exposedHttpPort: 80
-  image: wordpress:6.1.1-apache # updates automatically
-  name: wordpress-server
-  maxUploadSize: 50m
-  volumes:
-    wordpress-html:
-      mountPath: /var/www/html
-      nfs:
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 2Gi
-      type: pv
-    wordpress-htaccess-config:
-      content: []
-      mountPath: /var/www/html
-      subPath: true
-      type: configMap
-- id: mysql
-  image: mysql/mysql-server:8.0
-  name: mysql
-  env:
-    content:
-      MYSQL_TCP_PORT: "3306"
-  ports:
-    clusterIP:
-    - port: 3306
-      protocol: TCP
-      targetPort: 3306
-  volumes:
-    mysql-db:
-      mountPath: /var/lib/mysql
-      nfs:
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 500Mi
-      type: pv
diff --git a/docker_registry/docker_registry_creds_secret.yaml b/docker_registry/docker_registry_creds_secret.yaml
deleted file mode 100644
index 45d62d64b2700606608dbe5ff37467788e295e1c..0000000000000000000000000000000000000000
--- a/docker_registry/docker_registry_creds_secret.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-data:
-  .dockerconfigjson: eyJhdXRocyI6eyJyZWdpc3RyeS40MjBqb29zLmRldiI6eyJ1c2VybmFtZSI6Imt1YmVybmV0ZXMiLCJwYXNzd29yZCI6Im5zTHZ4aVZBcnhIV1N0VnRLM1hnTmhTVGtQUkxRZFlTIiwiYXV0aCI6ImEzVmlaWEp1WlhSbGN6cHVjMHgyZUdsV1FYSjRTRmRUZEZaMFN6TllaMDVvVTFSclVGSk1VV1JaVXc9PSJ9fX0=
-kind: Secret
-metadata:
-  # namespace: docker-registry
-  name: registry-420joos-dev-creds
-type: kubernetes.io/dockerconfigjson
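Review bot: Removing `docker_registry/docker_registry_creds_secret.yaml` does not revoke the credential it carried, because the `.dockerconfigjson` value is only base64-encoded and remains readable in the repository history after this commit. The same applies to the bcrypt entries deleted from `docker_registry/htpasswd` further down, four of which use the low cost factor `$2y$05$`, and to the `key=` parameter in `map_style_url` in `element/config.json`. Whether these values are still live is not visible here, so treat them as exposed: rotate the registry passwords and the map API key, then decide whether the blobs should be purged from history. If the manifests are recreated elsewhere, the secret material should come from CI variables or a secret store rather than from tracked files.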
diff --git a/docker_registry/docker_registry_small.yaml b/docker_registry/docker_registry_small.yaml
deleted file mode 100644
index fb724083c6711ddc008be0eee7212e63bf70858c..0000000000000000000000000000000000000000
--- a/docker_registry/docker_registry_small.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: v1
-name: docker-registry
-namespace: docker-registry
-type: docker-registry
-deployments:
-- id: default
-  env:
-    content:
-        REGISTRY_AUTH: htpasswd
-        REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
-        REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
-  uri: registry.${BASE_URL}
-  volumes:
-    registry-store:
-      nfs:
-        path: /docker_registry/registry
-    # generate creds: apk add --no-cache apache2-utils
-    # htpasswd -Bbn {username} {password}
-    htpasswd:
-      content:
-      - docker_registry/htpasswd
-      mountPath: /auth
-      type: configMap
diff --git a/docker_registry/htpasswd b/docker_registry/htpasswd
deleted file mode 100644
index 1527ab653aeeabb5ed786c5fda8a3bcfb290c884..0000000000000000000000000000000000000000
--- a/docker_registry/htpasswd
+++ /dev/null
@@ -1,5 +0,0 @@
-docker:$2a$10$NnIZBTk1o45G8G1q3CEzN.QwzS0Pw27RUmzBS3cpXI1zIp2HKzP6G
-andrijoos:$2y$05$id.NeivFq8cCD4xOFSKWa.Fk7aIbJ5M4mDh4fFlm9LnlzvRKdfpEq
-gitlabci:$2y$05$CIAGGI1jtgIOa0b4Oi39SeBCzLd9Wen7/2UMhsJV3DROgUOVA3pTK
-kubernetes:$2y$05$zE9Qzhy6R3WfocR9XxYfv.0ImYP67tueZIC3En2xDsFuCK5KjVQtq
-jjoos:$2y$05$TEPX5lVj6kvmndpQRMR.DerbJLF4RIVmnH3vjP7o2O/U9U0sNYD0K
diff --git a/element/config.json b/element/config.json
deleted file mode 100644
index be794206544794158a33b2d4ec046c02fecd7c28..0000000000000000000000000000000000000000
--- a/element/config.json
+++ /dev/null
@@ -1,54 +0,0 @@
-{
-    "default_server_config": {
-        "m.homeserver": {
-            "base_url": "https://matrix.420joos.dev",
-            "server_name": "https://matrix.420joos.dev"
-        },
-        "m.identity_server": {
-            "base_url": "https://vector.im"
-        }
-    },
-    "disable_custom_urls": false,
-    "disable_guests": true,
-    "disable_login_language_selector": false,
-    "disable_3pid_login": false,
-    "brand": "Element on 420joos.dev & joos.io",
-    "integrations_ui_url": "https://scalar.vector.im/",
-    "integrations_rest_url": "https://scalar.vector.im/api",
-    "integrations_widgets_urls": [
-        "https://scalar.vector.im/_matrix/integrations/v1",
-        "https://scalar.vector.im/api",
-        "https://scalar-staging.vector.im/_matrix/integrations/v1",
-        "https://scalar-staging.vector.im/api",
-        "https://scalar-staging.riot.im/scalar/api"
-    ],
-    "bug_report_endpoint_url": "https://element.io/bugreports/submit",
-    "uisi_autorageshake_app": "element-auto-uisi",
-    "default_country_code": "US",
-    "show_labs_settings": false,
-    "features": { },
-    "default_federate": true,
-    "default_theme": "dark",
-    "room_directory": {
-        "servers": [
-            "matrix.org"
-        ]
-    },
-    "piwik": {
-        "url": "https://piwik.riot.im/",
-        "whitelisted_hs_urls": ["https://matrix.org"],
-        "whitelisted_is_urls": ["https://vector.im", "https://matrix.org"],
-        "siteId": 1
-    },
-    "enable_presence_by_hs_url": {
-        "https://matrix.org": false,
-        "https://matrix-client.matrix.org": false
-    },
-    "setting_defaults": {
-        "breadcrumbs": true
-    },
-    "jitsi": {
-        "preferred_domain": "meet.element.io"
-    },
-    "map_style_url": "https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx"
-}
diff --git a/element/element.yaml b/element/element.yaml
deleted file mode 100644
index 39c87e4229cd898ac5e84a69bb4d2d4a90087582..0000000000000000000000000000000000000000
--- a/element/element.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: v1
-name: element
-namespace: element
-type: none
-deployments:
-- id: default
-  exposedHttpPort: 80
-  image: ${ELEMENT_IMAGE}
-  name: element
-  privileged: false
-  uri: 
-  - element.${BASE_URL}
-  - element.${JOOS_IO_BASE_URL}
-  maxUploadSize: 50m
-  imagePullSecrets:
-  - registry-420joos-dev-creds
-  volumes:
-    test-back-configmap:
-      content:
-      - element/config.json
-      mountPath: /app
-      subPath: true
-      type: configMap
diff --git a/images/nfs/exports b/exports
similarity index 100%
rename from images/nfs/exports
rename to exports
diff --git a/gitlab/gitlab.rb b/gitlab/gitlab.rb
deleted file mode 100755
index fffbd2c7c4e3c976b39fb4f42538eafdac6a7031..0000000000000000000000000000000000000000
--- a/gitlab/gitlab.rb
+++ /dev/null
@@ -1,2534 +0,0 @@
-## GitLab configuration settings
-##! This file is generated during initial installation and **is not** modified
-##! during upgrades.
-##! Check out the latest version of this file to know about the different
-##! settings that can be configured by this file, which may be found at:
-##! https://gitlab.com/gitlab-org/omnibus-gitlab/raw/master/files/gitlab-config-template/gitlab.rb.template
-
-##! You can run `gitlab-ctl diff-config` to compare the contents of the current gitlab.rb with
-##! the gitlab.rb.template from the currently running version.
-
-##! You can run `gitlab-ctl show-config` to display the configuration that will be generated by
-##! running `gitlab-ctl reconfigure`
-
-##! In general, the values specified here should reflect what the default value of the attribute will be.
-##! There are instances where this behavior is not possible or desired. For example, when providing passwords,
-##! or connecting to third party services.
-##! In those instances, we endeavour to provide an example configuration.
-
-## GitLab URL
-##! URL on which GitLab will be reachable.
-##! For more details on configuring external_url see:
-##! https://docs.gitlab.com/omnibus/settings/configuration.html#configuring-the-external-url-for-gitlab
-##!
-##! Note: During installation/upgrades, the value of the environment variable
-##! EXTERNAL_URL will be used to populate/replace this value.
-##! On AWS EC2 instances, we also attempt to fetch the public hostname/IP
-##! address from AWS. For more details, see:
-##! https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
-external_url 'https://git.420joos.dev'
-
-## Roles for multi-instance GitLab
-##! The default is to have no roles enabled, which results in GitLab running as an all-in-one instance.
-##! Options:
-##!   redis_sentinel_role redis_master_role redis_replica_role geo_primary_role geo_secondary_role
-##!   postgres_role consul_role application_role monitoring_role
-##! For more details on each role, see:
-##! https://docs.gitlab.com/omnibus/roles/README.html#roles
-##!
-# roles ['redis_sentinel_role', 'redis_master_role']
-
-## Legend
-##! The following notations at the beginning of each line may be used to
-##! differentiate between components of this file and to easily select them using
-##! a regex.
-##! ## Titles, subtitles etc
-##! ##! More information - Description, Docs, Links, Issues etc.
-##! Configuration settings have a single # followed by a single space at the
-##! beginning; Remove them to enable the setting.
-
-##! **Configuration settings below are optional.**
-
-
-################################################################################
-################################################################################
-##                Configuration Settings for GitLab CE and EE                 ##
-################################################################################
-################################################################################
-
-################################################################################
-## gitlab.yml configuration
-##! Docs: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/gitlab.yml.md
-################################################################################
-# gitlab_rails['gitlab_ssh_host'] = 'ssh.host_example.com'
-# gitlab_rails['gitlab_ssh_user'] = ''
-# gitlab_rails['time_zone'] = 'UTC'
-
-### Request duration
-###! Tells the rails application how long it has to complete a request
-###! This value needs to be lower than the worker timeout set in unicorn/puma.
-###! By default, we'll allow 95% of the the worker timeout
-# gitlab_rails['max_request_duration_seconds'] = 57
-
-### Email Settings
-# gitlab_rails['gitlab_email_enabled'] = true
-# gitlab_rails['gitlab_email_from'] = 'example@example.com'
-# gitlab_rails['gitlab_email_display_name'] = 'Example'
-# gitlab_rails['gitlab_email_reply_to'] = 'noreply@example.com'
-# gitlab_rails['gitlab_email_subject_suffix'] = ''
-# gitlab_rails['gitlab_email_smime_enabled'] = false
-# gitlab_rails['gitlab_email_smime_key_file'] = '/etc/gitlab/ssl/gitlab_smime.key'
-# gitlab_rails['gitlab_email_smime_cert_file'] = '/etc/gitlab/ssl/gitlab_smime.crt'
-# gitlab_rails['gitlab_email_smime_ca_certs_file'] = '/etc/gitlab/ssl/gitlab_smime_cas.crt'
-
-### GitLab user privileges
-# gitlab_rails['gitlab_default_can_create_group'] = true
-# gitlab_rails['gitlab_username_changing_enabled'] = true
-
-### Default Theme
-### Available values:
-##! `1`  for Indigo
-##! `2`  for Dark
-##! `3`  for Light
-##! `4`  for Blue
-##! `5`  for Green
-##! `6`  for Light Indigo
-##! `7`  for Light Blue
-##! `8`  for Light Green
-##! `9`  for Red
-##! `10` for Light Red
-# gitlab_rails['gitlab_default_theme'] = 2
-
-### Default project feature settings
-# gitlab_rails['gitlab_default_projects_features_issues'] = true
-# gitlab_rails['gitlab_default_projects_features_merge_requests'] = true
-# gitlab_rails['gitlab_default_projects_features_wiki'] = true
-# gitlab_rails['gitlab_default_projects_features_snippets'] = true
-# gitlab_rails['gitlab_default_projects_features_builds'] = true
-# gitlab_rails['gitlab_default_projects_features_container_registry'] = true
-
-### Automatic issue closing
-###! See https://docs.gitlab.com/ee/customization/issue_closing.html for more
-###! information about this pattern.
-# gitlab_rails['gitlab_issue_closing_pattern'] = "\b((?:[Cc]los(?:e[sd]?|ing)|\b[Ff]ix(?:e[sd]|ing)?|\b[Rr]esolv(?:e[sd]?|ing)|\b[Ii]mplement(?:s|ed|ing)?)(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+)"
-
-### Download location
-###! When a user clicks e.g. 'Download zip' on a project, a temporary zip file
-###! is created in the following directory.
-###! Should not be the same path, or a sub directory of any of the `git_data_dirs`
-# gitlab_rails['gitlab_repository_downloads_path'] = 'tmp/repositories'
-
-### Gravatar Settings
-# gitlab_rails['gravatar_plain_url'] = 'http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon'
-# gitlab_rails['gravatar_ssl_url'] = 'https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon'
-
-### Auxiliary jobs
-###! Periodically executed jobs, to self-heal Gitlab, do external
-###! synchronizations, etc.
-###! Docs: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job
-###!       https://docs.gitlab.com/ee/ci/yaml/README.html#artifactsexpire_in
-# gitlab_rails['stuck_ci_jobs_worker_cron'] = "0 0 * * *"
-# gitlab_rails['expire_build_artifacts_worker_cron'] = "50 * * * *"
-# gitlab_rails['environments_auto_stop_cron_worker_cron'] = "24 * * * *"
-# gitlab_rails['pipeline_schedule_worker_cron'] = "19 * * * *"
-# gitlab_rails['ci_archive_traces_cron_worker_cron'] = "17 * * * *"
-# gitlab_rails['repository_check_worker_cron'] = "20 * * * *"
-# gitlab_rails['admin_email_worker_cron'] = "0 0 * * 0"
-# gitlab_rails['personal_access_tokens_expiring_worker_cron'] = "0 1 * * *"
-# gitlab_rails['repository_archive_cache_worker_cron'] = "0 * * * *"
-# gitlab_rails['pages_domain_verification_cron_worker'] = "*/15 * * * *"
-# gitlab_rails['pages_domain_ssl_renewal_cron_worker'] = "*/10 * * * *"
-# gitlab_rails['pages_domain_removal_cron_worker'] = "47 0 * * *"
-# gitlab_rails['schedule_migrate_external_diffs_worker_cron'] = "15 * * * *"
-
-### Webhook Settings
-###! Number of seconds to wait for HTTP response after sending webhook HTTP POST
-###! request (default: 10)
-# gitlab_rails['webhook_timeout'] = 10
-
-### GraphQL Settings
-###! Tells the rails application how long it has to complete a GraphQL request.
-###! We suggest this value to be higher than the database timeout value
-###! and lower than the worker timeout set in unicorn/puma. (default: 30)
-# gitlab_rails['graphql_timeout'] = 30
-
-### Trusted proxies
-###! Customize if you have GitLab behind a reverse proxy which is running on a
-###! different machine.
-###! **Add the IP address for your reverse proxy to the list, otherwise users
-###!   will appear signed in from that address.**
-# gitlab_rails['trusted_proxies'] = []
-
-### Content Security Policy
-####! Customize if you want to enable the Content-Security-Policy header, which
-####! can help thwart JavaScript cross-site scripting (XSS) attacks.
-####! See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
-# gitlab_rails['content_security_policy'] = {
-#  'enabled' => false,
-#  'report_only' => false,
-#  # Each directive is a String (e.g. "'self'").
-#  'directives' => {
-#    'base_uri' => nil,
-#    'child_src' => nil,
-#    'connect_src' => nil,
-#    'default_src' => nil,
-#    'font_src' => nil,
-#    'form_action' => nil,
-#    'frame_ancestors' => nil,
-#    'frame_src' => nil,
-#    'img_src' => nil,
-#    'manifest_src' => nil,
-#    'media_src' => nil,
-#    'object_src' => nil,
-#    'script_src' => nil,
-#    'style_src' => nil,
-#    'worker_src' => nil,
-#    'report_uri' => nil,
-#  }
-# }
-
-### Monitoring settings
-###! IP whitelist controlling access to monitoring endpoints
-# gitlab_rails['monitoring_whitelist'] = ['127.0.0.0/8', '::1/128']
-###! Time between sampling of unicorn socket metrics, in seconds
-# gitlab_rails['monitoring_unicorn_sampler_interval'] = 10
-
-### Shutdown settings
-###! Defines an interval to block healthcheck,
-###! but continue accepting application requests.
-# gitlab_rails['shutdown_blackout_seconds'] = 10
-
-### Reply by email
-###! Allow users to comment on issues and merge requests by replying to
-###! notification emails.
-###! Docs: https://docs.gitlab.com/ee/administration/reply_by_email.html
-# gitlab_rails['incoming_email_enabled'] = true
-
-#### Incoming Email Address
-####! The email address including the `%{key}` placeholder that will be replaced
-####! to reference the item being replied to.
-####! **The placeholder can be omitted but if present, it must appear in the
-####!   "user" part of the address (before the `@`).**
-# gitlab_rails['incoming_email_address'] = "gitlab-incoming+%{key}@gmail.com"
-
-#### Email account username
-####! **With third party providers, this is usually the full email address.**
-####! **With self-hosted email servers, this is usually the user part of the
-####!   email address.**
-# gitlab_rails['incoming_email_email'] = "gitlab-incoming@gmail.com"
-
-#### Email account password
-# gitlab_rails['incoming_email_password'] = "[REDACTED]"
-
-#### IMAP Settings
-# gitlab_rails['incoming_email_host'] = "imap.gmail.com"
-# gitlab_rails['incoming_email_port'] = 993
-# gitlab_rails['incoming_email_ssl'] = true
-# gitlab_rails['incoming_email_start_tls'] = false
-
-#### Incoming Mailbox Settings (via `mail_room`)
-####! The mailbox where incoming mail will end up. Usually "inbox".
-# gitlab_rails['incoming_email_mailbox_name'] = "inbox"
-####! The IDLE command timeout.
-# gitlab_rails['incoming_email_idle_timeout'] = 60
-####! The file name for internal `mail_room` JSON logfile
-# gitlab_rails['incoming_email_log_file'] = "/var/log/gitlab/mailroom/mail_room_json.log"
-####! Permanently remove messages from the mailbox when they are deleted after delivery
-# gitlab_rails['incoming_email_expunge_deleted'] = false
-
-####! The format of mail_room crash logs
-# mailroom['exit_log_format'] = "plain"
-
-### Consolidated (simplified) object storage configuration
-###! This uses a single credential for object storage with multiple buckets.
-###! It also enables Workhorse to upload files directly with its own S3 client
-###! instead of using pre-signed URLs.
-###!
-###! This configuration will only take effect if the object_store
-###! sections are not defined within the types. For example, enabling
-###! gitlab_rails['artifacts_object_store_enabled'] or
-###! gitlab_rails['lfs_object_store_enabled'] will prevent the
-###! consolidated settings from being used.
-###!
-###! Be sure to use different buckets for each type of object.
-###! Docs: https://docs.gitlab.com/ee/administration/object_storage.html
-gitlab_rails['object_store']['enabled'] = false
-gitlab_rails['object_store']['connection'] = {}
-gitlab_rails['object_store']['proxy_download'] = false
-gitlab_rails['object_store']['objects']['artifacts']['bucket'] = nil
-gitlab_rails['object_store']['objects']['external_diffs']['bucket'] = nil
-gitlab_rails['object_store']['objects']['lfs']['bucket'] = nil
-gitlab_rails['object_store']['objects']['uploads']['bucket'] = nil
-gitlab_rails['object_store']['objects']['packages']['bucket'] = nil
-gitlab_rails['object_store']['objects']['dependency_proxy']['bucket'] = nil
-gitlab_rails['object_store']['objects']['terraform_state']['bucket'] = nil
-
-### Job Artifacts
-# gitlab_rails['artifacts_enabled'] = true
-# gitlab_rails['artifacts_path'] = "/var/opt/gitlab/gitlab-rails/shared/artifacts"
-####! Job artifacts Object Store
-####! Docs: https://docs.gitlab.com/ee/administration/job_artifacts.html#using-object-storage
-# gitlab_rails['artifacts_object_store_enabled'] = false
-# gitlab_rails['artifacts_object_store_direct_upload'] = false
-# gitlab_rails['artifacts_object_store_background_upload'] = true
-# gitlab_rails['artifacts_object_store_proxy_download'] = false
-# gitlab_rails['artifacts_object_store_remote_directory'] = "artifacts"
-# gitlab_rails['artifacts_object_store_connection'] = {
-#   'provider' => 'AWS',
-#   'region' => 'eu-west-1',
-#   'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',
-#   'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',
-#   # # The below options configure an S3 compatible host instead of AWS
-#   # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.
-#   # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
-#   # 'host' => 's3.amazonaws.com',
-#   # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
-# }
-
-### External merge request diffs
-# gitlab_rails['external_diffs_enabled'] = false
-# gitlab_rails['external_diffs_when'] = nil
-# gitlab_rails['external_diffs_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/external-diffs"
-# gitlab_rails['external_diffs_object_store_enabled'] = false
-# gitlab_rails['external_diffs_object_store_direct_upload'] = false
-# gitlab_rails['external_diffs_object_store_background_upload'] = false
-# gitlab_rails['external_diffs_object_store_proxy_download'] = false
-# gitlab_rails['external_diffs_object_store_remote_directory'] = "external-diffs"
-# gitlab_rails['external_diffs_object_store_connection'] = {
-#   'provider' => 'AWS',
-#   'region' => 'eu-west-1',
-#   'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',
-#   'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',
-#   # # The below options configure an S3 compatible host instead of AWS
-#   # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.
-#   # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
-#   # 'host' => 's3.amazonaws.com',
-#   # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
-# }
-
-### Git LFS
-# gitlab_rails['lfs_enabled'] = true
-# gitlab_rails['lfs_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/lfs-objects"
-# gitlab_rails['lfs_object_store_enabled'] = false
-# gitlab_rails['lfs_object_store_direct_upload'] = false
-# gitlab_rails['lfs_object_store_background_upload'] = true
-# gitlab_rails['lfs_object_store_proxy_download'] = false
-# gitlab_rails['lfs_object_store_remote_directory'] = "lfs-objects"
-# gitlab_rails['lfs_object_store_connection'] = {
-#   'provider' => 'AWS',
-#   'region' => 'eu-west-1',
-#   'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',
-#   'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',
-#   # # The below options configure an S3 compatible host instead of AWS
-#   # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.
-#   # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
-#   # 'host' => 's3.amazonaws.com',
-#   # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
-# }
-
-### GitLab uploads
-###! Docs: https://docs.gitlab.com/ee/administration/uploads.html
-# gitlab_rails['uploads_storage_path'] = "/opt/gitlab/embedded/service/gitlab-rails/public"
-# gitlab_rails['uploads_base_dir'] = "uploads/-/system"
-# gitlab_rails['uploads_object_store_enabled'] = false
-# gitlab_rails['uploads_object_store_direct_upload'] = false
-# gitlab_rails['uploads_object_store_background_upload'] = true
-# gitlab_rails['uploads_object_store_proxy_download'] = false
-# gitlab_rails['uploads_object_store_remote_directory'] = "uploads"
-# gitlab_rails['uploads_object_store_connection'] = {
-#   'provider' => 'AWS',
-#   'region' => 'eu-west-1',
-#   'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',
-#   'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',
-#   # # The below options configure an S3 compatible host instead of AWS
-#   # 'host' => 's3.amazonaws.com',
-#   # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.
-#   # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
-#   # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
-# }
-
-### Terraform state
-###! Docs: https://docs.gitlab.com/ee/administration/terraform_state
-# gitlab_rails['terraform_state_enabled'] = true
-# gitlab_rails['terraform_state_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/terraform_state"
-# gitlab_rails['terraform_state_object_store_enabled'] = false
-# gitlab_rails['terraform_state_object_store_remote_directory'] = "terraform_state"
-# gitlab_rails['terraform_state_object_store_connection'] = {
-#   'provider' => 'AWS',
-#   'region' => 'eu-west-1',
-#   'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',
-#   'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',
-#   # # The below options configure an S3 compatible host instead of AWS
-#   # 'host' => 's3.amazonaws.com',
-#   # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.
-#   # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
-#   # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
-# }
-
-### Impersonation settings
-# gitlab_rails['impersonation_enabled'] = true
-
-### Usage Statistics
-# gitlab_rails['usage_ping_enabled'] = true
-
-### Seat Link setting
-###! Docs: https://docs.gitlab.com/ee/subscriptions/index.html#seat-link
-# gitlab_rails['seat_link_enabled'] = true
-
-### GitLab Mattermost
-###! These settings are void if Mattermost is installed on the same omnibus
-###! install
-# gitlab_rails['mattermost_host'] = "https://mattermost.example.com"
-
-### LDAP Settings
-###! Docs: https://docs.gitlab.com/omnibus/settings/ldap.html
-###! **Be careful not to break the indentation in the ldap_servers block. It is
-###!   in yaml format and the spaces must be retained. Using tabs will not work.**
-
-# gitlab_rails['ldap_enabled'] = false
-# gitlab_rails['prevent_ldap_sign_in'] = false
-
-###! **remember to close this block with 'EOS' below**
-# gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
-#   main: # 'main' is the GitLab 'provider ID' of this LDAP server
-#     label: 'LDAP'
-#     host: '_your_ldap_server'
-#     port: 389
-#     uid: 'sAMAccountName'
-#     bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
-#     password: '_the_password_of_the_bind_user'
-#     encryption: 'plain' # "start_tls" or "simple_tls" or "plain"
-#     verify_certificates: true
-#     smartcard_auth: false
-#     active_directory: true
-#     allow_username_or_email_login: false
-#     lowercase_usernames: false
-#     block_auto_created_users: false
-#     base: ''
-#     user_filter: ''
-#     ## EE only
-#     group_base: ''
-#     admin_group: ''
-#     sync_ssh_keys: false
-#
-#   secondary: # 'secondary' is the GitLab 'provider ID' of second LDAP server
-#     label: 'LDAP'
-#     host: '_your_ldap_server'
-#     port: 389
-#     uid: 'sAMAccountName'
-#     bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
-#     password: '_the_password_of_the_bind_user'
-#     encryption: 'plain' # "start_tls" or "simple_tls" or "plain"
-#     verify_certificates: true
-#     smartcard_auth: false
-#     active_directory: true
-#     allow_username_or_email_login: false
-#     lowercase_usernames: false
-#     block_auto_created_users: false
-#     base: ''
-#     user_filter: ''
-#     ## EE only
-#     group_base: ''
-#     admin_group: ''
-#     sync_ssh_keys: false
-# EOS
-
-### Smartcard authentication settings
-###! Docs: https://docs.gitlab.com/ee/administration/auth/smartcard.html
-# gitlab_rails['smartcard_enabled'] = false
-# gitlab_rails['smartcard_ca_file'] = "/etc/gitlab/ssl/CA.pem"
-# gitlab_rails['smartcard_client_certificate_required_host'] = 'smartcard.gitlab.example.com'
-# gitlab_rails['smartcard_client_certificate_required_port'] = 3444
-# gitlab_rails['smartcard_required_for_git_access'] = false
-# gitlab_rails['smartcard_san_extensions'] = false
-
-### OmniAuth Settings
-###! Docs: https://docs.gitlab.com/ee/integration/omniauth.html
-# gitlab_rails['omniauth_enabled'] = nil
-# gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
-# gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'
-# gitlab_rails['omniauth_sync_profile_from_provider'] = ['saml']
-# gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
-# gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
-# gitlab_rails['omniauth_block_auto_created_users'] = true
-# gitlab_rails['omniauth_auto_link_ldap_user'] = false
-# gitlab_rails['omniauth_auto_link_saml_user'] = false
-# gitlab_rails['omniauth_external_providers'] = ['twitter', 'google_oauth2']
-# gitlab_rails['omniauth_allow_bypass_two_factor'] = ['google_oauth2']
-# gitlab_rails['omniauth_providers'] = [
-#   {
-#     "name" => "google_oauth2",
-#     "app_id" => "YOUR APP ID",
-#     "app_secret" => "YOUR APP SECRET",
-#     "args" => { "access_type" => "offline", "approval_prompt" => "" }
-#   }
-# ]
-
-### Backup Settings
-###! Docs: https://docs.gitlab.com/omnibus/settings/backups.html
-
-# gitlab_rails['manage_backup_path'] = true
-# gitlab_rails['backup_path'] = "/var/opt/gitlab/backups"
-
-###! Docs: https://docs.gitlab.com/ee/raketasks/backup_restore.html#backup-archive-permissions
-# gitlab_rails['backup_archive_permissions'] = 0644
-
-# gitlab_rails['backup_pg_schema'] = 'public'
-
-###! The duration in seconds to keep backups before they are allowed to be deleted
-# gitlab_rails['backup_keep_time'] = 604800
-
-# gitlab_rails['backup_upload_connection'] = {
-#   'provider' => 'AWS',
-#   'region' => 'eu-west-1',
-#   'aws_access_key_id' => 'AKIAKIAKI',
-#   'aws_secret_access_key' => 'secret123',
-#   # # If IAM profile use is enabled, remove aws_access_key_id and aws_secret_access_key
-#   'use_iam_profile' => false
-# }
-# gitlab_rails['backup_upload_remote_directory'] = 'my.s3.bucket'
-# gitlab_rails['backup_multipart_chunk_size'] = 104857600
-
-###! **Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for
-###!   backups**
-# gitlab_rails['backup_encryption'] = 'AES256'
-###! The encryption key to use with AWS Server-Side Encryption.
-###! Setting this value will enable Server-Side Encryption with customer provided keys;
-###!   otherwise S3-managed keys are used.
-# gitlab_rails['backup_encryption_key'] = '<base64-encoded encryption key>'
-
-###! **Specifies Amazon S3 storage class to use for backups. Valid values
-###!   include 'STANDARD', 'STANDARD_IA', and 'REDUCED_REDUNDANCY'**
-# gitlab_rails['backup_storage_class'] = 'STANDARD'
-
-###! Skip parts of the backup. Comma separated.
-###! Docs: https://docs.gitlab.com/ee/raketasks/backup_restore.html#excluding-specific-directories-from-the-backup
-#gitlab_rails['env'] = {
-#    "SKIP" => "db,uploads,repositories,builds,artifacts,lfs,registry,pages"
-#}
-
-### Pseudonymizer Settings
-# gitlab_rails['pseudonymizer_manifest'] = 'config/pseudonymizer.yml'
-# gitlab_rails['pseudonymizer_upload_remote_directory'] = 'gitlab-elt'
-# gitlab_rails['pseudonymizer_upload_connection'] = {
-#   'provider' => 'AWS',
-#   'region' => 'eu-west-1',
-#   'aws_access_key_id' => 'AKIAKIAKI',
-#   'aws_secret_access_key' => 'secret123'
-# }
-
-
-### For setting up different data storing directory
-###! Docs: https://docs.gitlab.com/omnibus/settings/configuration.html#storing-git-data-in-an-alternative-directory
-###! **If you want to use a single non-default directory to store git data use a
-###!   path that doesn't contain symlinks.**
-# git_data_dirs({
-#   "default" => {
-#     "path" => "/mnt/nfs-01/git-data"
-#    }
-# })
-
-### Gitaly settings
-# gitlab_rails['gitaly_token'] = 'secret token'
-
-### For storing GitLab application uploads, eg. LFS objects, build artifacts
-###! Docs: https://docs.gitlab.com/ee/development/shared_files.html
-# gitlab_rails['shared_path'] = '/var/opt/gitlab/gitlab-rails/shared'
-
-### Wait for file system to be mounted
-###! Docs: https://docs.gitlab.com/omnibus/settings/configuration.html#only-start-omnibus-gitlab-services-after-a-given-filesystem-is-mounted
-# high_availability['mountpoint'] = ["/var/opt/gitlab/git-data", "/var/opt/gitlab/gitlab-rails/shared"]
-
-### GitLab Shell settings for GitLab
-# gitlab_rails['gitlab_shell_ssh_port'] = 22
-# gitlab_rails['gitlab_shell_git_timeout'] = 800
-
-### Extra customization
-# gitlab_rails['extra_google_analytics_id'] = '_your_tracking_id'
-# gitlab_rails['extra_piwik_url'] = '_your_piwik_url'
-# gitlab_rails['extra_piwik_site_id'] = '_your_piwik_site_id'
-
-##! Docs: https://docs.gitlab.com/omnibus/settings/environment-variables.html
-# gitlab_rails['env'] = {
-#   'BUNDLE_GEMFILE' => "/opt/gitlab/embedded/service/gitlab-rails/Gemfile",
-#   'PATH' => "/opt/gitlab/bin:/opt/gitlab/embedded/bin:/bin:/usr/bin"
-# }
-
-# gitlab_rails['rack_attack_git_basic_auth'] = {
-#   'enabled' => false,
-#   'ip_whitelist' => ["127.0.0.1"],
-#   'maxretry' => 10,
-#   'findtime' => 60,
-#   'bantime' => 3600
-# }
-
-###! **We do not recommend changing these directories.**
-# gitlab_rails['dir'] = "/var/opt/gitlab/gitlab-rails"
-# gitlab_rails['log_directory'] = "/var/log/gitlab/gitlab-rails"
-
-### GitLab application settings
-# gitlab_rails['uploads_directory'] = "/var/opt/gitlab/gitlab-rails/uploads"
-
-#### Change the initial default admin password and shared runner registration tokens.
-####! **Only applicable on initial setup, changing these settings after database
-####!   is created and seeded won't yield any change.**
-# gitlab_rails['initial_root_password'] = "0ZnJ7V8B9f01_4Kj3+JZRPJ|f`*m^#L|"
-# gitlab_rails['initial_shared_runners_registration_token'] = "token"
-
-#### Set path to an initial license to be used while bootstrapping GitLab.
-####! **Only applicable on initial setup, future license updations need to be done via UI.
-####! Updating the file specified in this path won't yield any change after the first reconfigure run.
-# gitlab_rails['initial_license_file'] = '/etc/gitlab/company.gitlab-license'
-
-#### Enable or disable automatic database migrations
-# gitlab_rails['auto_migrate'] = true
-
-#### This is advanced feature used by large gitlab deployments where loading
-#### whole RAILS env takes a lot of time.
-# gitlab_rails['rake_cache_clear'] = true
-
-### GitLab database settings
-###! Docs: https://docs.gitlab.com/omnibus/settings/database.html
-###! **Only needed if you use an external database.**
-gitlab_rails['db_adapter'] = "postgresql"
-gitlab_rails['db_encoding'] = "utf8"
-#gitlab_rails['db_collation'] = "C"
-gitlab_rails['db_database'] = "gitlab_production"
-# gitlab_rails['db_pool'] = 1
-gitlab_rails['db_username'] = "5450298f7b96"
-gitlab_rails['db_password'] = "b4f301d36179"
-gitlab_rails['db_host'] = "postgres"
-gitlab_rails['db_port'] = 5432
-# gitlab_rails['db_socket'] = "postgres"
-# gitlab_rails['db_sslmode'] = nil
-# gitlab_rails['db_sslcompression'] = 0
-# gitlab_rails['db_sslrootcert'] = nil
-# gitlab_rails['db_sslcert'] = nil
-# gitlab_rails['db_sslkey'] = nil
-# gitlab_rails['db_prepared_statements'] = false
-# gitlab_rails['db_statements_limit'] = 1000
-
-
-### GitLab Redis settings
-###! Connect to your own Redis instance
-###! Docs: https://docs.gitlab.com/omnibus/settings/redis.html
-
-#### Redis TCP connection
-# gitlab_rails['redis_host'] = "127.0.0.1"
-# gitlab_rails['redis_port'] = 6379
-# gitlab_rails['redis_ssl'] = false
-# gitlab_rails['redis_password'] = nil
-# gitlab_rails['redis_database'] = 0
-# gitlab_rails['redis_enable_client'] = true
-
-#### Redis local UNIX socket (will be disabled if TCP method is used)
-# gitlab_rails['redis_socket'] = "/var/opt/gitlab/redis/redis.socket"
-
-#### Sentinel support
-####! To have Sentinel working, you must enable Redis TCP connection support
-####! above and define a few Sentinel hosts below (to get a reliable setup
-####! at least 3 hosts).
-####! **You don't need to list every sentinel host, but the ones not listed will
-####!   not be used in a fail-over situation to query for the new master.**
-# gitlab_rails['redis_sentinels'] = [
-#   {'host' => '127.0.0.1', 'port' => 26379},
-# ]
-
-#### Separate instances support
-###! Docs: https://docs.gitlab.com/omnibus/settings/redis.html#running-with-multiple-redis-instances
-# gitlab_rails['redis_cache_instance'] = nil
-# gitlab_rails['redis_cache_sentinels'] = nil
-# gitlab_rails['redis_queues_instance'] = nil
-# gitlab_rails['redis_queues_sentinels'] = nil
-# gitlab_rails['redis_shared_state_instance'] = nil
-# gitlab_rails['redis_shared_sentinels'] = nil
-# gitlab_rails['redis_actioncable_instance'] = nil
-# gitlab_rails['redis_actioncable_sentinels'] = nil
-
-### GitLab email server settings
-###! Docs: https://docs.gitlab.com/omnibus/settings/smtp.html
-###! **Use smtp instead of sendmail/postfix.**
-
-gitlab_rails['smtp_enable'] = true
-gitlab_rails['smtp_address'] = "mail.privateemail.com"
-gitlab_rails['smtp_port'] = 587
-gitlab_rails['smtp_user_name'] = "no-reply@420joos.dev"
-gitlab_rails['smtp_password'] = "GOvcPSzmgo3kfCzs4dGvCRwM93cnw1aw"
-gitlab_rails['smtp_domain'] = "mail.privateemail.com"
-gitlab_rails['smtp_authentication'] = "login"
-gitlab_rails['smtp_enable_starttls_auto'] = true
-# gitlab_rails['smtp_tls'] = true
-gitlab_rails['gitlab_email_from'] = 'no-reply@420joos.dev'
-gitlab_rails['gitlab_email_reply_to'] = 'no-reply@420joos.dev'
-
-###! **Can be: 'none', 'peer', 'client_once', 'fail_if_no_peer_cert'**
-###! Docs: http://api.rubyonrails.org/classes/ActionMailer/Base.html
-# gitlab_rails['smtp_openssl_verify_mode'] = 'none'
-
-# gitlab_rails['smtp_ca_path'] = "/etc/ssl/certs"
-# gitlab_rails['smtp_ca_file'] = "/etc/ssl/certs/ca-certificates.crt"
-
-################################################################################
-## Container Registry settings
-##! Docs: https://docs.gitlab.com/ee/administration/container_registry.html
-################################################################################
-
-# registry_external_url 'https://registry.example.com'
-
-### Settings used by GitLab application
-# gitlab_rails['registry_enabled'] = true
-# gitlab_rails['registry_host'] = "registry.gitlab.example.com"
-# gitlab_rails['registry_port'] = "5005"
-# gitlab_rails['registry_path'] = "/var/opt/gitlab/gitlab-rails/shared/registry"
-
-# Notification secret, it's used to authenticate notification requests to GitLab application
-# You only need to change this when you use external Registry service, otherwise
-# it will be taken directly from notification settings of your Registry
-# gitlab_rails['registry_notification_secret'] = nil
-
-###! **Do not change the following 3 settings unless you know what you are
-###!   doing**
-# gitlab_rails['registry_api_url'] = "http://localhost:5000"
-# gitlab_rails['registry_key_path'] = "/var/opt/gitlab/gitlab-rails/certificate.key"
-# gitlab_rails['registry_issuer'] = "omnibus-gitlab-issuer"
-
-### Settings used by Registry application
-# registry['enable'] = true
-# registry['username'] = "registry"
-# registry['group'] = "registry"
-# registry['uid'] = nil
-# registry['gid'] = nil
-# registry['dir'] = "/var/opt/gitlab/registry"
-# registry['registry_http_addr'] = "localhost:5000"
-# registry['debug_addr'] = "localhost:5001"
-# registry['log_directory'] = "/var/log/gitlab/registry"
-# registry['env_directory'] = "/opt/gitlab/etc/registry/env"
-# registry['env'] = {
-#   'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"
-# }
-# registry['log_level'] = "info"
-# registry['log_formatter'] = "text"
-# registry['rootcertbundle'] = "/var/opt/gitlab/registry/certificate.crt"
-# registry['health_storagedriver_enabled'] = true
-# registry['storage_delete_enabled'] = true
-# registry['validation_enabled'] = false
-# registry['autoredirect'] = false
-# registry['compatibility_schema1_enabled'] = false
-
-### Registry backend storage
-###! Docs: https://docs.gitlab.com/ee/administration/container_registry.html#container-registry-storage-driver
-# registry['storage'] = {
-#   's3' => {
-#     'accesskey' => 'AKIAKIAKI',
-#     'secretkey' => 'secret123',
-#     'region' => 'us-east-1',
-#     'bucket' => 'gitlab-registry-bucket-AKIAKIAKI'
-#   }
-# }
-
-### Registry notifications endpoints
-# registry['notifications'] = [
-#   {
-#     'name' => 'test_endpoint',
-#     'url' => 'https://gitlab.example.com/notify2',
-#     'timeout' => '500ms',
-#     'threshold' => 5,
-#     'backoff' => '1s',
-#     'headers' => {
-#       "Authorization" => ["AUTHORIZATION_EXAMPLE_TOKEN"]
-#     }
-#   }
-# ]
-### Default registry notifications
-# registry['default_notifications_timeout'] = "500ms"
-# registry['default_notifications_threshold'] = 5
-# registry['default_notifications_backoff'] = "1s"
-# registry['default_notifications_headers'] = {}
-
-################################################################################
-## Error Reporting and Logging with Sentry
-################################################################################
-# gitlab_rails['sentry_enabled'] = false
-# gitlab_rails['sentry_dsn'] = 'https://<key>@sentry.io/<project>'
-# gitlab_rails['sentry_clientside_dsn'] = 'https://<key>@sentry.io/<project>'
-# gitlab_rails['sentry_environment'] = 'production'
-
-################################################################################
-## CI_JOB_JWT
-################################################################################
-##! RSA private key used to sign CI_JOB_JWT
-# gitlab_rails['ci_jwt_signing_key'] = nil # Will be generated if not set.
-
-################################################################################
-## GitLab Workhorse
-##! Docs: https://gitlab.com/gitlab-org/gitlab-workhorse/blob/master/README.md
-################################################################################
-
-# gitlab_workhorse['enable'] = true
-# gitlab_workhorse['ha'] = false
-# gitlab_workhorse['listen_network'] = "unix"
-# gitlab_workhorse['listen_umask'] = 000
-# gitlab_workhorse['listen_addr'] = "/var/opt/gitlab/gitlab-workhorse/socket"
-# gitlab_workhorse['auth_backend'] = "http://localhost:8080"
-
-##! the empty string is the default in gitlab-workhorse option parser
-# gitlab_workhorse['auth_socket'] = "''"
-
-##! put an empty string on the command line
-# gitlab_workhorse['pprof_listen_addr'] = "''"
-
-# gitlab_workhorse['prometheus_listen_addr'] = "localhost:9229"
-
-# gitlab_workhorse['dir'] = "/var/opt/gitlab/gitlab-workhorse"
-# gitlab_workhorse['log_directory'] = "/var/log/gitlab/gitlab-workhorse"
-# gitlab_workhorse['proxy_headers_timeout'] = "1m0s"
-
-##! limit number of concurrent API requests, defaults to 0 which is unlimited
-# gitlab_workhorse['api_limit'] = 0
-
-##! limit number of API requests allowed to be queued, defaults to 0 which
-##! disables queuing
-# gitlab_workhorse['api_queue_limit'] = 0
-
-##! duration after which we timeout requests if they sit too long in the queue
-# gitlab_workhorse['api_queue_duration'] = "30s"
-
-##! Long polling duration for job requesting for runners
-# gitlab_workhorse['api_ci_long_polling_duration'] = "60s"
-
-##! Log format: default is json, can also be text or none.
-# gitlab_workhorse['log_format'] = "json"
-
-# gitlab_workhorse['env_directory'] = "/opt/gitlab/etc/gitlab-workhorse/env"
-# gitlab_workhorse['env'] = {
-#   'PATH' => "/opt/gitlab/bin:/opt/gitlab/embedded/bin:/bin:/usr/bin",
-#   'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"
-# }
-
-################################################################################
-## GitLab User Settings
-##! Modify default git user.
-##! Docs: https://docs.gitlab.com/omnibus/settings/configuration.html#changing-the-name-of-the-git-user-group
-################################################################################
-
-# user['username'] = "git"
-# user['group'] = "git"
-# user['uid'] = nil
-# user['gid'] = nil
-
-##! The shell for the git user
-# user['shell'] = "/bin/sh"
-
-##! The home directory for the git user
-# user['home'] = "/var/opt/gitlab"
-
-# user['git_user_name'] = "GitLab"
-# user['git_user_email'] = "gitlab@#{node['fqdn']}"
-
-################################################################################
-## GitLab Unicorn
-##! Tweak unicorn settings.
-##! Docs: https://docs.gitlab.com/omnibus/settings/unicorn.html
-################################################################################
-
-# unicorn['enable'] = false
-# unicorn['worker_timeout'] = 60
-###! Minimum worker_processes is 2 at this moment
-###! See https://gitlab.com/gitlab-org/gitlab-foss/issues/18771
-# unicorn['worker_processes'] = 2
-
-### Advanced settings
-# unicorn['listen'] = 'localhost'
-# unicorn['port'] = 8080
-# unicorn['socket'] = '/var/opt/gitlab/gitlab-rails/sockets/gitlab.socket'
-# unicorn['pidfile'] = '/opt/gitlab/var/unicorn/unicorn.pid'
-# unicorn['tcp_nopush'] = true
-# unicorn['backlog_socket'] = 1024
-
-###! **Make sure somaxconn is equal or higher then backlog_socket**
-# unicorn['somaxconn'] = 1024
-
-###! **We do not recommend changing this setting**
-# unicorn['log_directory'] = "/var/log/gitlab/unicorn"
-
-### **Only change these settings if you understand well what they mean**
-###! Docs: https://docs.gitlab.com/ee/administration/operations/unicorn.html#unicorn-worker-killer
-###!       https://github.com/kzk/unicorn-worker-killer
-# unicorn['worker_memory_limit_min'] = "1024 * 1 << 20"
-# unicorn['worker_memory_limit_max'] = "1280 * 1 << 20"
-
-# unicorn['exporter_enabled'] = false
-# unicorn['exporter_address'] = "127.0.0.1"
-# unicorn['exporter_port'] = 8083
-
-################################################################################
-## GitLab Puma
-##! Tweak puma settings. You should only use Unicorn or Puma, not both.
-##! Docs: https://docs.gitlab.com/omnibus/settings/puma.html
-################################################################################
-
-# puma['enable'] = true
-# puma['ha'] = false
-# puma['worker_timeout'] = 60
-# puma['worker_processes'] = 2
-# puma['min_threads'] = 4
-# puma['max_threads'] = 4
-
-### Advanced settings
-# puma['listen'] = '127.0.0.1'
-# puma['port'] = 8080
-# puma['socket'] = '/var/opt/gitlab/gitlab-rails/sockets/gitlab.socket'
-# puma['pidfile'] = '/opt/gitlab/var/puma/puma.pid'
-# puma['state_path'] = '/opt/gitlab/var/puma/puma.state'
-
-###! **We do not recommend changing this setting**
-# puma['log_directory'] = "/var/log/gitlab/puma"
-
-### **Only change these settings if you understand well what they mean**
-###! Docs: https://github.com/schneems/puma_worker_killer
-# puma['per_worker_max_memory_mb'] = 850
-
-# puma['exporter_enabled'] = false
-# puma['exporter_address'] = "127.0.0.1"
-# puma['exporter_port'] = 8083
-
-################################################################################
-## GitLab Sidekiq
-################################################################################
-
-##! GitLab allows one to start multiple sidekiq processes. These
-##! processes can be used to consume a dedicated set of queues. This
-##! can be used to ensure certain queues are able to handle additional workload.
-##! https://docs.gitlab.com/ee/administration/operations/extra_sidekiq_processes.html
-
-# sidekiq['log_directory'] = "/var/log/gitlab/sidekiq"
-# sidekiq['log_format'] = "json"
-# sidekiq['shutdown_timeout'] = 4
-# sidekiq['cluster'] = true
-# sidekiq['experimental_queue_selector'] = false
-# sidekiq['interval'] = nil
-# sidekiq['max_concurrency'] = 50
-# sidekiq['min_concurrency'] = nil
-
-##! Each entry in the queue_groups array denotes a group of queues that have to be processed by a
-##! Sidekiq process. Multiple queues can be processed by the same process by
-##! separating them with a comma within the group entry, a `*` will process all queues
-
-# sidekiq['queue_groups'] = ['*']
-
-##! If negate is enabled then sidekiq-cluster will process all the queues that
-##! don't match those in queue_groups.
-
-# sidekiq['negate'] = false
-
-# sidekiq['metrics_enabled'] = true
-# sidekiq['listen_address'] = "localhost"
-# sidekiq['listen_port'] = 8082
-
-################################################################################
-## gitlab-shell
-################################################################################
-
-# gitlab_shell['audit_usernames'] = false
-# gitlab_shell['log_level'] = 'INFO'
-# gitlab_shell['log_format'] = 'json'
-# gitlab_shell['http_settings'] = { user: 'username', password: 'password', ca_file: '/etc/ssl/cert.pem', ca_path: '/etc/pki/tls/certs', self_signed_cert: false}
-# gitlab_shell['log_directory'] = "/var/log/gitlab/gitlab-shell/"
-# gitlab_shell['custom_hooks_dir'] = "/opt/gitlab/embedded/service/gitlab-shell/hooks"
-
-# gitlab_shell['auth_file'] = "/var/opt/gitlab/.ssh/authorized_keys"
-
-### Migration to Go feature flags
-###! Docs: https://gitlab.com/gitlab-org/gitlab-shell#migration-to-go-feature-flags
-# gitlab_shell['migration'] = { enabled: true, features: [] }
-
-### Git trace log file.
-###! If set, git commands receive GIT_TRACE* environment variables
-###! Docs: https://git-scm.com/book/es/v2/Git-Internals-Environment-Variables#Debugging
-###! An absolute path starting with / – the trace output will be appended to
-###! that file. It needs to exist so we can check permissions and avoid
-###! throwing warnings to the users.
-# gitlab_shell['git_trace_log_file'] = "/var/log/gitlab/gitlab-shell/gitlab-shell-git-trace.log"
-
-##! **We do not recommend changing this directory.**
-# gitlab_shell['dir'] = "/var/opt/gitlab/gitlab-shell"
-
-################################################################
-## GitLab PostgreSQL
-################################################################
-
-###! Changing any of these settings requires a restart of postgresql.
-###! By default, reconfigure reloads postgresql if it is running. If you
-###! change any of these settings, be sure to run `gitlab-ctl restart postgresql`
-###! after reconfigure in order for the changes to take effect.
-postgresql['enable'] = false
-# postgresql['listen_address'] = nil
-# postgresql['port'] = 5432
-
-## Only used when Patroni is enabled. This is the port that PostgreSQL responds to other
-## cluster members. This port is used by Patroni to advertize the PostgreSQL connection
-## endpoint to the cluster. By default it is the same as postgresql['port'].
-# postgresql['connect_port'] = 5432
-
-# postgresql['data_dir'] = "/var/opt/gitlab/postgresql/data"
-
-##! **recommend value is 1/4 of total RAM, up to 14GB.**
-# postgresql['shared_buffers'] = "256MB"
-
-### Advanced settings
-# postgresql['ha'] = false
-# postgresql['dir'] = "/var/opt/gitlab/postgresql"
-# postgresql['log_directory'] = "/var/log/gitlab/postgresql"
-# postgresql['log_destination'] = nil
-# postgresql['logging_collector'] = nil
-# postgresql['log_truncate_on_rotation'] = nil
-# postgresql['log_rotation_age'] = nil
-# postgresql['log_rotation_size'] = nil
-# postgresql['username'] = "gitlab-psql"
-# postgresql['group'] = "gitlab-psql"
-##! `SQL_USER_PASSWORD_HASH` can be generated using the command `gitlab-ctl pg-password-md5 gitlab`
-# postgresql['sql_user_password'] = 'SQL_USER_PASSWORD_HASH'
-# postgresql['uid'] = nil
-# postgresql['gid'] = nil
-# postgresql['shell'] = "/bin/sh"
-# postgresql['home'] = "/var/opt/gitlab/postgresql"
-# postgresql['user_path'] = "/opt/gitlab/embedded/bin:/opt/gitlab/bin:$PATH"
-# postgresql['sql_user'] = "gitlab"
-# postgresql['max_connections'] = 200
-# postgresql['md5_auth_cidr_addresses'] = []
-# postgresql['trust_auth_cidr_addresses'] = []
-# postgresql['wal_buffers'] = "-1"
-# postgresql['autovacuum_max_workers'] = "3"
-# postgresql['autovacuum_freeze_max_age'] = "200000000"
-# postgresql['log_statement'] = nil
-# postgresql['track_activity_query_size'] = "1024"
-# postgresql['shared_preload_libraries'] = nil
-# postgresql['dynamic_shared_memory_type'] = nil
-# postgresql['hot_standby'] = "off"
-
-### SSL settings
-# See https://www.postgresql.org/docs/11/static/runtime-config-connection.html#GUC-SSL-CERT-FILE for more details
-# postgresql['ssl'] = 'on'
-# postgresql['hostssl'] = false
-# postgresql['ssl_ciphers'] = 'HIGH:MEDIUM:+3DES:!aNULL:!SSLv3:!TLSv1'
-# postgresql['ssl_cert_file'] = 'server.crt'
-# postgresql['ssl_key_file'] = 'server.key'
-# postgresql['ssl_ca_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
-# postgresql['ssl_crl_file'] = nil
-
-### Replication settings
-###! Note, some replication settings do not require a full restart. They are documented below.
-# postgresql['wal_level'] = "hot_standby"
-# postgresql['max_wal_senders'] = 5
-# postgresql['max_replication_slots'] = 0
-# postgresql['max_locks_per_transaction'] = 128
-
-# Backup/Archive settings
-# postgresql['archive_mode'] = "off"
-
-###! Changing any of these settings only requires a reload of postgresql. You do not need to
-###! restart postgresql if you change any of these and run reconfigure.
-# postgresql['work_mem'] = "16MB"
-# postgresql['maintenance_work_mem'] = "16MB"
-# postgresql['checkpoint_segments'] = 10
-# postgresql['checkpoint_timeout'] = "5min"
-# postgresql['checkpoint_completion_target'] = 0.9
-# postgresql['effective_io_concurrency'] = 1
-# postgresql['checkpoint_warning'] = "30s"
-# postgresql['effective_cache_size'] = "1MB"
-# postgresql['shmmax'] =  17179869184 # or 4294967295
-# postgresql['shmall'] =  4194304 # or 1048575
-# postgresql['autovacuum'] = "on"
-# postgresql['log_autovacuum_min_duration'] = "-1"
-# postgresql['autovacuum_naptime'] = "1min"
-# postgresql['autovacuum_vacuum_threshold'] = "50"
-# postgresql['autovacuum_analyze_threshold'] = "50"
-# postgresql['autovacuum_vacuum_scale_factor'] = "0.02"
-# postgresql['autovacuum_analyze_scale_factor'] = "0.01"
-# postgresql['autovacuum_vacuum_cost_delay'] = "20ms"
-# postgresql['autovacuum_vacuum_cost_limit'] = "-1"
-# postgresql['statement_timeout'] = "60000"
-# postgresql['idle_in_transaction_session_timeout'] = "60000"
-# postgresql['log_line_prefix'] = "%a"
-# postgresql['max_worker_processes'] = 8
-# postgresql['max_parallel_workers_per_gather'] = 0
-# postgresql['log_lock_waits'] = 1
-# postgresql['deadlock_timeout'] = '5s'
-# postgresql['track_io_timing'] = 0
-# postgresql['default_statistics_target'] = 1000
-
-### Available in PostgreSQL 9.6 and later
-# postgresql['min_wal_size'] = 80MB
-# postgresql['max_wal_size'] = 1GB
-
-# Backup/Archive settings
-# postgresql['archive_command'] = nil
-# postgresql['archive_timeout'] = "0"
-
-### Replication settings
-# postgresql['sql_replication_user'] = "gitlab_replicator"
-# postgresql['sql_replication_password'] = "md5 hash of postgresql password" # You can generate with `gitlab-ctl pg-password-md5 <dbuser>`
-# postgresql['wal_keep_segments'] = 10
-# postgresql['max_standby_archive_delay'] = "30s"
-# postgresql['max_standby_streaming_delay'] = "30s"
-# postgresql['synchronous_commit'] = on
-# postgresql['synchronous_standby_names'] = ''
-# postgresql['hot_standby_feedback'] = 'off'
-# postgresql['random_page_cost'] = 2.0
-# postgresql['log_temp_files'] = -1
-# postgresql['log_checkpoints'] = 'off'
-# To add custom entries to pg_hba.conf use the following
-# postgresql['custom_pg_hba_entries'] = {
-#   APPLICATION: [ # APPLICATION should identify what the settings are used for
-#     {
-#       type: example,
-#       database: example,
-#       user: example,
-#       cidr: example,
-#       method: example,
-#       option: example
-#     }
-#   ]
-# }
-# See https://www.postgresql.org/docs/11/static/auth-pg-hba-conf.html for an explanation
-# of the values
-
-### Version settings
-# Set this if you have disabled the bundled PostgreSQL but still want to use the backup rake tasks
-# postgresql['version'] = 10
-
-################################################################################
-## GitLab Redis
-##! **Can be disabled if you are using your own Redis instance.**
-##! Docs: https://docs.gitlab.com/omnibus/settings/redis.html
-################################################################################
-
-# redis['enable'] = true
-# redis['ha'] = false
-# redis['hz'] = 10
-# redis['dir'] = "/var/opt/gitlab/redis"
-# redis['log_directory'] = "/var/log/gitlab/redis"
-# redis['username'] = "gitlab-redis"
-# redis['group'] = "gitlab-redis"
-# redis['maxclients'] = "10000"
-# redis['maxmemory'] = "0"
-# redis['maxmemory_policy'] = "noeviction"
-# redis['maxmemory_samples'] = "5"
-# redis['tcp_backlog'] = 511
-# redis['tcp_timeout'] = "60"
-# redis['tcp_keepalive'] = "300"
-# redis['uid'] = nil
-# redis['gid'] = nil
-
-### Disable or obfuscate unnecessary redis command names
-### Uncomment and edit this block to add or remove entries.
-### See https://docs.gitlab.com/omnibus/settings/redis.html#renamed-commands
-### for detailed usage
-###
-# redis['rename_commands'] = {
-#   'KEYS': ''
-#}
-#
-
-###! **To enable only Redis service in this machine, uncomment
-###!   one of the lines below (choose master or replica instance types).**
-###! Docs: https://docs.gitlab.com/omnibus/settings/redis.html
-###!       https://docs.gitlab.com/ee/administration/high_availability/redis.html
-# redis_master_role['enable'] = true
-# redis_replica_role['enable'] = true
-
-### Redis TCP support (will disable UNIX socket transport)
-# redis['bind'] = '0.0.0.0' # or specify an IP to bind to a single one
-# redis['port'] = 6379
-# redis['password'] = 'redis-password-goes-here'
-
-### Redis Sentinel support
-###! **You need a master replica Redis replication to be able to do failover**
-###! **Please read the documentation before enabling it to understand the
-###!   caveats:**
-###! Docs: https://docs.gitlab.com/ee/administration/high_availability/redis.html
-
-### Replication support
-#### Replica Redis instance
-# redis['master'] = false # by default this is true
-
-#### Replica and Sentinel shared configuration
-####! **Both need to point to the master Redis instance to get replication and
-####!   heartbeat monitoring**
-# redis['master_name'] = 'gitlab-redis'
-# redis['master_ip'] = nil
-# redis['master_port'] = 6379
-
-#### Support to run redis replicas in a Docker or NAT environment
-####! Docs: https://redis.io/topics/replication#configuring-replication-in-docker-and-nat
-# redis['announce_ip'] = nil
-# redis['announce_port'] = nil
-
-####! **Master password should have the same value defined in
-####!   redis['password'] to enable the instance to transition to/from
-####!   master/replica in a failover event.**
-# redis['master_password'] = 'redis-password-goes-here'
-
-####! Increase these values when your replicas can't catch up with master
-# redis['client_output_buffer_limit_normal'] = '0 0 0'
-# redis['client_output_buffer_limit_replica'] = '256mb 64mb 60'
-# redis['client_output_buffer_limit_pubsub'] = '32mb 8mb 60'
-
-#####! Redis snapshotting frequency
-#####! Set to [] to disable
-#####! Set to [''] to clear previously set values
-# redis['save'] = [ '900 1', '300 10', '60 10000' ]
-
-#####! Redis lazy freeing
-#####! Defaults to false
-# redis['lazyfree_lazy_eviction'] = true
-# redis['lazyfree_lazy_expire'] = true
-# redis['lazyfree_lazy_server_del'] = true
-# redis['replica_lazy_flush'] = true
-
-################################################################################
-## GitLab Web server
-##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#using-a-non-bundled-web-server
-################################################################################
-
-##! When bundled nginx is disabled we need to add the external webserver user to
-##! the GitLab webserver group.
-# web_server['external_users'] = []
-# web_server['username'] = 'gitlab-www'
-# web_server['group'] = 'gitlab-www'
-# web_server['uid'] = nil
-# web_server['gid'] = nil
-# web_server['shell'] = '/bin/false'
-# web_server['home'] = '/var/opt/gitlab/nginx'
-
-################################################################################
-## GitLab NGINX
-##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html
-################################################################################
-
-# nginx['enable'] = true
-nginx['client_max_body_size'] = '1g'
-nginx['redirect_http_to_https'] = false
-# nginx['redirect_http_to_https_port'] = 80
-
-##! Most root CA's are included by default
-# nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt"
-
-##! enable/disable 2-way SSL client authentication
-# nginx['ssl_verify_client'] = "off"
-
-##! if ssl_verify_client on, verification depth in the client certificates chain
-# nginx['ssl_verify_depth'] = "1"
-
-# nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
-# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
-# nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256"
-# nginx['ssl_prefer_server_ciphers'] = "on"
-
-##! **Recommended by: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
-##!                   https://cipherli.st/**
-# nginx['ssl_protocols'] = "TLSv1.2 TLSv1.3"
-
-##! **Recommended in: https://nginx.org/en/docs/http/ngx_http_ssl_module.html**
-# nginx['ssl_session_cache'] = "builtin:1000  shared:SSL:10m"
-
-##! **Default according to https://nginx.org/en/docs/http/ngx_http_ssl_module.html**
-# nginx['ssl_session_timeout'] = "5m"
-
-# nginx['ssl_dhparam'] = nil # Path to dhparams.pem, eg. /etc/gitlab/ssl/dhparams.pem
-# nginx['listen_addresses'] = ['*', '[::]']
-
-##! **Defaults to forcing web browsers to always communicate using only HTTPS**
-##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#setting-http-strict-transport-security
-# nginx['hsts_max_age'] = 31536000
-# nginx['hsts_include_subdomains'] = false
-
-##! Defaults to stripping path information when making cross-origin requests
-# nginx['referrer_policy'] = 'strict-origin-when-cross-origin'
-
-##! **Docs: http://nginx.org/en/docs/http/ngx_http_gzip_module.html**
-# nginx['gzip_enabled'] = true
-
-##! **Override only if you use a reverse proxy**
-##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#setting-the-nginx-listen-port
-nginx['listen_port'] = 80
-
-##! **Override only if your reverse proxy internally communicates over HTTP**
-##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#supporting-proxied-ssl
-nginx['listen_https'] = false
-
-# nginx['custom_gitlab_server_config'] = "location ^~ /foo-namespace/bar-project/raw/ {\n deny all;\n}\n"
-# nginx['custom_nginx_config'] = "include /etc/nginx/conf.d/example.conf;"
-# nginx['proxy_read_timeout'] = 3600
-# nginx['proxy_connect_timeout'] = 300
-# nginx['proxy_set_headers'] = {
-#  "Host" => "$http_host_with_default",
-#  "X-Real-IP" => "$remote_addr",
-#  "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
-#  "X-Forwarded-Proto" => "https",
-#  "X-Forwarded-Ssl" => "on",
-#  "Upgrade" => "$http_upgrade",
-#  "Connection" => "$connection_upgrade"
-# }
-# nginx['proxy_cache_path'] = 'proxy_cache keys_zone=gitlab:10m max_size=1g levels=1:2'
-# nginx['proxy_cache'] = 'gitlab'
-# nginx['http2_enabled'] = true
-# nginx['real_ip_trusted_addresses'] = []
-# nginx['real_ip_header'] = nil
-# nginx['real_ip_recursive'] = nil
-# nginx['custom_error_pages'] = {
-#   '404' => {
-#     'title' => 'Example title',
-#     'header' => 'Example header',
-#     'message' => 'Example message'
-#   }
-# }
-
-### Advanced settings
-# nginx['dir'] = "/var/opt/gitlab/nginx"
-# nginx['log_directory'] = "/var/log/gitlab/nginx"
-# nginx['worker_processes'] = 4
-# nginx['worker_connections'] = 10240
-# nginx['log_format'] = '$remote_addr - $remote_user [$time_local] "$request_method $filtered_request_uri $server_protocol" $status $body_bytes_sent "$filtered_http_referer" "$http_user_agent" $gzip_ratio'
-# nginx['sendfile'] = 'on'
-# nginx['tcp_nopush'] = 'on'
-# nginx['tcp_nodelay'] = 'on'
-# nginx['gzip'] = "on"
-# nginx['gzip_http_version'] = "1.0"
-# nginx['gzip_comp_level'] = "2"
-# nginx['gzip_proxied'] = "any"
-# nginx['gzip_types'] = [ "text/plain", "text/css", "application/x-javascript", "text/xml", "application/xml", "application/xml+rss", "text/javascript", "application/json" ]
-# nginx['keepalive_timeout'] = 65
-# nginx['cache_max_size'] = '5000m'
-# nginx['server_names_hash_bucket_size'] = 64
-##! These paths have proxy_request_buffering disabled
-# nginx['request_buffering_off_path_regex'] = "\.git/git-receive-pack$|\.git/info/refs?service=git-receive-pack$|\.git/gitlab-lfs/objects|\.git/info/lfs/objects/batch$"
-
-### Nginx status
-# nginx['status'] = {
-#  "enable" => true,
-#  "listen_addresses" => ["127.0.0.1"],
-#  "fqdn" => "dev.example.com",
-#  "port" => 9999,
-#  "vts_enable" => true,
-#  "options" => {
-#    "stub_status" => "on", # Turn on stats
-#    "server_tokens" => "off", # Don't show the version of NGINX
-#    "access_log" => "off", # Disable logs for stats
-#    "allow" => "127.0.0.1", # Only allow access from localhost
-#    "deny" => "all" # Deny access to anyone else
-#  }
-# }
-
-################################################################################
-## GitLab Logging
-##! Docs: https://docs.gitlab.com/omnibus/settings/logs.html
-################################################################################
-
-# logging['svlogd_size'] = 200 * 1024 * 1024 # rotate after 200 MB of log data
-# logging['svlogd_num'] = 30 # keep 30 rotated log files
-# logging['svlogd_timeout'] = 24 * 60 * 60 # rotate after 24 hours
-# logging['svlogd_filter'] = "gzip" # compress logs with gzip
-# logging['svlogd_udp'] = nil # transmit log messages via UDP
-# logging['svlogd_prefix'] = nil # custom prefix for log messages
-# logging['logrotate_frequency'] = "daily" # rotate logs daily
-# logging['logrotate_maxsize'] = nil # rotate logs when they grow bigger than size bytes even before the specified time interval (daily, weekly, monthly, or yearly)
-# logging['logrotate_size'] = nil # do not rotate by size by default
-# logging['logrotate_rotate'] = 30 # keep 30 rotated logs
-# logging['logrotate_compress'] = "compress" # see 'man logrotate'
-# logging['logrotate_method'] = "copytruncate" # see 'man logrotate'
-# logging['logrotate_postrotate'] = nil # no postrotate command by default
-# logging['logrotate_dateformat'] = nil # use date extensions for rotated files rather than numbers e.g. a value of "-%Y-%m-%d" would give rotated files like production.log-2016-03-09.gz
-
-### UDP log forwarding
-##! Docs: http://docs.gitlab.com/omnibus/settings/logs.html#udp-log-forwarding
-
-##! remote host to ship log messages to via UDP
-# logging['udp_log_shipping_host'] = nil
-
-##! override the hostname used when logs are shipped via UDP,
-##  by default the system hostname will be used.
-# logging['udp_log_shipping_hostname'] = nil
-
-##! remote port to ship log messages to via UDP
-# logging['udp_log_shipping_port'] = 514
-
-################################################################################
-## Logrotate
-##! Docs: https://docs.gitlab.com/omnibus/settings/logs.html#logrotate
-##! You can disable built in logrotate feature.
-################################################################################
-# logrotate['enable'] = true
-# logrotate['log_directory'] = "/var/log/gitlab/logrotate"
-
-################################################################################
-## Users and groups accounts
-##! Disable management of users and groups accounts.
-##! **Set only if creating accounts manually**
-##! Docs: https://docs.gitlab.com/omnibus/settings/configuration.html#disable-user-and-group-account-management
-################################################################################
-
-# manage_accounts['enable'] = false
-
-################################################################################
-## Storage directories
-##! Disable managing storage directories
-##! Docs: https://docs.gitlab.com/omnibus/settings/configuration.html#disable-storage-directories-management
-################################################################################
-
-##! **Set only if the select directories are created manually**
-# manage_storage_directories['enable'] = false
-# manage_storage_directories['manage_etc'] = false
-
-################################################################################
-## Runtime directory
-##! Docs: https://docs.gitlab.com//omnibus/settings/configuration.html#configuring-runtime-directory
-################################################################################
-
-# runtime_dir '/run'
-
-################################################################################
-## Git
-##! Advanced setting for configuring git system settings for omnibus-gitlab
-##! internal git
-################################################################################
-
-##! For multiple options under one header use array of comma separated values,
-##! eg.:
-##! { "receive" => ["fsckObjects = true"], "alias" => ["st = status", "co = checkout"] }
-
-# omnibus_gitconfig['system'] = {
-#  "pack" => ["threads = 1", "useSparse = true"],
-#  "receive" => ["fsckObjects = true", "advertisePushOptions = true"],
-#  "repack" => ["writeBitmaps = true"],
-#  "transfer" => ["hideRefs=^refs/tmp/", "hideRefs=^refs/keep-around/", "hideRefs=^refs/remotes/"],
-#  "core" => [
-#    'alternateRefsCommand="exit 0 #"',
-#    "fsyncObjectFiles = true"
-#  ],
-#  "fetch" => ["writeCommitGraph = true"]
-# }
-
-################################################################################
-## GitLab Pages
-##! Docs: https://docs.gitlab.com/ee/pages/administration.html
-################################################################################
-
-##! Define to enable GitLab Pages
-# pages_external_url "http://pages.example.com/"
-# gitlab_pages['enable'] = false
-
-##! Configure to expose GitLab Pages on external IP address, serving the HTTP
-# gitlab_pages['external_http'] = []
-
-##! Configure to expose GitLab Pages on external IP address, serving the HTTPS
-# gitlab_pages['external_https'] = []
-
-##! Configure to use the default list of cipher suites
-# gitlab_pages['insecure_ciphers'] = false
-
-##! Configure to enable health check endpoint on GitLab Pages
-# gitlab_pages['status_uri'] = "/@status"
-
-##! Tune the maximum number of concurrent connections GitLab Pages will handle.
-##! This should be in the range 1 - 10000, defaulting to 5000.
-# gitlab_pages['max_connections'] = 5000
-
-##! Configure to use JSON structured logging in GitLab Pages
-# gitlab_pages['log_format'] = "json"
-
-##! Configure verbose logging for GitLab Pages
-# gitlab_pages['log_verbose'] = false
-
-##! Error Reporting and Logging with Sentry
-# gitlab_pages['sentry_enabled'] = false
-# gitlab_pages['sentry_dsn'] = 'https://<key>@sentry.io/<project>'
-# gitlab_pages['sentry_environment'] = 'production'
-
-##! Listen for requests forwarded by reverse proxy
-# gitlab_pages['listen_proxy'] = "localhost:8090"
-
-# gitlab_pages['redirect_http'] = true
-# gitlab_pages['use_http2'] = true
-# gitlab_pages['dir'] = "/var/opt/gitlab/gitlab-pages"
-# gitlab_pages['log_directory'] = "/var/log/gitlab/gitlab-pages"
-
-# gitlab_pages['artifacts_server'] = true
-# gitlab_pages['artifacts_server_url'] = nil # Defaults to external_url + '/api/v4'
-# gitlab_pages['artifacts_server_timeout'] = 10
-
-##! Environments that do not support bind-mounting should set this parameter to
-##! true. This is incompatible with the artifacts server
-# gitlab_pages['inplace_chroot'] = false
-
-##! Prometheus metrics for Pages docs: https://gitlab.com/gitlab-org/gitlab-pages/#enable-prometheus-metrics
-# gitlab_pages['metrics_address'] = ":9235"
-
-##! Specifies the minimum SSL/TLS version ("ssl3", "tls1.0", "tls1.1" or "tls1.2")
-# gitlab_pages['tls_min_version'] = "ssl3"
-
-##! Specifies the maximum SSL/TLS version ("ssl3", "tls1.0", "tls1.1" or "tls1.2")
-# gitlab_pages['tls_max_version'] = "tls1.2"
-
-##! Pages access control
-# gitlab_pages['access_control'] = false
-# gitlab_pages['gitlab_id'] = nil # Automatically generated if not present
-# gitlab_pages['gitlab_secret'] = nil # Generated if not present
-# gitlab_pages['auth_redirect_uri'] = nil # Defaults to projects subdomain of pages_external_url and + '/auth'
-# gitlab_pages['gitlab_server'] = nil # Defaults to external_url
-# gitlab_pages['internal_gitlab_server'] = nil # defaults to gitlab_server, can be changed to internal load balancer
-# gitlab_pages['auth_secret'] = nil # Generated if not present
-
-##! GitLab API HTTP client connection timeout
-# gitlab_pages['gitlab_client_http_timeout'] = "10s"
-
-##! GitLab API JWT Token expiry time"
-# gitlab_pages['gitlab_client_jwt_expiry'] = "30s"
-
-##! Define custom gitlab-pages HTTP headers for the whole instance
-# gitlab_pages['headers'] = []
-
-##! Shared secret used for authentication between Pages and GitLab
-# gitlab_pages['api_secret_key'] = nil # Will be generated if not set. Base64 encoded and exactly 32 bytes long.
-
-################################################################################
-## GitLab Pages NGINX
-################################################################################
-
-# All the settings defined in the "GitLab Nginx" section are also available in
-# this "GitLab Pages NGINX" section, using the key `pages_nginx`.  However,
-# those settings should be explicitly set. That is, settings given as
-# `nginx['some_setting']` WILL NOT be automatically replicated as
-# `pages_nginx['some_setting']` and should be set separately.
-
-# Below you can find settings that are exclusive to "GitLab Pages NGINX"
-# pages_nginx['enable'] = false
-
-# gitlab_rails['pages_path'] = "/var/opt/gitlab/gitlab-rails/shared/pages"
-
-################################################################################
-## GitLab CI
-##! Docs: https://docs.gitlab.com/ee/ci/quick_start/README.html
-################################################################################
-
-# gitlab_ci['gitlab_ci_all_broken_builds'] = true
-# gitlab_ci['gitlab_ci_add_pusher'] = true
-# gitlab_ci['builds_directory'] = '/var/opt/gitlab/gitlab-ci/builds'
-
-################################################################################
-## GitLab Mattermost
-##! Docs: https://docs.gitlab.com/omnibus/gitlab-mattermost
-################################################################################
-
-# mattermost_external_url 'http://mattermost.example.com'
-
-# mattermost['enable'] = false
-# mattermost['username'] = 'mattermost'
-# mattermost['group'] = 'mattermost'
-# mattermost['uid'] = nil
-# mattermost['gid'] = nil
-# mattermost['home'] = '/var/opt/gitlab/mattermost'
-# mattermost['database_name'] = 'mattermost_production'
-# mattermost['env'] = {
-#   'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"
-# }
-# mattermost['service_address'] = "127.0.0.1"
-# mattermost['service_port'] = "8065"
-# mattermost['service_site_url'] = nil
-# mattermost['service_allowed_untrusted_internal_connections'] = ""
-# mattermost['service_enable_api_team_deletion'] = true
-# mattermost['team_site_name'] = "GitLab Mattermost"
-# mattermost['sql_driver_name'] = 'mysql'
-# mattermost['sql_data_source'] = "mmuser:mostest@tcp(dockerhost:3306)/mattermost_test?charset=utf8mb4,utf8"
-# mattermost['log_file_directory'] = '/var/log/gitlab/mattermost/'
-# mattermost['gitlab_enable'] = false
-# mattermost['gitlab_id'] = "12345656"
-# mattermost['gitlab_secret'] = "123456789"
-# mattermost['gitlab_scope'] = ""
-# mattermost['gitlab_auth_endpoint'] = "http://gitlab.example.com/oauth/authorize"
-# mattermost['gitlab_token_endpoint'] = "http://gitlab.example.com/oauth/token"
-# mattermost['gitlab_user_api_endpoint'] = "http://gitlab.example.com/api/v4/user"
-# mattermost['file_directory'] = "/var/opt/gitlab/mattermost/data"
-# mattermost['plugin_directory'] = "/var/opt/gitlab/mattermost/plugins"
-# mattermost['plugin_client_directory'] = "/var/opt/gitlab/mattermost/client-plugins"
-
-################################################################################
-## Mattermost NGINX
-################################################################################
-
-# All the settings defined in the "GitLab Nginx" section are also available in
-# this "Mattermost NGINX" section, using the key `mattermost_nginx`.  However,
-# those settings should be explicitly set. That is, settings given as
-# `nginx['some_setting']` WILL NOT be automatically replicated as
-# `mattermost_nginx['some_setting']` and should be set separately.
-
-# Below you can find settings that are exclusive to "Mattermost NGINX"
-# mattermost_nginx['enable'] = false
-
-# mattermost_nginx['custom_gitlab_mattermost_server_config'] = "location ^~ /foo-namespace/bar-project/raw/ {\n deny all;\n}\n"
-# mattermost_nginx['proxy_set_headers'] = {
-#   "Host" => "$http_host",
-#   "X-Real-IP" => "$remote_addr",
-#   "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
-#   "X-Frame-Options" => "SAMEORIGIN",
-#   "X-Forwarded-Proto" => "https",
-#   "X-Forwarded-Ssl" => "on",
-#   "Upgrade" => "$http_upgrade",
-#   "Connection" => "$connection_upgrade"
-# }
-
-
-################################################################################
-## Registry NGINX
-################################################################################
-
-# All the settings defined in the "GitLab Nginx" section are also available in
-# this "Registry NGINX" section, using the key `registry_nginx`.  However, those
-# settings should be explicitly set. That is, settings given as
-# `nginx['some_setting']` WILL NOT be automatically replicated as
-# `registry_nginx['some_setting']` and should be set separately.
-
-# Below you can find settings that are exclusive to "Registry NGINX"
-# registry_nginx['enable'] = false
-
-# registry_nginx['proxy_set_headers'] = {
-#  "Host" => "$http_host",
-#  "X-Real-IP" => "$remote_addr",
-#  "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
-#  "X-Forwarded-Proto" => "https",
-#  "X-Forwarded-Ssl" => "on"
-# }
-
-# When the registry is automatically enabled using the same domain as `external_url`,
-# it listens on this port
-# registry_nginx['listen_port'] = 5050
-
-################################################################################
-## Prometheus
-##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/
-################################################################################
-
-###! **To enable only Monitoring service in this machine, uncomment
-###!   the line below.**
-###! Docs: https://docs.gitlab.com/ee/administration/high_availability
-# monitoring_role['enable'] = true
-
-# prometheus['enable'] = true
-# prometheus['monitor_kubernetes'] = true
-# prometheus['username'] = 'gitlab-prometheus'
-# prometheus['group'] = 'gitlab-prometheus'
-# prometheus['uid'] = nil
-# prometheus['gid'] = nil
-# prometheus['shell'] = '/bin/sh'
-# prometheus['home'] = '/var/opt/gitlab/prometheus'
-# prometheus['log_directory'] = '/var/log/gitlab/prometheus'
-# prometheus['rules_files'] = ['/var/opt/gitlab/prometheus/rules/*.rules']
-# prometheus['scrape_interval'] = 15
-# prometheus['scrape_timeout'] = 15
-# prometheus['env_directory'] = '/opt/gitlab/etc/prometheus/env'
-# prometheus['env'] = {
-#   'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"
-# }
-#
-### Custom scrape configs
-#
-# Prometheus can scrape additional jobs via scrape_configs.  The default automatically
-# includes all of the exporters supported by the omnibus config.
-#
-# See: https://prometheus.io/docs/operating/configuration/#<scrape_config>
-#
-# Example:
-#
-# prometheus['scrape_configs'] = [
-#   {
-#     'job_name': 'example',
-#     'static_configs' => [
-#       'targets' => ['hostname:port'],
-#     ],
-#   },
-# ]
-#
-### Custom alertmanager config
-#
-# To configure external alertmanagers, create an alertmanager config.
-#
-# See: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alertmanager_config
-#
-# prometheus['alertmanagers'] = [
-#   {
-#     'static_configs' => [
-#       {
-#         'targets' => [
-#           'hostname:port'
-#         ]
-#       }
-#     ]
-#   }
-# ]
-#
-### Custom Prometheus flags
-#
-# prometheus['flags'] = {
-#   'storage.tsdb.path' => "/var/opt/gitlab/prometheus/data",
-#   'storage.tsdb.retention.time' => "15d",
-#   'config.file' => "/var/opt/gitlab/prometheus/prometheus.yml"
-# }
-
-##! Advanced settings. Should be changed only if absolutely needed.
-# prometheus['listen_address'] = 'localhost:9090'
-#
-
-################################################################################
-###! **Only needed if Prometheus and Rails are not on the same server.**
-### For example, in a multi-node architecture, Prometheus will be installed on the monitoring node, while Rails will be on the Rails node.
-### https://docs.gitlab.com/ee/administration/monitoring/prometheus/index.html#using-an-external-prometheus-server
-### This value should be the address at which Prometheus is available to GitLab Rails(Puma/Unicorn, Sidekiq) node.
-################################################################################
-# gitlab_rails['prometheus_address'] = 'your.prom:9090'
-
-################################################################################
-## Prometheus Alertmanager
-################################################################################
-
-# alertmanager['enable'] = true
-# alertmanager['home'] = '/var/opt/gitlab/alertmanager'
-# alertmanager['log_directory'] = '/var/log/gitlab/alertmanager'
-# alertmanager['admin_email'] = 'admin@example.com'
-# alertmanager['flags'] = {
-#   'web.listen-address' => "localhost:9093"
-#   'storage.path' => "/var/opt/gitlab/alertmanager/data"
-#   'config.file' => "/var/opt/gitlab/alertmanager/alertmanager.yml"
-# }
-# alertmanager['env_directory'] = '/opt/gitlab/etc/alertmanager/env'
-# alertmanager['env'] = {
-#   'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"
-# }
-
-##! Advanced settings. Should be changed only if absolutely needed.
-# alertmanager['listen_address'] = 'localhost:9093'
-# alertmanager['global'] = {}
-
-################################################################################
-## Prometheus Node Exporter
-##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/node_exporter.html
-################################################################################
-
-# node_exporter['enable'] = true
-# node_exporter['home'] = '/var/opt/gitlab/node-exporter'
-# node_exporter['log_directory'] = '/var/log/gitlab/node-exporter'
-# node_exporter['flags'] = {
-#   'collector.textfile.directory' => "/var/opt/gitlab/node-exporter/textfile_collector"
-# }
-# node_exporter['env_directory'] = '/opt/gitlab/etc/node-exporter/env'
-# node_exporter['env'] = {
-#   'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"
-# }
-
-##! Advanced settings. Should be changed only if absolutely needed.
-# node_exporter['listen_address'] = 'localhost:9100'
-
-################################################################################
-## Prometheus Redis exporter
-##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/redis_exporter.html
-################################################################################
-
-# redis_exporter['enable'] = true
-# redis_exporter['log_directory'] = '/var/log/gitlab/redis-exporter'
-# redis_exporter['flags'] = {
-#   'redis.addr' => "unix:///var/opt/gitlab/redis/redis.socket",
-# }
-# redis_exporter['env_directory'] = '/opt/gitlab/etc/redis-exporter/env'
-# redis_exporter['env'] = {
-#   'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"
-# }
-
-##! Advanced settings. Should be changed only if absolutely needed.
-# redis_exporter['listen_address'] = 'localhost:9121'
-
-################################################################################
-## Prometheus Postgres exporter
-##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/postgres_exporter.html
-################################################################################
-
-# postgres_exporter['enable'] = true
-# postgres_exporter['home'] = '/var/opt/gitlab/postgres-exporter'
-# postgres_exporter['log_directory'] = '/var/log/gitlab/postgres-exporter'
-# postgres_exporter['flags'] = {}
-# postgres_exporter['listen_address'] = 'localhost:9187'
-# postgres_exporter['env_directory'] = '/opt/gitlab/etc/postgres-exporter/env'
-# postgres_exporter['env'] = {
-#   'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"
-# }
-# postgres_exporter['sslmode'] = nil
-
-################################################################################
-## Prometheus PgBouncer exporter (EE only)
-##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/pgbouncer_exporter.html
-################################################################################
-
-# pgbouncer_exporter['enable'] = false
-# pgbouncer_exporter['log_directory'] = "/var/log/gitlab/pgbouncer-exporter"
-# pgbouncer_exporter['listen_address'] = 'localhost:9188'
-# pgbouncer_exporter['env_directory'] = '/opt/gitlab/etc/pgbouncer-exporter/env'
-# pgbouncer_exporter['env'] = {
-#   'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"
-# }
-
-################################################################################
-## Prometheus Gitlab exporter
-##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/gitlab_exporter.html
-################################################################################
-
-
-# gitlab_exporter['enable'] = true
-# gitlab_exporter['log_directory'] = "/var/log/gitlab/gitlab-exporter"
-# gitlab_exporter['home'] = "/var/opt/gitlab/gitlab-exporter"
-
-##! Advanced settings. Should be changed only if absolutely needed.
-# gitlab_exporter['listen_address'] = 'localhost'
-# gitlab_exporter['listen_port'] = '9168'
-
-##! Manage gitlab-exporter sidekiq probes. false by default when Sentinels are
-##! found.
-# gitlab_exporter['probe_sidekiq'] = true
-
-# To completely disable prometheus, and all of it's exporters, set to false
-# prometheus_monitoring['enable'] = true
-
-################################################################################
-## Grafana Dashboards
-##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/#prometheus-as-a-grafana-data-source
-################################################################################
-
-# grafana['enable'] = true
-# grafana['log_directory'] = '/var/log/gitlab/grafana'
-# grafana['home'] = '/var/opt/gitlab/grafana'
-# grafana['admin_password'] = 'admin'
-# grafana['allow_user_sign_up'] = false
-# grafana['basic_auth_enabled'] = false
-# grafana['disable_login_form'] = true
-# grafana['gitlab_application_id'] = 'GITLAB_APPLICATION_ID'
-# grafana['gitlab_secret'] = 'GITLAB_SECRET'
-# grafana['env_directory'] = '/opt/gitlab/etc/grafana/env'
-# grafana['allowed_groups'] = []
-# grafana['gitlab_auth_sign_up'] = true
-# grafana['env'] = {
-#   'SSL_CERT_DIR' => "#{node['package']['install-dir']}/embedded/ssl/certs/"
-# }
-# grafana['metrics_enabled'] = false
-# grafana['metrics_basic_auth_username'] = 'grafana_metrics' # default: nil
-# grafana['metrics_basic_auth_password'] = 'please_set_a_unique_password' # default: nil
-# grafana['alerting_enabled'] = false
-
-### Dashboards
-#
-# See: http://docs.grafana.org/administration/provisioning/#dashboards
-#
-# NOTE: Setting this will override the default.
-#
-# grafana['dashboards'] = [
-#   {
-#     'name' => 'GitLab Omnibus',
-#     'orgId' => 1,
-#     'folder' => 'GitLab Omnibus',
-#     'type' => 'file',
-#     'disableDeletion' => true,
-#     'updateIntervalSeconds' => 600,
-#     'options' => {
-#       'path' => '/opt/gitlab/embedded/service/grafana-dashboards',
-#     }
-#   }
-# ]
-
-### Datasources
-#
-# See: http://docs.grafana.org/administration/provisioning/#example-datasource-config-file
-#
-# NOTE: Setting this will override the default.
-#
-# grafana['datasources'] = [
-#   {
-#     'name' => 'GitLab Omnibus',
-#     'type' => 'prometheus',
-#     'access' => 'proxy',
-#     'url' => 'http://localhost:9090'
-#   }
-# ]
-
-##! Advanced settings. Should be changed only if absolutely needed.
-# grafana['http_addr'] = 'localhost'
-# grafana['http_port'] = 3000
-
-################################################################################
-## Gitaly
-##! Docs:
-################################################################################
-
-# The gitaly['enable'] option exists for the purpose of cluster
-# deployments, see https://docs.gitlab.com/ee/administration/gitaly/index.html .
-# gitaly['enable'] = true
-# gitaly['dir'] = "/var/opt/gitlab/gitaly"
-# gitaly['log_directory'] = "/var/log/gitlab/gitaly"
-# gitaly['bin_path'] = "/opt/gitlab/embedded/bin/gitaly"
-# gitaly['env_directory'] = "/opt/gitlab/etc/gitaly/env"
-# gitaly['env'] = {
-#  'PATH' => "/opt/gitlab/bin:/opt/gitlab/embedded/bin:/bin:/usr/bin",
-#  'HOME' => '/var/opt/gitlab',
-#  'TZ' => ':/etc/localtime',
-#  'PYTHONPATH' => "/opt/gitlab/embedded/lib/python3.7/site-packages",
-#  'ICU_DATA' => "/opt/gitlab/embedded/share/icu/current",
-#  'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/",
-#  'WRAPPER_JSON_LOGGING' => true
-# }
-
-##! internal_socket_dir is the directory that will contain internal gitaly sockets,
-##! separate from socket_path which is the socket that external clients listen on
-
-# gitaly['internal_socket_dir'] = "/var/opt/gitlab/gitaly"
-# gitaly['socket_path'] = "/var/opt/gitlab/gitaly/gitaly.socket"
-# gitaly['listen_addr'] = "localhost:8075"
-# gitaly['tls_listen_addr'] = "localhost:9075"
-# gitaly['certificate_path'] = "/var/opt/gitlab/gitaly/certificate.pem"
-# gitaly['key_path'] = "/var/opt/gitlab/gitaly/key.pem"
-# gitaly['prometheus_listen_addr'] = "localhost:9236"
-# gitaly['logging_level'] = "warn"
-# gitaly['logging_format'] = "json"
-# gitaly['logging_sentry_dsn'] = "https://<key>:<secret>@sentry.io/<project>"
-# gitaly['logging_ruby_sentry_dsn'] = "https://<key>:<secret>@sentry.io/<project>"
-# gitaly['logging_sentry_environment'] = "production"
-# gitaly['prometheus_grpc_latency_buckets'] = "[0.001, 0.005, 0.025, 0.1, 0.5, 1.0, 10.0, 30.0, 60.0, 300.0, 1500.0]"
-# gitaly['auth_token'] = '<secret>'
-# gitaly['auth_transitioning'] = false # When true, auth is logged to Prometheus but NOT enforced
-# gitaly['graceful_restart_timeout'] = '1m' # Grace time for a gitaly process to finish ongoing requests
-# gitaly['git_catfile_cache_size'] = 100 # Number of 'git cat-file' processes kept around for re-use
-# gitaly['open_files_ulimit'] = 15000 # Maximum number of open files allowed for the gitaly process
-# gitaly['ruby_max_rss'] = 300000000 # RSS threshold in bytes for triggering a gitaly-ruby restart
-# gitaly['ruby_graceful_restart_timeout'] = '10m' # Grace time for a gitaly-ruby process to finish ongoing requests
-# gitaly['ruby_restart_delay'] = '5m' # Period of sustained high RSS that needs to be observed before restarting gitaly-ruby
-# gitaly['ruby_rugged_git_config_search_path'] = "/opt/gitlab/embedded/etc" # Location of system-wide gitconfig file
-# gitaly['ruby_num_workers'] = 3 # Number of gitaly-ruby worker processes. Minimum 2, default 2.
-# gitaly['concurrency'] = [
-#   {
-#     'rpc' => "/gitaly.SmartHTTPService/PostReceivePack",
-#     'max_per_repo' => 20
-#   }, {
-#     'rpc' => "/gitaly.SSHService/SSHUploadPack",
-#     'max_per_repo' => 5
-#   }
-# ]
-
-################################################################################
-## Praefect
-##! Docs: https://gitlab.com/gitlab-org/gitaly/blob/master/doc/design_ha.md
-################################################################################
-
-# praefect['enable'] = false
-# praefect['dir'] = "/var/opt/gitlab/praefect"
-# praefect['log_directory'] = "/var/log/gitlab/praefect"
-# praefect['env_directory'] = "/opt/gitlab/etc/praefect/env"
-# praefect['env'] = {
-#  'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/",
-#  'GITALY_PID_FILE' => "/var/opt/gitlab/praefect/praefect.pid",
-#  'WRAPPER_JSON_LOGGING' => true
-# }
-# praefect['wrapper_path'] = "/opt/gitlab/embedded/bin/gitaly-wrapper"
-# praefect['virtual_storage_name'] = "praefect"
-# praefect['failover_enabled'] = false
-# praefect['failover_election_strategy'] = 'sql'
-# praefect['failover_read_only_after_failover'] = true
-# praefect['auth_token'] = ""
-# praefect['auth_transitioning'] = false
-# praefect['listen_addr'] = "localhost:2305"
-# praefect['tls_listen_addr'] = "localhost:3305"
-# praefect['certificate_path'] = "/var/opt/gitlab/prafect/certificate.pem"
-# praefect['key_path'] = "/var/opt/gitlab/prafect/key.pem"
-# praefect['prometheus_listen_addr'] = "localhost:9652"
-# praefect['prometheus_grpc_latency_buckets'] = "[0.001, 0.005, 0.025, 0.1, 0.5, 1.0, 10.0, 30.0, 60.0, 300.0, 1500.0]"
-# praefect['logging_level'] = "warn"
-# praefect['logging_format'] = "json"
-# praefect['virtual_storages'] = {
-#   'default' => {
-#     'praefect-internal-0' => {
-#       'address' => 'tcp://10.23.56.78:8075',
-#       'token' => 'abc123'
-#     },
-#     'praefect-internal-1' => {
-#       'address' => 'tcp://10.76.23.31:8075',
-#       'token' => 'xyz456'
-#     }
-#   },
-#   'alternative' => {
-#     'praefect-internal-2' => {
-#       'address' => 'tcp://10.34.1.16:8075',
-#       'token' => 'abc321'
-#     },
-#     'praefect-internal-3' => {
-#       'address' => 'tcp://10.23.18.6:8075',
-#       'token' => 'xyz890'
-#     }
-#   }
-# }
-# praefect['sentry_dsn'] = "https://<key>:<secret>@sentry.io/<project>"
-# praefect['sentry_environment'] = "production"
-# praefect['auto_migrate'] = true
-# praefect['database_host'] = 'postgres.internal'
-# praefect['database_port'] = 5432
-# praefect['database_user'] = 'praefect'
-# praefect['database_password'] = 'secret'
-# praefect['database_dbname'] = 'praefect_production'
-# praefect['database_sslmode'] = 'disable'
-# praefect['database_sslcert'] = '/path/to/client-cert'
-# praefect['database_sslkey'] = '/path/to/client-key'
-# praefect['database_sslrootcert'] = '/path/to/rootcert'
-
-################################################################################
-# Storage check
-################################################################################
-# storage_check['enable'] = false
-# storage_check['target'] = 'unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket'
-# storage_check['log_directory'] = '/var/log/gitlab/storage-check'
-
-################################################################################
-# Let's Encrypt integration
-################################################################################
-letsencrypt['enable'] = false
-# letsencrypt['contact_emails'] = [] # This should be an array of email addresses to add as contacts
-# letsencrypt['group'] = 'root'
-# letsencrypt['key_size'] = 2048
-# letsencrypt['owner'] = 'root'
-# letsencrypt['wwwroot'] = '/var/opt/gitlab/nginx/www'
-# See http://docs.gitlab.com/omnibus/settings/ssl.html#automatic-renewal for more on these sesttings
-# letsencrypt['auto_renew'] = true
-# letsencrypt['auto_renew_hour'] = 0
-# letsencrypt['auto_renew_minute'] = nil # Should be a number or cron expression, if specified.
-# letsencrypt['auto_renew_day_of_month'] = "*/4"
-
-##! Turn off automatic init system detection. To skip init detection in
-##! non-docker containers. Recommended not to change.
-# package['detect_init'] = true
-
-##! Specify maximum number of tasks that can be created by the systemd unit
-##! Will be populated as TasksMax value to the unit file if user is on a systemd
-##! version that supports it (>= 227). Will be a no-op if user is not on systemd.
-# package['systemd_tasks_max'] = 4915
-
-##! Settings to configure order of GitLab's systemd unit.
-##! Note: We do not recommend changing these values unless absolutely necessary
-# package['systemd_after'] = 'multi-user.target'
-# package['systemd_wanted_by'] = 'multi-user.target'
-################################################################################
-################################################################################
-##                  Configuration Settings for GitLab EE only                 ##
-################################################################################
-################################################################################
-
-
-################################################################################
-## Auxiliary cron jobs applicable to GitLab EE only
-################################################################################
-#
-# gitlab_rails['geo_file_download_dispatch_worker_cron'] = "*/10 * * * *"
-# gitlab_rails['geo_repository_sync_worker_cron'] = "*/5 * * * *"
-# gitlab_rails['geo_secondary_registry_consistency_worker'] = "* * * * *"
-# gitlab_rails['geo_prune_event_log_worker_cron'] = "*/5 * * * *"
-# gitlab_rails['geo_repository_verification_primary_batch_worker_cron'] = "*/5 * * * *"
-# gitlab_rails['geo_repository_verification_secondary_scheduler_worker_cron'] = "*/5 * * * *"
-# gitlab_rails['ldap_sync_worker_cron'] = "30 1 * * *"
-# gitlab_rails['ldap_group_sync_worker_cron'] = "0 * * * *"
-# gitlab_rails['historical_data_worker_cron'] = "0 12 * * *"
-# gitlab_rails['pseudonymizer_worker_cron'] = "0 23 * * *"
-# gitlab_rails['elastic_index_bulk_cron'] = "*/1 * * * *"
-
-################################################################################
-## Kerberos (EE Only)
-##! Docs: https://docs.gitlab.com/ee/integration/kerberos.html#http-git-access
-################################################################################
-
-# gitlab_rails['kerberos_enabled'] = true
-# gitlab_rails['kerberos_keytab'] = /etc/http.keytab
-# gitlab_rails['kerberos_service_principal_name'] = HTTP/gitlab.example.com@EXAMPLE.COM
-# gitlab_rails['kerberos_use_dedicated_port'] = true
-# gitlab_rails['kerberos_port'] = 8443
-# gitlab_rails['kerberos_https'] = true
-
-################################################################################
-## Package repository (EE Only)
-##! Docs: https://docs.gitlab.com/ee/administration/maven_packages.md
-################################################################################
-
-# gitlab_rails['packages_enabled'] = true
-# gitlab_rails['packages_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/packages"
-# gitlab_rails['packages_object_store_enabled'] = false
-# gitlab_rails['packages_object_store_direct_upload'] = false
-# gitlab_rails['packages_object_store_background_upload'] = true
-# gitlab_rails['packages_object_store_proxy_download'] = false
-# gitlab_rails['packages_object_store_remote_directory'] = "packages"
-# gitlab_rails['packages_object_store_connection'] = {
-#   'provider' => 'AWS',
-#   'region' => 'eu-west-1',
-#   'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',
-#   'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',
-#   # # The below options configure an S3 compatible host instead of AWS
-#   # 'host' => 's3.amazonaws.com',
-#   # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.
-#   # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
-#   # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
-# }
-
-################################################################################
-## Dependency proxy (EE Only)
-##! Docs: https://docs.gitlab.com/ee/administration/dependency_proxy.md
-################################################################################
-
-# gitlab_rails['dependency_proxy_enabled'] = true
-# gitlab_rails['dependency_proxy_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/dependency_proxy"
-# gitlab_rails['dependency_proxy_object_store_enabled'] = false
-# gitlab_rails['dependency_proxy_object_store_direct_upload'] = false
-# gitlab_rails['dependency_proxy_object_store_background_upload'] = true
-# gitlab_rails['dependency_proxy_object_store_proxy_download'] = false
-# gitlab_rails['dependency_proxy_object_store_remote_directory'] = "dependency_proxy"
-# gitlab_rails['dependency_proxy_object_store_connection'] = {
-#   'provider' => 'AWS',
-#   'region' => 'eu-west-1',
-#   'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',
-#   'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',
-#   # # The below options configure an S3 compatible host instead of AWS
-#   # 'host' => 's3.amazonaws.com',
-#   # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.
-#   # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
-#   # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
-# }
-
-################################################################################
-## GitLab Sentinel (EE Only)
-##! Docs: http://docs.gitlab.com/ce/administration/high_availability/redis.html#high-availability-with-sentinel
-################################################################################
-
-##! **Make sure you configured all redis['master_*'] keys above before
-##!   continuing.**
-
-##! To enable Sentinel and disable all other services in this machine,
-##! uncomment the line below (if you've enabled Redis role, it will keep it).
-##! Docs: https://docs.gitlab.com/ee/administration/high_availability/redis.html
-# redis_sentinel_role['enable'] = true
-
-# sentinel['enable'] = true
-
-##! Bind to all interfaces, uncomment to specify an IP and bind to a single one
-# sentinel['bind'] = '0.0.0.0'
-
-##! Uncomment to change default port
-# sentinel['port'] = 26379
-
-#### Support to run sentinels in a Docker or NAT environment
-#####! Docs: https://redis.io/topics/sentinel#sentinel-docker-nat-and-possible-issues
-# In an standard case, Sentinel will run in the same network service as Redis, so the same IP will be announce for Redis and Sentinel
-# Only define these values if it is needed to announce for Sentinel a differen IP service than Redis
-# sentinel['announce_ip'] = nil # If not defined, its value will be taken from redis['announce_ip'] or nil if not present
-# sentinel['announce_port'] = nil # If not defined, its value will be taken from sentinel['port'] or nil if redis['announce_ip'] not present
-
-##! Quorum must reflect the amount of voting sentinels it take to start a
-##! failover.
-##! **Value must NOT be greater then the amount of sentinels.**
-##! The quorum can be used to tune Sentinel in two ways:
-##! 1. If a the quorum is set to a value smaller than the majority of Sentinels
-##!    we deploy, we are basically making Sentinel more sensible to master
-##!    failures, triggering a failover as soon as even just a minority of
-##!    Sentinels is no longer able to talk with the master.
-##! 2. If a quorum is set to a value greater than the majority of Sentinels, we
-##!    are making Sentinel able to failover only when there are a very large
-##!    number (larger than majority) of well connected Sentinels which agree
-##!    about the master being down.
-# sentinel['quorum'] = 1
-
-### Consider unresponsive server down after x amount of ms.
-# sentinel['down_after_milliseconds'] = 10000
-
-### Specifies the failover timeout in milliseconds.
-##! It is used in many ways:
-##!
-##! - The time needed to re-start a failover after a previous failover was
-##!   already tried against the same master by a given Sentinel, is two
-##!   times the failover timeout.
-##!
-##! - The time needed for a replica replicating to a wrong master according
-##!   to a Sentinel current configuration, to be forced to replicate
-##!   with the right master, is exactly the failover timeout (counting since
-##!   the moment a Sentinel detected the misconfiguration).
-##!
-##! - The time needed to cancel a failover that is already in progress but
-##!   did not produced any configuration change (REPLICAOF NO ONE yet not
-##!   acknowledged by the promoted replica).
-##!
-##! - The maximum time a failover in progress waits for all the replicas to be
-##!   reconfigured as replicas of the new master. However even after this time
-##!   the replicas will be reconfigured by the Sentinels anyway, but not with
-##!   the exact parallel-syncs progression as specified.
-# sentinel['failover_timeout'] = 60000
-
-################################################################################
-## Additional Database Settings (EE only)
-##! Docs: https://docs.gitlab.com/ee/administration/database_load_balancing.html
-################################################################################
-# gitlab_rails['db_load_balancing'] = { 'hosts' => ['secondary1.example.com'] }
-
-################################################################################
-## GitLab Geo
-##! Docs: https://docs.gitlab.com/ee/gitlab-geo
-################################################################################
-##! Geo roles 'geo_primary_role' and 'geo_secondary_role' are set above with
-##! other roles. For more information, see: https://docs.gitlab.com/omnibus/roles/README.html#roles.
-
-# This is an optional identifier which Geo nodes can use to identify themselves.
-# For example, if external_url is the same for two secondaries, you must specify
-# a unique Geo node name for those secondaries.
-#
-# If it is blank, it defaults to external_url.
-# gitlab_rails['geo_node_name'] = nil
-
-# gitlab_rails['geo_registry_replication_enabled'] = true
-# gitlab_rails['geo_registry_replication_primary_api_url'] = 'https://example.com:5050'
-
-
-################################################################################
-## GitLab Geo Secondary (EE only)
-################################################################################
-# geo_secondary['auto_migrate'] = true
-# geo_secondary['db_adapter'] = "postgresql"
-# geo_secondary['db_encoding'] = "unicode"
-# geo_secondary['db_collation'] = nil
-# geo_secondary['db_database'] = "gitlabhq_geo_production"
-# geo_secondary['db_pool'] = 1
-# geo_secondary['db_username'] = "gitlab_geo"
-# geo_secondary['db_password'] = nil
-# geo_secondary['db_host'] = "/var/opt/gitlab/geo-postgresql"
-# geo_secondary['db_port'] = 5431
-# geo_secondary['db_socket'] = nil
-# geo_secondary['db_sslmode'] = nil
-# geo_secondary['db_sslcompression'] = 0
-# geo_secondary['db_sslrootcert'] = nil
-# geo_secondary['db_sslca'] = nil
-# geo_secondary['db_fdw'] = true
-
-################################################################################
-## GitLab Geo Secondary Tracking Database (EE only)
-################################################################################
-
-# geo_postgresql['enable'] = false
-# geo_postgresql['ha'] = false
-# geo_postgresql['dir'] = '/var/opt/gitlab/geo-postgresql'
-# geo_postgresql['data_dir'] = '/var/opt/gitlab/geo-postgresql/data'
-# geo_postgresql['pgbouncer_user'] = nil
-# geo_postgresql['pgbouncer_user_password'] = nil
-##! `SQL_USER_PASSWORD_HASH` can be generated using the command `gitlab-ctl pg-password-md5 gitlab`
-# geo_postgresql['sql_user_password'] = 'SQL_USER_PASSWORD_HASH'
-
-################################################################################
-## Unleash
-##! These settings are for GitLab internal use.
-##! They are used to control feature flags during GitLab development.
-##! Docs: https://docs.gitlab.com/ee/development/feature_flags
-################################################################################
-# gitlab_rails['feature_flags_unleash_enabled'] = false
-# gitlab_rails['feature_flags_unleash_url'] = nil
-# gitlab_rails['feature_flags_unleash_app_name'] = nil
-# gitlab_rails['feature_flags_unleash_instance_id'] = nil
-
-################################################################################
-# Pgbouncer (EE only)
-# See [GitLab PgBouncer documentation](http://docs.gitlab.com/omnibus/settings/database.html#enabling-pgbouncer-ee-only)
-# See the [PgBouncer page](https://pgbouncer.github.io/config.html) for details
-################################################################################
-# pgbouncer['enable'] = false
-# pgbouncer['log_directory'] = '/var/log/gitlab/pgbouncer'
-# pgbouncer['data_directory'] = '/var/opt/gitlab/pgbouncer'
-# pgbouncer['env_directory'] = '/opt/gitlab/etc/pgbouncer/env'
-# pgbouncer['env'] = {
-#   'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"
-# }
-# pgbouncer['listen_addr'] = '0.0.0.0'
-# pgbouncer['listen_port'] = '6432'
-# pgbouncer['pool_mode'] = 'transaction'
-# pgbouncer['server_reset_query'] = 'DISCARD ALL'
-# pgbouncer['application_name_add_host'] = '1'
-# pgbouncer['max_client_conn'] = '2048'
-# pgbouncer['default_pool_size'] = '100'
-# pgbouncer['min_pool_size'] = '0'
-# pgbouncer['reserve_pool_size'] = '5'
-# pgbouncer['reserve_pool_timeout'] = '5.0'
-# pgbouncer['server_round_robin'] = '0'
-# pgbouncer['log_connections'] = '0'
-# pgbouncer['server_idle_timeout'] = '30'
-# pgbouncer['dns_max_ttl'] = '15.0'
-# pgbouncer['dns_zone_check_period'] = '0'
-# pgbouncer['dns_nxdomain_ttl'] = '15.0'
-# pgbouncer['admin_users'] = %w(gitlab-psql postgres pgbouncer)
-# pgbouncer['stats_users'] = %w(gitlab-psql postgres pgbouncer)
-# pgbouncer['ignore_startup_parameters'] = 'extra_float_digits'
-# pgbouncer['databases'] = {
-#   DATABASE_NAME: {
-#     host: HOSTNAME,
-#     port: PORT
-#     user: USERNAME,
-#     password: PASSWORD
-###! generate this with `echo -n '$password + $username' | md5sum`
-#   }
-#   ...
-# }
-# pgbouncer['logfile'] = nil
-# pgbouncer['unix_socket_dir'] = nil
-# pgbouncer['unix_socket_mode'] = '0777'
-# pgbouncer['unix_socket_group'] = nil
-# pgbouncer['auth_type'] = 'md5'
-# pgbouncer['auth_hba_file'] = nil
-# pgbouncer['auth_query'] = 'SELECT username, password FROM public.pg_shadow_lookup($1)'
-# pgbouncer['users'] = {
-#   {
-#     name: USERNAME,
-#     password: MD5_PASSWORD_HASH
-#   }
-# }
-# postgresql['pgbouncer_user'] = nil
-# postgresql['pgbouncer_user_password'] = nil
-# pgbouncer['server_reset_query_always'] = 0
-# pgbouncer['server_check_query'] = 'select 1'
-# pgbouncer['server_check_delay'] = 30
-# pgbouncer['max_db_connections'] = nil
-# pgbouncer['max_user_connections'] = nil
-# pgbouncer['syslog'] = 0
-# pgbouncer['syslog_facility'] = 'daemon'
-# pgbouncer['syslog_ident'] = 'pgbouncer'
-# pgbouncer['log_disconnections'] = 1
-# pgbouncer['log_pooler_errors'] = 1
-# pgbouncer['stats_period'] = 60
-# pgbouncer['verbose'] = 0
-# pgbouncer['server_lifetime'] = 3600
-# pgbouncer['server_connect_timeout'] = 15
-# pgbouncer['server_login_retry'] = 15
-# pgbouncer['query_timeout'] = 0
-# pgbouncer['query_wait_timeout'] = 120
-# pgbouncer['client_idle_timeout'] = 0
-# pgbouncer['client_login_timeout'] = 60
-# pgbouncer['autodb_idle_timeout'] = 3600
-# pgbouncer['suspend_timeout'] = 10
-# pgbouncer['idle_transaction_timeout'] = 0
-# pgbouncer['pkt_buf'] = 4096
-# pgbouncer['listen_backlog'] = 128
-# pgbouncer['sbuf_loopcnt'] = 5
-# pgbouncer['max_packet_size'] = 2147483647
-# pgbouncer['tcp_defer_accept'] = 0
-# pgbouncer['tcp_socket_buffer'] = 0
-# pgbouncer['tcp_keepalive'] = 1
-# pgbouncer['tcp_keepcnt'] = 0
-# pgbouncer['tcp_keepidle'] = 0
-# pgbouncer['tcp_keepintvl'] = 0
-# pgbouncer['disable_pqexec'] = 0
-
-## Pgbouncer client TLS options
-# pgbouncer['client_tls_sslmode'] = 'disable'
-# pgbouncer['client_tls_ca_file'] = nil
-# pgbouncer['client_tls_key_file'] = nil
-# pgbouncer['client_tls_cert_file'] = nil
-# pgbouncer['client_tls_protocols'] = 'all'
-# pgbouncer['client_tls_dheparams'] = 'auto'
-# pgbouncer['client_tls_ecdhcurve'] = 'auto'
-#
-## Pgbouncer server  TLS options
-# pgbouncer['server_tls_sslmode'] = 'disable'
-# pgbouncer['server_tls_ca_file'] = nil
-# pgbouncer['server_tls_key_file'] = nil
-# pgbouncer['server_tls_cert_file'] = nil
-# pgbouncer['server_tls_protocols'] = 'all'
-# pgbouncer['server_tls_ciphers'] = 'fast'
-
-################################################################################
-# Repmgr (EE only)
-################################################################################
-# repmgr['enable'] = false
-# repmgr['cluster'] = 'gitlab_cluster'
-# repmgr['database'] = 'gitlab_repmgr'
-# repmgr['host'] = nil
-# repmgr['node_number'] = nil
-# repmgr['port'] = 5432
-# repmgr['trust_auth_cidr_addresses'] = []
-# repmgr['username'] = 'gitlab_repmgr'
-# repmgr['sslmode'] = 'prefer'
-# repmgr['sslcompression'] = 0
-# repmgr['failover'] = 'automatic'
-# repmgr['log_directory'] = '/var/log/gitlab/repmgrd'
-# repmgr['node_name'] = nil
-# repmgr['pg_bindir'] = '/opt/gitlab/embedded/bin'
-# repmgr['service_start_command'] = '/opt/gitlab/bin/gitlab-ctl start postgresql'
-# repmgr['service_stop_command'] = '/opt/gitlab/bin/gitlab-ctl stop postgresql'
-# repmgr['service_reload_command'] = '/opt/gitlab/bin/gitlab-ctl hup postgresql'
-# repmgr['service_restart_command'] = '/opt/gitlab/bin/gitlab-ctl restart postgresql'
-# repmgr['service_promote_command'] = nil
-# repmgr['promote_command'] = '/opt/gitlab/embedded/bin/repmgr standby promote -f /var/opt/gitlab/postgresql/repmgr.conf'
-# repmgr['follow_command'] = '/opt/gitlab/embedded/bin/repmgr standby follow -f /var/opt/gitlab/postgresql/repmgr.conf'
-
-# repmgr['upstream_node'] = nil
-# repmgr['use_replication_slots'] = false
-# repmgr['loglevel'] = 'INFO'
-# repmgr['logfacility'] = 'STDERR'
-# repmgr['logfile'] = nil
-
-# repmgr['event_notification_command'] = nil
-# repmgr['event_notifications'] = nil
-
-# repmgr['rsync_options'] = nil
-# repmgr['ssh_options'] = nil
-# repmgr['priority'] = nil
-#
-# HA setting to specify if a node should attempt to be master on initialization
-# repmgr['master_on_initialization'] = true
-
-# repmgr['retry_promote_interval_secs'] = 300
-# repmgr['witness_repl_nodes_sync_interval_secs'] = 15
-# repmgr['reconnect_attempts'] = 6
-# repmgr['reconnect_interval'] = 10
-# repmgr['monitor_interval_secs'] = 2
-# repmgr['master_response_timeout'] = 60
-# repmgr['daemon'] = true
-# repmgrd['enable'] = true
-
-################################################################################
-# Patroni (EE only)
-#
-# NOTICE: Patroni is an experimental feature and subject to change.
-#
-################################################################################
-# patroni['enable'] = false
-
-# patroni['dir'] = '/var/opt/gitlab/patroni'
-# patroni['data_dir'] = '/var/opt/gitlab/patroni/data'
-# patroni['ctl_command'] = '/opt/gitlab/embedded/bin/patronictl'
-
-# patroni['scope'] = 'gitlab-postgresql-ha'
-# patroni['name'] = nil
-
-# patroni['log_directory'] = '/var/log/gitlab/patroni'
-# patroni['log_level'] = 'INFO'
-
-# patroni['consul']['url'] = 'http://127.0.0.1:8500'
-# patroni['consul']['service_check_interval'] = '10s'
-# patroni['consul']['register_service'] = false
-# patroni['consul']['checks'] = []
-
-## Bootstrap settings
-# patroni['loop_wait'] = 10
-# patroni['ttl'] = 30
-# patroni['retry_timeout'] = 10
-# patroni['maximum_lag_on_failover'] = 1_048_576
-# patroni['max_timelines_history'] = 0
-# patroni['master_start_timeout'] = 300
-
-## PostgreSQL configuration override
-# patroni['postgresql']['wal_level'] = 'replica'
-# patroni['postgresql']['hot_standby'] = 'on'
-# patroni['postgresql']['wal_keep_segments'] = 8
-# patroni['postgresql']['max_wal_senders'] = 5
-# patroni['postgresql']['max_replication_slots'] = 5
-# patroni['postgresql']['checkpoint_timeout'] = 30
-
-# patroni['use_pg_rewind'] = false
-# patroni['use_slots'] = true
-
-## The address and port that Patroni API binds to and listens on.
-# patroni['listen_address'] = nil
-# patroni['port'] = '8008'
-
-## The address of the Patroni node that is advertized to other cluster
-## members to communicate with its API and PostgreSQL. If it is not specified,
-## it tries to use the first available private IP and falls back to the default
-## network interface.
-# patroni['connect_address'] = nil
-
-## The port that Patroni API responds to other cluster members. This port is
-## advertized and by default is the same as patroni['port'].
-# patroni['connect_port'] = '8008'
-
-
-################################################################################
-# Consul (EEP only)
-################################################################################
-# consul['enable'] = false
-# consul['dir'] = '/var/opt/gitlab/consul'
-# consul['username'] = 'gitlab-consul'
-# consul['group'] = 'gitlab-consul'
-# consul['config_file'] = '/var/opt/gitlab/consul/config.json'
-# consul['config_dir'] = '/var/opt/gitlab/consul/config.d'
-# consul['data_dir'] = '/var/opt/gitlab/consul/data'
-# consul['log_directory'] = '/var/log/gitlab/consul'
-# consul['env_directory'] = '/opt/gitlab/etc/consul/env'
-# consul['env'] = {
-#   'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"
-# }
-# consul['monitoring_service_discovery'] = false
-# consul['node_name'] = nil
-# consul['script_directory'] = '/var/opt/gitlab/consul/scripts'
-# consul['configuration'] = {
-#   'client_addr' => nil,
-#   'datacenter' => 'gitlab_consul',
-#   'enable_script_checks' => true,
-#   'server' => false
-# }
-# consul['services'] = []
-# consul['service_config'] = {
-#   'postgresql' => {
-#     'service' => {
-#       'name' => "postgresql",
-#       'address' => '',
-#       'port' => 5432,
-#       'checks' => [
-#         {
-#           'script' => "/var/opt/gitlab/consul/scripts/check_postgresql",
-#           'interval' => "10s"
-#         }
-#       ]
-#     }
-#   }
-# }
-# consul['watchers'] = {
-#   'postgresql' => {
-#     enable: false,
-#     handler: 'failover_pgbouncer'
-#   }
-# }
-################################################################################
-# Service desk email settings (EEP only)
-################################################################################
-### Service desk email
-###! Allow users to create new service desk issues by sending an email to
-###! service desk address.
-###! Docs: https://docs.gitlab.com/ee/administration/reply_by_email.html
-# gitlab_rails['service_desk_email_enabled'] = false
-
-#### Service Desk Mailbox Settings (via `mail_room`)
-#### Service Desk Email Address
-####! The email address including the `%{key}` placeholder that will be replaced
-####! to reference the item being replied to.
-####! **The placeholder can be omitted but if present, it must appear in the
-####!   "user" part of the address (before the `@`).**
-# gitlab_rails['service_desk_email_address'] = "contact_project+%{key}@gmail.com"
-
-#### Service Desk Email account username
-####! **With third party providers, this is usually the full email address.**
-####! **With self-hosted email servers, this is usually the user part of the
-####!   email address.**
-# gitlab_rails['service_desk_email_email'] = "contact_project@gmail.com"
-
-#### Service Desk Email account password
-# gitlab_rails['service_desk_email_password'] = "[REDACTED]"
-
-####! The mailbox where service desk mail will end up. Usually "inbox".
-# gitlab_rails['service_desk_email_mailbox_name'] = "inbox"
-####! The IDLE command timeout.
-# gitlab_rails['service_desk_email_idle_timeout'] = 60
-####! The file name for internal `mail_room` JSON logfile
-# gitlab_rails['service_desk_email_log_file'] = "/var/log/gitlab/mailroom/mail_room_json.log"
-
-#### Service Desk IMAP Settings
-# gitlab_rails['service_desk_email_host'] = "imap.gmail.com"
-# gitlab_rails['service_desk_email_port'] = 993
-# gitlab_rails['service_desk_email_ssl'] = true
-# gitlab_rails['service_desk_email_start_tls'] = false
diff --git a/gitlab/gitlab_small.yaml b/gitlab/gitlab_small.yaml
deleted file mode 100644
index 6d43a941c125b03693aed8f2642973afac154f75..0000000000000000000000000000000000000000
--- a/gitlab/gitlab_small.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-apiVersion: v1
-name: gitlab
-namespace: gitlab
-type: gitlab
-deployments:
-- id: gitlab
-  image: ${GITLAB_IMAGE}
-  name: gitlab
-  uri: 
-  - git.${BASE_URL}
-  - git.${JOOS_IO_BASE_URL}
-  maxUploadSize: 1024m
-  volumes:
-    gitlab-config:
-      nfs:
-        path: /gitlab/config
-    gitlab-logs:
-      nfs:
-        path: /gitlab/logs
-      size: 100Mi
-    gitlab-data:
-      nfs:
-        path: /gitlab/data
-      size: 10Gi
-- id: postgres
-  image: postgres:15
-  name: postgres
-  env:
-    content:
-      POSTGRES_DB: gitlab_production
-      POSTGRES_USER: 5450298f7b96
-      POSTGRES_PASSWORD: b4f301d36179
-  volumes:
-    postgresdb:
-      nfs:
-        path: /gitlab/db
-      size: 2Gi
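Review bot: Deleting this file does not retire the credentials it carried: the `POSTGRES_USER` / `POSTGRES_PASSWORD` values here, and the runner `token` values in the two deleted files further down (`gitlab/runner/gitlab_runner_docker/config.toml` and `gitlab/runner/gitlab_runner_kubernetes/config.toml`), stay readable in the repository history. If any of them were live, they should be rotated (database password changed, runner tokens revoked or the runners re-registered) rather than treated as removed by this commit. Nothing in the visible hunks shows whether that was done, so it is worth recording in the commit description. Wherever this configuration now lives, these values belong in CI/CD variables or a Kubernetes Secret, referenced the way `${GITLAB_IMAGE}` already is in this manifest.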
diff --git a/gitlab/runner/gitlab_runner_docker/config.toml b/gitlab/runner/gitlab_runner_docker/config.toml
deleted file mode 100644
index 6a531077361877a1fe35fde8f4f481a779ef9561..0000000000000000000000000000000000000000
--- a/gitlab/runner/gitlab_runner_docker/config.toml
+++ /dev/null
@@ -1,50 +0,0 @@
-concurrent = 1
-check_interval = 0
-
-[session_server]
-  session_timeout = 1800
-
-[[runners]]
-  name = "shared-runner-3-linux-docker"
-  url = "https://git.420joos.dev/"
-  token = "6DA6b5wz-W9LLSWufeBG"
-  executor = "kubernetes"
-  [runners.custom_build_dir]
-  [runners.cache]
-    [runners.cache.s3]
-    [runners.cache.gcs]
-    [runners.cache.azure]
-  [runners.kubernetes]
-    tls_verify = true
-    image = "andrijoos/docker-buildx:1.0"
-    pull_policy = ["always", "if-not-present"]
-    bearer_token_overwrite_allowed = false
-    namespace = "gitlab-runner"
-    namespace_overwrite_allowed = ""
-    service_account_overwrite_allowed = ""
-    pod_annotations_overwrite_allowed = ""
-    helper_cpu_limit = "1"
-    helper_memory_limit = "128Mi"
-    service_cpu_limit = "1"
-    service_memory_limit = "128Mi"
-    poll_interval = 5
-    poll_timeout = 600
-    privileged = true
-    [runners.kubernetes.pod_labels]
-      "app" = "gitlab-runner-docker"
-    # pod_annotations = 
-    [runners.kubernetes.affinity]
-    [runners.kubernetes.pod_security_context]
-      # [runners.kubernetes.pod_security_context.capabilities]
-      #   add = ["SYS_ADMIN"]
-    [runners.kubernetes.volumes]
-      [[runners.kubernetes.volumes.pvc]]
-        name = "gitlab-runner-docker-docker-sock"
-        mount_path = "/var/run/docker.sock"
-        read_only = true
-    [runners.kubernetes.dns_config]
-    [runners.kubernetes.container_lifecycle]
-    [runners.kubernetes.node_selector]
-      "kubernetes.io/arch" = "amd64" # otherwise wrong image is pulled
-      "kubernetes.io/os" = "linux"
-      "kubernetes.io/hostname" = "cluster-node-00"
\ No newline at end of file
diff --git a/gitlab/runner/gitlab_runner_docker/gitlab_runner_docker_small.yaml b/gitlab/runner/gitlab_runner_docker/gitlab_runner_docker_small.yaml
deleted file mode 100644
index 4d479ac7a863a85a36df9611482f1719b72d2d42..0000000000000000000000000000000000000000
--- a/gitlab/runner/gitlab_runner_docker/gitlab_runner_docker_small.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-apiVersion: v1
-name: gitlab-runner-docker
-type: gitlab-runner
-deployments:
-- id: default
-  name: gitlab-runner-docker
-  serviceAccount:
-    type: namespace
-    rules:
-    - apiGroups:
-      - '*'
-      resources:
-      - 'pods'
-      - 'pods/exec'
-      - 'pods/attach'
-      - 'configmaps'
-      - 'secrets'
-      verbs:
-      - 'get'
-      - 'list'
-      - 'watch'
-      - 'create'
-      - 'patch'
-      - 'delete'
-      - 'update'
-  volumes:
-    docker-sock:
-      accessModes:
-      - ReadWriteOnce   # pods must be on the same node (which they are forced to)
-      mountPath: /var/run/docker.sock
-      hostpath:
-        path: /var/run/docker.sock
-        deviceHostname: cluster-node-00
-      subPath: true
-      size: 20Mi
-      type: pv
-    runner-config:
-      content:
-      - gitlab/runner/gitlab_runner_docker/config.toml
-      mountPath: /etc/gitlab-runner
-      type: configMap
diff --git a/gitlab/runner/gitlab_runner_kubernetes/config.toml b/gitlab/runner/gitlab_runner_kubernetes/config.toml
deleted file mode 100644
index 0674ad529a2437d0b301d6a166e2adc7359d4c5b..0000000000000000000000000000000000000000
--- a/gitlab/runner/gitlab_runner_kubernetes/config.toml
+++ /dev/null
@@ -1,68 +0,0 @@
-concurrent = 1
-check_interval = 0
-
-[session_server]
-  session_timeout = 1800
-
-[[runners]]
-  name = "gitlab-runner-kubernetes"
-  url = "https://git.420joos.dev/"
-  token = "vayo63bHKyE1dPedsA42"
-  executor = "kubernetes"
-  [runners.custom_build_dir]
-  [runners.cache]
-    [runners.cache.s3]
-    [runners.cache.gcs]
-    [runners.cache.azure]
-  [runners.kubernetes]
-    tls_verify = true
-    image = "andrijoos/docker-buildx:1.0"
-    pull_policy = ["always", "if-not-present"]
-    bearer_token_overwrite_allowed = false
-    namespace = "gitlab-runner"
-    namespace_overwrite_allowed = ""
-    service_account_overwrite_allowed = ""
-    pod_annotations_overwrite_allowed = ""
-    helper_cpu_limit = "1"
-    helper_memory_limit = "128Mi"
-    service_cpu_limit = "1"
-    service_memory_limit = "128Mi"
-    poll_interval = 5
-    poll_timeout = 600
-    privileged = true
-    service_account = "gitlab-runner-kubernetes-sa"
-    [runners.kubernetes.pod_labels]
-      "app" = "gitlab-runner-kubernetes"
-    # pod_annotations = 
-    [runners.kubernetes.affinity]
-    [runners.kubernetes.pod_security_context]
-      # [runners.kubernetes.pod_security_context.capabilities]
-      #   add = ["SYS_ADMIN"]
-    [runners.kubernetes.volumes]
-      [[runners.kubernetes.volumes.pvc]]
-        name = "gitlab-runner-kubernetes-prod-config"
-        mount_path = "/kubeconfig/prod_config"
-        read_only = true
-      # [[runners.kubernetes.volumes.pvc]]
-      #   name = "gitlab-runner-kubernetes-ssh-config"
-      #   mount_path = "/ssh_config/"
-      #   read_only = true  # must be false for generating new pub/priv key pair
-      # [[runners.kubernetes.volumes.pvc]]
-      #   name = "gitlab-runner-kubernetes-test-config-pvc"
-      #   mount_path = "/kubeconfig/test_config"
-      #   read_only = false
-      # [[runners.kubernetes.volumes.pvc]]
-      #   name = "testcluster-data-pvc"
-      #   mount_path = "/testcluster_data"
-      #   read_only = false
-      # [[runners.kubernetes.volumes.pvc]]
-      #   name = "prodcluster-data-pvc"
-      #   mount_path = "/prodcluster_data"
-      #   read_only = false
-    [runners.kubernetes.dns_config]
-    [runners.kubernetes.container_lifecycle]
-    [runners.kubernetes.node_selector]
-      "kubernetes.io/arch" = "arm64" # otherwise wrong image is pulled
-      "kubernetes.io/os" = "linux"
-      "kubernetes.io/hostname" = "cluster-master-00"
-      #"node-role.kubernetes.io/master" = "true"  # operator: DoesNotExist if not on master
\ No newline at end of file
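Review bot: Deleting this file does not retire the runner authentication token on the `token = "…"` line of the `[[runners]]` table; the value stays readable in the repository history and in this diff, so it should be treated as exposed and reset, or the runner unregistered, on the GitLab instance named in `url`. The same applies to the `token` lines in `gitlab/runner/shared_runner_0/config.toml` and `gitlab/runner/shared_runner_4/config.toml` further down, and to the runner config whose hunk begins above this one. This runner looks like the most sensitive of them, since it sets `privileged = true` and the manifest deleted next to it appears to grant its service account `'*'` verbs on `'*'` resources cluster-wide. If a runner config is ever committed again, keep the credential out of the file, for example `token = "<RUNNER_TOKEN_PLACEHOLDER>"` filled in from a secret at deploy time.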
diff --git a/gitlab/runner/gitlab_runner_kubernetes/gitlab_runner_kubernetes_small.yaml b/gitlab/runner/gitlab_runner_kubernetes/gitlab_runner_kubernetes_small.yaml
deleted file mode 100644
index b99f92610107668c34ecb5e3f211eca6180e6961..0000000000000000000000000000000000000000
--- a/gitlab/runner/gitlab_runner_kubernetes/gitlab_runner_kubernetes_small.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: v1
-name: gitlab-runner-kubernetes
-type: gitlab-runner
-deployments:
-- id: default
-  name: gitlab-runner-kubernetes
-  serviceAccount:
-    type: cluster
-    rules:
-    - apiGroups:
-      - '*'
-      resources:
-      - '*'
-      verbs:
-      - '*'
-  volumes:
-    prod-config:
-      accessModes:
-      - ReadWriteOnce   # pods must be on the same node (which they are forced to)
-      mountPath: /kubeconfig/prod_config
-      hostpath:
-        path: /root/.kube
-        deviceHostname: cluster-master-00
-      size: 20Mi
-      type: pv
-    runner-config:
-      content:
-      - gitlab/runner/gitlab_runner_kubernetes/config.toml
-      mountPath: /etc/gitlab-runner
-      type: configMap
diff --git a/gitlab/runner/shared_runner_0/config.toml b/gitlab/runner/shared_runner_0/config.toml
deleted file mode 100644
index 9788b83016dc52cf5eadceb23c2d981c77edb449..0000000000000000000000000000000000000000
--- a/gitlab/runner/shared_runner_0/config.toml
+++ /dev/null
@@ -1,44 +0,0 @@
-concurrent = 1
-check_interval = 0
-
-[session_server]
-  session_timeout = 1800
-
-[[runners]]
-  name = "gitlab-shared-runner-0"
-  url = "https://git.420joos.dev/"
-  token = "TwVB6zeusyR3kjsU1usE"
-  executor = "kubernetes"
-  [runners.custom_build_dir]
-  [runners.cache]
-    [runners.cache.s3]
-    [runners.cache.gcs]
-    [runners.cache.azure]
-  [runners.kubernetes]
-    tls_verify = true
-    image = "scratch"
-    pull_policy = ["always", "if-not-present"]
-    bearer_token_overwrite_allowed = false
-    namespace = "gitlab-runner"
-    namespace_overwrite_allowed = ""
-    service_account_overwrite_allowed = ""
-    pod_annotations_overwrite_allowed = ""
-    helper_cpu_limit = "1"
-    helper_memory_limit = "128Mi"
-    service_cpu_limit = "1"
-    service_memory_limit = "128Mi"
-    poll_interval = 5
-    poll_timeout = 600
-    privileged = true
-    service_account = "gitlab-shared-runner-0-sa"
-    [runners.kubernetes.pod_labels]
-      "app" = "gitlab-shared-runner-0"
-    # pod_annotations = 
-    [runners.kubernetes.affinity]
-    [runners.kubernetes.pod_security_context]
-    [runners.kubernetes.volumes]
-    [runners.kubernetes.dns_config]
-    [runners.kubernetes.container_lifecycle]
-    [runners.kubernetes.node_selector]
-      "kubernetes.io/arch" = "arm64" # otherwise wrong image is pulled
-      "kubernetes.io/os" = "linux"
\ No newline at end of file
diff --git a/gitlab/runner/shared_runner_0/gitlab_shared_runner_0.yaml b/gitlab/runner/shared_runner_0/gitlab_shared_runner_0.yaml
deleted file mode 100644
index 70b18a7d1dc601661627932a54915385bb286243..0000000000000000000000000000000000000000
--- a/gitlab/runner/shared_runner_0/gitlab_shared_runner_0.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: v1
-name: gitlab-shared-runner-0
-type: gitlab-runner
-deployments:
-- id: default
-  name: gitlab-shared-runner-0
-  serviceAccount:
-    type: namespace # should be namespace
-    rules:
-    - apiGroups:
-      - '*'
-      resources:
-      - 'pods'
-      - 'pods/exec'
-      - 'pods/attach'
-      - 'configmaps'
-      - 'secrets'
-      verbs:
-      - 'get'
-      - 'list'
-      - 'watch'
-      - 'create'
-      - 'patch'
-      - 'delete'
-      - 'update'
-  volumes:
-    runner-config:
-      content:
-      - gitlab/runner/shared_runner_0/config.toml
-      mountPath: /etc/gitlab-runner
-      type: configMap
diff --git a/gitlab/runner/shared_runner_4/config.toml b/gitlab/runner/shared_runner_4/config.toml
deleted file mode 100644
index 279d945d15982e573303bb5c49a51c2f6c33b536..0000000000000000000000000000000000000000
--- a/gitlab/runner/shared_runner_4/config.toml
+++ /dev/null
@@ -1,41 +0,0 @@
-concurrent = 1
-check_interval = 0
-
-[session_server]
-  session_timeout = 1800
-
-[[runners]]
-  name = "gitlab-shared-runner-4"
-  url = "https://git.420joos.dev/"
-  token = "sSzFNsPtuaS4sRJc6wJP"
-  executor = "kubernetes"
-  [runners.custom_build_dir]
-  [runners.cache]
-    [runners.cache.s3]
-    [runners.cache.gcs]
-    [runners.cache.azure]
-  [runners.kubernetes]
-    tls_verify = true
-    image = "scratch"
-    # pull_policy = ["always", "if-not-present"]
-    bearer_token_overwrite_allowed = false
-    namespace = "gitlab-runner"
-    namespace_overwrite_allowed = ""
-    service_account_overwrite_allowed = ""
-    pod_annotations_overwrite_allowed = ""
-    helper_cpu_limit = "1"
-    helper_memory_limit = "128Mi"
-    service_cpu_limit = "1"
-    service_memory_limit = "128Mi"
-    poll_interval = 5
-    poll_timeout = 600
-    [runners.kubernetes.pod_labels]
-      "app" = "gitlab-shared-runner-4"
-    [runners.kubernetes.affinity]
-    [runners.kubernetes.pod_security_context]
-    [runners.kubernetes.volumes]
-    [runners.kubernetes.dns_config]
-    [runners.kubernetes.container_lifecycle]
-    [runners.kubernetes.node_selector]
-      "kubernetes.io/arch" = "amd64"
-      "kubernetes.io/os" = "linux"
\ No newline at end of file
diff --git a/gitlab/runner/shared_runner_4/gitlab_shared_runner_4.yaml b/gitlab/runner/shared_runner_4/gitlab_shared_runner_4.yaml
deleted file mode 100644
index f45e5533f56dbae6b0339d23fb291d4fbc1a9085..0000000000000000000000000000000000000000
--- a/gitlab/runner/shared_runner_4/gitlab_shared_runner_4.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: v1
-name: gitlab-shared-runner-4
-type: gitlab-runner
-deployments:
-- id: default
-  name: gitlab-shared-runner-4
-  serviceAccount:
-    type: namespace # should be namespace
-    rules:
-    - apiGroups:
-      - '*'
-      resources:
-      - 'pods'
-      - 'pods/exec'
-      - 'pods/attach'
-      - 'configmaps'
-      - 'secrets'
-      verbs:
-      - 'get'
-      - 'list'
-      - 'watch'
-      - 'create'
-      - 'patch'
-      - 'delete'
-      - 'update'
-  volumes:
-    runner-config:
-      content:
-      - gitlab/runner/shared_runner_4/config.toml
-      mountPath: /etc/gitlab-runner
-      type: configMap
diff --git a/images/cluster_tools/Dockerfile b/images/cluster_tools/Dockerfile
deleted file mode 100644
index bb41208bb16ba4621ffd094e2407272f12f1667d..0000000000000000000000000000000000000000
--- a/images/cluster_tools/Dockerfile
+++ /dev/null
@@ -1,50 +0,0 @@
-# with nfs-utils only version 3.12.1  works
-ARG ALPINE=alpine:latest
-# ARG ALPINE=alpine:3.12.1
-FROM ${ALPINE} AS alpine
-ARG KUBERNETES_RELEASE=v1.21.3
-WORKDIR /bin
-RUN set -x \
- && ARCH=$(uname -m) \
- && if [[ ${ARCH} = "aarch64" ]]; then ARCH="arm64"; elif [[ ${ARCH} = "x86_64" ]]; then ARCH="amd64"; fi \
- && apk update \
- && apk --no-cache add curl \
- && curl -fsSLO https://storage.googleapis.com/kubernetes-release/release/${KUBERNETES_RELEASE}/bin/linux/${ARCH}/kubectl \
- && chmod +x kubectl
-
-FROM ubuntu:20.04
-COPY --from=alpine /bin/kubectl /bin/kubectl
-# RUN set -x && apk update
-#  && apk --no-cache add openrc \
-#  && apk --no-cache add nfs-utils \
-#  && rc-update add nfsmount
-
-# RUN set -x && apk --no-cache add rpcbind
-# RUN set -x && apk --no-cache add openrc
-# RUN set -x && apk --no-cache add nfs-utils
-# RUN set -x && rc-update add nfsmount
-
-RUN set -x && apt update
-# RUN set -x && apt install -y nfs-kernel-server
-RUN set -x && apt install -y nfs-common
-
-# RUN set -x && apk --no-cache add make git
-# RUN set -x && git clone https://github.com/delphix/nfs-utils && cd nfs-utils && git pull
-# RUN bash ./configure
-
-# RUN set -xe 		&& echo '#!/bin/sh' > /usr/sbin/policy-rc.d 	&& echo 'exit 101' >> /usr/sbin/policy-rc.d 	&& chmod +x /usr/sbin/policy-rc.d 		&& dpkg-divert --local --rename --add /sbin/initctl 	&& cp -a /usr/sbin/policy-rc.d /sbin/initctl 	&& sed -i 's/^exit.*/exit 0/' /sbin/initctl 		&& echo 'force-unsafe-io' > /etc/dpkg/dpkg.cfg.d/docker-apt-speedup 		&& echo 'DPkg::Post-Invoke { "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"; };' > /etc/apt/apt.conf.d/docker-clean 	&& echo 'APT::Update::Post-Invoke { "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"; };' >> /etc/apt/apt.conf.d/docker-clean 	&& echo 'Dir::Cache::pkgcache ""; Dir::Cache::srcpkgcache "";' >> /etc/apt/apt.conf.d/docker-clean 		&& echo 'Acquire::Languages "none";' > /etc/apt/apt.conf.d/docker-no-languages 		&& echo 'Acquire::GzipIndexes "true"; Acquire::CompressionTypes::Order:: "gz";' > /etc/apt/apt.conf.d/docker-gzip-indexes 		&& echo 'Apt::AutoRemove::SuggestsImportant "false";' > /etc/apt/apt.conf.d/docker-autoremove-suggests
-# RUN rm -rf /var/lib/apt/lists/*
-# RUN sed -i 's/^#\s*\(deb.*universe\)$/\1/g' /etc/apt/sources.list
-# RUN mkdir -p /run/systemd && echo 'docker' > /run/systemd/container
-# ENV DEBIAN_FRONTEND=noninteractive
-# RUN apt-get update -qq && apt-get install -y nfs-kernel-server runit inotify-tools -qq
-# RUN mkdir -p /exports
-# RUN mkdir -p /etc/sv/nfs && echo "nfs 2049/tcp" >> /etc/services && echo "nfs 2049/udp" >> /etc/services
-# ADD nfs.init /etc/sv/nfs/run 
-# ADD nfs.stop /etc/sv/nfs/finish 
-# ADD nfs_setup.sh /usr/local/bin/nfs_setup
-
-# RUN set -x && pacman -Sy --noconfirm nfs-utils
-
-ENTRYPOINT ["/bin/kubectl"]
-CMD ["help"]
diff --git a/images/docker_buildx/Dockerfile b/images/docker_buildx/Dockerfile
deleted file mode 100644
index ef967bd54690786dc956f613c30113302ffdabd6..0000000000000000000000000000000000000000
--- a/images/docker_buildx/Dockerfile
+++ /dev/null
@@ -1,6 +0,0 @@
-FROM docker:20.10.22-alpine3.17
-COPY --from=docker/buildx-bin:latest /buildx /usr/libexec/docker/cli-plugins/docker-buildx
-# COPY daemon.json /etc/docker/daemon.json
-
-ENTRYPOINT ["docker-entrypoint.sh"]
-# CMD ["--insecure-registry=192.168.8.221:5000", "--insecure-registry=http://192.168.8.221:5000"]
diff --git a/images/element/Dockerfile b/images/element/Dockerfile
deleted file mode 100644
index 301dc9c7b73d9aad8be85544346296c82500823f..0000000000000000000000000000000000000000
--- a/images/element/Dockerfile
+++ /dev/null
@@ -1,20 +0,0 @@
-FROM node as builder
-ARG ELEMENT_RELEASE=1.11.34
-# FROM ubuntu:20.04 as builder
-
-RUN apt update \
-    && apt install -y curl yarn
-RUN curl -Lo element.tar.gz https://github.com/vector-im/element-web/releases/download/v${ELEMENT_RELEASE}/element-v${ELEMENT_RELEASE}.tar.gz
-RUN mkdir /element
-RUN file element.tar.gz
-RUN tar -xvzf element.tar.gz -C /element --strip-components=1
-RUN ls -la element
-
-
-# get prebuilt package from github
-FROM nginx:alpine
-
-COPY --from=builder /element /app
-
-RUN rm -rf /usr/share/nginx/html \
-    && ln -s /app /usr/share/nginx/html
\ No newline at end of file
diff --git a/images/gitlab/Dockerfile b/images/gitlab/Dockerfile
deleted file mode 100644
index ab87f194aeb0f64854b8c7aa20b3861a7d5f6e8a..0000000000000000000000000000000000000000
--- a/images/gitlab/Dockerfile
+++ /dev/null
@@ -1,50 +0,0 @@
-ARG IMAGE_SERVER
-FROM ${IMAGE_SERVER}/ubuntu:22.04
-LABEL maintainer "Pierre Ugaz <ulm0@innersea.xyz>, Andri Joos <andri@joos.io>"
-SHELL ["/bin/sh", "-c"],
-ENV LANG=C.UTF-8
-# Install required packages
-RUN set -eux; \
-    apt-get update -q \
-    && DEBIAN_FRONTEND=noninteractive apt-get install -yq --no-install-recommends \
-      apt-transport-https \
-      ca-certificates \
-      less \
-      nano \
-      openssh-server \
-      tzdata \
-      libatomic1 \
-      vim \
-      wget \
-      lsb-release \
-      perl \
-      language-pack-en \
-    && rm -rf /var/lib/apt/lists/* \
-    && sed 's/session\s*required\s*pam_loginuid.so/session optional pam_loginuid.so/g' -i /etc/pam.d/sshd \
-    # Remove MOTD
-    && rm -rf /etc/update-motd.d /etc/motd /etc/motd.dynamic \
-    && ln -fs /dev/null /run/motd.dynamic
-
-# Copy assets
-COPY RELEASE /
-COPY assets/ /assets/
-RUN set -x \
-    && ARCH=$(uname -m) \
-    && DISTRO="ubuntu/$(lsb_release -c -s)" \
-    && if [ "${ARCH}" = "aarch64" ]; then ARCH="arm64"; elif [ "${ARCH}" = "x86_64" ]; then ARCH="amd64"; fi \
-    # && if [ "${ARCH}" = "arm64" ]; then DISTRO="ubuntu/${DISTRO}"; elif [ "${ARCH}" = "amd64" ]; then DISTRO="ubuntu/${DISTRO}"; fi \
-    && ARCH=${ARCH} DISTRO=${DISTRO} /assets/setup
-
-# Allow to access embedded tools
-ENV PATH /opt/gitlab/embedded/bin:/opt/gitlab/bin:/assets:$PATH
-# Resolve error: TERM environment variable not set.
-ENV TERM xterm
-# Expose web & ssh
-EXPOSE 443 80 22
-# Define data volumes
-VOLUME ["/etc/gitlab", "/var/opt/gitlab", "/var/log/gitlab"]
-# Wrapper to handle signal, trigger runit and reconfigure GitLab
-CMD ["/assets/wrapper"]
-HEALTHCHECK --interval=60s --timeout=30s --retries=5 \
-CMD /opt/gitlab/bin/gitlab-healthcheck --fail --max-time 10
-
diff --git a/images/gitlab/README.md b/images/gitlab/README.md
deleted file mode 100644
index 3a611a806075f0f35aae66c9295fea933385fb53..0000000000000000000000000000000000000000
--- a/images/gitlab/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# gitlab-arm
-This Project is something of a fork of https://github.com/ulm0/gitlab
-
diff --git a/images/gitlab/RELEASE b/images/gitlab/RELEASE
deleted file mode 100644
index 11ab35c4782e898131a26e2d355f1f17552f6d39..0000000000000000000000000000000000000000
--- a/images/gitlab/RELEASE
+++ /dev/null
@@ -1,4 +0,0 @@
-PACKAGECLOUD_REPO=stable
-RELEASE_PACKAGE=gitlab-ce
-RELEASE_VERSION=15.6.0-ce.0
-DOWNLOAD_URL=https://packages.gitlab.com/gitlab/gitlab-ce/packages/${DISTRO}/gitlab-ce_${RELEASE_VERSION}_${ARCH}.deb/download.deb
diff --git a/images/gitlab/assets/gitlab.rb b/images/gitlab/assets/gitlab.rb
deleted file mode 100644
index 01824093ce3440641a5740234efdc60e3ba9454d..0000000000000000000000000000000000000000
--- a/images/gitlab/assets/gitlab.rb
+++ /dev/null
@@ -1,47 +0,0 @@
-# Docker options for ARM Image
-
-# Set the internal API URL
-# fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/29870
-gitlab_rails['internal_api_url'] = 'http://localhost:8080/'
-
-## Prevent Postgres from trying to allocate 25% of total memory
-postgresql['shared_buffers'] = '1MB'
-postgresql['autovacuum_max_workers'] = "2"
-
-# Disable Prometheus node_exporter inside Docker.
-node_exporter['enable'] = false
-
-## To completely disable prometheus, and all of it's exporters, set to false
-prometheus_monitoring['enable'] = false
-
-## Set Unicorn timeout and lower processes (2 is the lowest allowed at this moment)
-puma['max_threads'] = 2
-puma['min_threads'] = 1
-puma['worker_processes'] = 2
-puma['worker_timeout'] = 60
-
-## Set Sidekiq timeout and lower its concurrency to the lowest allowed
-sidekiq['shutdown_timeout'] = 4
-sidekiq['concurrency'] = 5
-
-# Manage accounts with docker
-# manage_accounts['enable'] = false
-
-# Nginx settings
-nginx['worker_processes'] = 2
-nginx['worker_connections'] = 2048
-
-# Get hostname from shell
-host = `hostname`.strip
-external_url "http://#{host}"
-
-# Explicitly disable init detection since we are running on a container
-package['detect_init'] = false
-
-# Load custom config from environment variable: GITLAB_OMNIBUS_CONFIG
-# Disabling the cop since rubocop considers using eval to be security risk but
-# we don't have an easy way out, atleast yet.
-eval ENV["GITLAB_OMNIBUS_CONFIG"].to_s # rubocop:disable Security/Eval
-
-# Load configuration stored in /etc/gitlab/gitlab.rb
-from_file("/etc/gitlab/gitlab.rb")
diff --git a/images/gitlab/assets/setup b/images/gitlab/assets/setup
deleted file mode 100755
index 9fb18c44bae92b1e5a9a64947dd53d9bcad484b4..0000000000000000000000000000000000000000
--- a/images/gitlab/assets/setup
+++ /dev/null
@@ -1,57 +0,0 @@
-#!/bin/bash
-
-set -e
-
-source /etc/lsb-release
-source /RELEASE
-
-# Install GitLab
-#DOWNLOAD_URL=${DOWNLOAD_URL} RELEASE_VERSION=${RELEASE_VERSION} /assets/download-package
-echo "${DOWNLOAD_URL}"
-DOWNLOAD_URL=${DOWNLOAD_URL} RELEASE_VERSION=${RELEASE_VERSION}
-wget -q "${DOWNLOAD_URL}" -O /tmp/gitlab.deb
-dpkg -i /tmp/gitlab.deb
-rm -f /tmp/gitlab.deb
-rm -rf /var/lib/apt/lists/*
-
-unset DOWNLOAD_URL
-
-# Create sshd daemon
-mkdir -p /opt/gitlab/sv/sshd/supervise /opt/gitlab/sv/sshd/log/supervise
-mkfifo /opt/gitlab/sv/sshd/supervise/ok /opt/gitlab/sv/sshd/log/supervise/ok
-printf "#!/bin/sh\nexec 2>&1\numask 077\nexec /usr/sbin/sshd -D -f /assets/sshd_config -e" > /opt/gitlab/sv/sshd/run
-printf "#!/bin/sh\nexec svlogd -tt /var/log/gitlab/sshd" > /opt/gitlab/sv/sshd/log/run
-chmod a+x /opt/gitlab/sv/sshd/run /opt/gitlab/sv/sshd/log/run
-
-# Remove current gitlab.rb file
-rm -f /etc/gitlab/gitlab.rb
-
-# Patch omnibus package
-sed -i "s/external_url 'GENERATED_EXTERNAL_URL'/# external_url 'GENERATED_EXTERNAL_URL'/" /opt/gitlab/etc/gitlab.rb.template
-sed -i "s/\/etc\/gitlab\/gitlab.rb/\/assets\/gitlab.rb/" /opt/gitlab/embedded/cookbooks/gitlab/recipes/show_config.rb
-sed -i "s/\/etc\/gitlab\/gitlab.rb/\/assets\/gitlab.rb/" /opt/gitlab/embedded/cookbooks/gitlab/recipes/config.rb
-
-# Set install type to docker
-echo 'gitlab-docker' > /opt/gitlab/embedded/service/gitlab-rails/INSTALLATION_TYPE
-
-# Create groups
-groupadd -g 998 git
-groupadd -g 999 gitlab-www
-groupadd -g 997 gitlab-redis
-groupadd -g 996 gitlab-psql
-
-groupadd -g 994 mattermost
-groupadd -g 993 registry
-groupadd -g 992 gitlab-prometheus
-groupadd -g 991 gitlab-consul
-
-# Create accounts
-useradd -m -u 998 -g git -m -s /bin/sh -d /var/opt/gitlab git
-useradd -m -u 999 -g gitlab-www -m -s /bin/false -d /var/opt/gitlab/nginx gitlab-www
-useradd -m -u 997 -g gitlab-redis -m -s /bin/false -d /var/opt/gitlab/redis gitlab-redis
-useradd -m -u 996 -g gitlab-psql -m -s /bin/sh -d /var/opt/gitlab/postgresql gitlab-psql
-useradd -m -u 994 -g mattermost -m -s /bin/sh -d /var/opt/gitlab/mattermost mattermost
-useradd -m -u 993 -g registry -m -s /bin/sh -d /var/opt/gitlab/registry registry
-useradd -m -u 992 -g gitlab-prometheus -m -s /bin/sh -d /var/opt/gitlab/prometheus gitlab-prometheus
-useradd -m -u 991 -g gitlab-consul -m -s /bin/sh -d /var/opt/gitlab/consul gitlab-consul
-
diff --git a/images/gitlab/assets/sshd_config b/images/gitlab/assets/sshd_config
deleted file mode 100755
index 657a67f083b769b9584e1b3e977ab2ac986cf826..0000000000000000000000000000000000000000
--- a/images/gitlab/assets/sshd_config
+++ /dev/null
@@ -1,26 +0,0 @@
-Port 22
-ChallengeResponseAuthentication no
-HostKey /etc/gitlab/ssh_host_rsa_key
-HostKey /etc/gitlab/ssh_host_ecdsa_key
-HostKey /etc/gitlab/ssh_host_ed25519_key
-Protocol 2
-PermitRootLogin no
-PasswordAuthentication no
-MaxStartups 100:30:200
-AllowUsers git
-PrintMotd no
-PrintLastLog no
-PubkeyAuthentication yes
-AuthorizedKeysFile %h/.ssh/authorized_keys /gitlab-data/ssh/authorized_keys
-AuthorizedKeysCommand /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-authorized-keys-check git %u %k
-AuthorizedKeysCommandUser git
-
-# Fix: User username not allowed because account is locked
-# With "UsePAM yes" the "!" is seen as a password disabled account and not fully locked so ssh public key login works
-UsePAM yes
-
-# Disabling use DNS in ssh since it tends to slow connecting
-UseDNS no
-
-# Enable the use of Git protcol v2
-AcceptEnv GIT_PROTOCOL
diff --git a/images/gitlab/assets/update-permissions b/images/gitlab/assets/update-permissions
deleted file mode 100755
index eed06f410e1cc6ecbed14148f022c7dba3caabe2..0000000000000000000000000000000000000000
--- a/images/gitlab/assets/update-permissions
+++ /dev/null
@@ -1,97 +0,0 @@
-#!/bin/bash
-
-set -x
-
-# chown_if_exists
-# input: matches `chown` command, see `man chown`
-# Simply, this checks that the file you're trying to chown actually exists
-# before making the chown call. DRY'ing the rest of this script's checks.
-chown_if_exists()
-{
-	# the last argument of chown is the file or path
-	path="${@:${#@}}"
-	if [ -e "$path" ]; then
-		chown $@
-	else
-		echo "skipping, path does not exist: $path"
-	fi
-}
-
-chmod_if_exists()
-{
-	# the last argument of chown is the file or path
-	path="${@:${#@}}"
-	if [ -e "$path" ]; then
-		chmod $@
-	else
-		echo "skipping, path does not exist: $path"
-	fi
-}
-
-# Fix GitLab permissions
-if id -u git; then
-	# Fix data storage
-	chown_if_exists -R git:git /var/opt/gitlab/.ssh
-	chown_if_exists -R git:git /var/opt/gitlab/.gitconfig
-	chown_if_exists -R git:git /var/opt/gitlab/git-data
-	chmod_if_exists 2770 /var/opt/gitlab/git-data/repositories
-	chown_if_exists -R git:git /var/opt/gitlab/gitlab-ci/builds
-	chown_if_exists -R git:git /var/opt/gitlab/gitlab-rails
-	chown_if_exists -R git:git /var/opt/gitlab/gitlab-shell
-	if id -g gitlab-www; then
-		chown_if_exists -R git:gitlab-www /var/opt/gitlab/gitlab-workhorse
-	fi
-
-	# Fix log storage
-	chown_if_exists git /var/log/gitlab/gitlab-workhorse
-	chown_if_exists git /var/log/gitlab/gitlab-rails
-	chown_if_exists git /var/log/gitlab/gitlab-shell
-	chown_if_exists git /var/log/gitlab/sidekiq
-	chown_if_exists git /var/log/gitlab/puma
-	chown_if_exists git /var/log/gitlab/unicorn
-
-	# Update log files
-	chown_if_exists -R git:git /var/log/gitlab/gitlab-rails/*.log
-	chown_if_exists -R git:git /var/log/gitlab/gitlab-shell/*.log
-	chown_if_exists -R git:git /var/log/gitlab/puma/*.log
-	chown_if_exists -R git:git /var/log/gitlab/unicorn/*.log
-fi
-
-# Fix nginx buffering directory permission
-if id -u gitlab-www; then
-	chown_if_exists -R gitlab-www:gitlab-www /var/opt/gitlab/nginx/*_temp
-	chown_if_exists -R gitlab-www:gitlab-www /var/opt/gitlab/nginx/*_cache
-fi
-
-# Fix database storage and logs
-if id -u gitlab-psql; then
-	chown_if_exists -R gitlab-psql:gitlab-psql /var/opt/gitlab/postgresql
-	chown_if_exists gitlab-psql /var/log/gitlab/postgresql
-fi
-
-# Fix prometheus storage and logs
-if id -u gitlab-prometheus; then
-	chown_if_exists -R gitlab-prometheus:gitlab-prometheus /var/opt/gitlab/prometheus
-	chown_if_exists gitlab-prometheus /var/log/gitlab/prometheus
-	chown_if_exists -R gitlab-prometheus:gitlab-prometheus /var/opt/gitlab/alertmanager
-	chown_if_exists gitlab-prometheus /var/log/gitlab/alertmanager
-fi
-
-# Fix redis storage and logs
-if id -u gitlab-redis; then
-	chown_if_exists -R gitlab-redis:gitlab-redis /var/opt/gitlab/redis
-	if id -g git ; then
-		chown_if_exists gitlab-redis:git /var/opt/gitlab/redis
-	fi
-	chown_if_exists gitlab-redis /var/log/gitlab/redis
-fi
-
-# Fix registry storage
-if id -u registry; then
-    chown_if_exists -R registry:git /var/opt/gitlab/gitlab-rails/shared/registry
-fi
-
-# Fix mattermost storage
-if id -u mattermost; then
-    chown_if_exists -R mattermost /var/opt/gitlab/mattermost
-fi
diff --git a/images/gitlab/assets/wrapper b/images/gitlab/assets/wrapper
deleted file mode 100755
index b1b02691359b195e6590aa2dcf255e1fc900162a..0000000000000000000000000000000000000000
--- a/images/gitlab/assets/wrapper
+++ /dev/null
@@ -1,145 +0,0 @@
-#!/bin/bash
-
-set -e
-
-function sigterm_handler() {
-    echo "SIGTERM signal received, try to gracefully shutdown all services..."
-    gitlab-ctl stop
-}
-
-function failed_pg_upgrade() {
-    echo 'Upgrading the existing database failed and was reverted.'
-    echo 'Please check the output, and open an issue at:'
-    echo 'https://gitlab.com/gitlab-org/omnibus-gitlab/issues'
-    echo 'If you would like to restart the instance without attempting to'
-    echo 'upgrade, add the following to your docker command:'
-    echo '-e GITLAB_SKIP_PG_UPGRADE=true'
-    exit 1
-}
-
-function clean_stale_pids() {
-    # cleanup known pid/socket files
-    for x in /opt/gitlab/sv /run $(ls -d /tmp/gitaly-ruby* 2>/dev/null) ; do
-        # find
-        #  - any (s)ocket or regular (f)ile
-        #  - by the name of "*.pid" or "socket.?"
-        #  - and delete them
-        find $x \
-            \( \
-              -type f \
-              -o -type s \
-            \) \(\
-              -name pid \
-              -o -name "*.pid" \
-              -o -name "socket.?" \
-            \) \
-            -delete ;
-    done
-}
-
-function detect_unclean_start() {
-    set +e
-    echo "Cleaning stale PIDs & sockets"
-    clean_stale_pids
-    set -e
-}
-
-trap "sigterm_handler; exit" TERM
-
-source /RELEASE
-echo "Thank you for using GitLab Docker Image!"
-echo "Current version: $RELEASE_PACKAGE=$RELEASE_VERSION"
-echo ""
-if [[ "$PACKAGECLOUD_REPO" == "unstable" ]]; then
-	echo "You are using UNSTABLE version of $RELEASE_PACKAGE!"
-	echo ""
-fi
-echo "Configure GitLab for your system by editing /etc/gitlab/gitlab.rb file"
-echo "And restart this container to reload settings."
-echo "To do it use docker exec:"
-echo
-echo "  docker exec -it gitlab vim /etc/gitlab/gitlab.rb"
-echo "  docker restart gitlab"
-echo
-echo "For a comprehensive list of configuration options please see the Omnibus GitLab readme"
-echo "https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md"
-echo
-echo "If this container fails to start due to permission problems try to fix it by executing:"
-echo
-echo "  docker exec -it gitlab update-permissions"
-echo "  docker restart gitlab"
-echo
-sleep 3s
-
-# Run unclean start detection & cleanup
-detect_unclean_start
-
-# Check if this is a valid upgrade path
-# If the VERSION file doesn't exist, then this is not an upgrade
-if old_version=$(cat /var/opt/gitlab/gitlab-rails/VERSION)
-then
-    new_version=$(awk '/^gitlab-(c|e)e/ {print $NF}' /opt/gitlab/version-manifest.txt)
-    gitlab-ctl upgrade-check "${old_version}" "${new_version}"
-fi
-
-# Copy gitlab.rb for the first time
-if [[ ! -e /etc/gitlab/gitlab.rb ]]; then
-	echo "Installing gitlab.rb config..."
-	cp /opt/gitlab/etc/gitlab.rb.template /etc/gitlab/gitlab.rb
-	chmod 0600 /etc/gitlab/gitlab.rb
-fi
-
-# Generate ssh host key for the first time
-if [[ ! -f /etc/gitlab/ssh_host_rsa_key ]]; then
-	echo "Generating ssh_host_rsa_key..."
-	ssh-keygen -f /etc/gitlab/ssh_host_rsa_key -N '' -t rsa
-	chmod 0600 /etc/gitlab/ssh_host_rsa_key
-fi
-if [[ ! -f /etc/gitlab/ssh_host_ecdsa_key ]]; then
-	echo "Generating ssh_host_ecdsa_key..."
-	ssh-keygen -f /etc/gitlab/ssh_host_ecdsa_key -N '' -t ecdsa
-	chmod 0600 /etc/gitlab/ssh_host_ecdsa_key
-fi
-if [[ ! -f /etc/gitlab/ssh_host_ed25519_key ]]; then
-	echo "Generating ssh_host_ed25519_key..."
-	ssh-keygen -f /etc/gitlab/ssh_host_ed25519_key -N '' -t ed25519
-	chmod 0600 /etc/gitlab/ssh_host_ed25519_key
-fi
-
-# Remove all services, the reconfigure will create them
-echo "Preparing services..."
-rm -f /opt/gitlab/service/*
-ln -s /opt/gitlab/sv/sshd /opt/gitlab/service
-ln -sf /opt/gitlab/embedded/bin/sv /opt/gitlab/init/sshd
-mkdir -p /var/run/sshd
-mkdir -p /var/log/gitlab/sshd
-mkdir -p /var/log/gitlab/reconfigure
-
-# Start service manager
-echo "Starting services..."
-GITLAB_OMNIBUS_CONFIG= /opt/gitlab/embedded/bin/runsvdir-start &
-
-echo "Configuring GitLab..."
-gitlab-ctl reconfigure
-
-# This must be false when the opt-in PostgreSQL version is the default for pg-upgrade,
-# otherwise it must be true.
-ATTEMPT_AUTO_PG_UPGRADE='true'
-
-# Make sure PostgreSQL is at the latest version.
-# If it fails, print a message with a workaround and exit
-if [ "${GITLAB_SKIP_PG_UPGRADE}" != 'true' -a "${ATTEMPT_AUTO_PG_UPGRADE}" != 'false' ]; then
-    gitlab-ctl pg-upgrade -w --skip-disk-check || failed_pg_upgrade
-fi
-
-if [ -n "${GITLAB_POST_RECONFIGURE_SCRIPT+x}" ]; then
-  echo "Running Post Reconfigure Script..."
-  eval "${GITLAB_POST_RECONFIGURE_SCRIPT}"
-fi
-
-# Tail all logs
-gitlab-ctl tail &
-
-# Wait for SIGTERM
-wait
-
diff --git a/images/my_bot/Dockerfile b/images/my_bot/Dockerfile
deleted file mode 100644
index b5556c9ecd2628df2474f449bb9d7893816f4398..0000000000000000000000000000000000000000
--- a/images/my_bot/Dockerfile
+++ /dev/null
@@ -1,13 +0,0 @@
-ARG PYTHON=python:3.9
-FROM ${PYTHON} AS python
-COPY scripts/ /scripts/
-WORKDIR /scripts
-
-RUN set -eux; \
-    apt-get update -q \
-    && DEBIAN_FRONTEND=noninteractive apt-get install -yq --no-install-recommends \
-      apt-utils libolm-dev
-
-RUN python3 -m pip install --upgrade pip
-RUN pip3 install -r requirements.txt
-CMD ["python3", "./main.py"]
diff --git a/images/my_bot/scripts/.gitignore b/images/my_bot/scripts/.gitignore
deleted file mode 100644
index 11614af2870733183efe883810764d8708bddf8f..0000000000000000000000000000000000000000
--- a/images/my_bot/scripts/.gitignore
+++ /dev/null
@@ -1,115 +0,0 @@
-# Byte-compiled / optimized / DLL files
-__pycache__/
-*.py[cod]
-*$py.class
-
-# C extensions
-*.so
-
-# Distribution / packaging
-.Python
-build/
-develop-eggs/
-dist/
-downloads/
-eggs/
-.eggs/
-lib/
-lib64/
-parts/
-sdist/
-var/
-wheels/
-share/python-wheels/
-*.egg-info/
-.installed.cfg
-*.egg
-MANIFEST
-
-# PyInstaller
-#  Usually these files are written by a python script from a template
-#  before PyInstaller builds the exe, so as to inject date/other infos into it.
-*.manifest
-*.spec
-
-# Installer logs
-pip-log.txt
-pip-delete-this-directory.txt
-
-# Unit test / coverage reports
-htmlcov/
-.tox/
-.nox/
-.coverage
-.coverage.*
-.cache
-nosetests.xml
-coverage.xml
-*.cover
-.hypothesis/
-.pytest_cache/
-
-# Translations
-*.mo
-*.pot
-
-# Django stuff:
-*.log
-local_settings.py
-db.sqlite3
-
-# Flask stuff:
-instance/
-.webassets-cache
-
-# Scrapy stuff:
-.scrapy
-
-# Sphinx documentation
-docs/_build/
-
-# PyBuilder
-target/
-
-# Jupyter Notebook
-.ipynb_checkpoints
-
-# IPython
-profile_default/
-ipython_config.py
-
-# pyenv
-.python-version
-
-# celery beat schedule file
-celerybeat-schedule
-
-# SageMath parsed files
-*.sage.py
-
-# Environments
-.env
-.venv
-env/
-venv/
-ENV/
-env.bak/
-venv.bak/
-
-# Spyder project settings
-.spyderproject
-.spyproject
-
-# Rope project settings
-.ropeproject
-
-# mkdocs documentation
-/site
-
-# mypy
-.mypy_cache/
-.dmypy.json
-dmypy.json
-
-# Pyre type checker
-.pyre/
diff --git a/images/my_bot/scripts/.vscode/launch.json b/images/my_bot/scripts/.vscode/launch.json
deleted file mode 100644
index 1a5813c02f2b330f939d1a826ecedbd69cdb51dd..0000000000000000000000000000000000000000
--- a/images/my_bot/scripts/.vscode/launch.json
+++ /dev/null
@@ -1,29 +0,0 @@
-{
-    // Use IntelliSense to learn about possible attributes.
-    // Hover to view descriptions of existing attributes.
-    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
-    "version": "0.2.0",
-    "configurations": [
-        {
-            "name": "Python: Current File",
-            "type": "python",
-            "request": "launch",
-            "program": "main.py",
-            "console": "integratedTerminal",
-            "justMyCode": true,
-            "env": {
-                "BASE_DIR": ".",
-                "NEXT_BATCH_PATH": "./next_batch.txt",
-                "STORE_PATH": "./store",
-                "TIMERS_PATH": "./timers.json",
-                "TASKS_PATH": "./tasks.json",
-                "BASE_URL": "matrix.420joos.dev",
-                "ROOM_ID": "!vIyCoGLKXcSWJZMEAN",
-                "USERNAME": "mybot",
-                "PASSWORD": "_fsuxGgSCwmd-STlrzTf33NvatKVV8CU",
-                "TASKGROUPS_PATH": "./taskgroups.json",
-                "LOG_PATH": "./log.txt"
-            }
-        }
-    ]
-}
\ No newline at end of file
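Review bot: The `PASSWORD` entry in the `env` block of this deleted `launch.json` stays readable in the repository history and in every existing clone, fork, and CI cache, because deleting the file only removes it from the working tree. If it is (or ever was) a real credential for the `mybot` account on the host given in `BASE_URL`, it should be treated as exposed and rotated there; the bot's active sessions and access tokens should be invalidated as well. Rewriting history is at best a secondary clean-up and does not replace rotation. If a debug configuration is reintroduced, keep the values out of the tracked file, for example with `"envFile": "${workspaceFolder}/.env"` pointing at an untracked file, and consider adding a secret-scanning check to the pipeline so inline credentials are caught before they are committed.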
diff --git a/images/my_bot/scripts/Task.py b/images/my_bot/scripts/Task.py
deleted file mode 100644
index 66f1daf667428f8beeeeaead9d07cc6bc1790753..0000000000000000000000000000000000000000
--- a/images/my_bot/scripts/Task.py
+++ /dev/null
@@ -1,301 +0,0 @@
-import Task
-from Timer import Timer
-import threading
-import os
-import json
-import uuid
-from matrix_wrapper import send_message
-
-# Tasks, Taskgroups, subgroups, each Task has Timer
-
-class Task():
-    ID_JSON_ID = "id"
-    NAME_JSON_ID = "name"
-    TIMERS_JSON_ID = "timers"
-    SUBTASKS_JSON_ID = "subtasks"
-    STATE_JSON_ID = "state"
-
-    STATE_TICKED = "ticked"
-    STATE_UNTICKED = "unticked"
-
-    ERROR_CODE_OK = 0
-    ERROR_CODE_ALREADY_PART_OF = 1
-
-    _id: str = None
-    _name: str = None
-    _timers: list[Timer]
-    _state: str = None
-    _backup: bool = None
-    _subtasks: list[Task] = None
-    _shared_timer_callbacks: list = None
-    _successful_timer_callbacks: list = None
-    _cancel_timer_callbacks: list = None
-    _removal_callbacks: list = None
-
-    tasks_lock: threading.Lock = threading.Lock()
-    tasks: list[Task] = []
-
-    _tasks_backup_file_lock: threading.Lock = threading.Lock()
-    _backup_path: str = os.environ["TASKS_PATH"]
-
-    def __init__(self, name: str, id: str=None, backup: bool=True) -> None:
-        self._name = name
-        self._backup = backup
-        self._state = Task.STATE_UNTICKED
-
-        self._subtasks = []
-        self._timers = []
-        self._shared_timer_callbacks = []
-        self._successful_timer_callbacks = []
-        self._cancel_timer_callbacks = []
-        self._removal_callbacks = []
-
-
-        self._shared_timer_callbacks.append(self.timer_expired_cancelled)
-        self._successful_timer_callbacks.append(self.default_timer_callback)        
-
-        self._id = id if id is not None else str(uuid.uuid4())
-        self._redump()
-
-        with Task.tasks_lock:
-            Task.tasks.append(self)
-
-    def add_timer(self, duration: float, text: str=None, id: str=None):
-        timer = Timer(duration, text, id=id, backup=False, cancel_callbacks=self.get_cancel_timer_callbacks(), successfull_callbacks=self.get_succ_timer_callbacks())
-        timer.start()
-
-        self._timers.append(timer)
-        self._redump()
-
-        return timer
-
-    def link_timer(self, timer: Timer) -> int:
-        if timer in self._timers:
-            return Task.ERROR_CODE_ALREADY_PART_OF
-
-        timer._backup = False
-        timer._remove_backup()
-
-        timer.add_callbacks(successful_callbacks=self.get_succ_timer_callbacks(), cancel_callbacks=self.get_cancel_timer_callbacks())
-
-        self._timers.append(timer)
-
-        self._redump()
-        return Task.ERROR_CODE_OK
-
-    def add_subtask(self, name: str, id: str=None):
-        subtask = Task(name, id, self._backup)
-        subtask.add_removal_callback(self.subtask_removed)
-        
-        self._subtasks.append(subtask)
-        self._redump()
-
-        return subtask
-
-    def link_subtask(self, task: Task) -> int:
-        if task in self.get_subtasks():
-            return Task.ERROR_CODE_ALREADY_PART_OF
-        task._backup = self._backup
-        task.add_removal_callback(self.subtask_removed)
-        task._redump()
-
-        self._subtasks.append(task)
-        self._redump()
-        return Task.ERROR_CODE_OK
-
-    def unlink_subtask(self, task: Task):
-        if task in self._subtasks:
-            task.remove_removal_callback(self.subtask_removed)
-            self._subtasks.remove(task)
-            self._redump()
-
-
-    def tick(self):
-        self._state = Task.STATE_TICKED
-        for timer in self._timers:
-            timer.cancel()
-        
-        for subtask in self.get_subtasks():
-            subtask.tick()
-            subtask._redump()
-
-        self._redump()
-
-    def untick(self):
-        self._state = Task.STATE_UNTICKED
-        self._redump()
-
-    def get_subtasks(self):
-        return self._subtasks
-
-    def get_timers(self):
-        return self._timers
-
-    def get_state(self):
-        return self._state
-
-    def get_subtasks_deep(self):
-        subtasks = []
-        for subtask in self.get_subtasks():
-            subtasks.append(subtask.get_subtasks_deep())
-
-        return {self: subtasks}
-
-    def get_subtask(self, id: str):
-        for subtask in self.get_subtasks():
-            if subtask.get_id() == id:
-                return subtask
-
-    def _checked_dump(self):
-        if self._backup:
-            self._dump()
-
-    def _dump(self):
-        dump_str = Task.get_dump_str(self.get_dump())
-        with Task._tasks_backup_file_lock:
-            with open(Task._backup_path, "a+") as f:
-                f.write(dump_str)
-
-    def get_dump(self):
-        return {Task.ID_JSON_ID: str(self.get_id()),
-        Task.NAME_JSON_ID: self.get_name(),
-        Task.STATE_JSON_ID: self.get_state(),
-        Task.TIMERS_JSON_ID: [timer.get_dump() for timer in self._timers],
-        Task.SUBTASKS_JSON_ID: [subtask.get_id() for subtask in self.get_subtasks()]}
-
-    def get_id(self):
-        return self._id
-
-    def get_name(self):
-        return self._name
-
-    def add_removal_callback(self, callback):
-        self._removal_callbacks.append(callback)
-
-    def remove_removal_callback(self, callback):
-        if callback in self._removal_callbacks:
-            self._removal_callbacks.remove(callback)
-
-    def subtask_removed(self, subtask: Task):
-        if subtask in self._subtasks:
-            self._subtasks.remove(subtask)
-            self._redump()
-
-    async def timer_expired_cancelled(self, timer: Timer):
-        self._timers.remove(timer)
-        self._redump()
-    
-    async def default_timer_callback(self, timer: Timer):
-        await send_message("task {} elapsed".format(self.get_name()))
-
-    def _remove_backup(self):
-        if not os.path.exists(Task._backup_path):
-            return
-
-        with Task._tasks_backup_file_lock:
-            tasks = []
-            with open(Task._backup_path, "r") as f:
-                for line in f:
-                    task = json.loads(line)
-                    if task.get(Task.ID_JSON_ID) != self._id:
-                        tasks.append(task)
-
-            with open(Task._backup_path, "w") as f:
-                for task in tasks:
-                    f.write(Task.get_dump_str(task))
-
-
-    def remove(self):
-        subtasks = self.get_subtasks()
-        while subtasks:
-            subtask = subtasks[0]
-            subtask.remove()
-
-        self._remove_backup()
-
-        with Task.tasks_lock:
-            Task.tasks.remove(self)
-        
-        for callback in self._removal_callbacks:
-            callback(self)
-
-    def _redump(self):
-        if self._backup:
-            self._remove_backup()
-            self._checked_dump()
-
-    def get_succ_timer_callbacks(self):
-        return self._shared_timer_callbacks + self._successful_timer_callbacks
-
-    def get_cancel_timer_callbacks(self):
-        return self._shared_timer_callbacks + self._cancel_timer_callbacks
-
-    @staticmethod
-    def get_dump_str(obj: dict):
-        return json.dumps(obj) + "\n"
-
-    @staticmethod
-    async def check_and_create_task(task_obj: dict, backup=True):
-        task = await Task._lazy_load_task(task_obj.get(Task.ID_JSON_ID)) ## needed because subtasks are loosely linked in backup (via id)
-        task._name = task_obj.get(Task.NAME_JSON_ID)
-        task._state = task_obj.get(Task.STATE_JSON_ID)
-        task._backup = backup
-
-        timers = task_obj.get(Task.TIMERS_JSON_ID)
-        for timer in timers:
-            created_timer = await Timer.check_and_create_timer(timer, backup=False, successfull_callbacks=task.get_succ_timer_callbacks(), cancel_callbacks=task.get_cancel_timer_callbacks())
-            if created_timer is not None:
-                created_timer.start()
-                task.link_timer(created_timer)
-
-        subtask_ids = task_obj.get(Task.SUBTASKS_JSON_ID)
-        for subtask_id in subtask_ids:
-            task.link_subtask(await Task._lazy_load_task(subtask_id))
-
-        task._redump()
-
-        return task
-
-    @staticmethod
-    async def _lazy_load_task(task_id: str):
-        task = Task.get_from_id(task_id)
-        if task is None:
-            task = Task(None, task_id, False)
-        
-        return task
-
-    @staticmethod
-    async def restartExisting():
-        if not os.path.exists(Task._backup_path):
-            return
-
-        tasks = []
-        with Task._tasks_backup_file_lock:
-            with open(Task._backup_path, "r") as f:
-                for line in f:
-                    tasks.append(json.loads(line))
-
-            with open(Task._backup_path, "r+") as f:
-                f.truncate(0)
-
-        for task in tasks:
-            await Task.check_and_create_task(task)
-
-    @staticmethod
-    def get_from_id(task_id: str):
-        with Task.tasks_lock:
-            for task in Task.tasks:
-                if task.get_id() == task_id:
-                    return task
-
-        return None
-
-    @staticmethod
-    def dump_all():
-        with Task.tasks_lock:
-            for task in Task.tasks:
-                task._redump()
-
-    @staticmethod
-    def task_state_to_html(state: str):
-        return "[x]" if state == Task.STATE_TICKED else "[ ]"
diff --git a/images/my_bot/scripts/TaskGroup.py b/images/my_bot/scripts/TaskGroup.py
deleted file mode 100644
index 9534d62750cbeefc18b6c86632aa8e01c061671e..0000000000000000000000000000000000000000
--- a/images/my_bot/scripts/TaskGroup.py
+++ /dev/null
@@ -1,246 +0,0 @@
-import TaskGroup
-import threading
-import os
-from Task import Task
-import uuid
-import json
-
-class TaskGroup():
-    ID_JSON_ID = "id"
-    NAME_JSON_ID = "name"
-    SUBTASKGROUPS_JSON_ID = "subtaskgroups"
-    TASKS_JSON_ID = "tasks"
-
-    tasksGroups_lock: threading.Lock = threading.Lock()
-    taskGroups: list[TaskGroup] = []
-
-    _tasksGroups_backup_file_lock: threading.Lock = threading.Lock()
-    _backup_path: str = os.environ["TASKGROUPS_PATH"]
-
-    _subTaskGroups: list[TaskGroup] = None
-    _tasks: list[Task] = None
-    _removal_callbacks: list = None
-    _id: str = None
-    _name: str = None
-    _backup: bool = None
-
-    def __init__(self, name: str, id: str=None, backup: bool=True) -> None:
-        self._subTaskGroups = []
-        self._tasks = []
-        self._removal_callbacks = []
-
-        self._name = name
-        self._id = id if id is not None else str(uuid.uuid4())
-        self._backup = backup
-
-        self._redump()
-        TaskGroup._add_taskGroup(self)
-
-    def _redump(self):
-        if self._backup:
-            self._remove_backup()
-            self._checked_dump()
-
-    def _remove_backup(self):
-        if not os.path.exists(TaskGroup._backup_path):
-            return
-
-        with TaskGroup._tasksGroups_backup_file_lock:
-            taskGroups = []
-            with open(TaskGroup._backup_path, "r") as f:
-                for line in f:
-                    taskGroup = json.loads(line)
-                    if taskGroup.get(Task.ID_JSON_ID) != self._id:
-                        taskGroups.append(taskGroup)
-
-            with open(TaskGroup._backup_path, "w") as f:
-                for taskGroup in taskGroups:
-                    f.write(TaskGroup.get_dump_str(taskGroup))
-
-    def _checked_dump(self):
-        if self._backup:
-            self._dump()
-
-    def _dump(self):
-        dump_str = TaskGroup.get_dump_str(self.get_dump())
-        with TaskGroup._tasksGroups_backup_file_lock:
-            with open(TaskGroup._backup_path, "a+") as f:
-                f.write(dump_str)
-
-    def get_dump(self):
-        return {TaskGroup.ID_JSON_ID: self.get_id(),
-        TaskGroup.NAME_JSON_ID: self.get_name(),
-        TaskGroup.SUBTASKGROUPS_JSON_ID: [taskGroup.get_id() for taskGroup in self.get_subTaskGroups()],
-        TaskGroup.TASKS_JSON_ID: [task.get_id() for task in self.get_tasks()]}
-
-    def get_id(self):
-        return self._id
-
-    def get_name(self):
-        return self._name
-
-    def get_subTaskGroups(self):
-        return self._subTaskGroups
-
-    def get_tasks(self):
-        return self._tasks
-
-    def add_subTaskGroup(self, name: str, id: str=None):
-        subTaskGroup = TaskGroup(name, id, self._backup)
-        subTaskGroup.add_removal_callback(self.subTaskGroup_removed)
-        subTaskGroup._redump()
-
-        self._subTaskGroups.append(subTaskGroup)
-        self._redump()
-
-        return subTaskGroup
-
-    def link_subTaskGroup(self, subTaskGroup: TaskGroup):
-        if subTaskGroup in self.get_subTaskGroups():
-            return
-
-        subTaskGroup._backup = self._backup
-        subTaskGroup.add_removal_callback(self.subTaskGroup_removed)
-        subTaskGroup._redump()
-
-        self._subTaskGroups.append(subTaskGroup)
-        self._redump()
-
-    def unlink_subTaskGroup(self, subTaskGroup: TaskGroup):
-        if subTaskGroup in self._subTaskGroups:
-            subTaskGroup.remove_removal_callback(self.subTaskGroup_removed)
-            self._subTaskGroups.remove(subTaskGroup)
-            self._redump()
-
-    def add_task(self, name: str, id: str=None):
-        task = Task(name, id, self._backup)
-        task.add_removal_callback(self.task_removed)
-
-        self._tasks.append(task)
-        self._redump()
-        return task
-
-    def link_task(self, task: Task):
-        if task in self.get_tasks():
-            return
-
-        task._backup = self._backup
-        task.add_removal_callback(self.task_removed)
-        task._redump()
-
-        self._tasks.append(task)
-        self._redump()
-
-    def unlink_task(self, task: Task):
-        if task in self.get_tasks():
-            task.remove_removal_callback(self.task_removed)
-            self._tasks.remove(task)
-            self._redump()
-
-    def add_removal_callback(self, callback):
-        self._removal_callbacks.append(callback)
-
-    def remove_removal_callback(self, callback):
-        if callback in self._removal_callbacks:
-            self._removal_callbacks.remove(callback)
-
-    def subTaskGroup_removed(self, subTaskGroup: TaskGroup):
-        if subTaskGroup in self._subTaskGroups:
-            self._subTaskGroups.remove(subTaskGroup)
-            self._redump()
-
-    def task_removed(self, task: Task):
-        if task in self._tasks:
-            self._tasks.remove(task)
-            self._redump()
-
-    def remove(self):
-        subTaskGroups = self.get_subTaskGroups()
-        while subTaskGroups:
-            subTaskGroups[0].remove()
-
-        tasks = self.get_tasks()
-        while tasks:
-            tasks[0].remove()
-
-        self._remove_backup()
-        TaskGroup._remove_taskGroup(self)
-
-        for callback in self._removal_callbacks:
-            callback(self)
-
-
-    @staticmethod
-    def get_dump_str(obj: dict):
-        return json.dumps(obj) + "\n"        
-
-    @staticmethod
-    def _remove_taskGroup(taskGroup: TaskGroup):
-        with TaskGroup.tasksGroups_lock:
-            if taskGroup in TaskGroup.taskGroups:
-                TaskGroup.taskGroups.remove(taskGroup)
-
-    @staticmethod 
-    def _add_taskGroup(taskGroup: TaskGroup):
-        with TaskGroup.tasksGroups_lock:
-            if not taskGroup in TaskGroup.taskGroups:
-                TaskGroup.taskGroups.append(taskGroup)
-
-    @staticmethod
-    async def check_and_create_taskGroup(taskGroup_obj: dict, backup=True):
-        taskGroup = await TaskGroup._lazy_load_taskGroup(taskGroup_obj.get(TaskGroup.ID_JSON_ID)) ## needed because subTasksGroups are loosely linked in backup (via id) and therefore the subtask object may needed before it's actual creation
-        taskGroup._name = taskGroup_obj.get(TaskGroup.NAME_JSON_ID)
-        taskGroup._backup = backup
-
-        subTaskGroup_ids = taskGroup_obj.get(TaskGroup.SUBTASKGROUPS_JSON_ID)
-        for subTaskGroup_id in subTaskGroup_ids:
-            taskGroup.link_subTaskGroup(await TaskGroup._lazy_load_taskGroup(subTaskGroup_id))
-
-        task_ids = taskGroup_obj.get(TaskGroup.TASKS_JSON_ID)
-        for task_id in task_ids:
-            taskGroup.link_task(await Task._lazy_load_task(task_id)) 
-
-        taskGroup._redump()       
-
-        return taskGroup
-    
-    @staticmethod
-    async def _lazy_load_taskGroup(taskGroup_id: str):
-        taskGroup = TaskGroup.get_from_id(taskGroup_id)
-        if taskGroup is None:
-            taskGroup = TaskGroup(None, taskGroup_id, backup=False)
-        
-        return taskGroup
-
-    # here
-    @staticmethod
-    async def restartExisting():
-        if not os.path.exists(TaskGroup._backup_path):
-            return
-
-        taskGroups = []
-        with TaskGroup._tasksGroups_backup_file_lock:
-            with open(TaskGroup._backup_path, "r") as f:
-                for line in f:
-                    taskGroups.append(json.loads(line))
-
-            with open(TaskGroup._backup_path, "r+") as f:
-                f.truncate(0)
-
-        for taskGroup in taskGroups:
-            await TaskGroup.check_and_create_taskGroup(taskGroup)
-
-    @staticmethod
-    def get_from_id(taskGroup_id: str):
-        with TaskGroup.tasksGroups_lock:
-            for taskGroup in TaskGroup.taskGroups:
-                if taskGroup.get_id() == taskGroup_id:
-                    return taskGroup
-
-        return None
-
-    @staticmethod
-    def dump_all():
-        with TaskGroup.tasksGroups_lock:
-            for taskGroup in TaskGroup.taskGroups:
-                taskGroup._redump()
\ No newline at end of file
diff --git a/images/my_bot/scripts/Timer.py b/images/my_bot/scripts/Timer.py
deleted file mode 100644
index 64bca2e167c1ec9e29443fe123572cdf33a0b3cc..0000000000000000000000000000000000000000
--- a/images/my_bot/scripts/Timer.py
+++ /dev/null
@@ -1,183 +0,0 @@
-import asyncio
-import os
-import threading
-import uuid
-from matrix_wrapper import *
-import json
-from datetime import datetime, timedelta
-import Timer
-
-class Timer:
-    CALLBACK_MESSAGE_JSON_ID = "callback_message"
-    ID_JSON_ID = "id"
-    END_JSON_ID = "end"
-    TIME_JSON_FORMAT = "%d/%m/%Y/%H/%M/%S"
-
-    STATE_CREATED = "created"
-    STATE_RUNNING = "running"
-    STATE_CANCELED = "canceled" # means stopped, a new timer has to be created for "restarting"
-    STATE_FINISHED = "finished"
-
-    timers_lock: threading.Lock = threading.Lock()
-    timers: list[Timer] = []
-
-    _timers_backup_file_lock: threading.Lock = threading.Lock()
-    _backup_path: str = os.environ["TIMERS_PATH"]
-
-    _id: str = None
-    _timer: threading.Timer = None
-    _callback_message: str = None
-    _end_time: datetime = None
-    _started_at: datetime = None
-    _loop: asyncio.AbstractEventLoop = None
-    _state: str = None
-    _backup: bool = None
-    _successfull_callbacks: list = None
-    _cancel_callbacks: list = None
-
-    def __init__(self, duration: float, callback_message: str=None, id: str=None, backup: bool=True, successfull_callbacks: list=[], cancel_callbacks: list=[]) -> None:
-        self._callback_message = callback_message
-        self._backup = backup
-        self._successfull_callbacks = successfull_callbacks
-        self._cancel_callbacks = cancel_callbacks
-        self._timer = threading.Timer(duration, self._callback)
-        self._loop = asyncio.get_event_loop()
-
-        self._id = id if id is not None else str(uuid.uuid4())
-        self._state = Timer.STATE_CREATED
-
-        with Timer.timers_lock:
-            Timer.timers.append(self)
-
-    def _callback(self):
-        if self.get_callback_message() is not None:
-            asyncio.run_coroutine_threadsafe(send_message(self.get_callback_message()), self._loop)
-        self._remove()
-        self._state = Timer.STATE_FINISHED
-
-        for callback in self._successfull_callbacks:
-            asyncio.run_coroutine_threadsafe(callback(self), self._loop)
-
-    def start(self):
-        if self._timer.is_alive(): # already started
-            return
-
-        self._started_at = datetime.now()
-        self._end_time = self._started_at + timedelta(seconds=self._timer.interval)
-        self._timer.start()
-        self._state = Timer.STATE_RUNNING
-
-        if self._backup:
-            self._dump()
-
-    def cancel(self): # after cancel, a new timer has to be created to "restart"
-        self._timer.cancel()
-        self._remove()
-        self._state = Timer.STATE_CANCELED
-
-        for callback in self._cancel_callbacks:
-            callback(self)
-
-    def elapsed(self):
-        return datetime.now() - self._started_at
-
-    def remaining(self):
-        return timedelta(seconds=self._timer.interval - self.elapsed().total_seconds())
-
-    
-    def _remove_backup(self):
-        if not os.path.exists(Timer._backup_path):
-            return
-
-        with Timer._timers_backup_file_lock:
-            timers = []
-            with open(Timer._backup_path, "r") as f:
-                for line in f:
-                    timer = json.loads(line)
-                    if timer.get(Timer.ID_JSON_ID) != self._id:
-                        timers.append(timer)
-
-            with open(Timer._backup_path, "w") as f:
-                for timer in timers:
-                    f.write(Timer.get_dump_str(timer))
-
-    def _remove(self):
-        self._remove_backup
-        with Timer.timers_lock:
-            Timer.timers.remove(self)
-
-    def _dump(self):
-        dump_str = Timer.get_dump_str(self.get_dump())
-        with Timer._timers_backup_file_lock:
-            with open(Timer._backup_path, "a+") as f:
-                f.write(dump_str)
-
-    def get_dump(self):
-        return {Timer.ID_JSON_ID: self.get_id(),
-        Timer.CALLBACK_MESSAGE_JSON_ID: self.get_callback_message(), 
-        Timer.END_JSON_ID: self._end_time.strftime(Timer.TIME_JSON_FORMAT)}
-
-    def get_id(self):
-        return self._id
-
-    def get_callback_message(self):
-        return self._callback_message
-
-    def get_state(self):
-        return self._state
-
-    def add_callbacks(self, successful_callbacks=[], cancel_callbacks=[]):
-        self._successfull_callbacks.extend(successful_callbacks)
-        self._cancel_callbacks.extend(cancel_callbacks)
-
-    @staticmethod
-    async def restartExisting():
-        if not os.path.exists(Timer._backup_path):
-            return
-        timers = []
-        with Timer._timers_backup_file_lock:
-            with open(Timer._backup_path, "r") as f:
-                for line in f:
-                    timers.append(json.loads(line))
-
-        with Timer._timers_backup_file_lock:
-            with open(Timer._backup_path, "r+") as f:
-                f.truncate(0)
-
-        for timer in timers:
-            created_timer = await Timer.check_and_create_timer(timer)
-            if created_timer is not None:
-                created_timer.start()
-
-    @staticmethod 
-    async def check_and_create_timer(timer_obj: dict, backup=True, successfull_callbacks: list=[], cancel_callbacks: list=[]) -> Timer:
-        with Timer.timers_lock:
-            for timer in Timer.timers:
-                if timer.get_id() == timer_obj.get(Timer.ID_JSON_ID):
-                    return timer
-                
-
-        timer_time = datetime.strptime(timer_obj.get(Timer.END_JSON_ID), Timer.TIME_JSON_FORMAT)
-        current_time = datetime.now()
-
-        if current_time >= timer_time:
-            await send_message("timer has expired before it could be restarted: {}".format(timer_obj.get(Timer.CALLBACK_MESSAGE_JSON_ID)))
-        else:
-            remaining_time = timer_time - current_time
-            return Timer(remaining_time.total_seconds(), timer_obj.get(Timer.CALLBACK_MESSAGE_JSON_ID), timer_obj.get(Timer.ID_JSON_ID), backup=backup, successfull_callbacks=successfull_callbacks, cancel_callbacks=cancel_callbacks) # each of them already backed up so you could assume another backup
-
-        return None
-
-    @staticmethod 
-    def get_dump_str(serialized_object: dict) -> str:
-        return json.dumps(serialized_object) + "\n"
-
-    @staticmethod
-    def get_from_id(timer_id: str):
-        with Timer.timers_lock:
-            for task in Timer.timers:
-                if task.get_id() == timer_id:
-                    return task
-
-        return None
-
diff --git a/images/my_bot/scripts/callback/Callback.py b/images/my_bot/scripts/callback/Callback.py
deleted file mode 100644
index 1f43b03f2fbfb6f40bc93b4e1128de1414635866..0000000000000000000000000000000000000000
--- a/images/my_bot/scripts/callback/Callback.py
+++ /dev/null
@@ -1,35 +0,0 @@
-class Callback():
-    NO_PARAM = "no_param"
-    GET_PARAM = "get"
-    CREATE_PARAM = "create"
-    CANCEL_PARAM = "cancel"
-    DELETE_PARAM = "delete"
-    TIMER_PARAM = "timer"
-    LINK_PARAM = "link"
-    UNLINK_PARAM = "unlink"
-    SUBTASK_PARAM = "subtask"
-    TICK_PARAM = "tick"
-    UNTICK_PARAM = "untick"
-    DUMP_PARAM = "dump"
-    TASK_PARAM = "task"
-    SUBTASKGROUP_PARAM = "subgroup"
-    INTERACTIVE_PARAM = "interactive"
-    INTERACTIVE_DISABLE_PARAM = "interactive-disable"
-
-    TEXT_ARG = "--text"
-    DURATION_ARG = "--duration"
-    ID_ARG = "--id"
-    NAME_ARG = "--name"
-    SUBTASKS_ARG = "--subtasks"
-    TASK_ID_ARG = "--task-id"
-    TIMER_ID_ARG = "--timer-id"
-    SUBTASK_ID_ARG = "--subtask-id"
-    SUBGROUPS_ARG = "--subgroups"
-    TASKGROUP_ID_ARG = "--group-id"
-    SUBTASKGROUP_ID_ARG = "--subgroup-id"
-
-    ACTION_NAME = None
-
-    async def run(self, args: dict):
-        pass
-
diff --git a/images/my_bot/scripts/callback/callback_helper.py b/images/my_bot/scripts/callback/callback_helper.py
deleted file mode 100644
index b1949dee349848592b617f6d259338314f9a20a1..0000000000000000000000000000000000000000
--- a/images/my_bot/scripts/callback/callback_helper.py
+++ /dev/null
@@ -1,96 +0,0 @@
-import matrix_wrapper
-from callback.Callback import Callback
-from typing import Callable, Optional
-import shlex
-from callback.Callback import Callback
-import traceback
-
-_callbacks: dict = {}
-_interactive_callback: Callback = None
-_interactive: bool = False
-
-    
-async def get_single_param(args: dict, arg_name: str, pre_command: str, cast_class=str, required=True) -> str:
-    arg_params = await get_multi_params(args, arg_name, pre_command, required)
-
-    if arg_params is None:
-        return None
-    elif len(arg_params) != 1:
-        await matrix_wrapper.send_html("<code>{}</code> needs arg <code>{}</code> exactly once".format(pre_command, arg_name))
-        return None
-
-    arg_param = arg_params.pop(0)
-
-    try:
-        return cast_class(arg_param)
-    except (ValueError, TypeError):
-        await matrix_wrapper.send_html("<code{} {}<code> needs floating point number as param".format(pre_command, arg_name))
-
-async def get_multi_params(args: dict, arg_name: str, pre_command: str, required=True) -> list[str]:
-    arg_params: list[str] = args.get(arg_name)
-
-    if arg_params is None and required:
-        await matrix_wrapper.send_html("<code>{}</code> needs arg <code>{}</code>".format(pre_command, arg_name))
-    
-    return arg_params
-
-def parse_args(args: list[str]):
-    parsed_args = {}
-
-    if not args:
-        return parsed_args
-
-    current_arg = Callback.NO_PARAM
-    parsed_args.update({current_arg: []})
-    while args:
-        value = args.pop(0)
-        if value.startswith("-"):
-            current_arg = value
-            parsed_args.update({current_arg: []})
-        else:
-            elements = parsed_args.get(current_arg)
-            if elements is None:
-                elements = []
-            elements.append(value)
-            parsed_args.update({current_arg: elements})
-
-    return parsed_args
-
-async def exec(args: list[str]):
-    global _callbacks, _interactive_callback, _interactive
-
-    if not args:
-        await matrix_wrapper.send_message("no command provided")
-        return
-
-    callback: Callback = None
-    if _interactive:
-        callback = _interactive_callback
-    else:
-        fnc_name = args.pop(0)
-        callback = _callbacks.get(fnc_name)
-        if callback is None:
-            await matrix_wrapper.send_message("command {{{}}} not understood, please try again".format(fnc_name))
-            return
-
-    try:
-        await callback().run(parse_args(args))
-    except Exception:
-        await(matrix_wrapper.send_html("someting went wrong in the code<br/><code>{}</code>".format(traceback.format_exc())))
-
-def set_interactive(interactive: bool, callback: Callback):
-    _interactive = interactive
-    _interactive_callback = callback
-
-# def register(id: str, callback: Callable[[list[str],], Optional[None]]):
-def register(id: str, callback: Callback):
-    global _callbacks
-
-    _callbacks.update({id: callback})
-
-def unpack(message: str):
-    msg = message.strip()
-    if msg.startswith("*"):
-        msg = msg.removeprefix("*")
-        msg = msg.strip()
-    return shlex.split(msg)
\ No newline at end of file
diff --git a/images/my_bot/scripts/callback/callbacks/DiskUsageCallback.py b/images/my_bot/scripts/callback/callbacks/DiskUsageCallback.py
deleted file mode 100644
index 0a03f1dbdb36425ad17b68339ca11e4e57467712..0000000000000000000000000000000000000000
--- a/images/my_bot/scripts/callback/callbacks/DiskUsageCallback.py
+++ /dev/null
@@ -1,43 +0,0 @@
-from callback.Callback import Callback
-from matrix_wrapper import *
-import subprocess
-from callback.callbacks import DiskUsageCallback
-
-
-class DiskUsageCallback(Callback):
-    BASE_DIR = os.environ["BASE_DIR"]
-    ACTION_NAME = "du"
-
-    async def run(self, args: dict):
-        dir_size = {}
-        directories = args.get(Callback.NO_PARAM)
-
-        if not directories:
-            dir_size.update({DiskUsageCallback.BASE_DIR: self.get_dir_size(DiskUsageCallback.BASE_DIR)})
-
-        else:
-            for directory in directories:
-                try:
-                    full_directory = "{}/{}".format(DiskUsageCallback.BASE_DIR, directory)
-                    dir_size.update({directory: self.get_dir_size(full_directory)})
-                except Exception as e:
-                    await send_message("error encountered: {}".format(e))
-                    return
-
-        message = """<h2>Disk Usages</h2>
-<table>
-    <tr>
-        <th>Directory</th>
-        <th>Disk Usage</th>
-    </tr>
-"""
-        for key, value in dir_size.items():
-            message += "<tr><td>{}</td><td>{}</td></tr>".format(key, value)
-
-        message += "</table>"
-
-        await send_html(message)
-
-
-    def get_dir_size(directory: str):
-        return subprocess.check_output(['du','-sh', directory]).split()[0].decode('utf-8')
\ No newline at end of file
diff --git a/images/my_bot/scripts/callback/callbacks/HelpCallback.py b/images/my_bot/scripts/callback/callbacks/HelpCallback.py
deleted file mode 100644
index 5b8ca217d76441a14127cb79453a89f866d39448..0000000000000000000000000000000000000000
--- a/images/my_bot/scripts/callback/callbacks/HelpCallback.py
+++ /dev/null
@@ -1,238 +0,0 @@
-from callback.Callback import Callback
-from matrix_wrapper import *
-from callback.callbacks import HelpCallback
-from callback.callbacks.DiskUsageCallback import DiskUsageCallback
-from callback.callbacks.ListDirectoriesCallback import ListDirectoriesCallback
-from callback.callbacks.TimerCallback import TimerCallback
-from callback.callbacks.TaskCallback import TaskCallback
-from callback.callbacks.TaskGroupCallback import TaskGroupCallback
-
-
-
-class HelpCallback(Callback):
-    ACTION_NAME = "help"
-
-    async def run(self, args: dict):
-            await send_html(
-        """
-<h2>Help</h2>
-<p>
-<code>{}</code> prints all available commands<br/>
-<code>{}</code> gets disk usage for a directory, multiple or no directories can be specified<br/>
-Example: <code>{} path/to/dir path/to/dir2 .</code><br/>
-<code>{}</code> lists all directories at given path<br/>
-Example: <code>{} path/to/dir path/to/dir2 .</code><br/>
-<code>{}</code> interacts with timers
-<ul>
-    <li><code>{}</code> gets all timers</li>
-    <li>
-        <code>{}</code> creates new timer
-        <ul>
-            <code>{}</code> (required) duration in seconds
-            <code>{}</code> (required) this will be sent when timer is finished
-        </ul>
-    </li>
-    <li>
-        <code>{}</code> cancels a given timer
-        <ul>
-            <code>{}</code> (required) timer with this id will be deleted
-        </ul>
-    </li>
-</ul><br/>
-<code>{}</code> interacts with tasks
-<ul>
-    <li>
-        <code>{}</code> creates new task
-        <ul>
-            <li><code>{}</code> (required) name for new task</li>
-        </ul>
-    </li>
-    <li>
-        <code>{}</code> gets tasks
-        <ul>
-            <li><code>{}</code> (optional) task with (recursive) subtasks</li>
-            <li><code>{}</code> (optional,multiple) parent task ids, required when <code>{}</code></li>
-        </ul>
-    </li>
-    <li>
-        <code>{}</code> deletes task
-        <ul>
-            <li><code>{}</code> (required) id for task to delete</li>
-        </ul>
-    </li>
-    <li>
-        <code>{}</code> ticks task
-        <ul>
-            <li><code>{}</code> (required) id for task to tick</li>
-        </ul>
-    </li>
-    <li>
-        <code>{}</code> unticks task
-        <ul>
-            <li><code>{}</code> (required) id for task to untick</li>
-        </ul>
-    </li>
-    <li>
-        <code>{}</code> manually dumps all tasks to the backup file, shouldn't be necessary
-    </li>
-    <li>
-        <code>{}</code> interacts with timers for a task
-        <ul>
-            <li>
-                <code>{}</code> creates timer for a given task
-                <ul>
-                    <li><code>{}</code> (required) to which task the timer will be added</li>
-                    <li><code>{}</code> (optional) text for timer</li>
-                    <li><code>{}</code> (required) duration for timer</li>
-                </ul>
-            </li>
-            <li>
-                <code>{}</code> links timers to a given task
-                <ul>
-                    <li><code>{}</code> (required) id of task where timer is added</li>
-                    <li><code>{}</code> (required,multiple) ids of timers to be added</li>
-                </ul>
-            </li>
-            <li>
-                <code>{}</code> gets all timers for a given task
-                <ul>
-                    <li><code>{}</code> (required) id of task where the timers will be queried
-                </ul>
-            </li>
-        </ul>
-    </li>
-    <li>
-        <code>{}</code> interacts with subtasks for a task
-        <ul>
-            <li>
-                <code>{}</code> creates new subtasks
-                <ul>
-                    <li><code>{}</code> (required) id of the parent task</li>
-                    <li><code>{}</code> (required,multiple) name of the subtask</li>
-                </ul>
-            </li>
-            <li>
-                <code>{}</code> links existing subtasks to a task 
-                <ul>
-                    <li><code>{}</code> (required) id of the parent task where subtask is added</li>
-                    <li><code>{}</code> (required,multiple) ids of the subtasks to be added</li>
-                </ul>
-            </li>
-            <li>
-                <code>{}</code> unlinks subtasks from a task
-                <ul>
-                    <li><code>{}</code> (required) id of the parent task</li>
-                    <li><code>{}</code> (required,multiple) ids uf subtasks to be removed</li>
-                </ul>
-            </li>
-            <li>
-                <code>{}</code> gets subtasks from a task
-                <ul>
-                    <li><code>{}</code> (required) id of the parent task where subtask is added</li>
-                </ul>
-            </li>
-        </ul>
-    </li>
-</ul><br/>
-<code>{}</code> interacts with taskgroups
-<ul>
-    <li>
-        <code>{}</code> creates new taskgroups
-        <ul>
-            <li><code>{}</code> (required,multiple) name for new taskgroup</li>
-        </ul>
-    </li>
-    <li>
-        <code>{}</code> gets taskgroups
-        <ul>
-            <li><code>{}</code> (optional) if subgroups should be added</li>
-            <li><code>{}</code> (optional,multiple) id of taskgroup, required when {} set</li>
-            <li><code>{}</code> (optional) if tasks should be added only used when {} set</li>
-        </ul>
-    </li>
-    <li>
-        <code>{}</code> deletes taskgroups
-        <ul>
-            <li><code>{}</code> (required,multiple) id of taskgroup</li>
-        </ul>
-    </li>
-    <li>
-        <code>{}</code> interacts with tasks in taskgroups
-        <ul>
-            <li>
-                <code>{}</code> creates tasks in taskgroup
-                <ul>
-                    <li><code>{}</code> (required) id of taskgroup</li>
-                    <li><code>{}</code> (required,multiple) name of new tasks</li>
-                </ul>
-            </li>
-            <li>
-                <code>{}</code> gets tasks in taskgroup
-                <ul>
-                    <li><code>{}</code> (required) id of taskgroup</li>
-                </ul>
-            </li>
-            <li>
-                <code>{}</code> links existing tasks to a taskgroup
-                <ul>
-                    <li><code>{}</code> (required) id of taskgroup</li>
-                    <li><code>{}</code> (required,multiple) ids of tasks to link</li>
-                </ul>
-            </li>
-            <li>
-                <code>{}</code> unlinks tasks from a taskgroup
-                <ul>
-                    <li><code>{}</code> (required) id of taskgroup</li>
-                    <li><code>{}</code> (required,multiple) ids of tasks to unlink</li>
-                </ul>
-            </li>
-        </ul>
-    </li>
-     <li>
-        <code>{}</code> interacts with subgroups in taskgroups
-        <ul>
-            <li>
-                <code>{}</code> creates new subgroups in taskgroup
-                <ul>
-                    <li><code>{}</code> (required) id of taskgroup</li>
-                    <li><code>{}</code> (required,multiple) name of new subtaskgroups</li>
-                </ul>
-            </li>
-            <li>
-                <code>{}</code> gets subgroups in taskgroup
-                <ul>
-                    <li><code>{}</code> (required) id of taskgroup</li>
-                </ul>
-            </li>
-            <li>
-                <code>{}</code> links existing subgroups to taskgroup
-                <ul>
-                    <li><code>{}</code> (required) id of taskgroup</li>
-                    <li><code>{}</code> (required,multiple) id of subgroup</li>
-                </ul>
-            </li>
-            <li>
-                <code>{}</code> unlinks subgroups from taskgroup
-                <ul>
-                    <li><code>{}</code> (required) id of taskgroup</li>
-                    <li><code>{}</code> (required,multiple) id of subgroup</li>
-                </ul>
-            </li>
-        </ul>
-    </li>
-</ul>
-<br/>
-Warning: unknown args will not be used
-</p>
-            """.format(
-            HelpCallback.ACTION_NAME,
-            DiskUsageCallback.ACTION_NAME, DiskUsageCallback.ACTION_NAME,
-            ListDirectoriesCallback.ACTION_NAME, ListDirectoriesCallback.ACTION_NAME,
-            TimerCallback.ACTION_NAME, Callback.GET_PARAM, Callback.CREATE_PARAM, Callback.DURATION_ARG, Callback.TEXT_ARG, Callback.CANCEL_PARAM, Callback.ID_ARG,
-            TaskCallback.ACTION_NAME, Callback.CREATE_PARAM, Callback.NAME_ARG, Callback.GET_PARAM, Callback.SUBTASKS_ARG, Callback.ID_ARG, Callback.SUBTASKS_ARG, Callback.DELETE_PARAM, Callback.ID_ARG, Callback.TICK_PARAM, Callback.ID_ARG, Callback.UNTICK_PARAM, Callback.ID_ARG, Callback.DUMP_PARAM,
-            Callback.TIMER_PARAM, Callback.CREATE_PARAM, Callback.TASK_ID_ARG, Callback.TEXT_ARG, Callback.DURATION_ARG, Callback.LINK_PARAM, Callback.TASK_ID_ARG, Callback.TIMER_ID_ARG, Callback.GET_PARAM, Callback.TASK_ID_ARG,
-            Callback.SUBTASK_PARAM, Callback.CREATE_PARAM, Callback.TASK_ID_ARG, Callback.NAME_ARG, Callback.LINK_PARAM, Callback.TASK_ID_ARG, Callback.SUBTASK_ID_ARG, Callback.UNLINK_PARAM, Callback.TASK_ID_ARG, Callback.SUBTASK_ID_ARG, Callback.GET_PARAM, Callback.TASK_ID_ARG,
-            TaskGroupCallback.ACTION_NAME, Callback.CREATE_PARAM, Callback.NAME_ARG, Callback.GET_PARAM, Callback.SUBGROUPS_ARG, Callback.ID_ARG, Callback.SUBGROUPS_ARG, Callback.SUBTASKS_ARG, Callback.SUBGROUPS_ARG, Callback.DELETE_PARAM, Callback.ID_ARG, 
-            Callback.TASK_PARAM, Callback.CREATE_PARAM, Callback.TASKGROUP_ID_ARG, Callback.NAME_ARG, Callback.GET_PARAM, Callback.TASKGROUP_ID_ARG, Callback.LINK_PARAM, Callback.TASKGROUP_ID_ARG, Callback.TASK_ID_ARG, Callback.UNLINK_PARAM, Callback.TASKGROUP_ID_ARG, Callback.TASK_ID_ARG,
-            Callback.SUBTASK_PARAM, Callback.CREATE_PARAM, Callback.TASKGROUP_ID_ARG, Callback.NAME_ARG, Callback.GET_PARAM, Callback.TASKGROUP_ID_ARG, Callback.LINK_PARAM, Callback.TASKGROUP_ID_ARG, Callback.SUBTASKGROUP_ID_ARG, Callback.UNLINK_PARAM, Callback.TASKGROUP_ID_ARG, Callback.SUBTASKGROUP_ID_ARG)
-    )
diff --git a/images/my_bot/scripts/callback/callbacks/ListDirectoriesCallback.py b/images/my_bot/scripts/callback/callbacks/ListDirectoriesCallback.py
deleted file mode 100644
index 2619847b48fed8ccb053ecb0234da16d2afad186..0000000000000000000000000000000000000000
--- a/images/my_bot/scripts/callback/callbacks/ListDirectoriesCallback.py
+++ /dev/null
@@ -1,44 +0,0 @@
-from callback.Callback import Callback
-from matrix_wrapper import *
-from callback.callbacks import ListDirectoriesCallback
-
-class ListDirectoriesCallback(Callback):
-    BASE_DIR = os.environ["BASE_DIR"]
-    ACTION_NAME = "lsdir"
-
-
-    async def run(self, args: dict):
-        subdirs = {}
-        directories = args.get(Callback.NO_PARAM)
-
-        if not directories:
-            subdirs.update({ListDirectoriesCallback.BASE_DIR: self.get_immediate_subdirectories(ListDirectoriesCallback.BASE_DIR)})
-        else:
-            for directory in directories:
-                try:
-                    full_directory = "{}/{}".format(ListDirectoriesCallback.BASE_DIR, directory)
-                    subdirs.update({directory: self.get_immediate_subdirectories(full_directory)})
-                except Exception as e:
-                    await send_message("error encountered: {}".format(e))
-                    return
-        
-        message = """<h2>List Directories</h2>
-<table>
-    <tr>
-        <th>Directory</th>
-        <th>Subdirectories</th>
-    </tr>
-    """
-        for key, value in subdirs.items():
-            message += "<tr><td>{}</td><td>".format(key)
-            for subdir in value:
-                message += "{}<br/>".format(subdir)
-
-            message += "</td></tr>"
-        message += "</table>"
-
-        await send_html(message)
-
-    def get_immediate_subdirectories(directory: str):
-        return [name for name in os.listdir(directory)
-                if os.path.isdir(os.path.join(directory, name))]
\ No newline at end of file
diff --git a/images/my_bot/scripts/callback/callbacks/TaskCallback.py b/images/my_bot/scripts/callback/callbacks/TaskCallback.py
deleted file mode 100644
index 14013d636c941e1ed167206c4ac977f20fb1c19d..0000000000000000000000000000000000000000
--- a/images/my_bot/scripts/callback/callbacks/TaskCallback.py
+++ /dev/null
@@ -1,428 +0,0 @@
-from callback.Callback import Callback
-from Task import Task
-from Timer import Timer
-from matrix_wrapper import *
-from callback import callback_helper
-from callback.callbacks import TaskCallback
-
-
-class TaskCallback(Callback):
-    ACTION_NAME = "task"
-    WRONG_ID_MESSAGE = "there was a wrong id"
-
-    async def run(self, args: dict):
-        actions: list[str] = await callback_helper.get_multi_params(args, Callback.NO_PARAM, TaskCallback.ACTION_NAME)
-        if actions is None: # actions is at least an empty list; actually not needed, but leaved for simplicity
-            return
-        elif not actions:
-            await send_html("<code>{}</code> needs <code>{}</code>, <code>{}</code>, <code>{}</code>, <code>{}</code>, <code>{}</code>, <code>{}</code> or <code>{}</code>".format(
-                TaskCallback.ACTION_NAME, Callback.CREATE_PARAM, Callback.GET_PARAM, Callback.DELETE_PARAM, Callback.TIMER_PARAM, 
-                Callback.SUBTASK_PARAM, Callback.TICK_PARAM, Callback.UNTICK_PARAM
-            ))
-            return
-
-        action = actions.pop(0)
-
-        if action == Callback.CREATE_PARAM:
-            await self.handle_create(actions, args)
-
-        elif action == Callback.GET_PARAM:
-            await self.handle_get(actions, args)
-
-        elif action == Callback.DELETE_PARAM:
-            await self.handle_delete(actions, args)
-
-        elif action == Callback.TIMER_PARAM:
-            await self.handle_timer(actions, args)
-
-        elif action == Callback.SUBTASK_PARAM:
-            await self.handle_subtask(actions, args)
-
-        elif action == Callback.TICK_PARAM:
-            await self.handle_tick(actions, args)
-
-        elif action == Callback.UNTICK_PARAM:
-            await self.handle_untick(actions, args)
-
-        elif action == Callback.DUMP_PARAM:
-            await self.handle_dump(actions, args)
-
-        else:
-            await send_message("unknown param {}".format(action))
-
-        return await super().run(args)
-
-    async def handle_create(self, no_params: list[str], args: dict):
-        pre_command = "{} {}".format(TaskCallback.ACTION_NAME, Callback.CREATE_PARAM)
-        task_names = await callback_helper.get_multi_params(args, Callback.NAME_ARG, pre_command)
-        if task_names is None:
-            return
-
-        message = "created tasks"
-        for task_name in task_names:
-            task = Task(task_name)
-            message += " {}".format(task.get_id())
-        
-        await send_message(message)
-
-    async def handle_get(self, no_params: list[str], args: dict): # subtasks
-        if args.get(Callback.SUBTASKS_ARG) is not None:
-            await self.handle_get_with_subtasks(no_params, args)
-        else:
-            await self.handle_get_without_subtasks(no_params, args)        
-
-    async def handle_get_without_subtasks(self, no_params: list[str], args: dict):
-        task_ids = args.get(Callback.ID_ARG)
-        tasks = self._get_tasks_from_ids(task_ids)
-
-        if tasks is None:
-            await send_message(TaskCallback.WRONG_ID_MESSAGE)
-            return
-
-        message = """<h2>List Tasks</h2>
-<table>
-    <tr>
-        <th>Task ID</th>
-        <th>Task name</th>
-        <th>Timer count</th>
-        <th>Subtask count</th>
-        <th>State</th>
-    </tr>
-        """
-            
-        with Task.tasks_lock:
-            for task in tasks:
-                message += "<tr><td>{}</td><td>{}</td><td>{}</td><td>{}</td><td>{}</td></tr>"\
-                .format(task.get_id(), task.get_name(), len(task.get_timers()), len(task.get_subtasks()),
-                Task.task_state_to_html(task.get_state()))
-
-        message += "</table>"
-
-        await send_html(message)
-
-    async def handle_get_with_subtasks(self, no_params: list[str], args: dict):
-        task_ids = args.get(Callback.ID_ARG)
-        if task_ids is None or not task_ids:
-            await send_html("<code>{} {}</code> with param <code>{}</code> needs arg <code>{}</code>".format(TaskCallback.ACTION_NAME, Callback.GET_PARAM, Callback.ID_ARG))
-            return
-        
-        tasks: list[Task] = self._get_tasks_from_ids(task_ids)
-        if tasks is None:
-            await send_html(TaskCallback.WRONG_ID_MESSAGE)
-            return
-
-        message = """<h2>List Tasks with Subtasks</h2>
-<ul>
-        """
-
-        for task in tasks:
-            message += self.get_subtasks_str(task)
-
-        message += "</ul>"
-
-        await send_html(message)
-
-    async def handle_delete(self, no_params: list[str], args: dict):
-        pre_command = "{} {}".format(TaskCallback.ACTION_NAME, Callback.DELETE_PARAM)
-        task_ids = await callback_helper.get_multi_params(args, Callback.ID_ARG, pre_command)
-        
-        tasks: list[Task] = []
-        for task_id in task_ids:
-            task = Task.get_from_id(task_id)
-            if task is None:
-                await send_message(TaskCallback.WRONG_ID_MESSAGE)
-                return
-            tasks.append(task)
-
-        message = "deleted tasks"
-        for task in tasks:
-            message += " {}".format(task.get_id())
-            task.remove()
-
-        await send_message(message)
-
-    async def handle_timer(self, no_params: list[str], args: dict):
-        no_wrong_param_message = "<code>{} {}</code> needs <code>{}</code>, <code>{}</code> or <code>{}</code>".format(TaskCallback.ACTION_NAME, Callback.TIMER_PARAM, Callback.CREATE_PARAM, Callback.LINK_PARAM, Callback.GET_PARAM)
-        if not no_params:
-            await send_html(no_wrong_param_message)
-        timer_action = no_params.pop(0)
-
-        if timer_action == Callback.CREATE_PARAM:
-            await self.handle_timer_create(no_params, args)
-        elif timer_action == Callback.LINK_PARAM:
-            await self.handle_timer_link(no_params, args)
-        elif timer_action == Callback.GET_PARAM:
-            await self.handle_timer_get(no_params, args)
-        else:
-            await send_html(no_wrong_param_message)
-
-    async def handle_timer_create(self, no_params: list[str], args: dict):
-        pre_command = "{} {} {}".format(TaskCallback.ACTION_NAME, Callback.TIMER_PARAM, Callback.CREATE_PARAM)
-        timer_text = await callback_helper.get_single_param(args, Callback.TEXT_ARG, pre_command, required=False)
-        timer_duration = await callback_helper.get_single_param(args, Callback.DURATION_ARG, pre_command, float)
-        task_id = await callback_helper.get_single_param(args, Callback.TASK_ID_ARG, pre_command)
-
-        if timer_duration is None or task_id is None:
-            return
-
-        task = Task.get_from_id(task_id)
-        if task is None:
-            await send_message(TaskCallback.WRONG_ID_MESSAGE)
-            return
-        
-        timer = task.add_timer(timer_duration, timer_text)
-        await send_message("created timer {} and added it to task {}".format(timer.get_id(), task.get_id()))
-
-    async def handle_timer_link(self, no_params: list[str], args: dict):
-        pre_command = "{} {} {}".format(TaskCallback.ACTION_NAME, Callback.TIMER_PARAM, Callback.LINK_PARAM)
-        task_id = await callback_helper.get_single_param(args, Callback.TASK_ID_ARG, pre_command)
-        timer_ids = await callback_helper.get_multi_params(args, Callback.TIMER_ID_ARG, pre_command)
-
-        if task_id is None or timer_ids is None:
-            return
-        
-        task = Task.get_from_id(task_id)
-        if task is None:
-            await send_message(TaskCallback.WRONG_ID_MESSAGE)
-            return
-        
-        timers: list[Timer] = []
-        for timer_id in timer_ids:
-            timer = Timer.get_from_id(timer_id)
-            if timer is None:
-                await send_message(TaskCallback.WRONG_ID_MESSAGE)
-                return
-
-            timers.append(timer)
-
-        message = "linked timers"
-        for timer in timers:
-            task.link_timer(timer)
-            message += " {}".format(timer.get_id())
-
-        message += " to task {}".format(task.get_id())
-
-        await send_message(message)
-
-    async def handle_timer_get(self, no_params: list[str], args: dict):
-        pre_command = "{} {} {}".format(TaskCallback.ACTION_NAME, Callback.TIMER_PARAM, Callback.GET_PARAM)
-        task_id = await callback_helper.get_single_param(args, Callback.TASK_ID_ARG, pre_command)
-
-        if task_id is None:
-            return
-
-        task = Task.get_from_id(task_id)
-        if task is None:
-            await send_message(TaskCallback.WRONG_ID_MESSAGE)
-            return
-
-        message = """<h2>List Timers of Task "{}"</h2>
-<table>
-    <tr>
-        <th>Timer ID</th>
-        <th>remaining</th>
-    </tr>
-        """.format(task.get_name())
-
-        for timer in task.get_timers():
-            message += "<tr><td>{}</td><td>{}</td></tr>".format(timer.get_id(), str(timer.remaining()))
-
-        message += "<table>"
-        await send_html(message)
-
-    async def handle_subtask(self, no_params: list[str], args: dict):
-        no_wrong_param_message = "<code>{} {}</code> needs <code>{}</code>, <code>{}</code>, <code>{}</code> or <code>{}</code>".format(
-            TaskCallback.ACTION_NAME, Callback.SUBTASK_PARAM, Callback.CREATE_PARAM, Callback.LINK_PARAM, Callback.UNLINK_PARAM, Callback.GET_PARAM)
-        if not no_params:
-            await send_html(no_wrong_param_message)
-        subtask_action = no_params.pop(0)
-
-        if subtask_action == Callback.CREATE_PARAM:
-            await self.handle_subtask_create(no_params, args)
-        elif subtask_action == Callback.LINK_PARAM:
-            await self.handle_subtask_link(no_params, args)
-        elif subtask_action == Callback.GET_PARAM:
-            await self.handle_subtask_get(no_params, args)
-        elif subtask_action == Callback.UNLINK_PARAM:
-            await self.handle_subtask_unlink(no_params, args)
-        else:
-            await send_html(no_wrong_param_message)
-
-    async def handle_subtask_create(self, no_params: list[str], args: dict):
-        pre_command = "{} {} {}".format(TaskCallback.ACTION_NAME, Callback.SUBTASK_PARAM, Callback.CREATE_PARAM)
-        task_id = await callback_helper.get_single_param(args, Callback.TASK_ID_ARG, pre_command)
-        subtask_names = await callback_helper.get_multi_params(args, Callback.NAME_ARG, pre_command)
-
-        if task_id is None or subtask_names is None:
-            return
-
-        task = Task.get_from_id(task_id)
-        if task is None:
-            await send_message(TaskCallback.WRONG_ID_MESSAGE)
-            return
-
-        message = "created subtasks"
-        for subtask_name in subtask_names:
-            subtask = task.add_subtask(subtask_name)
-            message += " {}".format(subtask.get_id())
-
-        message += " and added them to task {}".format(task.get_id())
-        
-        await send_message(message)
-
-    async def handle_subtask_link(self, no_params: list[str], args: dict):
-        pre_command = "{} {} {}".format(TaskCallback.ACTION_NAME, Callback.SUBTASK_PARAM, Callback.LINK_PARAM)
-        task_id = await callback_helper.get_single_param(args, Callback.TASK_ID_ARG, pre_command)
-        subtask_ids = await callback_helper.get_multi_params(args, Callback.SUBTASK_ID_ARG, pre_command)
-
-        if task_id is None or subtask_ids is None:
-            return
-        
-        task = Task.get_from_id(task_id)
-        if task is None:
-            await send_message(TaskCallback.WRONG_ID_MESSAGE)
-            return
-        
-        subtasks: list[Task] = []
-        for subtask_id in subtask_ids:
-            subtask = Task.get_from_id(subtask_id)
-            if subtask is None:
-                await send_message(TaskCallback.WRONG_ID_MESSAGE)
-                
-            subtasks.append(subtask)
-
-        message = "linked subtasks"
-        for subtask in subtasks:
-            task.link_subtask(subtask)
-            message += " {}".format(subtask.get_id())
-
-        message += " to task {}".format(task.get_id())
-
-        await send_message(message)
-
-    async def handle_subtask_get(self, no_params: list[str], args: dict):
-        pre_command = "{} {} {}".format(TaskCallback.ACTION_NAME, Callback.SUBTASK_PARAM, Callback.GET_PARAM)
-        task_id = await callback_helper.get_single_param(args, Callback.TASK_ID_ARG, pre_command)
-
-        if task_id is None:
-            return
-
-        task = Task.get_from_id(task_id)
-        if task is None:
-            await send_message(TaskCallback.WRONG_ID_MESSAGE)
-            return
-
-        message = """<h2>List Subtasks of Task "{}"
-<table>
-    <tr>
-        <th>Subtask ID</th>
-        <th>Name</th>
-        <th>Has Subtasks</th>
-        <th>Has Timers</th>
-        <th>State</th>
-    </tr>
-        """.format(task.get_name())
-
-        for subtask in task.get_subtasks():
-            message += "<tr><td>{}</td><td>{}</td><td>{}</td><td>{}</td><td>{}</td></tr>".format(
-                subtask.get_id(), str(subtask.get_name()), bool(task.get_subtasks()), bool(task.get_timers()), Task.task_state_to_html(task.get_state()))
-
-        message += "<table>"
-        await send_html(message)
-
-    async def handle_subtask_unlink(self, no_params: list[str], args: dict):
-        pre_command = "{} {} {}".format(TaskCallback.ACTION_NAME, Callback.SUBTASK_PARAM, Callback.UNLINK_PARAM)
-        task_id = await callback_helper.get_single_param(args, Callback.TASK_ID_ARG, pre_command)
-        subtask_ids = await callback_helper.get_multi_params(args, Callback.SUBTASK_ID_ARG, pre_command)
-
-        if task_id is None or subtask_ids is None:
-            return
-        
-        task = Task.get_from_id(task_id)
-        if task is None:
-            await send_message(TaskCallback.WRONG_ID_MESSAGE)
-            return
-        
-        subtasks: list[Task] = []
-        for subtask_id in subtask_ids:
-            subtask = Task.get_from_id(subtask_id)
-            if subtask is None:
-                await send_message(TaskCallback.WRONG_ID_MESSAGE)
-                
-            subtasks.append(subtask)
-
-        message = "unlinked subtasks"
-        for subtask in subtasks:
-            task.unlink_subtask(subtask)
-            message += " {}".format(subtask.get_id())
-
-        message += " from task {}. remove them manually if you want to".format(task.get_id())
-
-        await send_message(message)
-
-    async def handle_tick(self, no_params: list[str], args: dict):
-        pre_command = "{} {}".format(TaskCallback.ACTION_NAME, Callback.TICK_PARAM)
-        task_ids = await callback_helper.get_multi_params(args, Callback.ID_ARG, pre_command)
-
-        if task_ids is None:
-            return
-
-        message = "ticked tasks"
-        for task_id in task_ids:
-            task = Task.get_from_id(task_id)
-            if task is None:
-                await send_message(TaskCallback.WRONG_ID_MESSAGE)
-                return
-
-            task.tick()
-            message += " {}".format(task.get_id())
-
-        await send_message(message)
-
-    async def handle_untick(self, no_params: list[str], args: dict):
-        pre_command = "{} {}".format(TaskCallback.ACTION_NAME, Callback.UNTICK_PARAM)
-        task_ids = await callback_helper.get_multi_params(args, Callback.ID_ARG, pre_command)
-
-        if task_ids is None:
-            return
-
-        message = "unticked tasks"
-        for task_id in task_ids:
-            task = Task.get_from_id(task_id)
-            if task is None:
-                await send_message(TaskCallback.WRONG_ID_MESSAGE)
-                return
-
-            task.untick()
-            message += " {}".format(task.get_id())
-
-        await send_message(message)
-
-    async def handle_dump(self, no_params: list[str], args: dict):
-        Task.dump_all()
-
-    def get_subtasks_str(self, task: Task):
-        subtasks = task.get_subtasks()
-        message = "<li>{} {}: {}".format(Task.task_state_to_html(task.get_state()), task.get_name(), task.get_id())
-        for subtask in subtasks:
-            message += "<ul>{}</ul>".format(self.get_subtasks_str(subtask))
-
-        message += "</li>"
-        return message
-
-    def _get_tasks_from_ids(self, task_ids: list[str]) -> list[Task]:
-        tasks = []
-        if task_ids is not None:
-            for task_id in task_ids:
-                task = Task.get_from_id(task_id)
-                if task is None:
-                    return None
-
-                tasks.append(task)
-                
-        else:
-            with Task.tasks_lock:
-                tasks = Task.tasks
-
-        return tasks
-        
diff --git a/images/my_bot/scripts/callback/callbacks/TaskGroupCallback.py b/images/my_bot/scripts/callback/callbacks/TaskGroupCallback.py
deleted file mode 100644
index 4f8db5451239a38ff7e1a8b7f411d6a15c231501..0000000000000000000000000000000000000000
--- a/images/my_bot/scripts/callback/callbacks/TaskGroupCallback.py
+++ /dev/null
@@ -1,420 +0,0 @@
-from TaskGroup import TaskGroup
-from Task import Task
-from callback.callbacks import TaskGroupCallback
-from callback.callbacks.TaskCallback import TaskCallback
-from callback.Callback import Callback
-from callback import callback_helper
-from matrix_wrapper import *
-
-class TaskGroupCallback(Callback):
-    ACTION_NAME = "tgroup"
-    WRONG_ID_MESSAGE = "there was a wrong id"
-
-    PATH: list[TaskGroup] = []
-    CURRENT_TASKGROUP: TaskGroup = None
-
-    async def run(self, args: dict):
-        actions: list[str] = await callback_helper.get_multi_params(args, Callback.NO_PARAM, TaskGroupCallback.ACTION_NAME)
-        if actions is None: # actions is at least an empty list; actually not needed, but leaved for simplicity
-            return
-        elif not actions:
-            await send_html("<code>{}</code> needs <code>{}</code>, <code>{}</code>, <code>{}</code>, <code>{}</code>, <code>{}</code>, <code>{}</code> or <code>{}</code>".format(
-                TaskGroupCallback.ACTION_NAME, Callback.CREATE_PARAM, Callback.GET_PARAM, Callback.DELETE_PARAM, Callback.TIMER_PARAM, 
-                Callback.SUBTASK_PARAM, Callback.TICK_PARAM, Callback.UNTICK_PARAM
-            ))
-            return
-
-        ## todo
-        if callback_helper._interactive:
-            args.update({Callback.ID_ARG: [TaskGroupCallback.CURRENT_TASKGROUP.get_id(),]})
-
-        action = actions.pop(0)
-
-        if action == Callback.CREATE_PARAM:
-            await self.handle_create(actions, args)
-
-        elif action == Callback.GET_PARAM:
-            await self.handle_get(actions, args)
-
-        elif action == Callback.DELETE_PARAM:
-            await self.handle_delete(actions, args)
-
-        elif action == Callback.TASK_PARAM:
-            await self.handle_task(actions, args)
-
-        elif action == Callback.SUBTASKGROUP_PARAM:
-            await self.handle_subtaskgroup(actions, args)
-
-        elif action == Callback.DUMP_PARAM:
-            await self.handle_dump(actions, args)
-
-        # elif action == Callback.INTERACTIVE_PARAM:
-        #     await self.handle_interactive_set(actions, args)
-
-        else:
-            await send_message("unknown param {}".format(action))
-
-        return await super().run(args)
-
-    async def handle_create(self, no_params: list[str], args: dict):
-        pre_command = "{} {}".format(TaskGroupCallback.ACTION_NAME, Callback.CREATE_PARAM)
-        group_names = await callback_helper.get_multi_params(args, Callback.NAME_ARG, pre_command)
-        if group_names is None:
-            return
-
-        message = "created taskgroups"
-        for group_name in group_names:
-            taskGroup = TaskGroup(group_name)
-            message += " {}".format(taskGroup.get_id())
-
-        await send_message(message)
-
-    async def handle_get(self, no_params: list[str], args: dict):
-        if args.get(Callback.SUBGROUPS_ARG) is not None:
-            await self.handle_get_with_subgroups(no_params, args)
-        else:
-            await self.handle_get_without_subgroups(no_params, args)
-
-    async def handle_get_with_subgroups(self, no_params: list[str], args: dict):
-        pre_command = "{} {}".format(TaskGroupCallback.ACTION_NAME, Callback.GET_PARAM)
-        group_ids = await callback_helper.get_multi_params(args, Callback.ID_ARG, pre_command)
-        subtask_arg = await callback_helper.get_multi_params(args, Callback.SUBTASKS_ARG, pre_command, False)
-        with_tasks = subtask_arg is not None
-        if group_ids is None:
-            return
-
-        groups = self._get_taskgroup_from_id(group_ids)
-        if groups is None:
-            await send_html(TaskGroupCallback.WRONG_ID_MESSAGE)
-            return
-
-        message = """<h2>List TaskGroups with Subgroups</h2>
-<ul>
-        """
-
-        for taskGroup in groups:
-            message += self.get_subtasks_group_str(taskGroup, with_tasks)
-
-        message += "</ul>"
-        await send_html(message)
-
-    async def handle_get_without_subgroups(self, no_params: list[str], args: dict):
-        pre_command = "{} {}".format(TaskGroupCallback.ACTION_NAME, Callback.GET_PARAM)
-        taskgroup_ids = await callback_helper.get_multi_params(args, Callback.ID_ARG, pre_command, False)
-        taskgroups = self._get_taskgroup_from_id(taskgroup_ids)
-
-        message = """<h2>List TaskGroups</h2>
-<table>
-    <tr>
-        <th>TaskGroup ID</th>
-        <th>TaskGroup Name</th>
-        <th>SubTaskGroup count</th>
-        <th>Task count</th>
-    </tr>
-        """
-
-        for taskgroup in taskgroups:
-            message += "<tr><td>{}</td><td>{}</td><td>{}</td><td>{}</td></tr>"\
-                .format(taskgroup.get_id(), taskgroup.get_name(), len(taskgroup.get_subTaskGroups()), len(taskgroup.get_tasks()))
-
-        message += "</table>"
-        await send_html(message)
-
-    async def handle_delete(self, no_params: list[str], args: dict):
-        pre_command = "{} {}".format(TaskGroupCallback.ACTION_NAME, Callback.DELETE_PARAM)
-        taskgroup_ids = await callback_helper.get_multi_params(args, Callback.ID_ARG, pre_command, False)
-
-        message = "deleted TaskGroups"
-        taskgroups: list[TaskGroup] = []
-        for taskgroup_id in taskgroup_ids:
-            taskgroup = TaskGroup.get_from_id(taskgroup_id)
-            if taskgroup is None:
-                await send_message(TaskGroupCallback.WRONG_ID_MESSAGE)
-                return
-            taskgroups.append(taskgroup)
-
-        message = "deleted TaskGroups"
-        for taskgroup in taskgroups:
-            message += " {}".format(taskgroup.get_id())
-            taskgroup.remove()
-
-        await send_message(message)
-
-    async def handle_task(self, no_params: list[str], args: dict):
-        if not no_params:
-            await send_html("<code>{} {}</code> needs <code>{}</code>, <code>{}</code>, <code>{}</code> or <code>{}</code>".format(
-                TaskGroupCallback.ACTION_NAME, Callback.TASK_PARAM, Callback.CREATE_PARAM, Callback.GET_PARAM, Callback.LINK_PARAM, Callback.UNLINK_PARAM
-            ))
-            return
-
-        action = no_params.pop(0)
-
-        if action == Callback.CREATE_PARAM:
-            await self.handle_task_create(no_params, args)
-        elif action == Callback.GET_PARAM:
-            await self.handle_task_get(no_params, args)
-        elif action == Callback.LINK_PARAM:
-            await self.handle_task_link(no_params, args)
-        elif action == Callback.UNLINK_PARAM:
-            await self.handle_task_unlink(no_params, args)
-        else:
-            await send_message("unknown param {}".format(action))
-
-
-    async def handle_task_create(self, no_params: list[str], args: dict):
-        pre_command = "{} {} {}".format(TaskGroupCallback.ACTION_NAME, Callback.TASK_PARAM, Callback.CREATE_PARAM)
-        group_id = await callback_helper.get_single_param(args, Callback.TASKGROUP_ID_ARG, pre_command)
-        task_names = await callback_helper.get_multi_params(args, Callback.NAME_ARG, pre_command)
-
-        group = TaskGroup.get_from_id(group_id)
-        if group is None:
-            await send_message(TaskGroupCallback.WRONG_ID_MESSAGE)
-            return
-
-        message = "created tasks"
-        for task_name in task_names:
-            task = group.add_task(task_name)
-            message += " {}".format(task.get_id())
-        
-        message += " and added them to TaskGroup {}".format(group.get_id())
-        await send_message(message)
-
-    async def handle_task_get(self, no_params: list[str], args: dict):
-        pre_command = "{} {} {}".format(TaskGroupCallback.ACTION_NAME, Callback.TASK_PARAM, Callback.GET_PARAM)
-        group_id = await callback_helper.get_single_param(args, Callback.TASKGROUP_ID_ARG, pre_command)
-        if group_id is None:
-            return
-
-        group = TaskGroup.get_from_id(group_id)
-        if group is None:
-            await send_message(TaskGroupCallback.WRONG_ID_MESSAGE)
-            return
-            
-
-        message="""<h2>Tasks of TaskGroup "{}"</h2>
-<ul>
-        """.format(group.get_name())
-
-        for task in group.get_tasks():
-            message += TaskCallback().get_subtasks_str(task)
-
-        message += "</ul>"
-        await send_html(message)
-
-    async def handle_task_link(self, no_params: list[str], args: dict):
-        pre_command = "{} {} {}".format(TaskGroupCallback.ACTION_NAME, Callback.TASK_PARAM, Callback.LINK_PARAM)
-        group_id = await callback_helper.get_single_param(args, Callback.TASKGROUP_ID_ARG, pre_command)
-        task_ids = await callback_helper.get_multi_params(args, Callback.TASK_ID_ARG, pre_command)
-
-        if group_id is None or task_ids is None:
-            return
-
-        group = TaskGroup.get_from_id(group_id)
-        if group is None:
-            await send_message(TaskGroupCallback.WRONG_ID_MESSAGE)
-            return
-
-        tasks: list[Task] = []
-        for task_id in task_ids:
-            task = Task.get_from_id(task_id)
-            if task is None:
-                await send_message(TaskGroupCallback.WRONG_ID_MESSAGE)
-                return
-            tasks.append(task)
-
-        message = "linked tasks"
-        for task in tasks:
-            group.link_task(task)
-            message += " {}".format(task.get_id())
-
-        message += " to TaskGroup {}".format(group.get_id())
-        await send_message(message)
-
-    async def handle_task_unlink(self, no_params: list[str], args: dict):
-        pre_command = "{} {} {}".format(TaskGroupCallback.ACTION_NAME, Callback.TASK_PARAM, Callback.UNLINK_PARAM)
-        group_id = await callback_helper.get_single_param(args, Callback.TASKGROUP_ID_ARG, pre_command)
-        task_ids = await callback_helper.get_multi_params(args, Callback.TASK_ID_ARG, pre_command)
-
-        if group_id is None or task_ids is None:
-            return
-        
-        group = TaskGroup.get_from_id(group_id)
-        if group is None:
-            await send_message(TaskGroupCallback.WRONG_ID_MESSAGE)
-            return
-
-        tasks: list[Task] = []
-        for task_id in task_ids:
-            task = Task.get_from_id(task_id)
-            if task is None:
-                await send_message(TaskGroupCallback.WRONG_ID_MESSAGE)
-                return
-
-            tasks.append(task)
-
-        message = "unlinked tasks"
-        for task in tasks:
-            message += " {}".format(task.get_id())
-            group.unlink_task(task)
-
-        message += " from TaskGroup {}".format(group.get_id())
-        await send_message(message)
-
-    async def handle_subtaskgroup(self, no_params: list[str], args: dict):
-        if not no_params:
-            await send_html("<code>{} {}</code> needs <code>{}</code>, <code>{}</code>, <code>{}</code> or <code>{}</code>".format(
-                TaskGroupCallback.ACTION_NAME, Callback.SUBTASKGROUP_PARAM, Callback.CREATE_PARAM, Callback.GET_PARAM, Callback.LINK_PARAM, Callback.UNLINK_PARAM
-            ))
-            return
-
-        action = no_params.pop(0)
-
-        if action == Callback.CREATE_PARAM:
-            await self.handle_subtaskgroup_create(no_params, args)
-        elif action == Callback.GET_PARAM:
-            await self.handle_subtaskgroup_get(no_params, args)
-        elif action == Callback.LINK_PARAM:
-            await self.handle_subtaskgroup_link(no_params, args)
-        elif action == Callback.UNLINK_PARAM:
-            await self.handle_subtaskgroup_unlink(no_params, args)
-        else:
-            await send_message("unknown param {}".format(action))
-
-    async def handle_subtaskgroup_create(self, no_params: list[str], args: dict):
-        pre_command = "{} {} {}".format(TaskGroupCallback.ACTION_NAME, Callback.SUBTASKGROUP_PARAM, Callback.CREATE_PARAM)
-        group_id = await callback_helper.get_single_param(args, Callback.TASKGROUP_ID_ARG, pre_command)
-        subgroup_names = await callback_helper.get_multi_params(args, Callback.NAME_ARG, pre_command)
-
-        group = TaskGroup.get_from_id(group_id)
-        if group is None:
-            await send_message(TaskGroupCallback.WRONG_ID_MESSAGE)
-            return
-
-        message = "created subgroups"
-        for subgroup_name in subgroup_names:
-            subgroup = group.add_subTaskGroup(subgroup_name)
-            message += " {}".format(subgroup.get_id())
-        
-        message += " and added them to TaskGroup {}".format(group.get_id())
-        await send_message(message)
-
-    async def handle_subtaskgroup_get(self, no_params: list[str], args: dict):
-        pre_command = "{} {} {}".format(TaskGroupCallback.ACTION_NAME, Callback.SUBTASKGROUP_PARAM, Callback.GET_PARAM)
-        group_id = await callback_helper.get_single_param(args, Callback.TASKGROUP_ID_ARG, pre_command)
-        if group_id is None:
-            return
-
-        group = TaskGroup.get_from_id(group_id)
-        if group is None:
-            await send_message(TaskGroupCallback.WRONG_ID_MESSAGE)
-            return
-        
-        message = """<h2>SubGroups of TaskGroup "{}"</h2>
-<table>
-    <tr>
-        <th>SubGroup ID</th>
-        <th>Name</th>
-        <th>Has Tasks</th>
-        <th>Has SubGroup</th>
-    </tr>
-        """.format(group.get_name())
-
-        for subgroup in group.get_subTaskGroups():
-            message += "<tr><td>{}</td><td>{}</td><td>{}</td><td>{}</td></tr>".format(
-                subgroup.get_id(), subgroup.get_name(), bool(subgroup.get_tasks()), bool(subgroup.get_subTaskGroups()))
-
-        message += "</table>"
-        await send_html(message)
-
-    async def handle_subtaskgroup_link(self, no_params: list[str], args: dict):
-        pre_command = "{} {} {}".format(TaskGroupCallback.ACTION_NAME, Callback.SUBTASKGROUP_PARAM, Callback.LINK_PARAM)
-        group_id = await callback_helper.get_single_param(args, Callback.TASKGROUP_ID_ARG, pre_command)
-        subgroup_ids = await callback_helper.get_multi_params(args, Callback.SUBTASKGROUP_ID_ARG, pre_command)
-
-        if group_id is None or subgroup_ids is None:
-            return
-
-        group = TaskGroup.get_from_id(group_id)
-        if group is None:
-            await send_message(TaskGroupCallback.WRONG_ID_MESSAGE)
-            return
-
-        subgroups: list[TaskGroup] = []
-        for subgroup_id in subgroup_ids:
-            subgroup = TaskGroup.get_from_id(subgroup_id)
-            if subgroup is None:
-                await send_message(TaskGroupCallback.WRONG_ID_MESSAGE)
-                return
-
-            subgroups.append(subgroup)
-
-        message = "linked subgroups"
-        for subgroup in subgroups:
-            group.link_subTaskGroup(subgroup)
-            message += " {}".format(subgroup.get_id())
-
-        message += " to TaskGroup {}".format(group.get_id())
-        await send_message(message)
-
-    async def handle_subtaskgroup_unlink(self, no_params: list[str], args: dict):
-        pre_command = "{} {} {}".format(TaskGroupCallback.ACTION_NAME, Callback.SUBTASKGROUP_PARAM, Callback.UNLINK_PARAM)
-        group_id = await callback_helper.get_single_param(args, Callback.TASKGROUP_ID_ARG, pre_command)
-        subgroup_ids = await callback_helper.get_multi_params(args, Callback.SUBTASKGROUP_ID_ARG, pre_command)
-
-        if group_id is None or subgroup_ids is None:
-            return
-
-        group = TaskGroup.get_from_id(group_id)
-        if group is None:
-            await send_message(TaskGroupCallback.WRONG_ID_MESSAGE)
-            return
-
-        subgroups: list[TaskGroup] = []
-        for subgroup_id in subgroup_ids:
-            subgroup = TaskGroup.get_from_id(subgroup_id)
-            if subgroup is None:
-                await send_message(TaskGroupCallback.WRONG_ID_MESSAGE)
-                return
-
-            subgroups.append(subgroup)
-
-        message = "unlinked subgroups"
-        for subgroup in subgroups:
-            message += " {}".format(subgroup.get_id())
-            group.unlink_subTaskGroup(subgroup)
-
-        message += " from TaskGroup {}".format(group.get_id())
-        await send_message(message)
-
-    async def handle_interactive_set(self, no_params: list[str], args: dict):
-        callback_helper.set_interactive(True, TaskGroupCallback)
-
-    def _get_taskgroup_from_id(self, taskgroup_ids: list[str]):
-        taskgroups = []
-        if taskgroup_ids is not None:
-            for taskgroup_id in taskgroup_ids:
-                taskgroup = TaskGroup.get_from_id(taskgroup_id)
-                if taskgroup is None:
-                    return None
-
-                taskgroups.append(taskgroup)
-                
-        else:
-            with TaskGroup.tasksGroups_lock:
-                taskgroups = TaskGroup.taskGroups
-
-        return taskgroups
-
-    def get_subtasks_group_str(self, taskgroup: TaskGroup, with_tasks=False):
-        subtaskgroups = taskgroup.get_subTaskGroups()
-        tasks = taskgroup.get_tasks()
-        message = "<li>{}: {}".format(taskgroup.get_name(), taskgroup.get_id())
-        if with_tasks:
-            for task in tasks:
-                message += "<br/>{} {}, subtasks={}: {}".format(Task.task_state_to_html(task.get_state()), task.get_name(), bool(task.get_subtasks()), task.get_id())
-        for subtaskgroup in subtaskgroups:
-            message += "<ul>{}</ul>".format(self.get_subtasks_group_str(subtaskgroup, with_tasks))
-
-        message += "</li>"
-        return message
-
diff --git a/images/my_bot/scripts/callback/callbacks/TimerCallback.py b/images/my_bot/scripts/callback/callbacks/TimerCallback.py
deleted file mode 100644
index 236c4d531444211080efb187e37ff3ee5e1e2ca1..0000000000000000000000000000000000000000
--- a/images/my_bot/scripts/callback/callbacks/TimerCallback.py
+++ /dev/null
@@ -1,69 +0,0 @@
-from callback.Callback import Callback
-from Timer import Timer
-from matrix_wrapper import *
-from callback.callbacks import TimerCallback
-from callback.callbacks.HelpCallback import HelpCallback
-from callback import callback_helper
-
-class TimerCallback(Callback):
-    ACTION_NAME = "timer"
-
-    async def run(self, args: dict):
-        timer_actions = args.get(Callback.NO_PARAM)
-
-        if not timer_actions:
-            await help()
-            return
-        
-        timer_action = timer_actions.pop(0)
-        if timer_action == Callback.GET_PARAM:
-            message = """<h2>List Timers</h2>
-<table>
-    <tr>
-        <th>Timer ID</th>
-        <th>Message</th>
-        <th>State</th>
-        <th>Remaining time</th>
-    </tr>
-        """
-            with Timer.timers_lock:
-                for timer in Timer.timers:
-                    timer_state = timer.get_state()
-                    message += "<tr><td>{}</td><td>{}</td><td>{}</td><td>".format(timer.get_id(), timer.get_callback_message(), timer_state)
-
-                    if timer_state == Timer.STATE_RUNNING:
-                        message += str(timer.remaining())
-                    message += "</td></tr>"
-                message += "</table>"
-
-            await send_html(message)
-
-        elif timer_action == Callback.CREATE_PARAM:
-            pre_command = "{} {}".format(Callback.TIMER_PARAM, Callback.CREATE_PARAM)
-            callback_message = await callback_helper.get_single_param(args, Callback.TEXT_ARG, pre_command, required=False)
-            duration = await callback_helper.get_single_param(args, Callback.DURATION_ARG, pre_command, cast_class=float)
-            
-            if duration is None:
-                return
-
-            timer = Timer(duration, callback_message)
-            timer.start()
-            await send_message("created and started timer {}".format(timer.get_id()))
-
-        elif timer_action == Callback.CANCEL_PARAM:
-            pre_command = "{} {}".format(Callback.TIMER_PARAM, Callback.CANCEL_PARAM)
-            timer_id = await callback_helper.get_single_param(args, Callback.ID_ARG, pre_command)
-
-            if timer_id is None:
-                return
-            
-            timer: Timer = Timer.get_from_id(timer_id)
-            if timer is None:
-                await send_html("timer not found, call <code>{} {}</code> for all available Timers".format(TimerCallback.ACTION_NAME, Callback.GET_PARAM))
-                return
-
-            timer.cancel()
-            await send_message("timer {} cancelled".format(timer.get_id()))
-        
-        else:
-            await send_message("unknown parameter {}".format(timer_action))
diff --git a/images/my_bot/scripts/main.py b/images/my_bot/scripts/main.py
deleted file mode 100644
index 218d2968eb2df32a34a1aba936071a04016da28e..0000000000000000000000000000000000000000
--- a/images/my_bot/scripts/main.py
+++ /dev/null
@@ -1,39 +0,0 @@
-import matrix_wrapper
-import asyncio
-from Timer import Timer
-from Task import Task
-from TaskGroup import TaskGroup
-from callback import callback_helper
-from callback.callbacks.HelpCallback import HelpCallback
-from callback.callbacks.DiskUsageCallback import DiskUsageCallback
-from callback.callbacks.ListDirectoriesCallback import ListDirectoriesCallback
-from callback.callbacks.TimerCallback import TimerCallback
-from callback.callbacks.TaskCallback import TaskCallback
-from callback.callbacks.TaskGroupCallback import TaskGroupCallback
-
-
-async def main():
-    # callbacks
-
-    callback_helper.register(DiskUsageCallback.ACTION_NAME, DiskUsageCallback)
-    callback_helper.register(HelpCallback.ACTION_NAME, HelpCallback)
-    callback_helper.register(ListDirectoriesCallback.ACTION_NAME, ListDirectoriesCallback)
-    callback_helper.register(TimerCallback.ACTION_NAME, TimerCallback)
-    callback_helper.register(TaskCallback.ACTION_NAME, TaskCallback)
-    callback_helper.register(TaskGroupCallback.ACTION_NAME, TaskGroupCallback)
-
-    # setup communication
-    await matrix_wrapper.init()
-    await matrix_wrapper.login()
-
-    # restore backups
-    await Timer.restartExisting()
-    await Task.restartExisting()
-    await TaskGroup.restartExisting()
-
-    await matrix_wrapper.listen_messages()
-
-
-if __name__ == "__main__":
-    asyncio.get_event_loop().run_until_complete(main())
-    
\ No newline at end of file
diff --git a/images/my_bot/scripts/matrix_wrapper.py b/images/my_bot/scripts/matrix_wrapper.py
deleted file mode 100644
index 393d6ace9350a9351ea6cbc15348eaec8428a0a8..0000000000000000000000000000000000000000
--- a/images/my_bot/scripts/matrix_wrapper.py
+++ /dev/null
@@ -1,104 +0,0 @@
-from email import message
-import os
-from nio import AsyncClient, MatrixRoom, RoomMessageText, Event
-from nio.responses import SyncResponse
-from callback import callback_helper
-
-
-
-NEXT_BATCH_FILE = os.environ["NEXT_BATCH_PATH"]
-STORE_PATH = os.environ["STORE_PATH"]
-LOG_PATH = os.environ["LOG_PATH"]
-
-BASE_URL = os.environ["BASE_URL"]
-HOMESERVER_URL = "https://{}".format(BASE_URL)
-ROOM_ID = "{}:{}".format(os.environ["ROOM_ID"], BASE_URL)
-# DEVICE_ID = "wrapper_{}".format(str(uuid.uuid4()))
-
-USERNAME = os.environ["USERNAME"]
-PASSWORD = os.environ["PASSWORD"]
-
-MIMETYPE_PLAIN = "text/plain"
-MIMETYPE_HTML = "text/html"
-
-M_ROOM_PREFIX = "m.room"
-MESSAGE_TYPE_MESSAGE = "{}.message".format(M_ROOM_PREFIX)
-# MESSAGE_TYPE_NOTICE = "{}.notice".format(M_ROOM_PREFIX)
-
-_client: AsyncClient = None
-
-async def message_callback(room: MatrixRoom, event: RoomMessageText) -> None:
-    if room.room_id != ROOM_ID or event.sender == _client.user_id: #ignore other rooms and my messages
-        return
-
-    await callback_helper.exec(callback_helper.unpack(event.body))
-
-async def sync_response_callback(response: SyncResponse) -> None:
-    if isinstance(response, SyncResponse):
-        await set_next_batch(response.next_batch)
-
-async def default_callback(room: MatrixRoom, event: Event): # not sure if needed
-    log("unhandled {} {} in room {}", event.__class__, event.event_id, room.room_id)
-
-async def init():
-    global _client
-    _client = AsyncClient(HOMESERVER_URL, USERNAME, store_path=STORE_PATH)
-    if not os.path.exists(STORE_PATH):
-        os.mkdir(STORE_PATH)
-
-async def send_message(content: str, mimetype: str=MIMETYPE_PLAIN):
-    await _room_send(content, mimetype=mimetype)
-
-async def send_html(content: str, sender=send_message):
-    await sender(content, MIMETYPE_HTML)
-
-async def _room_send(content: str, room_id: str=ROOM_ID, mimetype: str=MIMETYPE_PLAIN):
-    global _client
-
-    await _client.room_send(room_id, MESSAGE_TYPE_MESSAGE, {"msgtype": "m.text", "body": "", "mimetype": mimetype, "format": "org.matrix.custom.html", "formatted_body": content}, ignore_unverified_devices=True)
-
-async def listen_messages():
-    global _client
-    next_batch = await get_next_batch() # must be called before callback registering
-
-    _client.add_event_callback(message_callback, RoomMessageText)
-    _client.add_response_callback(sync_response_callback)
-
-    while True:
-        try:
-            await _client.sync_forever(timeout=1000, since=next_batch)
-        except Exception as e:
-            log(str(e))
-
-async def set_next_batch(next_batch: str):
-    with open(NEXT_BATCH_FILE, "w+") as f:
-        f.write(next_batch)
-
-async def get_next_batch():
-    global _client
-    next_batch = ""
-
-    if os.path.exists(NEXT_BATCH_FILE):
-        with open(NEXT_BATCH_FILE, "r+") as f:
-            next_batch = f.readline()
-
-    if next_batch == "":
-        sync_response = await _client.sync(full_state=True)
-        return sync_response.next_batch
-
-    return next_batch
-
-async def login():
-    global _client
-    await _client.login(PASSWORD)
-    await _client.sync(full_state=True)
-    
-async def logout():
-    global _client
-    await _client.logout()
-
-def log(content: str, *args):
-    content = content.format(*args)
-    with open("log.txt", "a+") as f:
-        f.write("{}\n".format(content))
-
diff --git a/images/my_bot/scripts/requirements.txt b/images/my_bot/scripts/requirements.txt
deleted file mode 100644
index 331f9239110465715d7f775a77c8fb9fe4b1c30c..0000000000000000000000000000000000000000
--- a/images/my_bot/scripts/requirements.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-matrix-nio[e2e]
-python-olm
\ No newline at end of file
diff --git a/images/python_pyyaml/Dockerfile b/images/python_pyyaml/Dockerfile
deleted file mode 100644
index 81143091dba825411956b5409a998f6495c10608..0000000000000000000000000000000000000000
--- a/images/python_pyyaml/Dockerfile
+++ /dev/null
@@ -1,9 +0,0 @@
-ARG PYTHON=python:3.10.0
-FROM ${PYTHON} AS python
-
-RUN set -eux; \
-    apt-get update -q \
-    && DEBIAN_FRONTEND=noninteractive apt-get install -yq --no-install-recommends \
-      python3-pip
-
-RUN python3 -m pip install --upgrade pip && pip3 install pyyaml --no-input
diff --git a/images/streama/Dockerfile b/images/streama/Dockerfile
deleted file mode 100644
index 9b0e16c179ecb9151ce9c8687a46ce0acb717a07..0000000000000000000000000000000000000000
--- a/images/streama/Dockerfile
+++ /dev/null
@@ -1,14 +0,0 @@
-FROM openjdk:8-jdk AS alpine
-ARG VERSION=1.10.4
-# COPY application.yml /app/streama/bin/
-WORKDIR /app/streama/bin/
-ADD https://github.com/streamaserver/streama/releases/download/v${VERSION}/streama-${VERSION}.jar streama.jar
-RUN set -x \
- && chmod +x streama.jar
- 
-EXPOSE 8080
-VOLUME /config
-VOLUME /media
-# ENTRYPOINT ["java -jar /app/streama/bin/streama.jar"]
-# ENTRYPOINT ["java --version"]
-CMD ["java", "-jar", "streama.jar"]
diff --git a/images/ubuntu/Dockerfile b/images/ubuntu/Dockerfile
deleted file mode 100644
index e9e7b7a6a7a16876819cefc3401513f0eb7e6552..0000000000000000000000000000000000000000
--- a/images/ubuntu/Dockerfile
+++ /dev/null
@@ -1 +0,0 @@
-FROM ubuntu:22.04
diff --git a/ingress/nginx-ingress-v0.44.0.yaml b/ingress/nginx-ingress-v0.44.0.yaml
deleted file mode 100644
index 736d435abb6fc078592658b235630468d7f48435..0000000000000000000000000000000000000000
--- a/ingress/nginx-ingress-v0.44.0.yaml
+++ /dev/null
@@ -1,2074 +0,0 @@
-
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: ingress-nginx
-  labels:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-
----
-# Source: ingress-nginx/templates/controller-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-3.23.0
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.44.0
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: ingress-nginx
-  namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/controller-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-3.23.0
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.44.0
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: ingress-nginx-controller
-  namespace: ingress-nginx
-data:
----
-# Source: ingress-nginx/templates/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-3.23.0
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.44.0
-    app.kubernetes.io/managed-by: Helm
-  name: ingress-nginx
-rules:
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-      - endpoints
-      - nodes
-      - pods
-      - secrets
-    verbs:
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - nodes
-    verbs:
-      - get
-  - apiGroups:
-      - ''
-    resources:
-      - services
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
-  - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - networking.k8s.io   # k8s 1.14+
-    resources:
-      - ingressclasses
-    verbs:
-      - get
-      - list
-      - watch
----
-# Source: ingress-nginx/templates/clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-3.23.0
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.44.0
-    app.kubernetes.io/managed-by: Helm
-  name: ingress-nginx
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: ingress-nginx
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/controller-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-3.23.0
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.44.0
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: ingress-nginx
-  namespace: ingress-nginx
-rules:
-  - apiGroups:
-      - ''
-    resources:
-      - namespaces
-    verbs:
-      - get
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-      - pods
-      - secrets
-      - endpoints
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - services
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - networking.k8s.io   # k8s 1.14+
-    resources:
-      - ingressclasses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-    resourceNames:
-      - ingress-controller-leader-nginx
-    verbs:
-      - get
-      - update
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-    verbs:
-      - create
-  - apiGroups:
-      - ''
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
----
-# Source: ingress-nginx/templates/controller-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-3.23.0
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.44.0
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: ingress-nginx
-  namespace: ingress-nginx
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: ingress-nginx
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/controller-service-webhook.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-3.23.0
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.44.0
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: ingress-nginx-controller-admission
-  namespace: ingress-nginx
-spec:
-  type: ClusterIP
-  ports:
-    - name: https-webhook
-      port: 443
-      targetPort: webhook
-  selector:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/component: controller
----
-# Source: ingress-nginx/templates/controller-service.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  annotations:
-  labels:
-    helm.sh/chart: ingress-nginx-3.23.0
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.44.0
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: ingress-nginx-controller
-  namespace: ingress-nginx
-spec:
-  type: LoadBalancer
-  externalTrafficPolicy: Local
-  ports:
-    - name: http
-      port: 80
-      protocol: TCP
-      targetPort: http
-    - name: https
-      port: 443
-      protocol: TCP
-      targetPort: https
-  selector:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/component: controller
----
-# Source: ingress-nginx/templates/controller-deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-3.23.0
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.44.0
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: ingress-nginx-controller
-  namespace: ingress-nginx
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: ingress-nginx
-      app.kubernetes.io/instance: ingress-nginx
-      app.kubernetes.io/component: controller
-  revisionHistoryLimit: 10
-  minReadySeconds: 0
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/component: controller
-    spec:
-      dnsPolicy: ClusterFirst
-      containers:
-        - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v0.44.0@sha256:3dd0fac48073beaca2d67a78c746c7593f9c575168a17139a9955a82c63c4b9a
-          imagePullPolicy: IfNotPresent
-          lifecycle:
-            preStop:
-              exec:
-                command:
-                  - /wait-shutdown
-          args:
-            - /nginx-ingress-controller
-            - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
-            - --election-id=ingress-controller-leader
-            - --ingress-class=nginx
-            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
-            - --validating-webhook=:8443
-            - --validating-webhook-certificate=/usr/local/certificates/cert
-            - --validating-webhook-key=/usr/local/certificates/key
-          securityContext:
-            capabilities:
-              drop:
-                - ALL
-              add:
-                - NET_BIND_SERVICE
-            runAsUser: 101
-            allowPrivilegeEscalation: true
-          env:
-            - name: POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-            - name: LD_PRELOAD
-              value: /usr/local/lib/libmimalloc.so
-          livenessProbe:
-            httpGet:
-              path: /healthz
-              port: 10254
-              scheme: HTTP
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            timeoutSeconds: 1
-            successThreshold: 1
-            failureThreshold: 5
-          readinessProbe:
-            httpGet:
-              path: /healthz
-              port: 10254
-              scheme: HTTP
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            timeoutSeconds: 1
-            successThreshold: 1
-            failureThreshold: 3
-          ports:
-            - name: http
-              containerPort: 80
-              protocol: TCP
-            - name: https
-              containerPort: 443
-              protocol: TCP
-            - name: webhook
-              containerPort: 8443
-              protocol: TCP
-          volumeMounts:
-            - name: webhook-cert
-              mountPath: /usr/local/certificates/
-              readOnly: true
-            - name: nginx-config
-              mountPath: /etc/nginx/template
-          resources:
-            requests:
-              cpu: 100m
-              memory: 90Mi
-      nodeSelector:
-        kubernetes.io/os: linux
-      serviceAccountName: ingress-nginx
-      terminationGracePeriodSeconds: 300
-      volumes:
-        - name: webhook-cert
-          secret:
-            secretName: ingress-nginx-admission
-        - name: nginx-config
-          configMap:
-            name: nginx-config
----
-# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
-# before changing this value, check the required kubernetes version
-# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-3.23.0
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.44.0
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-  name: ingress-nginx-admission
-webhooks:
-  - name: validate.nginx.ingress.kubernetes.io
-    matchPolicy: Equivalent
-    rules:
-      - apiGroups:
-          - networking.k8s.io
-        apiVersions:
-          - v1beta1
-        operations:
-          - CREATE
-          - UPDATE
-        resources:
-          - ingresses
-    failurePolicy: Fail
-    sideEffects: None
-    admissionReviewVersions:
-      - v1
-      - v1beta1
-    clientConfig:
-      service:
-        namespace: ingress-nginx
-        name: ingress-nginx-controller-admission
-        path: /networking/v1beta1/ingresses
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: ingress-nginx-admission
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-3.23.0
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.44.0
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: ingress-nginx-admission
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-3.23.0
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.44.0
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-rules:
-  - apiGroups:
-      - admissionregistration.k8s.io
-    resources:
-      - validatingwebhookconfigurations
-    verbs:
-      - get
-      - update
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: ingress-nginx-admission
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-3.23.0
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.44.0
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: ingress-nginx-admission
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx-admission
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: ingress-nginx-admission
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-3.23.0
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.44.0
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
-rules:
-  - apiGroups:
-      - ''
-    resources:
-      - secrets
-    verbs:
-      - get
-      - create
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: ingress-nginx-admission
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-3.23.0
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.44.0
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: ingress-nginx-admission
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx-admission
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: ingress-nginx-admission-create
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-3.23.0
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.44.0
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
-spec:
-  template:
-    metadata:
-      name: ingress-nginx-admission-create
-      labels:
-        helm.sh/chart: ingress-nginx-3.23.0
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.44.0
-        app.kubernetes.io/managed-by: Helm
-        app.kubernetes.io/component: admission-webhook
-    spec:
-      containers:
-        - name: create
-          image: docker.io/jettech/kube-webhook-certgen:v1.5.1
-          imagePullPolicy: IfNotPresent
-          args:
-            - create
-            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
-            - --namespace=$(POD_NAMESPACE)
-            - --secret-name=ingress-nginx-admission
-          env:
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-      restartPolicy: OnFailure
-      serviceAccountName: ingress-nginx-admission
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 2000
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: ingress-nginx-admission-patch
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-3.23.0
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.44.0
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
-spec:
-  template:
-    metadata:
-      name: ingress-nginx-admission-patch
-      labels:
-        helm.sh/chart: ingress-nginx-3.23.0
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.44.0
-        app.kubernetes.io/managed-by: Helm
-        app.kubernetes.io/component: admission-webhook
-    spec:
-      containers:
-        - name: patch
-          image: docker.io/jettech/kube-webhook-certgen:v1.5.1
-          imagePullPolicy: IfNotPresent
-          args:
-            - patch
-            - --webhook-name=ingress-nginx-admission
-            - --namespace=$(POD_NAMESPACE)
-            - --patch-mutating=false
-            - --secret-name=ingress-nginx-admission
-            - --patch-failure-policy=Fail
-          env:
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-      restartPolicy: OnFailure
-      serviceAccountName: ingress-nginx-admission
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 2000
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: nginx-config
-  namespace: ingress-nginx
-  labels:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-data:
-  nginx.tmpl: |
-    {{ $all := . }}
-    {{ $servers := .Servers }}
-    {{ $cfg := .Cfg }}
-    {{ $IsIPV6Enabled := .IsIPV6Enabled }}
-    {{ $healthzURI := .HealthzURI }}
-    {{ $backends := .Backends }}
-    {{ $proxyHeaders := .ProxySetHeaders }}
-    {{ $addHeaders := .AddHeaders }}
-
-    # Configuration checksum: {{ $all.Cfg.Checksum }}
-
-    # setup custom paths that do not require root access
-    pid {{ .PID }};
-
-    {{ if $cfg.UseGeoIP2 }}
-    load_module /etc/nginx/modules/ngx_http_geoip2_module.so;
-    {{ end }}
-
-    {{ if $cfg.EnableBrotli }}
-    load_module /etc/nginx/modules/ngx_http_brotli_filter_module.so;
-    load_module /etc/nginx/modules/ngx_http_brotli_static_module.so;
-    {{ end }}
-
-    {{ if (shouldLoadInfluxDBModule $servers) }}
-    load_module /etc/nginx/modules/ngx_http_influxdb_module.so;
-    {{ end }}
-
-    {{ if (shouldLoadAuthDigestModule $servers) }}
-    load_module /etc/nginx/modules/ngx_http_auth_digest_module.so;
-    {{ end }}
-
-    {{ if (shouldLoadModSecurityModule $cfg $servers) }}
-    load_module /etc/nginx/modules/ngx_http_modsecurity_module.so;
-    {{ end }}
-
-    {{ if (shouldLoadOpentracingModule $cfg $servers) }}
-    load_module /etc/nginx/modules/ngx_http_opentracing_module.so;
-    {{ end }}
-
-    daemon off;
-
-    worker_processes {{ $cfg.WorkerProcesses }};
-    {{ if gt (len $cfg.WorkerCPUAffinity) 0 }}
-    worker_cpu_affinity {{ $cfg.WorkerCPUAffinity }};
-    {{ end }}
-
-    worker_rlimit_nofile {{ $cfg.MaxWorkerOpenFiles }};
-
-    {{/* http://nginx.org/en/docs/ngx_core_module.html#worker_shutdown_timeout 1*/}}
-    {{/* avoid waiting too long during a reload */}}
-    worker_shutdown_timeout {{ $cfg.WorkerShutdownTimeout }} ;
-
-    {{ if not (empty $cfg.MainSnippet) }}
-    {{ $cfg.MainSnippet }}
-    {{ end }}
-
-    events {
-        multi_accept        {{ if $cfg.EnableMultiAccept }}on{{ else }}off{{ end }};
-        worker_connections  {{ $cfg.MaxWorkerConnections }};
-        use                 epoll;
-    }
-
-    http {
-        lua_package_path "/etc/nginx/lua/?.lua;;";
-
-        {{ buildLuaSharedDictionaries $cfg $servers }}
-
-        init_by_lua_block {
-            collectgarbage("collect")
-
-            -- init modules
-            local ok, res
-
-            ok, res = pcall(require, "lua_ingress")
-            if not ok then
-              error("require failed: " .. tostring(res))
-            else
-              lua_ingress = res
-              lua_ingress.set_config({{ configForLua $all }})
-            end
-
-            ok, res = pcall(require, "configuration")
-            if not ok then
-              error("require failed: " .. tostring(res))
-            else
-              configuration = res
-            end
-
-            ok, res = pcall(require, "balancer")
-            if not ok then
-              error("require failed: " .. tostring(res))
-            else
-              balancer = res
-            end
-
-            {{ if $all.EnableMetrics }}
-            ok, res = pcall(require, "monitor")
-            if not ok then
-              error("require failed: " .. tostring(res))
-            else
-              monitor = res
-            end
-            {{ end }}
-
-            ok, res = pcall(require, "certificate")
-            if not ok then
-              error("require failed: " .. tostring(res))
-            else
-              certificate = res
-              certificate.is_ocsp_stapling_enabled = {{ $cfg.EnableOCSP }}
-            end
-
-            ok, res = pcall(require, "plugins")
-            if not ok then
-              error("require failed: " .. tostring(res))
-            else
-              plugins = res
-            end
-            -- load all plugins that'll be used here
-            plugins.init({ {{ range  $idx, $plugin := $cfg.Plugins }}{{ if $idx }},{{ end }}{{ $plugin | quote }}{{ end }} })
-        }
-
-        init_worker_by_lua_block {
-            lua_ingress.init_worker()
-            balancer.init_worker()
-            {{ if $all.EnableMetrics }}
-            monitor.init_worker({{ $all.MonitorMaxBatchSize }})
-            {{ end }}
-
-            plugins.run()
-        }
-
-        {{/* Enable the real_ip module only if we use either X-Forwarded headers or Proxy Protocol. */}}
-        {{/* we use the value of the real IP for the geo_ip module */}}
-        {{ if or (or $cfg.UseForwardedHeaders $cfg.UseProxyProtocol) $cfg.EnableRealIp }}
-        {{ if $cfg.UseProxyProtocol }}
-        real_ip_header      proxy_protocol;
-        {{ else }}
-        real_ip_header      {{ $cfg.ForwardedForHeader }};
-        {{ end }}
-
-        real_ip_recursive   on;
-        {{ range $trusted_ip := $cfg.ProxyRealIPCIDR }}
-        set_real_ip_from    {{ $trusted_ip }};
-        {{ end }}
-        {{ end }}
-
-        {{ if $all.Cfg.EnableModsecurity }}
-        modsecurity on;
-
-        modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;
-
-        {{ if $all.Cfg.EnableOWASPCoreRules }}
-        modsecurity_rules_file /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf;
-        {{ else if (not (empty $all.Cfg.ModsecuritySnippet)) }}
-        modsecurity_rules '
-          {{ $all.Cfg.ModsecuritySnippet }}
-        ';
-        {{ end }}
-
-        {{ end }}
-
-        {{ if $cfg.UseGeoIP }}
-        {{/* databases used to determine the country depending on the client IP address */}}
-        {{/* http://nginx.org/en/docs/http/ngx_http_geoip_module.html */}}
-        {{/* this is require to calculate traffic for individual country using GeoIP in the status page */}}
-        geoip_country       /etc/nginx/geoip/GeoIP.dat;
-        geoip_city          /etc/nginx/geoip/GeoLiteCity.dat;
-        geoip_org           /etc/nginx/geoip/GeoIPASNum.dat;
-        geoip_proxy_recursive on;
-        {{ end }}
-
-        {{ if $cfg.UseGeoIP2 }}
-        # https://github.com/leev/ngx_http_geoip2_module#example-usage
-
-        {{ range $index, $file := $all.MaxmindEditionFiles }}
-        {{ if eq $file "GeoLite2-Country.mmdb" }}
-        geoip2 /etc/nginx/geoip/GeoLite2-Country.mmdb {
-            $geoip2_country_code source=$remote_addr country iso_code;
-            $geoip2_country_name source=$remote_addr country names en;
-            $geoip2_continent_name source=$remote_addr continent names en;
-        }
-        {{ end }}
-
-        {{ if eq $file "GeoIP2-Country.mmdb" }}
-        geoip2 /etc/nginx/geoip/GeoIP2-Country.mmdb {
-            $geoip2_country_code source=$remote_addr country iso_code;
-            $geoip2_country_name source=$remote_addr country names en;
-            $geoip2_continent_name source=$remote_addr continent names en;
-        }
-        {{ end }}
-
-        {{ if eq $file "GeoLite2-City.mmdb" }}
-        geoip2 /etc/nginx/geoip/GeoLite2-City.mmdb {
-            $geoip2_city_country_code source=$remote_addr country iso_code;
-            $geoip2_city_country_name source=$remote_addr country names en;
-            $geoip2_city source=$remote_addr city names en;
-            $geoip2_postal_code source=$remote_addr postal code;
-            $geoip2_dma_code source=$remote_addr location metro_code;
-            $geoip2_latitude source=$remote_addr location latitude;
-            $geoip2_longitude source=$remote_addr location longitude;
-            $geoip2_time_zone source=$remote_addr location time_zone;
-            $geoip2_region_code source=$remote_addr subdivisions 0 iso_code;
-            $geoip2_region_name source=$remote_addr subdivisions 0 names en;
-            $geoip2_subregion_code source=$remote_addr subdivisions 1 iso_code;
-            $geoip2_subregion_name source=$remote_addr subdivisions 1 names en;
-        }
-        {{ end }}
-
-        {{ if eq $file "GeoIP2-City.mmdb" }}
-        geoip2 /etc/nginx/geoip/GeoIP2-City.mmdb {
-            $geoip2_city_country_code source=$remote_addr country iso_code;
-            $geoip2_city_country_name source=$remote_addr country names en;
-            $geoip2_city source=$remote_addr city names en;
-            $geoip2_postal_code source=$remote_addr postal code;
-            $geoip2_dma_code source=$remote_addr location metro_code;
-            $geoip2_latitude source=$remote_addr location latitude;
-            $geoip2_longitude source=$remote_addr location longitude;
-            $geoip2_time_zone source=$remote_addr location time_zone;
-            $geoip2_region_code source=$remote_addr subdivisions 0 iso_code;
-            $geoip2_region_name source=$remote_addr subdivisions 0 names en;
-            $geoip2_subregion_code source=$remote_addr subdivisions 1 iso_code;
-            $geoip2_subregion_name source=$remote_addr subdivisions 1 names en;
-        }
-        {{ end }}
-
-        {{ if eq $file "GeoLite2-ASN.mmdb" }}
-        geoip2 /etc/nginx/geoip/GeoLite2-ASN.mmdb {
-            $geoip2_asn source=$remote_addr autonomous_system_number;
-            $geoip2_org source=$remote_addr autonomous_system_organization;
-        }
-        {{ end }}
-
-        {{ if eq $file "GeoIP2-ASN.mmdb" }}
-        geoip2 /etc/nginx/geoip/GeoIP2-ASN.mmdb {
-            $geoip2_asn source=$remote_addr autonomous_system_number;
-            $geoip2_org source=$remote_addr autonomous_system_organization;
-        }
-        {{ end }}
-
-        {{ if eq $file "GeoIP2-ISP.mmdb" }}
-        geoip2 /etc/nginx/geoip/GeoIP2-ISP.mmdb {
-            $geoip2_isp isp;
-            $geoip2_isp_org organization;
-        }
-        {{ end }}
-
-        {{ if eq $file "GeoIP2-Connection-Type.mmdb" }}
-        geoip2 /etc/nginx/geoip/GeoIP2-Connection-Type.mmdb {
-            $geoip2_connection_type connection_type;
-        }
-        {{ end }}
-
-        {{ if eq $file "GeoIP2-Anonymous-IP.mmdb" }}
-        geoip2 /etc/nginx/geoip/GeoIP2-Anonymous-IP.mmdb {
-            $geoip2_is_anon source=$remote_addr is_anonymous;
-            $geoip2_is_hosting_provider source=$remote_addr is_hosting_provider;
-            $geoip2_is_public_proxy source=$remote_addr is_public_proxy;
-        }
-        {{ end }}
-
-        {{ end }}
-
-        {{ end }}
-
-        aio                 threads;
-        aio_write           on;
-
-        tcp_nopush          on;
-        tcp_nodelay         on;
-
-        log_subrequest      on;
-
-        reset_timedout_connection on;
-
-        keepalive_timeout  {{ $cfg.KeepAlive }}s;
-        keepalive_requests {{ $cfg.KeepAliveRequests }};
-
-        client_body_temp_path           /tmp/client-body;
-        fastcgi_temp_path               /tmp/fastcgi-temp;
-        proxy_temp_path                 /tmp/proxy-temp;
-        ajp_temp_path                   /tmp/ajp-temp;
-
-        client_header_buffer_size       {{ $cfg.ClientHeaderBufferSize }};
-        client_header_timeout           {{ $cfg.ClientHeaderTimeout }}s;
-        large_client_header_buffers     {{ $cfg.LargeClientHeaderBuffers }};
-        client_body_buffer_size         {{ $cfg.ClientBodyBufferSize }};
-        client_body_timeout             {{ $cfg.ClientBodyTimeout }}s;
-
-        http2_max_field_size            {{ $cfg.HTTP2MaxFieldSize }};
-        http2_max_header_size           {{ $cfg.HTTP2MaxHeaderSize }};
-        http2_max_requests              {{ $cfg.HTTP2MaxRequests }};
-        http2_max_concurrent_streams    {{ $cfg.HTTP2MaxConcurrentStreams }};
-
-        types_hash_max_size             2048;
-        server_names_hash_max_size      {{ $cfg.ServerNameHashMaxSize }};
-        server_names_hash_bucket_size   {{ $cfg.ServerNameHashBucketSize }};
-        map_hash_bucket_size            {{ $cfg.MapHashBucketSize }};
-
-        proxy_headers_hash_max_size     {{ $cfg.ProxyHeadersHashMaxSize }};
-        proxy_headers_hash_bucket_size  {{ $cfg.ProxyHeadersHashBucketSize }};
-
-        variables_hash_bucket_size      {{ $cfg.VariablesHashBucketSize }};
-        variables_hash_max_size         {{ $cfg.VariablesHashMaxSize }};
-
-        underscores_in_headers          {{ if $cfg.EnableUnderscoresInHeaders }}on{{ else }}off{{ end }};
-        ignore_invalid_headers          {{ if $cfg.IgnoreInvalidHeaders }}on{{ else }}off{{ end }};
-
-        limit_req_status                {{ $cfg.LimitReqStatusCode }};
-        limit_conn_status               {{ $cfg.LimitConnStatusCode }};
-
-        {{ buildOpentracing $cfg $servers }}
-
-        include /etc/nginx/mime.types;
-        default_type {{ $cfg.DefaultType }};
-
-        {{ if $cfg.EnableBrotli }}
-        brotli on;
-        brotli_comp_level {{ $cfg.BrotliLevel }};
-        brotli_types {{ $cfg.BrotliTypes }};
-        {{ end }}
-
-        {{ if $cfg.UseGzip }}
-        gzip on;
-        gzip_comp_level {{ $cfg.GzipLevel }};
-        gzip_http_version 1.1;
-        gzip_min_length {{ $cfg.GzipMinLength}};
-        gzip_types {{ $cfg.GzipTypes }};
-        gzip_proxied any;
-        gzip_vary on;
-        {{ end }}
-
-        # Custom headers for response
-        {{ range $k, $v := $addHeaders }}
-        more_set_headers {{ printf "%s: %s" $k $v | quote }};
-        {{ end }}
-
-        server_tokens {{ if $cfg.ShowServerTokens }}on{{ else }}off{{ end }};
-        {{ if not $cfg.ShowServerTokens }}
-        more_clear_headers Server;
-        {{ end }}
-
-        # disable warnings
-        uninitialized_variable_warn off;
-
-        # Additional available variables:
-        # $namespace
-        # $ingress_name
-        # $service_name
-        # $service_port
-        # cli_max_body_size
-        log_format upstreaminfo {{ if $cfg.LogFormatEscapeJSON }}escape=json {{ end }}'{{ $cfg.LogFormatUpstream }}';
-
-        {{/* map urls that should not appear in access.log */}}
-        {{/* http://nginx.org/en/docs/http/ngx_http_log_module.html#access_log */}}
-        map $request_uri $loggable {
-            {{ range $reqUri := $cfg.SkipAccessLogURLs }}
-            {{ $reqUri }} 0;{{ end }}
-            default 1;
-        }
-
-        {{ if or $cfg.DisableAccessLog $cfg.DisableHTTPAccessLog }}
-        access_log off;
-        {{ else }}
-        {{ if $cfg.EnableSyslog }}
-        access_log syslog:server={{ $cfg.SyslogHost }}:{{ $cfg.SyslogPort }} upstreaminfo if=$loggable;
-        {{ else }}
-        access_log {{ or $cfg.HttpAccessLogPath $cfg.AccessLogPath }} upstreaminfo {{ $cfg.AccessLogParams }} if=$loggable;
-        {{ end }}
-        {{ end }}
-
-        {{ if $cfg.EnableSyslog }}
-        error_log syslog:server={{ $cfg.SyslogHost }}:{{ $cfg.SyslogPort }} {{ $cfg.ErrorLogLevel }};
-        {{ else }}
-        error_log  {{ $cfg.ErrorLogPath }} {{ $cfg.ErrorLogLevel }};
-        {{ end }}
-
-        {{ buildResolvers $cfg.Resolver $cfg.DisableIpv6DNS }}
-
-        # See https://www.nginx.com/blog/websocket-nginx
-        map $http_upgrade $connection_upgrade {
-            default          upgrade;
-            {{ if (gt $cfg.UpstreamKeepaliveConnections 0) }}
-            # See http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
-            ''               '';
-            {{ else }}
-            ''               close;
-            {{ end }}
-        }
-
-        # Reverse proxies can detect if a client provides a X-Request-ID header, and pass it on to the backend server.
-        # If no such header is provided, it can provide a random value.
-        map $http_x_request_id $req_id {
-            default   $http_x_request_id;
-            {{ if $cfg.GenerateRequestID }}
-            ""        $request_id;
-            {{ end }}
-        }
-
-        {{ if and $cfg.UseForwardedHeaders $cfg.ComputeFullForwardedFor }}
-        # We can't use $proxy_add_x_forwarded_for because the realip module
-        # replaces the remote_addr too soon
-        map $http_x_forwarded_for $full_x_forwarded_for {
-            {{ if $all.Cfg.UseProxyProtocol }}
-            default          "$http_x_forwarded_for, $proxy_protocol_addr";
-            ''               "$proxy_protocol_addr";
-            {{ else }}
-            default          "$http_x_forwarded_for, $realip_remote_addr";
-            ''               "$realip_remote_addr";
-            {{ end}}
-        }
-
-        {{ end }}
-
-        # Create a variable that contains the literal $ character.
-        # This works because the geo module will not resolve variables.
-        geo $literal_dollar {
-            default "$";
-        }
-
-        server_name_in_redirect off;
-        port_in_redirect        off;
-
-        ssl_protocols {{ $cfg.SSLProtocols }};
-
-        ssl_early_data {{ if $cfg.SSLEarlyData }}on{{ else }}off{{ end }};
-
-        # turn on session caching to drastically improve performance
-        {{ if $cfg.SSLSessionCache }}
-        ssl_session_cache builtin:1000 shared:SSL:{{ $cfg.SSLSessionCacheSize }};
-        ssl_session_timeout {{ $cfg.SSLSessionTimeout }};
-        {{ end }}
-
-        # allow configuring ssl session tickets
-        ssl_session_tickets {{ if $cfg.SSLSessionTickets }}on{{ else }}off{{ end }};
-
-        {{ if not (empty $cfg.SSLSessionTicketKey ) }}
-        ssl_session_ticket_key /etc/nginx/tickets.key;
-        {{ end }}
-
-        # slightly reduce the time-to-first-byte
-        ssl_buffer_size {{ $cfg.SSLBufferSize }};
-
-        {{ if not (empty $cfg.SSLCiphers) }}
-        # allow configuring custom ssl ciphers
-        ssl_ciphers '{{ $cfg.SSLCiphers }}';
-        ssl_prefer_server_ciphers on;
-        {{ end }}
-
-        {{ if not (empty $cfg.SSLDHParam) }}
-        # allow custom DH file http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
-        ssl_dhparam {{ $cfg.SSLDHParam }};
-        {{ end }}
-
-        ssl_ecdh_curve {{ $cfg.SSLECDHCurve }};
-
-        # PEM sha: {{ $cfg.DefaultSSLCertificate.PemSHA }}
-        ssl_certificate     {{ $cfg.DefaultSSLCertificate.PemFileName }};
-        ssl_certificate_key {{ $cfg.DefaultSSLCertificate.PemFileName }};
-
-        {{ if gt (len $cfg.CustomHTTPErrors) 0 }}
-        proxy_intercept_errors on;
-        {{ end }}
-
-        {{ range $errCode := $cfg.CustomHTTPErrors }}
-        error_page {{ $errCode }} = @custom_upstream-default-backend_{{ $errCode }};{{ end }}
-
-        proxy_ssl_session_reuse on;
-
-        {{ if $cfg.AllowBackendServerHeader }}
-        proxy_pass_header Server;
-        {{ end }}
-
-        {{ range $header := $cfg.HideHeaders }}proxy_hide_header {{ $header }};
-        {{ end }}
-
-        {{ if not (empty $cfg.HTTPSnippet) }}
-        # Custom code snippet configured in the configuration configmap
-        {{ $cfg.HTTPSnippet }}
-        {{ end }}
-
-        upstream upstream_balancer {
-            ### Attention!!!
-            #
-            # We no longer create "upstream" section for every backend.
-            # Backends are handled dynamically using Lua. If you would like to debug
-            # and see what backends ingress-nginx has in its memory you can
-            # install our kubectl plugin https://kubernetes.github.io/ingress-nginx/kubectl-plugin.
-            # Once you have the plugin you can use "kubectl ingress-nginx backends" command to
-            # inspect current backends.
-            #
-            ###
-
-            server 0.0.0.1; # placeholder
-
-            balancer_by_lua_block {
-              balancer.balance()
-            }
-
-            {{ if (gt $cfg.UpstreamKeepaliveConnections 0) }}
-            keepalive {{ $cfg.UpstreamKeepaliveConnections }};
-
-            keepalive_timeout  {{ $cfg.UpstreamKeepaliveTimeout }}s;
-            keepalive_requests {{ $cfg.UpstreamKeepaliveRequests }};
-            {{ end }}
-        }
-
-        {{ range $rl := (filterRateLimits $servers ) }}
-        # Ratelimit {{ $rl.Name }}
-        geo $remote_addr $whitelist_{{ $rl.ID }} {
-            default 0;
-            {{ range $ip := $rl.Whitelist }}
-            {{ $ip }} 1;{{ end }}
-        }
-
-        # Ratelimit {{ $rl.Name }}
-        map $whitelist_{{ $rl.ID }} $limit_{{ $rl.ID }} {
-            0 {{ $cfg.LimitConnZoneVariable }};
-            1 "";
-        }
-        {{ end }}
-
-        {{/* build all the required rate limit zones. Each annotation requires a dedicated zone */}}
-        {{/* 1MB -> 16 thousand 64-byte states or about 8 thousand 128-byte states */}}
-        {{ range $zone := (buildRateLimitZones $servers) }}
-        {{ $zone }}
-        {{ end }}
-
-        # Cache for internal auth checks
-        proxy_cache_path /tmp/nginx-cache-auth levels=1:2 keys_zone=auth_cache:10m max_size=128m inactive=30m use_temp_path=off;
-
-        # Global filters
-        {{ range $ip := $cfg.BlockCIDRs }}deny {{ trimSpace $ip }};
-        {{ end }}
-
-        {{ if gt (len $cfg.BlockUserAgents) 0 }}
-        map $http_user_agent $block_ua {
-            default 0;
-
-            {{ range $ua := $cfg.BlockUserAgents }}{{ trimSpace $ua }} 1;
-            {{ end }}
-        }
-        {{ end }}
-
-        {{ if gt (len $cfg.BlockReferers) 0 }}
-        map $http_referer $block_ref {
-            default 0;
-
-            {{ range $ref := $cfg.BlockReferers }}{{ trimSpace $ref }} 1;
-            {{ end }}
-        }
-        {{ end }}
-
-        {{/* Build server redirects (from/to www) */}}
-        {{ range $redirect := .RedirectServers }}
-        ## start server {{ $redirect.From }}
-        server {
-            server_name {{ $redirect.From }};
-
-            {{ buildHTTPListener  $all $redirect.From }}
-            {{ buildHTTPSListener $all $redirect.From }}
-
-            ssl_certificate_by_lua_block {
-                certificate.call()
-            }
-
-            {{ if gt (len $cfg.BlockUserAgents) 0 }}
-            if ($block_ua) {
-              return 403;
-            }
-            {{ end }}
-            {{ if gt (len $cfg.BlockReferers) 0 }}
-            if ($block_ref) {
-              return 403;
-            }
-            {{ end }}
-
-            set_by_lua_block $redirect_to {
-                local request_uri = ngx.var.request_uri
-                if string.sub(request_uri, -1) == "/" then
-                    request_uri = string.sub(request_uri, 1, -2)
-                end
-
-                {{ if ne $all.ListenPorts.HTTPS 443 }}
-                {{ $redirect_port := (printf ":%v" $all.ListenPorts.HTTPS) }}
-                return string.format("%s://%s%s%s", ngx.var.scheme, "{{ $redirect.To }}", "{{ $redirect_port }}", request_uri)
-                {{ else }}
-                return string.format("%s://%s%s", ngx.var.scheme, "{{ $redirect.To }}", request_uri)
-                {{ end }}
-            }
-
-            return {{ $all.Cfg.HTTPRedirectCode }} $redirect_to;
-        }
-        ## end server {{ $redirect.From }}
-        {{ end }}
-
-        {{ range $server := $servers }}
-
-        ## start server {{ $server.Hostname }}
-        server {
-            server_name {{ buildServerName $server.Hostname }} {{range $server.Aliases }}{{ . }} {{ end }};
-
-            {{ if gt (len $cfg.BlockUserAgents) 0 }}
-            if ($block_ua) {
-              return 403;
-            }
-            {{ end }}
-            {{ if gt (len $cfg.BlockReferers) 0 }}
-            if ($block_ref) {
-              return 403;
-            }
-            {{ end }}
-
-            {{ template "SERVER" serverConfig $all $server }}
-
-            {{ if not (empty $cfg.ServerSnippet) }}
-            # Custom code snippet configured in the configuration configmap
-            {{ $cfg.ServerSnippet }}
-            {{ end }}
-
-            {{ template "CUSTOM_ERRORS" (buildCustomErrorDeps "upstream-default-backend" $cfg.CustomHTTPErrors $all.EnableMetrics) }}
-        }
-        ## end server {{ $server.Hostname }}
-
-        {{ end }}
-
-        # backend for when default-backend-service is not configured or it does not have endpoints
-        server {
-            listen {{ $all.ListenPorts.Default }} default_server {{ if $all.Cfg.ReusePort }}reuseport{{ end }} backlog={{ $all.BacklogSize }};
-            {{ if $IsIPV6Enabled }}listen [::]:{{ $all.ListenPorts.Default }} default_server {{ if $all.Cfg.ReusePort }}reuseport{{ end }} backlog={{ $all.BacklogSize }};{{ end }}
-            set $proxy_upstream_name "internal";
-
-            access_log off;
-
-            location / {
-              return 404;
-            }
-        }
-
-        # default server, used for NGINX healthcheck and access to nginx stats
-        server {
-            listen 127.0.0.1:{{ .StatusPort }};
-            set $proxy_upstream_name "internal";
-
-            keepalive_timeout 0;
-            gzip off;
-
-            access_log off;
-
-            {{ if $cfg.EnableOpentracing }}
-            opentracing off;
-            {{ end }}
-
-            location {{ $healthzURI }} {
-                return 200;
-            }
-
-            location /is-dynamic-lb-initialized {
-                content_by_lua_block {
-                    local configuration = require("configuration")
-                    local backend_data = configuration.get_backends_data()
-                    if not backend_data then
-                        ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
-                        return
-                    end
-
-                    ngx.say("OK")
-                    ngx.exit(ngx.HTTP_OK)
-                }
-            }
-
-            location {{ .StatusPath }} {
-                stub_status on;
-            }
-
-            location /configuration {
-                client_max_body_size                    {{ luaConfigurationRequestBodySize $cfg }}m;
-                client_body_buffer_size                 {{ luaConfigurationRequestBodySize $cfg }}m;
-                proxy_buffering                         off;
-
-                content_by_lua_block {
-                  configuration.call()
-                }
-            }
-
-            location / {
-                content_by_lua_block {
-                    ngx.exit(ngx.HTTP_NOT_FOUND)
-                }
-            }
-        }
-    }
-
-    stream {
-        lua_package_path "/etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/?.lua;;";
-
-        lua_shared_dict tcp_udp_configuration_data 5M;
-
-        init_by_lua_block {
-            collectgarbage("collect")
-
-            -- init modules
-            local ok, res
-
-            ok, res = pcall(require, "configuration")
-            if not ok then
-              error("require failed: " .. tostring(res))
-            else
-              configuration = res
-            end
-
-            ok, res = pcall(require, "tcp_udp_configuration")
-            if not ok then
-              error("require failed: " .. tostring(res))
-            else
-              tcp_udp_configuration = res
-            end
-
-            ok, res = pcall(require, "tcp_udp_balancer")
-            if not ok then
-              error("require failed: " .. tostring(res))
-            else
-              tcp_udp_balancer = res
-            end
-        }
-
-        init_worker_by_lua_block {
-            tcp_udp_balancer.init_worker()
-        }
-
-        lua_add_variable $proxy_upstream_name;
-
-        log_format log_stream '{{ $cfg.LogFormatStream }}';
-
-        {{ if or $cfg.DisableAccessLog $cfg.DisableStreamAccessLog }}
-        access_log off;
-        {{ else }}
-        access_log {{ or $cfg.StreamAccessLogPath $cfg.AccessLogPath }} log_stream {{ $cfg.AccessLogParams }};
-        {{ end }}
-
-        error_log  {{ $cfg.ErrorLogPath }} {{ $cfg.ErrorLogLevel }};
-
-        {{ if $cfg.EnableRealIp }}
-        {{ range $trusted_ip := $cfg.ProxyRealIPCIDR }}
-        set_real_ip_from    {{ $trusted_ip }};
-        {{ end }}
-        {{ end }}
-
-        upstream upstream_balancer {
-            server 0.0.0.1:1234; # placeholder
-
-            balancer_by_lua_block {
-              tcp_udp_balancer.balance()
-            }
-        }
-
-        server {
-            listen 127.0.0.1:{{ .StreamPort }};
-
-            access_log off;
-
-            content_by_lua_block {
-              tcp_udp_configuration.call()
-            }
-        }
-
-        # TCP services
-        {{ range $tcpServer := .TCPBackends }}
-        server {
-            preread_by_lua_block {
-                ngx.var.proxy_upstream_name="tcp-{{ $tcpServer.Backend.Namespace }}-{{ $tcpServer.Backend.Name }}-{{ $tcpServer.Backend.Port }}";
-            }
-
-            {{ range $address := $all.Cfg.BindAddressIpv4 }}
-            listen                  {{ $address }}:{{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }};
-            {{ else }}
-            listen                  {{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }};
-            {{ end }}
-            {{ if $IsIPV6Enabled }}
-            {{ range $address := $all.Cfg.BindAddressIpv6 }}
-            listen                  {{ $address }}:{{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }};
-            {{ else }}
-            listen                  [::]:{{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }};
-            {{ end }}
-            {{ end }}
-            proxy_timeout           {{ $cfg.ProxyStreamTimeout }};
-            proxy_next_upstream     {{ if $cfg.ProxyStreamNextUpstream }}on{{ else }}off{{ end }};
-            proxy_next_upstream_timeout {{ $cfg.ProxyStreamNextUpstreamTimeout }};
-            proxy_next_upstream_tries   {{ $cfg.ProxyStreamNextUpstreamTries }};
-
-            proxy_pass              upstream_balancer;
-            {{ if $tcpServer.Backend.ProxyProtocol.Encode }}
-            proxy_protocol          on;
-            {{ end }}
-        }
-        {{ end }}
-
-        # UDP services
-        {{ range $udpServer := .UDPBackends }}
-        server {
-            preread_by_lua_block {
-                ngx.var.proxy_upstream_name="udp-{{ $udpServer.Backend.Namespace }}-{{ $udpServer.Backend.Name }}-{{ $udpServer.Backend.Port }}";
-            }
-
-            {{ range $address := $all.Cfg.BindAddressIpv4 }}
-            listen                  {{ $address }}:{{ $udpServer.Port }} udp;
-            {{ else }}
-            listen                  {{ $udpServer.Port }} udp;
-            {{ end }}
-            {{ if $IsIPV6Enabled }}
-            {{ range $address := $all.Cfg.BindAddressIpv6 }}
-            listen                  {{ $address }}:{{ $udpServer.Port }} udp;
-            {{ else }}
-            listen                  [::]:{{ $udpServer.Port }} udp;
-            {{ end }}
-            {{ end }}
-            proxy_responses         {{ $cfg.ProxyStreamResponses }};
-            proxy_timeout           {{ $cfg.ProxyStreamTimeout }};
-            proxy_next_upstream     {{ if $cfg.ProxyStreamNextUpstream }}on{{ else }}off{{ end }};
-            proxy_next_upstream_timeout {{ $cfg.ProxyStreamNextUpstreamTimeout }};
-            proxy_next_upstream_tries   {{ $cfg.ProxyStreamNextUpstreamTries }};
-            proxy_pass              upstream_balancer;
-        }
-        {{ end }}
-    }
-
-    {{/* definition of templates to avoid repetitions */}}
-    {{ define "CUSTOM_ERRORS" }}
-            {{ $enableMetrics := .EnableMetrics }}
-            {{ $upstreamName := .UpstreamName }}
-            {{ range $errCode := .ErrorCodes }}
-            location @custom_{{ $upstreamName }}_{{ $errCode }} {
-                internal;
-
-                proxy_intercept_errors off;
-
-                proxy_set_header       X-Code             {{ $errCode }};
-                proxy_set_header       X-Format           $http_accept;
-                proxy_set_header       X-Original-URI     $request_uri;
-                proxy_set_header       X-Namespace        $namespace;
-                proxy_set_header       X-Ingress-Name     $ingress_name;
-                proxy_set_header       X-Service-Name     $service_name;
-                proxy_set_header       X-Service-Port     $service_port;
-                proxy_set_header       X-Request-ID       $req_id;
-                proxy_set_header       Host               $best_http_host;
-
-                set $proxy_upstream_name {{ $upstreamName | quote }};
-
-                rewrite                (.*) / break;
-
-                proxy_pass            http://upstream_balancer;
-                log_by_lua_block {
-                    {{ if $enableMetrics }}
-                    monitor.call()
-                    {{ end }}
-                }
-            }
-            {{ end }}
-    {{ end }}
-
-    {{/* CORS support from https://michielkalkman.com/snippets/nginx-cors-open-configuration.html */}}
-    {{ define "CORS" }}
-        {{ $cors := .CorsConfig }}
-        # Cors Preflight methods needs additional options and different Return Code
-        if ($request_method = 'OPTIONS') {
-            more_set_headers 'Access-Control-Allow-Origin: {{ $cors.CorsAllowOrigin }}';
-            {{ if $cors.CorsAllowCredentials }} more_set_headers 'Access-Control-Allow-Credentials: {{ $cors.CorsAllowCredentials }}'; {{ end }}
-            more_set_headers 'Access-Control-Allow-Methods: {{ $cors.CorsAllowMethods }}';
-            more_set_headers 'Access-Control-Allow-Headers: {{ $cors.CorsAllowHeaders }}';
-            {{ if not (empty $cors.CorsExposeHeaders) }} more_set_headers 'Access-Control-Expose-Headers: {{ $cors.CorsExposeHeaders }}'; {{ end }}
-            more_set_headers 'Access-Control-Max-Age: {{ $cors.CorsMaxAge }}';
-            more_set_headers 'Content-Type: text/plain charset=UTF-8';
-            more_set_headers 'Content-Length: 0';
-            return 204;
-        }
-
-            more_set_headers 'Access-Control-Allow-Origin: {{ $cors.CorsAllowOrigin }}';
-            {{ if $cors.CorsAllowCredentials }} more_set_headers 'Access-Control-Allow-Credentials: {{ $cors.CorsAllowCredentials }}'; {{ end }}
-            {{ if not (empty $cors.CorsExposeHeaders) }} more_set_headers 'Access-Control-Expose-Headers: {{ $cors.CorsExposeHeaders }}'; {{ end }}
-
-    {{ end }}
-
-    {{/* definition of server-template to avoid repetitions with server-alias */}}
-    {{ define "SERVER" }}
-            {{ $all := .First }}
-            {{ $server := .Second }}
-
-            {{ buildHTTPListener  $all $server.Hostname }}
-            {{ buildHTTPSListener $all $server.Hostname }}
-
-            set $proxy_upstream_name "-";
-
-            ssl_certificate_by_lua_block {
-                certificate.call()
-            }
-
-            {{ if not (empty $server.AuthTLSError) }}
-            # {{ $server.AuthTLSError }}
-            return 403;
-            {{ else }}
-
-            {{ if not (empty $server.CertificateAuth.CAFileName) }}
-            # PEM sha: {{ $server.CertificateAuth.CASHA }}
-            ssl_client_certificate                  {{ $server.CertificateAuth.CAFileName }};
-            ssl_verify_client                       {{ $server.CertificateAuth.VerifyClient }};
-            ssl_verify_depth                        {{ $server.CertificateAuth.ValidationDepth }};
-
-            {{ if not (empty $server.CertificateAuth.CRLFileName) }}
-            # PEM sha: {{ $server.CertificateAuth.CRLSHA }}
-            ssl_crl                                 {{ $server.CertificateAuth.CRLFileName }};
-            {{ end }}
-
-            {{ if not (empty $server.CertificateAuth.ErrorPage)}}
-            error_page 495 496 = {{ $server.CertificateAuth.ErrorPage }};
-            {{ end }}
-            {{ end }}
-
-            {{ if not (empty $server.ProxySSL.CAFileName) }}
-            # PEM sha: {{ $server.ProxySSL.CASHA }}
-            proxy_ssl_trusted_certificate           {{ $server.ProxySSL.CAFileName }};
-            proxy_ssl_ciphers                       {{ $server.ProxySSL.Ciphers }};
-            proxy_ssl_protocols                     {{ $server.ProxySSL.Protocols }};
-            proxy_ssl_verify                        {{ $server.ProxySSL.Verify }};
-            proxy_ssl_verify_depth                  {{ $server.ProxySSL.VerifyDepth }};
-            {{ if not (empty $server.ProxySSL.ProxySSLName) }}
-            proxy_ssl_name                          {{ $server.ProxySSL.ProxySSLName }};
-            proxy_ssl_server_name                   {{ $server.ProxySSL.ProxySSLServerName }};
-            {{ end }}
-            {{ end }}
-
-            {{ if not (empty $server.ProxySSL.PemFileName) }}
-            proxy_ssl_certificate                   {{ $server.ProxySSL.PemFileName }};
-            proxy_ssl_certificate_key               {{ $server.ProxySSL.PemFileName }};
-            {{ end }}
-
-            {{ if not (empty $server.SSLCiphers) }}
-            ssl_ciphers                             {{ $server.SSLCiphers }};
-            {{ end }}
-
-            {{ if not (empty $server.SSLPreferServerCiphers) }}
-            ssl_prefer_server_ciphers               {{ $server.SSLPreferServerCiphers }};
-            {{ end }}
-
-            {{ if not (empty $server.ServerSnippet) }}
-            # Custom code snippet configured for host {{ $server.Hostname }}
-            {{ $server.ServerSnippet }}
-            {{ end }}
-
-            {{ range $errorLocation := (buildCustomErrorLocationsPerServer $server) }}
-            {{ template "CUSTOM_ERRORS" (buildCustomErrorDeps $errorLocation.UpstreamName $errorLocation.Codes $all.EnableMetrics) }}
-            {{ end }}
-
-            {{ buildMirrorLocations $server.Locations }}
-
-            {{ $enforceRegex := enforceRegexModifier $server.Locations }}
-            {{ range $location := $server.Locations }}
-            {{ $path := buildLocation $location $enforceRegex }}
-            {{ $proxySetHeader := proxySetHeader $location }}
-            {{ $authPath := buildAuthLocation $location $all.Cfg.GlobalExternalAuth.URL }}
-            {{ $applyGlobalAuth := shouldApplyGlobalAuth $location $all.Cfg.GlobalExternalAuth.URL }}
-
-            {{ $externalAuth := $location.ExternalAuth }}
-            {{ if eq $applyGlobalAuth true }}
-            {{ $externalAuth = $all.Cfg.GlobalExternalAuth }}
-            {{ end }}
-
-            {{ if not (empty $location.Rewrite.AppRoot) }}
-            if ($uri = /) {
-                return 302 $scheme://$http_host{{ $location.Rewrite.AppRoot }};
-            }
-            {{ end }}
-
-            {{ if $authPath }}
-            location = {{ $authPath }} {
-                internal;
-
-                {{ if (or $all.Cfg.EnableOpentracing $location.Opentracing.Enabled) }}
-                opentracing on;
-                opentracing_propagate_context;
-                {{ end }}
-
-                {{ if $externalAuth.AuthCacheKey }}
-                set $tmp_cache_key '{{ $server.Hostname }}{{ $authPath }}{{ $externalAuth.AuthCacheKey }}';
-                set $cache_key '';
-
-                rewrite_by_lua_block {
-                    ngx.var.cache_key = ngx.encode_base64(ngx.sha1_bin(ngx.var.tmp_cache_key))
-                }
-
-                proxy_cache auth_cache;
-
-                {{- range $dur := $externalAuth.AuthCacheDuration }}
-                proxy_cache_valid {{ $dur }};
-                {{- end }}
-
-                proxy_cache_key "$cache_key";
-                {{ end }}
-
-                # ngx_auth_request module overrides variables in the parent request,
-                # therefore we have to explicitly set this variable again so that when the parent request
-                # resumes it has the correct value set for this variable so that Lua can pick backend correctly
-                set $proxy_upstream_name {{ buildUpstreamName $location | quote }};
-
-                proxy_pass_request_body     off;
-                proxy_set_header            Content-Length          "";
-                proxy_set_header            X-Forwarded-Proto       "";
-                proxy_set_header            X-Request-ID            $req_id;
-
-                {{ if $externalAuth.Method }}
-                proxy_method                {{ $externalAuth.Method }};
-                proxy_set_header            X-Original-URI          $request_uri;
-                proxy_set_header            X-Scheme                $pass_access_scheme;
-                {{ end }}
-
-                proxy_set_header            Host                    {{ $externalAuth.Host }};
-                proxy_set_header            X-Original-URL          $scheme://$http_host$request_uri;
-                proxy_set_header            X-Original-Method       $request_method;
-                proxy_set_header            X-Sent-From             "nginx-ingress-controller";
-                proxy_set_header            X-Real-IP               $remote_addr;
-                {{ if and $all.Cfg.UseForwardedHeaders $all.Cfg.ComputeFullForwardedFor }}
-                proxy_set_header            X-Forwarded-For        $full_x_forwarded_for;
-                {{ else }}
-                proxy_set_header            X-Forwarded-For        $remote_addr;
-                {{ end }}
-
-                {{ if $externalAuth.RequestRedirect }}
-                proxy_set_header            X-Auth-Request-Redirect {{ $externalAuth.RequestRedirect }};
-                {{ else }}
-                proxy_set_header            X-Auth-Request-Redirect $request_uri;
-                {{ end }}
-
-                {{ if $externalAuth.AuthCacheKey }}
-                proxy_buffering                         "on";
-                {{ else }}
-                proxy_buffering                         {{ $location.Proxy.ProxyBuffering }};
-                {{ end }}
-                proxy_buffer_size                       {{ $location.Proxy.BufferSize }};
-                proxy_buffers                           {{ $location.Proxy.BuffersNumber }} {{ $location.Proxy.BufferSize }};
-                proxy_request_buffering                 {{ $location.Proxy.RequestBuffering }};
-                proxy_http_version                      {{ $location.Proxy.ProxyHTTPVersion }};
-
-                proxy_ssl_server_name       on;
-                proxy_pass_request_headers  on;
-                {{ if isValidByteSize $location.Proxy.BodySize true }}
-                client_max_body_size        {{ $location.Proxy.BodySize }};
-                {{ end }}
-                {{ if isValidByteSize $location.ClientBodyBufferSize false }}
-                client_body_buffer_size     {{ $location.ClientBodyBufferSize }};
-                {{ end }}
-
-                # Pass the extracted client certificate to the auth provider
-                {{ if not (empty $server.CertificateAuth.CAFileName) }}
-                {{ if $server.CertificateAuth.PassCertToUpstream }}
-                proxy_set_header ssl-client-cert        $ssl_client_escaped_cert;
-                {{ end }}
-                proxy_set_header ssl-client-verify      $ssl_client_verify;
-                proxy_set_header ssl-client-subject-dn  $ssl_client_s_dn;
-                proxy_set_header ssl-client-issuer-dn   $ssl_client_i_dn;
-                {{ end }}
-
-                {{- range $line := buildAuthProxySetHeaders $externalAuth.ProxySetHeaders}}
-                {{ $line }}
-                {{- end }}
-
-                {{ if not (empty $externalAuth.AuthSnippet) }}
-                {{ $externalAuth.AuthSnippet }}
-                {{ end }}
-
-                set $target {{ $externalAuth.URL }};
-                proxy_pass $target;
-            }
-            {{ end }}
-
-            {{ if isLocationAllowed $location }}
-            {{ if $externalAuth.SigninURL }}
-            location {{ buildAuthSignURLLocation $location.Path $externalAuth.SigninURL }} {
-                internal;
-
-                add_header Set-Cookie $auth_cookie;
-
-                return 302 {{ buildAuthSignURL $externalAuth.SigninURL $externalAuth.SigninURLRedirectParam }};
-            }
-            {{ end }}
-            {{ end }}
-
-            location {{ $path }} {
-                {{ $ing := (getIngressInformation $location.Ingress $server.Hostname $location.IngressPath) }}
-                set $namespace      {{ $ing.Namespace | quote}};
-                set $ingress_name   {{ $ing.Rule | quote }};
-                set $service_name   {{ $ing.Service | quote }};
-                set $service_port   {{ $ing.ServicePort | quote }};
-                set $location_path  {{ $ing.Path | escapeLiteralDollar | quote }};
-                set $global_rate_limit_exceeding n;
-
-                {{ buildOpentracingForLocation $all.Cfg.EnableOpentracing $location }}
-
-                {{ if $location.Mirror.Source }}
-                mirror {{ $location.Mirror.Source }};
-                mirror_request_body {{ $location.Mirror.RequestBody }};
-                {{ end }}
-
-                rewrite_by_lua_block {
-                    lua_ingress.rewrite({{ locationConfigForLua $location $all }})
-                    balancer.rewrite()
-                    plugins.run()
-                }
-
-                # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
-                # will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
-                # other authentication method such as basic auth or external auth useless - all requests will be allowed.
-                #access_by_lua_block {
-                #}
-
-                header_filter_by_lua_block {
-                    lua_ingress.header()
-                    plugins.run()
-                }
-
-                body_filter_by_lua_block {
-                    plugins.run()
-                }
-
-                log_by_lua_block {
-                    balancer.log()
-                    {{ if $all.EnableMetrics }}
-                    monitor.call()
-                    {{ end }}
-
-                    plugins.run()
-                }
-
-                {{ if not $location.Logs.Access }}
-                access_log off;
-                {{ end }}
-
-                {{ if $location.Logs.Rewrite }}
-                rewrite_log on;
-                {{ end }}
-
-                {{ if $location.HTTP2PushPreload }}
-                http2_push_preload on;
-                {{ end }}
-
-                port_in_redirect {{ if $location.UsePortInRedirects }}on{{ else }}off{{ end }};
-
-                set $balancer_ewma_score -1;
-                set $proxy_upstream_name {{ buildUpstreamName $location | quote }};
-                set $proxy_host          $proxy_upstream_name;
-                set $pass_access_scheme  $scheme;
-
-                {{ if $all.Cfg.UseProxyProtocol }}
-                set $pass_server_port    $proxy_protocol_server_port;
-                {{ else }}
-                set $pass_server_port    $server_port;
-                {{ end }}
-
-                set $best_http_host      $http_host;
-                set $pass_port           $pass_server_port;
-
-                set $proxy_alternative_upstream_name "";
-
-                {{ buildModSecurityForLocation $all.Cfg $location }}
-
-                {{ if isLocationAllowed $location }}
-                {{ if gt (len $location.Whitelist.CIDR) 0 }}
-                {{ range $ip := $location.Whitelist.CIDR }}
-                allow {{ $ip }};{{ end }}
-                deny all;
-                {{ end }}
-
-                {{ if not (isLocationInLocationList $location $all.Cfg.NoAuthLocations) }}
-                {{ if $authPath }}
-                # this location requires authentication
-                auth_request        {{ $authPath }};
-                auth_request_set    $auth_cookie $upstream_http_set_cookie;
-                add_header          Set-Cookie $auth_cookie;
-                {{- range $line := buildAuthResponseHeaders $externalAuth.ResponseHeaders }}
-                {{ $line }}
-                {{- end }}
-                {{ end }}
-
-                {{ if $externalAuth.SigninURL }}
-                set_escape_uri $escaped_request_uri $request_uri;
-                error_page 401 = {{ buildAuthSignURLLocation $location.Path $externalAuth.SigninURL }};
-                {{ end }}
-
-                {{ if $location.BasicDigestAuth.Secured }}
-                {{ if eq $location.BasicDigestAuth.Type "basic" }}
-                auth_basic {{ $location.BasicDigestAuth.Realm | quote }};
-                auth_basic_user_file {{ $location.BasicDigestAuth.File }};
-                {{ else }}
-                auth_digest {{ $location.BasicDigestAuth.Realm | quote }};
-                auth_digest_user_file {{ $location.BasicDigestAuth.File }};
-                {{ end }}
-                proxy_set_header Authorization "";
-                {{ end }}
-                {{ end }}
-
-                {{/* if the location contains a rate limit annotation, create one */}}
-                {{ $limits := buildRateLimit $location }}
-                {{ range $limit := $limits }}
-                {{ $limit }}{{ end }}
-
-                {{ if $location.CorsConfig.CorsEnabled }}
-                {{ template "CORS" $location }}
-                {{ end }}
-
-                {{ buildInfluxDB $location.InfluxDB }}
-
-
-                {{ if isValidByteSize $location.ClientBodyBufferSize false }}
-                client_body_buffer_size                 {{ $location.ClientBodyBufferSize }};
-                {{ end }}
-
-                {{/* By default use vhost as Host to upstream, but allow overrides */}}
-                {{ if not (eq $proxySetHeader "grpc_set_header") }}
-                {{ if not (empty $location.UpstreamVhost) }}
-                {{ $proxySetHeader }} Host                   {{ $location.UpstreamVhost | quote }};
-                {{ else }}
-                {{ $proxySetHeader }} Host                   $best_http_host;
-                {{ end }}
-                {{ end }}
-
-                # Pass the extracted client certificate to the backend
-                {{ if not (empty $server.CertificateAuth.CAFileName) }}
-                {{ if $server.CertificateAuth.PassCertToUpstream }}
-                {{ $proxySetHeader }} ssl-client-cert        $ssl_client_escaped_cert;
-                {{ end }}
-                {{ $proxySetHeader }} ssl-client-verify      $ssl_client_verify;
-                {{ $proxySetHeader }} ssl-client-subject-dn  $ssl_client_s_dn;
-                {{ $proxySetHeader }} ssl-client-issuer-dn   $ssl_client_i_dn;
-                {{ end }}
-
-                # Allow websocket connections
-                {{ $proxySetHeader }}                        Upgrade           $http_upgrade;
-                {{ if $location.Connection.Enabled}}
-                {{ $proxySetHeader }}                        Connection        {{ $location.Connection.Header }};
-                {{ else }}
-                {{ $proxySetHeader }}                        Connection        $connection_upgrade;
-                {{ end }}
-
-                {{ $proxySetHeader }} X-Request-ID           $req_id;
-                {{ $proxySetHeader }} X-Real-IP              $remote_addr;
-                {{ if and $all.Cfg.UseForwardedHeaders $all.Cfg.ComputeFullForwardedFor }}
-                {{ $proxySetHeader }} X-Forwarded-For        $full_x_forwarded_for;
-                {{ else }}
-                {{ $proxySetHeader }} X-Forwarded-For        $remote_addr;
-                {{ end }}
-                {{ $proxySetHeader }} X-Forwarded-Host       $best_http_host;
-                {{ $proxySetHeader }} X-Forwarded-Port       $pass_port;
-                {{ $proxySetHeader }} X-Forwarded-Proto      $pass_access_scheme;
-                {{ if $all.Cfg.ProxyAddOriginalURIHeader }}
-                {{ $proxySetHeader }} X-Original-URI         $request_uri;
-                {{ end }}
-                {{ $proxySetHeader }} X-Scheme               $pass_access_scheme;
-
-                # Pass the original X-Forwarded-For
-                {{ $proxySetHeader }} X-Original-Forwarded-For {{ buildForwardedFor $all.Cfg.ForwardedForHeader }};
-
-                # mitigate HTTPoxy Vulnerability
-                # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
-                {{ $proxySetHeader }} Proxy                  "";
-
-                # Custom headers to proxied server
-                {{ range $k, $v := $all.ProxySetHeaders }}
-                {{ $proxySetHeader }} {{ $k }}                    {{ $v | quote }};
-                {{ end }}
-
-                proxy_connect_timeout                   {{ $location.Proxy.ConnectTimeout }}s;
-                proxy_send_timeout                      {{ $location.Proxy.SendTimeout }}s;
-                proxy_read_timeout                      {{ $location.Proxy.ReadTimeout }}s;
-
-                proxy_buffering                         {{ $location.Proxy.ProxyBuffering }};
-                proxy_buffer_size                       {{ $location.Proxy.BufferSize }};
-                proxy_buffers                           {{ $location.Proxy.BuffersNumber }} {{ $location.Proxy.BufferSize }};
-                {{ if isValidByteSize $location.Proxy.ProxyMaxTempFileSize true }}
-                proxy_max_temp_file_size                {{ $location.Proxy.ProxyMaxTempFileSize }};
-                {{ end }}
-                proxy_request_buffering                 {{ $location.Proxy.RequestBuffering }};
-                proxy_http_version                      {{ $location.Proxy.ProxyHTTPVersion }};
-
-                proxy_cookie_domain                     {{ $location.Proxy.CookieDomain }};
-                proxy_cookie_path                       {{ $location.Proxy.CookiePath }};
-
-                # In case of errors try the next upstream server before returning an error
-                proxy_next_upstream                     {{ buildNextUpstream $location.Proxy.NextUpstream $all.Cfg.RetryNonIdempotent }};
-                proxy_next_upstream_timeout             {{ $location.Proxy.NextUpstreamTimeout }};
-                proxy_next_upstream_tries               {{ $location.Proxy.NextUpstreamTries }};
-
-                {{/* Add any additional configuration defined */}}
-                {{ $location.ConfigurationSnippet }}
-
-                {{ if not (empty $all.Cfg.LocationSnippet) }}
-                # Custom code snippet configured in the configuration configmap
-                {{ $all.Cfg.LocationSnippet }}
-                {{ end }}
-
-                {{/* if we are sending the request to a custom default backend, we add the required headers */}}
-                {{ if (hasPrefix $location.Backend "custom-default-backend-") }}
-                proxy_set_header       X-Code             503;
-                proxy_set_header       X-Format           $http_accept;
-                proxy_set_header       X-Namespace        $namespace;
-                proxy_set_header       X-Ingress-Name     $ingress_name;
-                proxy_set_header       X-Service-Name     $service_name;
-                proxy_set_header       X-Service-Port     $service_port;
-                proxy_set_header       X-Request-ID       $req_id;
-                {{ end }}
-
-                {{ if $location.Satisfy }}
-                satisfy {{ $location.Satisfy }};
-                {{ end }}
-
-                {{/* if a location-specific error override is set, add the proxy_intercept here */}}
-                {{ if $location.CustomHTTPErrors }}
-                # Custom error pages per ingress
-                proxy_intercept_errors on;
-                {{ end }}
-
-                {{ range $errCode := $location.CustomHTTPErrors }}
-                error_page {{ $errCode }} = @custom_{{ $location.DefaultBackendUpstreamName }}_{{ $errCode }};{{ end }}
-
-                {{ if (eq $location.BackendProtocol "FCGI") }}
-                include /etc/nginx/fastcgi_params;
-                {{ end }}
-                {{- if $location.FastCGI.Index -}}
-                fastcgi_index {{ $location.FastCGI.Index | quote }};
-                {{- end -}}
-                {{ range $k, $v := $location.FastCGI.Params }}
-                fastcgi_param {{ $k }} {{ $v | quote }};
-                {{ end }}
-
-                {{ if not (empty $location.Redirect.URL) }}
-                return {{ $location.Redirect.Code }} {{ $location.Redirect.URL }};
-                {{ end }}
-
-                {{ buildProxyPass $server.Hostname $all.Backends $location }}
-                {{ if (or (eq $location.Proxy.ProxyRedirectFrom "default") (eq $location.Proxy.ProxyRedirectFrom "off")) }}
-                proxy_redirect                          {{ $location.Proxy.ProxyRedirectFrom }};
-                {{ else if not (eq $location.Proxy.ProxyRedirectTo "off") }}
-                proxy_redirect                          {{ $location.Proxy.ProxyRedirectFrom }} {{ $location.Proxy.ProxyRedirectTo }};
-                {{ end }}
-                {{ else }}
-                # Location denied. Reason: {{ $location.Denied | quote }}
-                return 503;
-                {{ end }}
-                {{ if not (empty $location.ProxySSL.CAFileName) }}
-                # PEM sha: {{ $location.ProxySSL.CASHA }}
-                proxy_ssl_trusted_certificate           {{ $location.ProxySSL.CAFileName }};
-                proxy_ssl_ciphers                       {{ $location.ProxySSL.Ciphers }};
-                proxy_ssl_protocols                     {{ $location.ProxySSL.Protocols }};
-                proxy_ssl_verify                        {{ $location.ProxySSL.Verify }};
-                proxy_ssl_verify_depth                  {{ $location.ProxySSL.VerifyDepth }};
-                {{ end }}
-
-                {{ if not (empty $location.ProxySSL.ProxySSLName) }}
-                proxy_ssl_name                          {{ $location.ProxySSL.ProxySSLName }};
-                {{ end }}
-                {{ if not (empty $location.ProxySSL.ProxySSLServerName) }}
-                proxy_ssl_server_name                   {{ $location.ProxySSL.ProxySSLServerName }};
-                {{ end }}
-
-                {{ if not (empty $location.ProxySSL.PemFileName) }}
-                proxy_ssl_certificate                   {{ $location.ProxySSL.PemFileName }};
-                proxy_ssl_certificate_key               {{ $location.ProxySSL.PemFileName }};
-                {{ end }}
-            }
-            {{ end }}
-            {{ end }}
-
-            {{ if eq $server.Hostname "_" }}
-            # health checks in cloud providers require the use of port {{ $all.ListenPorts.HTTP }}
-            location {{ $all.HealthzURI }} {
-                {{ if $all.Cfg.EnableOpentracing }}
-                opentracing off;
-                {{ end }}
-
-                access_log off;
-                return 200;
-            }
-
-            # this is required to avoid error if nginx is being monitored
-            # with an external software (like sysdig)
-            location /nginx_status {
-                {{ if $all.Cfg.EnableOpentracing }}
-                opentracing off;
-                {{ end }}
-
-                {{ range $v := $all.NginxStatusIpv4Whitelist }}
-                allow {{ $v }};
-                {{ end }}
-                {{ if $all.IsIPV6Enabled -}}
-                {{ range $v := $all.NginxStatusIpv6Whitelist }}
-                allow {{ $v }};
-                {{ end }}
-                {{ end -}}
-                deny all;
-
-                access_log off;
-                stub_status on;
-            }
-
-            {{ end }}
-
-    {{ end }}
diff --git a/ingress/nginx-ingress-v1.1.0.yaml b/ingress/nginx-ingress-v1.1.0.yaml
deleted file mode 100644
index 094ace53eade931eb7a45f69fd95653c1d9d30ed..0000000000000000000000000000000000000000
--- a/ingress/nginx-ingress-v1.1.0.yaml
+++ /dev/null
@@ -1,687 +0,0 @@
-
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: ingress-nginx
-  labels:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-
----
-# Source: ingress-nginx/templates/controller-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.10
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: ingress-nginx
-  namespace: ingress-nginx
-automountServiceAccountToken: true
----
-# Source: ingress-nginx/templates/controller-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.10
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: ingress-nginx-controller
-  namespace: ingress-nginx
-data:
-  allow-snippet-annotations: 'true'
-  use-proxy-protocol: 'true'
----
-# Source: ingress-nginx/templates/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.10
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
-    app.kubernetes.io/managed-by: Helm
-  name: ingress-nginx
-rules:
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-      - endpoints
-      - nodes
-      - pods
-      - secrets
-      - namespaces
-    verbs:
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - nodes
-    verbs:
-      - get
-  - apiGroups:
-      - ''
-    resources:
-      - services
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingressclasses
-    verbs:
-      - get
-      - list
-      - watch
----
-# Source: ingress-nginx/templates/clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.10
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
-    app.kubernetes.io/managed-by: Helm
-  name: ingress-nginx
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: ingress-nginx
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/controller-role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.10
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: ingress-nginx
-  namespace: ingress-nginx
-rules:
-  - apiGroups:
-      - ''
-    resources:
-      - namespaces
-    verbs:
-      - get
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-      - pods
-      - secrets
-      - endpoints
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - services
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingressclasses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-    resourceNames:
-      - ingress-controller-leader
-    verbs:
-      - get
-      - update
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-    verbs:
-      - create
-  - apiGroups:
-      - ''
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
----
-# Source: ingress-nginx/templates/controller-rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.10
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: ingress-nginx
-  namespace: ingress-nginx
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: ingress-nginx
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/controller-service-webhook.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.10
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: ingress-nginx-controller-admission
-  namespace: ingress-nginx
-spec:
-  type: ClusterIP
-  ports:
-    - name: https-webhook
-      port: 443
-      targetPort: webhook
-      appProtocol: https
-  selector:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/component: controller
----
-# Source: ingress-nginx/templates/controller-service.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  annotations:
-    service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true'
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.10
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: ingress-nginx-controller
-  namespace: ingress-nginx
-spec:
-  type: LoadBalancer
-  externalTrafficPolicy: Local
-  ipFamilyPolicy: SingleStack
-  ipFamilies:
-    - IPv4
-  ports:
-    - name: http
-      port: 80
-      protocol: TCP
-      targetPort: http
-      appProtocol: http
-    - name: https
-      port: 443
-      protocol: TCP
-      targetPort: https
-      appProtocol: https
-  selector:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/component: controller
----
-# Source: ingress-nginx/templates/controller-deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.10
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: ingress-nginx-controller
-  namespace: ingress-nginx
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: ingress-nginx
-      app.kubernetes.io/instance: ingress-nginx
-      app.kubernetes.io/component: controller
-  revisionHistoryLimit: 10
-  minReadySeconds: 0
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/component: controller
-    spec:
-      dnsPolicy: ClusterFirst
-      containers:
-        - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.1.0@sha256:f766669fdcf3dc26347ed273a55e754b427eb4411ee075a53f30718b4499076a
-          imagePullPolicy: IfNotPresent
-          lifecycle:
-            preStop:
-              exec:
-                command:
-                  - /wait-shutdown
-          args:
-            - /nginx-ingress-controller
-            - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
-            - --election-id=ingress-controller-leader
-            - --controller-class=k8s.io/ingress-nginx
-            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
-            - --validating-webhook=:8443
-            - --validating-webhook-certificate=/usr/local/certificates/cert
-            - --validating-webhook-key=/usr/local/certificates/key
-          securityContext:
-            capabilities:
-              drop:
-                - ALL
-              add:
-                - NET_BIND_SERVICE
-            runAsUser: 101
-            allowPrivilegeEscalation: true
-          env:
-            - name: POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-            - name: LD_PRELOAD
-              value: /usr/local/lib/libmimalloc.so
-          livenessProbe:
-            failureThreshold: 5
-            httpGet:
-              path: /healthz
-              port: 10254
-              scheme: HTTP
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 1
-          readinessProbe:
-            failureThreshold: 3
-            httpGet:
-              path: /healthz
-              port: 10254
-              scheme: HTTP
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 1
-          ports:
-            - name: http
-              containerPort: 80
-              protocol: TCP
-            - name: https
-              containerPort: 443
-              protocol: TCP
-            - name: webhook
-              containerPort: 8443
-              protocol: TCP
-          volumeMounts:
-            - name: webhook-cert
-              mountPath: /usr/local/certificates/
-              readOnly: true
-          resources:
-            requests:
-              cpu: 100m
-              memory: 90Mi
-      nodeSelector:
-        kubernetes.io/os: linux
-      serviceAccountName: ingress-nginx
-      terminationGracePeriodSeconds: 300
-      volumes:
-        - name: webhook-cert
-          secret:
-            secretName: ingress-nginx-admission
----
-# Source: ingress-nginx/templates/controller-ingressclass.yaml
-# We don't support namespaced ingressClass yet
-# So a ClusterRole and a ClusterRoleBinding is required
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.10
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: nginx
-  namespace: ingress-nginx
-spec:
-  controller: k8s.io/ingress-nginx
----
-# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
-# before changing this value, check the required kubernetes version
-# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.10
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-  name: ingress-nginx-admission
-webhooks:
-  - name: validate.nginx.ingress.kubernetes.io
-    matchPolicy: Equivalent
-    rules:
-      - apiGroups:
-          - networking.k8s.io
-        apiVersions:
-          - v1
-        operations:
-          - CREATE
-          - UPDATE
-        resources:
-          - ingresses
-    failurePolicy: Fail
-    sideEffects: None
-    admissionReviewVersions:
-      - v1
-    clientConfig:
-      service:
-        namespace: ingress-nginx
-        name: ingress-nginx-controller-admission
-        path: /networking/v1/ingresses
-    timeoutSeconds: 29
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.10
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: ingress-nginx-admission
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.10
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-rules:
-  - apiGroups:
-      - admissionregistration.k8s.io
-    resources:
-      - validatingwebhookconfigurations
-    verbs:
-      - get
-      - update
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: ingress-nginx-admission
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.10
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: ingress-nginx-admission
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx-admission
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.10
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-rules:
-  - apiGroups:
-      - ''
-    resources:
-      - secrets
-    verbs:
-      - get
-      - create
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.10
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: ingress-nginx-admission
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx-admission
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: ingress-nginx-admission-create
-  namespace: ingress-nginx
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.10
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-spec:
-  template:
-    metadata:
-      name: ingress-nginx-admission-create
-      labels:
-        helm.sh/chart: ingress-nginx-4.0.10
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.0
-        app.kubernetes.io/managed-by: Helm
-        app.kubernetes.io/component: admission-webhook
-    spec:
-      containers:
-        - name: create
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
-          imagePullPolicy: IfNotPresent
-          args:
-            - create
-            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
-            - --namespace=$(POD_NAMESPACE)
-            - --secret-name=ingress-nginx-admission
-          env:
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-          securityContext:
-            allowPrivilegeEscalation: false
-      restartPolicy: OnFailure
-      serviceAccountName: ingress-nginx-admission
-      nodeSelector:
-        kubernetes.io/os: linux
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 2000
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: ingress-nginx-admission-patch
-  namespace: ingress-nginx
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.10
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-spec:
-  template:
-    metadata:
-      name: ingress-nginx-admission-patch
-      labels:
-        helm.sh/chart: ingress-nginx-4.0.10
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.0
-        app.kubernetes.io/managed-by: Helm
-        app.kubernetes.io/component: admission-webhook
-    spec:
-      containers:
-        - name: patch
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
-          imagePullPolicy: IfNotPresent
-          args:
-            - patch
-            - --webhook-name=ingress-nginx-admission
-            - --namespace=$(POD_NAMESPACE)
-            - --patch-mutating=false
-            - --secret-name=ingress-nginx-admission
-            - --patch-failure-policy=Fail
-          env:
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-          securityContext:
-            allowPrivilegeEscalation: false
-      restartPolicy: OnFailure
-      serviceAccountName: ingress-nginx-admission
-      nodeSelector:
-        kubernetes.io/os: linux
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 2000
diff --git a/ingress/nginx.tmpl b/ingress/nginx.tmpl
deleted file mode 100755
index d25d4090c7a225767227a671aa657a752a2f49c0..0000000000000000000000000000000000000000
--- a/ingress/nginx.tmpl
+++ /dev/null
@@ -1,1423 +0,0 @@
-{{ $all := . }}
-{{ $servers := .Servers }}
-{{ $cfg := .Cfg }}
-{{ $IsIPV6Enabled := .IsIPV6Enabled }}
-{{ $healthzURI := .HealthzURI }}
-{{ $backends := .Backends }}
-{{ $proxyHeaders := .ProxySetHeaders }}
-{{ $addHeaders := .AddHeaders }}
-
-# Configuration checksum: {{ $all.Cfg.Checksum }}
-
-# setup custom paths that do not require root access
-pid {{ .PID }};
-
-{{ if $cfg.UseGeoIP2 }}
-load_module /etc/nginx/modules/ngx_http_geoip2_module.so;
-{{ end }}
-
-{{ if $cfg.EnableBrotli }}
-load_module /etc/nginx/modules/ngx_http_brotli_filter_module.so;
-load_module /etc/nginx/modules/ngx_http_brotli_static_module.so;
-{{ end }}
-
-{{ if (shouldLoadInfluxDBModule $servers) }}
-load_module /etc/nginx/modules/ngx_http_influxdb_module.so;
-{{ end }}
-
-{{ if (shouldLoadAuthDigestModule $servers) }}
-load_module /etc/nginx/modules/ngx_http_auth_digest_module.so;
-{{ end }}
-
-{{ if (shouldLoadModSecurityModule $cfg $servers) }}
-load_module /etc/nginx/modules/ngx_http_modsecurity_module.so;
-{{ end }}
-
-{{ if (shouldLoadOpentracingModule $cfg $servers) }}
-load_module /etc/nginx/modules/ngx_http_opentracing_module.so;
-{{ end }}
-
-daemon off;
-
-worker_processes {{ $cfg.WorkerProcesses }};
-{{ if gt (len $cfg.WorkerCPUAffinity) 0 }}
-worker_cpu_affinity {{ $cfg.WorkerCPUAffinity }};
-{{ end }}
-
-worker_rlimit_nofile {{ $cfg.MaxWorkerOpenFiles }};
-
-{{/* http://nginx.org/en/docs/ngx_core_module.html#worker_shutdown_timeout */}}
-{{/* avoid waiting too long during a reload */}}
-worker_shutdown_timeout {{ $cfg.WorkerShutdownTimeout }} ;
-
-{{ if not (empty $cfg.MainSnippet) }}
-{{ $cfg.MainSnippet }}
-{{ end }}
-
-events {
-    multi_accept        {{ if $cfg.EnableMultiAccept }}on{{ else }}off{{ end }};
-    worker_connections  {{ $cfg.MaxWorkerConnections }};
-    use                 epoll;
-}
-
-http {
-    lua_package_path "/etc/nginx/lua/?.lua;;";
-
-    {{ buildLuaSharedDictionaries $cfg $servers }}
-
-    init_by_lua_block {
-        collectgarbage("collect")
-
-        -- init modules
-        local ok, res
-
-        ok, res = pcall(require, "lua_ingress")
-        if not ok then
-          error("require failed: " .. tostring(res))
-        else
-          lua_ingress = res
-          lua_ingress.set_config({{ configForLua $all }})
-        end
-
-        ok, res = pcall(require, "configuration")
-        if not ok then
-          error("require failed: " .. tostring(res))
-        else
-          configuration = res
-          configuration.prohibited_localhost_port = '{{ .StatusPort }}'
-        end
-
-        ok, res = pcall(require, "balancer")
-        if not ok then
-          error("require failed: " .. tostring(res))
-        else
-          balancer = res
-        end
-
-        {{ if $all.EnableMetrics }}
-        ok, res = pcall(require, "monitor")
-        if not ok then
-          error("require failed: " .. tostring(res))
-        else
-          monitor = res
-        end
-        {{ end }}
-
-        ok, res = pcall(require, "certificate")
-        if not ok then
-          error("require failed: " .. tostring(res))
-        else
-          certificate = res
-          certificate.is_ocsp_stapling_enabled = {{ $cfg.EnableOCSP }}
-        end
-
-        ok, res = pcall(require, "plugins")
-        if not ok then
-          error("require failed: " .. tostring(res))
-        else
-          plugins = res
-        end
-        -- load all plugins that'll be used here
-        plugins.init({ {{ range  $idx, $plugin := $cfg.Plugins }}{{ if $idx }},{{ end }}{{ $plugin | quote }}{{ end }} })
-    }
-
-    init_worker_by_lua_block {
-        lua_ingress.init_worker()
-        balancer.init_worker()
-        {{ if $all.EnableMetrics }}
-        monitor.init_worker({{ $all.MonitorMaxBatchSize }})
-        {{ end }}
-
-        plugins.run()
-    }
-
-    {{/* Enable the real_ip module only if we use either X-Forwarded headers or Proxy Protocol. */}}
-    {{/* we use the value of the real IP for the geo_ip module */}}
-    {{ if or (or $cfg.UseForwardedHeaders $cfg.UseProxyProtocol) $cfg.EnableRealIp }}
-    {{ if $cfg.UseProxyProtocol }}
-    real_ip_header      proxy_protocol;
-    {{ else }}
-    real_ip_header      {{ $cfg.ForwardedForHeader }};
-    {{ end }}
-
-    real_ip_recursive   on;
-    {{ range $trusted_ip := $cfg.ProxyRealIPCIDR }}
-    set_real_ip_from    {{ $trusted_ip }};
-    {{ end }}
-    {{ end }}
-
-    {{ if $all.Cfg.EnableModsecurity }}
-    modsecurity on;
-
-    {{ if (not (empty $all.Cfg.ModsecuritySnippet)) }}
-    modsecurity_rules '
-      {{ $all.Cfg.ModsecuritySnippet }}
-    ';
-    {{ end }}
-
-    modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;
-
-    {{ if $all.Cfg.EnableOWASPCoreRules }}
-    modsecurity_rules_file /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf;
-    {{ end }}
-
-    {{ end }}
-
-    {{ if $cfg.UseGeoIP }}
-    {{/* databases used to determine the country depending on the client IP address */}}
-    {{/* http://nginx.org/en/docs/http/ngx_http_geoip_module.html */}}
-    {{/* this is require to calculate traffic for individual country using GeoIP in the status page */}}
-    geoip_country       /etc/nginx/geoip/GeoIP.dat;
-    geoip_city          /etc/nginx/geoip/GeoLiteCity.dat;
-    geoip_org           /etc/nginx/geoip/GeoIPASNum.dat;
-    geoip_proxy_recursive on;
-    {{ end }}
-
-    {{ if $cfg.UseGeoIP2 }}
-    # https://github.com/leev/ngx_http_geoip2_module#example-usage
-
-    {{ range $index, $file := $all.MaxmindEditionFiles }}
-    {{ if eq $file "GeoLite2-Country.mmdb" }}
-    geoip2 /etc/nginx/geoip/GeoLite2-Country.mmdb {
-        $geoip2_country_code source=$remote_addr country iso_code;
-        $geoip2_country_name source=$remote_addr country names en;
-        $geoip2_continent_name source=$remote_addr continent names en;
-    }
-    {{ end }}
-
-    {{ if eq $file "GeoIP2-Country.mmdb" }}
-    geoip2 /etc/nginx/geoip/GeoIP2-Country.mmdb {
-        $geoip2_country_code source=$remote_addr country iso_code;
-        $geoip2_country_name source=$remote_addr country names en;
-        $geoip2_continent_name source=$remote_addr continent names en;
-    }
-    {{ end }}
-
-    {{ if eq $file "GeoLite2-City.mmdb" }}
-    geoip2 /etc/nginx/geoip/GeoLite2-City.mmdb {
-        $geoip2_city_country_code source=$remote_addr country iso_code;
-        $geoip2_city_country_name source=$remote_addr country names en;
-        $geoip2_city source=$remote_addr city names en;
-        $geoip2_postal_code source=$remote_addr postal code;
-        $geoip2_dma_code source=$remote_addr location metro_code;
-        $geoip2_latitude source=$remote_addr location latitude;
-        $geoip2_longitude source=$remote_addr location longitude;
-        $geoip2_time_zone source=$remote_addr location time_zone;
-        $geoip2_region_code source=$remote_addr subdivisions 0 iso_code;
-        $geoip2_region_name source=$remote_addr subdivisions 0 names en;
-        $geoip2_subregion_code source=$remote_addr subdivisions 1 iso_code;
-        $geoip2_subregion_name source=$remote_addr subdivisions 1 names en;
-    }
-    {{ end }}
-
-    {{ if eq $file "GeoIP2-City.mmdb" }}
-    geoip2 /etc/nginx/geoip/GeoIP2-City.mmdb {
-        $geoip2_city_country_code source=$remote_addr country iso_code;
-        $geoip2_city_country_name source=$remote_addr country names en;
-        $geoip2_city source=$remote_addr city names en;
-        $geoip2_postal_code source=$remote_addr postal code;
-        $geoip2_dma_code source=$remote_addr location metro_code;
-        $geoip2_latitude source=$remote_addr location latitude;
-        $geoip2_longitude source=$remote_addr location longitude;
-        $geoip2_time_zone source=$remote_addr location time_zone;
-        $geoip2_region_code source=$remote_addr subdivisions 0 iso_code;
-        $geoip2_region_name source=$remote_addr subdivisions 0 names en;
-        $geoip2_subregion_code source=$remote_addr subdivisions 1 iso_code;
-        $geoip2_subregion_name source=$remote_addr subdivisions 1 names en;
-    }
-    {{ end }}
-
-    {{ if eq $file "GeoLite2-ASN.mmdb" }}
-    geoip2 /etc/nginx/geoip/GeoLite2-ASN.mmdb {
-        $geoip2_asn source=$remote_addr autonomous_system_number;
-        $geoip2_org source=$remote_addr autonomous_system_organization;
-    }
-    {{ end }}
-
-    {{ if eq $file "GeoIP2-ASN.mmdb" }}
-    geoip2 /etc/nginx/geoip/GeoIP2-ASN.mmdb {
-        $geoip2_asn source=$remote_addr autonomous_system_number;
-        $geoip2_org source=$remote_addr autonomous_system_organization;
-    }
-    {{ end }}
-
-    {{ if eq $file "GeoIP2-ISP.mmdb" }}
-    geoip2 /etc/nginx/geoip/GeoIP2-ISP.mmdb {
-        $geoip2_isp isp;
-        $geoip2_isp_org organization;
-    }
-    {{ end }}
-
-    {{ if eq $file "GeoIP2-Connection-Type.mmdb" }}
-    geoip2 /etc/nginx/geoip/GeoIP2-Connection-Type.mmdb {
-        $geoip2_connection_type connection_type;
-    }
-    {{ end }}
-
-    {{ if eq $file "GeoIP2-Anonymous-IP.mmdb" }}
-    geoip2 /etc/nginx/geoip/GeoIP2-Anonymous-IP.mmdb {
-        $geoip2_is_anon source=$remote_addr is_anonymous;
-        $geoip2_is_hosting_provider source=$remote_addr is_hosting_provider;
-        $geoip2_is_public_proxy source=$remote_addr is_public_proxy;
-    }
-    {{ end }}
-
-    {{ end }}
-
-    {{ end }}
-
-    aio                 threads;
-    aio_write           on;
-
-    tcp_nopush          on;
-    tcp_nodelay         on;
-
-    log_subrequest      on;
-
-    reset_timedout_connection on;
-
-    keepalive_timeout  {{ $cfg.KeepAlive }}s;
-    keepalive_requests {{ $cfg.KeepAliveRequests }};
-
-    client_body_temp_path           /tmp/client-body;
-    fastcgi_temp_path               /tmp/fastcgi-temp;
-    proxy_temp_path                 /tmp/proxy-temp;
-    ajp_temp_path                   /tmp/ajp-temp;
-
-    client_header_buffer_size       {{ $cfg.ClientHeaderBufferSize }};
-    client_header_timeout           {{ $cfg.ClientHeaderTimeout }}s;
-    large_client_header_buffers     {{ $cfg.LargeClientHeaderBuffers }};
-    client_body_buffer_size         {{ $cfg.ClientBodyBufferSize }};
-    client_body_timeout             {{ $cfg.ClientBodyTimeout }}s;
-
-    http2_max_field_size            {{ $cfg.HTTP2MaxFieldSize }};
-    http2_max_header_size           {{ $cfg.HTTP2MaxHeaderSize }};
-    http2_max_requests              {{ $cfg.HTTP2MaxRequests }};
-    http2_max_concurrent_streams    {{ $cfg.HTTP2MaxConcurrentStreams }};
-
-    types_hash_max_size             2048;
-    server_names_hash_max_size      {{ $cfg.ServerNameHashMaxSize }};
-    server_names_hash_bucket_size   {{ $cfg.ServerNameHashBucketSize }};
-    map_hash_bucket_size            {{ $cfg.MapHashBucketSize }};
-
-    proxy_headers_hash_max_size     {{ $cfg.ProxyHeadersHashMaxSize }};
-    proxy_headers_hash_bucket_size  {{ $cfg.ProxyHeadersHashBucketSize }};
-
-    variables_hash_bucket_size      {{ $cfg.VariablesHashBucketSize }};
-    variables_hash_max_size         {{ $cfg.VariablesHashMaxSize }};
-
-    underscores_in_headers          {{ if $cfg.EnableUnderscoresInHeaders }}on{{ else }}off{{ end }};
-    ignore_invalid_headers          {{ if $cfg.IgnoreInvalidHeaders }}on{{ else }}off{{ end }};
-
-    limit_req_status                {{ $cfg.LimitReqStatusCode }};
-    limit_conn_status               {{ $cfg.LimitConnStatusCode }};
-
-    {{ buildOpentracing $cfg $servers }}
-
-    include /etc/nginx/mime.types;
-    default_type {{ $cfg.DefaultType }};
-
-    {{ if $cfg.EnableBrotli }}
-    brotli on;
-    brotli_comp_level {{ $cfg.BrotliLevel }};
-    brotli_min_length {{ $cfg.BrotliMinLength }};
-    brotli_types {{ $cfg.BrotliTypes }};
-    {{ end }}
-
-    {{ if $cfg.UseGzip }}
-    gzip on;
-    gzip_comp_level {{ $cfg.GzipLevel }};
-    gzip_http_version 1.1;
-    gzip_min_length {{ $cfg.GzipMinLength}};
-    gzip_types {{ $cfg.GzipTypes }};
-    gzip_proxied any;
-    gzip_vary on;
-    {{ end }}
-
-    # Custom headers for response
-    {{ range $k, $v := $addHeaders }}
-    more_set_headers {{ printf "%s: %s" $k $v | quote }};
-    {{ end }}
-
-    server_tokens {{ if $cfg.ShowServerTokens }}on{{ else }}off{{ end }};
-    {{ if not $cfg.ShowServerTokens }}
-    more_clear_headers Server;
-    {{ end }}
-
-    # disable warnings
-    uninitialized_variable_warn off;
-
-    # Additional available variables:
-    # $namespace
-    # $ingress_name
-    # $service_name
-    # $service_port
-    log_format upstreaminfo {{ if $cfg.LogFormatEscapeJSON }}escape=json {{ end }}'{{ $cfg.LogFormatUpstream }}';
-
-    {{/* map urls that should not appear in access.log */}}
-    {{/* http://nginx.org/en/docs/http/ngx_http_log_module.html#access_log */}}
-    map $request_uri $loggable {
-        {{ range $reqUri := $cfg.SkipAccessLogURLs }}
-        {{ $reqUri }} 0;{{ end }}
-        default 1;
-    }
-
-    {{ if or $cfg.DisableAccessLog $cfg.DisableHTTPAccessLog }}
-    access_log off;
-    {{ else }}
-    {{ if $cfg.EnableSyslog }}
-    access_log syslog:server={{ $cfg.SyslogHost }}:{{ $cfg.SyslogPort }} upstreaminfo if=$loggable;
-    {{ else }}
-    access_log {{ or $cfg.HttpAccessLogPath $cfg.AccessLogPath }} upstreaminfo {{ $cfg.AccessLogParams }} if=$loggable;
-    {{ end }}
-    {{ end }}
-
-    {{ if $cfg.EnableSyslog }}
-    error_log syslog:server={{ $cfg.SyslogHost }}:{{ $cfg.SyslogPort }} {{ $cfg.ErrorLogLevel }};
-    {{ else }}
-    error_log  {{ $cfg.ErrorLogPath }} {{ $cfg.ErrorLogLevel }};
-    {{ end }}
-
-    {{ buildResolvers $cfg.Resolver $cfg.DisableIpv6DNS }}
-
-    # See https://www.nginx.com/blog/websocket-nginx
-    map $http_upgrade $connection_upgrade {
-        default          upgrade;
-        {{ if (gt $cfg.UpstreamKeepaliveConnections 0) }}
-        # See http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
-        ''               '';
-        {{ else }}
-        ''               close;
-        {{ end }}
-    }
-
-    # Reverse proxies can detect if a client provides a X-Request-ID header, and pass it on to the backend server.
-    # If no such header is provided, it can provide a random value.
-    map $http_x_request_id $req_id {
-        default   $http_x_request_id;
-        {{ if $cfg.GenerateRequestID }}
-        ""        $request_id;
-        {{ end }}
-    }
-
-    {{ if and $cfg.UseForwardedHeaders $cfg.ComputeFullForwardedFor }}
-    # We can't use $proxy_add_x_forwarded_for because the realip module
-    # replaces the remote_addr too soon
-    map $http_x_forwarded_for $full_x_forwarded_for {
-        {{ if $all.Cfg.UseProxyProtocol }}
-        default          "$http_x_forwarded_for, $proxy_protocol_addr";
-        ''               "$proxy_protocol_addr";
-        {{ else }}
-        default          "$http_x_forwarded_for, $realip_remote_addr";
-        ''               "$realip_remote_addr";
-        {{ end}}
-    }
-
-    {{ end }}
-
-    # Create a variable that contains the literal $ character.
-    # This works because the geo module will not resolve variables.
-    geo $literal_dollar {
-        default "$";
-    }
-
-    server_name_in_redirect off;
-    port_in_redirect        off;
-
-    ssl_protocols {{ $cfg.SSLProtocols }};
-
-    ssl_early_data {{ if $cfg.SSLEarlyData }}on{{ else }}off{{ end }};
-
-    # turn on session caching to drastically improve performance
-    {{ if $cfg.SSLSessionCache }}
-    ssl_session_cache shared:SSL:{{ $cfg.SSLSessionCacheSize }};
-    ssl_session_timeout {{ $cfg.SSLSessionTimeout }};
-    {{ end }}
-
-    # allow configuring ssl session tickets
-    ssl_session_tickets {{ if $cfg.SSLSessionTickets }}on{{ else }}off{{ end }};
-
-    {{ if not (empty $cfg.SSLSessionTicketKey ) }}
-    ssl_session_ticket_key /etc/nginx/tickets.key;
-    {{ end }}
-
-    # slightly reduce the time-to-first-byte
-    ssl_buffer_size {{ $cfg.SSLBufferSize }};
-
-    {{ if not (empty $cfg.SSLCiphers) }}
-    # allow configuring custom ssl ciphers
-    ssl_ciphers '{{ $cfg.SSLCiphers }}';
-    ssl_prefer_server_ciphers on;
-    {{ end }}
-
-    {{ if not (empty $cfg.SSLDHParam) }}
-    # allow custom DH file http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
-    ssl_dhparam {{ $cfg.SSLDHParam }};
-    {{ end }}
-
-    ssl_ecdh_curve {{ $cfg.SSLECDHCurve }};
-
-    # PEM sha: {{ $cfg.DefaultSSLCertificate.PemSHA }}
-    ssl_certificate     {{ $cfg.DefaultSSLCertificate.PemFileName }};
-    ssl_certificate_key {{ $cfg.DefaultSSLCertificate.PemFileName }};
-
-    {{ if gt (len $cfg.CustomHTTPErrors) 0 }}
-    proxy_intercept_errors on;
-    {{ end }}
-
-    {{ range $errCode := $cfg.CustomHTTPErrors }}
-    error_page {{ $errCode }} = @custom_upstream-default-backend_{{ $errCode }};{{ end }}
-
-    proxy_ssl_session_reuse on;
-
-    {{ if $cfg.AllowBackendServerHeader }}
-    proxy_pass_header Server;
-    {{ end }}
-
-    {{ range $header := $cfg.HideHeaders }}proxy_hide_header {{ $header }};
-    {{ end }}
-
-    {{ if not (empty $cfg.HTTPSnippet) }}
-    # Custom code snippet configured in the configuration configmap
-    {{ $cfg.HTTPSnippet }}
-    {{ end }}
-
-    upstream upstream_balancer {
-        ### Attention!!!
-        #
-        # We no longer create "upstream" section for every backend.
-        # Backends are handled dynamically using Lua. If you would like to debug
-        # and see what backends ingress-nginx has in its memory you can
-        # install our kubectl plugin https://kubernetes.github.io/ingress-nginx/kubectl-plugin.
-        # Once you have the plugin you can use "kubectl ingress-nginx backends" command to
-        # inspect current backends.
-        #
-        ###
-
-        server 0.0.0.1; # placeholder
-
-        balancer_by_lua_block {
-          balancer.balance()
-        }
-
-        {{ if (gt $cfg.UpstreamKeepaliveConnections 0) }}
-        keepalive {{ $cfg.UpstreamKeepaliveConnections }};
-
-        keepalive_timeout  {{ $cfg.UpstreamKeepaliveTimeout }}s;
-        keepalive_requests {{ $cfg.UpstreamKeepaliveRequests }};
-        {{ end }}
-    }
-
-    {{ range $rl := (filterRateLimits $servers ) }}
-    # Ratelimit {{ $rl.Name }}
-    geo $remote_addr $whitelist_{{ $rl.ID }} {
-        default 0;
-        {{ range $ip := $rl.Whitelist }}
-        {{ $ip }} 1;{{ end }}
-    }
-
-    # Ratelimit {{ $rl.Name }}
-    map $whitelist_{{ $rl.ID }} $limit_{{ $rl.ID }} {
-        0 {{ $cfg.LimitConnZoneVariable }};
-        1 "";
-    }
-    {{ end }}
-
-    {{/* build all the required rate limit zones. Each annotation requires a dedicated zone */}}
-    {{/* 1MB -> 16 thousand 64-byte states or about 8 thousand 128-byte states */}}
-    {{ range $zone := (buildRateLimitZones $servers) }}
-    {{ $zone }}
-    {{ end }}
-
-    # Cache for internal auth checks
-    proxy_cache_path /tmp/nginx-cache-auth levels=1:2 keys_zone=auth_cache:10m max_size=128m inactive=30m use_temp_path=off;
-
-    # Global filters
-    {{ range $ip := $cfg.BlockCIDRs }}deny {{ trimSpace $ip }};
-    {{ end }}
-
-    {{ if gt (len $cfg.BlockUserAgents) 0 }}
-    map $http_user_agent $block_ua {
-        default 0;
-
-        {{ range $ua := $cfg.BlockUserAgents }}{{ trimSpace $ua }} 1;
-        {{ end }}
-    }
-    {{ end }}
-
-    {{ if gt (len $cfg.BlockReferers) 0 }}
-    map $http_referer $block_ref {
-        default 0;
-
-        {{ range $ref := $cfg.BlockReferers }}{{ trimSpace $ref }} 1;
-        {{ end }}
-    }
-    {{ end }}
-
-    {{/* Build server redirects (from/to www) */}}
-    {{ range $redirect := .RedirectServers }}
-    ## start server {{ $redirect.From }}
-    server {
-        server_name {{ $redirect.From }};
-
-        {{ buildHTTPListener  $all $redirect.From }}
-        {{ buildHTTPSListener $all $redirect.From }}
-
-        ssl_certificate_by_lua_block {
-            certificate.call()
-        }
-
-        {{ if gt (len $cfg.BlockUserAgents) 0 }}
-        if ($block_ua) {
-           return 403;
-        }
-        {{ end }}
-        {{ if gt (len $cfg.BlockReferers) 0 }}
-        if ($block_ref) {
-           return 403;
-        }
-        {{ end }}
-
-        set_by_lua_block $redirect_to {
-            local request_uri = ngx.var.request_uri
-            if string.sub(request_uri, -1) == "/" then
-                request_uri = string.sub(request_uri, 1, -2)
-            end
-
-            {{ if ne $all.ListenPorts.HTTPS 443 }}
-            {{ $redirect_port := (printf ":%v" $all.ListenPorts.HTTPS) }}
-            return string.format("%s://%s%s%s", ngx.var.scheme, "{{ $redirect.To }}", "{{ $redirect_port }}", request_uri)
-            {{ else }}
-            return string.format("%s://%s%s", ngx.var.scheme, "{{ $redirect.To }}", request_uri)
-            {{ end }}
-        }
-
-        return {{ $all.Cfg.HTTPRedirectCode }} $redirect_to;
-    }
-    ## end server {{ $redirect.From }}
-    {{ end }}
-
-    {{ range $server := $servers }}
-
-    ## start server {{ $server.Hostname }}
-    server {
-        server_name {{ buildServerName $server.Hostname }} {{range $server.Aliases }}{{ . }} {{ end }};
-
-        {{ if gt (len $cfg.BlockUserAgents) 0 }}
-        if ($block_ua) {
-           return 403;
-        }
-        {{ end }}
-        {{ if gt (len $cfg.BlockReferers) 0 }}
-        if ($block_ref) {
-           return 403;
-        }
-        {{ end }}
-
-        {{ template "SERVER" serverConfig $all $server }}
-
-        {{ if not (empty $cfg.ServerSnippet) }}
-        # Custom code snippet configured in the configuration configmap
-        {{ $cfg.ServerSnippet }}
-        {{ end }}
-
-        {{ template "CUSTOM_ERRORS" (buildCustomErrorDeps "upstream-default-backend" $cfg.CustomHTTPErrors $all.EnableMetrics) }}
-    }
-    ## end server {{ $server.Hostname }}
-
-    {{ end }}
-
-    # backend for when default-backend-service is not configured or it does not have endpoints
-    server {
-        listen {{ $all.ListenPorts.Default }} default_server {{ if $all.Cfg.ReusePort }}reuseport{{ end }} backlog={{ $all.BacklogSize }};
-        {{ if $IsIPV6Enabled }}listen [::]:{{ $all.ListenPorts.Default }} default_server {{ if $all.Cfg.ReusePort }}reuseport{{ end }} backlog={{ $all.BacklogSize }};{{ end }}
-        set $proxy_upstream_name "internal";
-
-        access_log off;
-
-        location / {
-          return 404;
-        }
-    }
-
-    # default server, used for NGINX healthcheck and access to nginx stats
-    server {
-        listen 127.0.0.1:{{ .StatusPort }};
-        set $proxy_upstream_name "internal";
-
-        keepalive_timeout 0;
-        gzip off;
-
-        access_log off;
-
-        {{ if $cfg.EnableOpentracing }}
-        opentracing off;
-        {{ end }}
-
-        location {{ $healthzURI }} {
-            return 200;
-        }
-
-        location /is-dynamic-lb-initialized {
-            content_by_lua_block {
-                local configuration = require("configuration")
-                local backend_data = configuration.get_backends_data()
-                if not backend_data then
-                    ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
-                    return
-                end
-
-                ngx.say("OK")
-                ngx.exit(ngx.HTTP_OK)
-            }
-        }
-
-        location {{ .StatusPath }} {
-            stub_status on;
-        }
-
-        location /configuration {
-            client_max_body_size                    {{ luaConfigurationRequestBodySize $cfg }};
-            client_body_buffer_size                 {{ luaConfigurationRequestBodySize $cfg }};
-            proxy_buffering                         off;
-
-            content_by_lua_block {
-              configuration.call()
-            }
-        }
-
-        location / {
-            content_by_lua_block {
-                ngx.exit(ngx.HTTP_NOT_FOUND)
-            }
-        }
-    }
-}
-
-stream {
-    lua_package_path "/etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/?.lua;;";
-
-    lua_shared_dict tcp_udp_configuration_data 5M;
-
-    init_by_lua_block {
-        collectgarbage("collect")
-
-        -- init modules
-        local ok, res
-
-        ok, res = pcall(require, "configuration")
-        if not ok then
-          error("require failed: " .. tostring(res))
-        else
-          configuration = res
-        end
-
-        ok, res = pcall(require, "tcp_udp_configuration")
-        if not ok then
-          error("require failed: " .. tostring(res))
-        else
-          tcp_udp_configuration = res
-          tcp_udp_configuration.prohibited_localhost_port = '{{ .StatusPort }}'
-
-        end
-
-        ok, res = pcall(require, "tcp_udp_balancer")
-        if not ok then
-          error("require failed: " .. tostring(res))
-        else
-          tcp_udp_balancer = res
-        end
-    }
-
-    init_worker_by_lua_block {
-        tcp_udp_balancer.init_worker()
-    }
-
-    lua_add_variable $proxy_upstream_name;
-
-    log_format log_stream '{{ $cfg.LogFormatStream }}';
-
-    {{ if or $cfg.DisableAccessLog $cfg.DisableStreamAccessLog }}
-    access_log off;
-    {{ else }}
-    access_log {{ or $cfg.StreamAccessLogPath $cfg.AccessLogPath }} log_stream {{ $cfg.AccessLogParams }};
-    {{ end }}
-
-    error_log  {{ $cfg.ErrorLogPath }} {{ $cfg.ErrorLogLevel }};
-
-    {{ if $cfg.EnableRealIp }}
-    {{ range $trusted_ip := $cfg.ProxyRealIPCIDR }}
-    set_real_ip_from    {{ $trusted_ip }};
-    {{ end }}
-    {{ end }}
-
-    upstream upstream_balancer {
-        server 0.0.0.1:1234; # placeholder
-
-        balancer_by_lua_block {
-          tcp_udp_balancer.balance()
-        }
-    }
-
-    server {
-        listen 127.0.0.1:{{ .StreamPort }};
-
-        access_log off;
-
-        content_by_lua_block {
-          tcp_udp_configuration.call()
-        }
-    }
-
-    # TCP services
-    {{ range $tcpServer := .TCPBackends }}
-    server {
-        preread_by_lua_block {
-            ngx.var.proxy_upstream_name="tcp-{{ $tcpServer.Backend.Namespace }}-{{ $tcpServer.Backend.Name }}-{{ $tcpServer.Backend.Port }}";
-        }
-
-        {{ range $address := $all.Cfg.BindAddressIpv4 }}
-        listen                  {{ $address }}:{{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }};
-        {{ else }}
-        listen                  {{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }};
-        {{ end }}
-        {{ if $IsIPV6Enabled }}
-        {{ range $address := $all.Cfg.BindAddressIpv6 }}
-        listen                  {{ $address }}:{{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }};
-        {{ else }}
-        listen                  [::]:{{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }};
-        {{ end }}
-        {{ end }}
-        proxy_timeout           {{ $cfg.ProxyStreamTimeout }};
-        proxy_next_upstream     {{ if $cfg.ProxyStreamNextUpstream }}on{{ else }}off{{ end }};
-        proxy_next_upstream_timeout {{ $cfg.ProxyStreamNextUpstreamTimeout }};
-        proxy_next_upstream_tries   {{ $cfg.ProxyStreamNextUpstreamTries }};
-
-        proxy_pass              upstream_balancer;
-        {{ if $tcpServer.Backend.ProxyProtocol.Encode }}
-        proxy_protocol          on;
-        {{ end }}
-    }
-    {{ end }}
-
-    # UDP services
-    {{ range $udpServer := .UDPBackends }}
-    server {
-        preread_by_lua_block {
-            ngx.var.proxy_upstream_name="udp-{{ $udpServer.Backend.Namespace }}-{{ $udpServer.Backend.Name }}-{{ $udpServer.Backend.Port }}";
-        }
-
-        {{ range $address := $all.Cfg.BindAddressIpv4 }}
-        listen                  {{ $address }}:{{ $udpServer.Port }} udp;
-        {{ else }}
-        listen                  {{ $udpServer.Port }} udp;
-        {{ end }}
-        {{ if $IsIPV6Enabled }}
-        {{ range $address := $all.Cfg.BindAddressIpv6 }}
-        listen                  {{ $address }}:{{ $udpServer.Port }} udp;
-        {{ else }}
-        listen                  [::]:{{ $udpServer.Port }} udp;
-        {{ end }}
-        {{ end }}
-        proxy_responses         {{ $cfg.ProxyStreamResponses }};
-        proxy_timeout           {{ $cfg.ProxyStreamTimeout }};
-        proxy_next_upstream     {{ if $cfg.ProxyStreamNextUpstream }}on{{ else }}off{{ end }};
-        proxy_next_upstream_timeout {{ $cfg.ProxyStreamNextUpstreamTimeout }};
-        proxy_next_upstream_tries   {{ $cfg.ProxyStreamNextUpstreamTries }};
-        proxy_pass              upstream_balancer;
-    }
-    {{ end }}
-}
-
-{{/* definition of templates to avoid repetitions */}}
-{{ define "CUSTOM_ERRORS" }}
-        {{ $enableMetrics := .EnableMetrics }}
-        {{ $upstreamName := .UpstreamName }}
-        {{ range $errCode := .ErrorCodes }}
-        location @custom_{{ $upstreamName }}_{{ $errCode }} {
-            internal;
-
-            proxy_intercept_errors off;
-
-            proxy_set_header       X-Code             {{ $errCode }};
-            proxy_set_header       X-Format           $http_accept;
-            proxy_set_header       X-Original-URI     $request_uri;
-            proxy_set_header       X-Namespace        $namespace;
-            proxy_set_header       X-Ingress-Name     $ingress_name;
-            proxy_set_header       X-Service-Name     $service_name;
-            proxy_set_header       X-Service-Port     $service_port;
-            proxy_set_header       X-Request-ID       $req_id;
-            proxy_set_header       Host               $best_http_host;
-
-            set $proxy_upstream_name {{ $upstreamName | quote }};
-
-            rewrite                (.*) / break;
-
-            proxy_pass            http://upstream_balancer;
-            log_by_lua_block {
-                {{ if $enableMetrics }}
-                monitor.call()
-                {{ end }}
-            }
-        }
-        {{ end }}
-{{ end }}
-
-{{/* CORS support from https://michielkalkman.com/snippets/nginx-cors-open-configuration.html */}}
-{{ define "CORS" }}
-     {{ $cors := .CorsConfig }}
-     # Cors Preflight methods needs additional options and different Return Code
-     {{ if $cors.CorsAllowOrigin }}
-        {{ buildCorsOriginRegex $cors.CorsAllowOrigin }}
-     {{ end }}
-     if ($request_method = 'OPTIONS') {
-        set $cors ${cors}options;
-     }
-
-     if ($cors = "true") {
-        more_set_headers 'Access-Control-Allow-Origin: $http_origin';
-        {{ if $cors.CorsAllowCredentials }} more_set_headers 'Access-Control-Allow-Credentials: {{ $cors.CorsAllowCredentials }}'; {{ end }}
-        more_set_headers 'Access-Control-Allow-Methods: {{ $cors.CorsAllowMethods }}';
-        more_set_headers 'Access-Control-Allow-Headers: {{ $cors.CorsAllowHeaders }}';
-        {{ if not (empty $cors.CorsExposeHeaders) }} more_set_headers 'Access-Control-Expose-Headers: {{ $cors.CorsExposeHeaders }}'; {{ end }}
-        more_set_headers 'Access-Control-Max-Age: {{ $cors.CorsMaxAge }}';
-     }
-
-     if ($cors = "trueoptions") {
-        more_set_headers 'Access-Control-Allow-Origin: $http_origin';
-        {{ if $cors.CorsAllowCredentials }} more_set_headers 'Access-Control-Allow-Credentials: {{ $cors.CorsAllowCredentials }}'; {{ end }}
-        more_set_headers 'Access-Control-Allow-Methods: {{ $cors.CorsAllowMethods }}';
-        more_set_headers 'Access-Control-Allow-Headers: {{ $cors.CorsAllowHeaders }}';
-        {{ if not (empty $cors.CorsExposeHeaders) }} more_set_headers 'Access-Control-Expose-Headers: {{ $cors.CorsExposeHeaders }}'; {{ end }}
-        more_set_headers 'Access-Control-Max-Age: {{ $cors.CorsMaxAge }}';
-        more_set_headers 'Content-Type: text/plain charset=UTF-8';
-        more_set_headers 'Content-Length: 0';
-        return 204;
-     }
-{{ end }}
-
-{{/* definition of server-template to avoid repetitions with server-alias */}}
-{{ define "SERVER" }}
-        {{ $all := .First }}
-        {{ $server := .Second }}
-
-        {{ buildHTTPListener  $all $server.Hostname }}
-        {{ buildHTTPSListener $all $server.Hostname }}
-
-        set $proxy_upstream_name "-";
-
-        ssl_certificate_by_lua_block {
-            certificate.call()
-        }
-
-        {{ if not (empty $server.AuthTLSError) }}
-        # {{ $server.AuthTLSError }}
-        return 403;
-        {{ else }}
-
-        {{ if not (empty $server.CertificateAuth.CAFileName) }}
-        # PEM sha: {{ $server.CertificateAuth.CASHA }}
-        ssl_client_certificate                  {{ $server.CertificateAuth.CAFileName }};
-        ssl_verify_client                       {{ $server.CertificateAuth.VerifyClient }};
-        ssl_verify_depth                        {{ $server.CertificateAuth.ValidationDepth }};
-
-        {{ if not (empty $server.CertificateAuth.CRLFileName) }}
-        # PEM sha: {{ $server.CertificateAuth.CRLSHA }}
-        ssl_crl                                 {{ $server.CertificateAuth.CRLFileName }};
-        {{ end }}
-
-        {{ if not (empty $server.CertificateAuth.ErrorPage)}}
-        error_page 495 496 = {{ $server.CertificateAuth.ErrorPage }};
-        {{ end }}
-        {{ end }}
-
-        {{ if not (empty $server.ProxySSL.CAFileName) }}
-        # PEM sha: {{ $server.ProxySSL.CASHA }}
-        proxy_ssl_trusted_certificate           {{ $server.ProxySSL.CAFileName }};
-        proxy_ssl_ciphers                       {{ $server.ProxySSL.Ciphers }};
-        proxy_ssl_protocols                     {{ $server.ProxySSL.Protocols }};
-        proxy_ssl_verify                        {{ $server.ProxySSL.Verify }};
-        proxy_ssl_verify_depth                  {{ $server.ProxySSL.VerifyDepth }};
-        {{ if not (empty $server.ProxySSL.ProxySSLName) }}
-        proxy_ssl_name                          {{ $server.ProxySSL.ProxySSLName }};
-        proxy_ssl_server_name                   {{ $server.ProxySSL.ProxySSLServerName }};
-        {{ end }}
-        {{ end }}
-
-        {{ if not (empty $server.ProxySSL.PemFileName) }}
-        proxy_ssl_certificate                   {{ $server.ProxySSL.PemFileName }};
-        proxy_ssl_certificate_key               {{ $server.ProxySSL.PemFileName }};
-        {{ end }}
-
-        {{ if not (empty $server.SSLCiphers) }}
-        ssl_ciphers                             {{ $server.SSLCiphers }};
-        {{ end }}
-
-        {{ if not (empty $server.SSLPreferServerCiphers) }}
-        ssl_prefer_server_ciphers               {{ $server.SSLPreferServerCiphers }};
-        {{ end }}
-
-        {{ if not (empty $server.ServerSnippet) }}
-        # Custom code snippet configured for host {{ $server.Hostname }}
-        {{ $server.ServerSnippet }}
-        {{ end }}
-
-        {{ range $errorLocation := (buildCustomErrorLocationsPerServer $server) }}
-        {{ template "CUSTOM_ERRORS" (buildCustomErrorDeps $errorLocation.UpstreamName $errorLocation.Codes $all.EnableMetrics) }}
-        {{ end }}
-
-        {{ buildMirrorLocations $server.Locations }}
-
-        {{ $enforceRegex := enforceRegexModifier $server.Locations }}
-        {{ range $location := $server.Locations }}
-        {{ $path := buildLocation $location $enforceRegex }}
-        {{ $proxySetHeader := proxySetHeader $location }}
-        {{ $authPath := buildAuthLocation $location $all.Cfg.GlobalExternalAuth.URL }}
-        {{ $applyGlobalAuth := shouldApplyGlobalAuth $location $all.Cfg.GlobalExternalAuth.URL }}
-
-        {{ $externalAuth := $location.ExternalAuth }}
-        {{ if eq $applyGlobalAuth true }}
-        {{ $externalAuth = $all.Cfg.GlobalExternalAuth }}
-        {{ end }}
-
-        {{ if not (empty $location.Rewrite.AppRoot) }}
-        if ($uri = /) {
-            return 302 $scheme://$http_host{{ $location.Rewrite.AppRoot }};
-        }
-        {{ end }}
-
-        {{ if $authPath }}
-        location = {{ $authPath }} {
-            internal;
-
-            {{ if (or $all.Cfg.EnableOpentracing $location.Opentracing.Enabled) }}
-            opentracing on;
-            opentracing_propagate_context;
-            {{ end }}
-
-            {{ if $externalAuth.AuthCacheKey }}
-            set $tmp_cache_key '{{ $server.Hostname }}{{ $authPath }}{{ $externalAuth.AuthCacheKey }}';
-            set $cache_key '';
-
-            rewrite_by_lua_block {
-                ngx.var.cache_key = ngx.encode_base64(ngx.sha1_bin(ngx.var.tmp_cache_key))
-            }
-
-            proxy_cache auth_cache;
-
-            {{- range $dur := $externalAuth.AuthCacheDuration }}
-            proxy_cache_valid {{ $dur }};
-            {{- end }}
-
-            proxy_cache_key "$cache_key";
-            {{ end }}
-
-            # ngx_auth_request module overrides variables in the parent request,
-            # therefore we have to explicitly set this variable again so that when the parent request
-            # resumes it has the correct value set for this variable so that Lua can pick backend correctly
-            set $proxy_upstream_name {{ buildUpstreamName $location | quote }};
-
-            proxy_pass_request_body     off;
-            proxy_set_header            Content-Length          "";
-            proxy_set_header            X-Forwarded-Proto       "";
-            proxy_set_header            X-Request-ID            $req_id;
-
-            {{ if $externalAuth.Method }}
-            proxy_method                {{ $externalAuth.Method }};
-            proxy_set_header            X-Original-URI          $request_uri;
-            proxy_set_header            X-Scheme                $pass_access_scheme;
-            {{ end }}
-
-            proxy_set_header            Host                    {{ $externalAuth.Host }};
-            proxy_set_header            X-Original-URL          $scheme://$http_host$request_uri;
-            proxy_set_header            X-Original-Method       $request_method;
-            proxy_set_header            X-Sent-From             "nginx-ingress-controller";
-            proxy_set_header            X-Real-IP               $remote_addr;
-            {{ if and $all.Cfg.UseForwardedHeaders $all.Cfg.ComputeFullForwardedFor }}
-            proxy_set_header            X-Forwarded-For        $full_x_forwarded_for;
-            {{ else }}
-            proxy_set_header            X-Forwarded-For        $remote_addr;
-            {{ end }}
-
-            {{ if $externalAuth.RequestRedirect }}
-            proxy_set_header            X-Auth-Request-Redirect {{ $externalAuth.RequestRedirect }};
-            {{ else }}
-            proxy_set_header            X-Auth-Request-Redirect $request_uri;
-            {{ end }}
-
-            {{ if $externalAuth.AuthCacheKey }}
-            proxy_buffering                         "on";
-            {{ else }}
-            proxy_buffering                         {{ $location.Proxy.ProxyBuffering }};
-            {{ end }}
-            proxy_buffer_size                       {{ $location.Proxy.BufferSize }};
-            proxy_buffers                           {{ $location.Proxy.BuffersNumber }} {{ $location.Proxy.BufferSize }};
-            proxy_request_buffering                 {{ $location.Proxy.RequestBuffering }};
-            proxy_http_version                      {{ $location.Proxy.ProxyHTTPVersion }};
-
-            proxy_ssl_server_name       on;
-            proxy_pass_request_headers  on;
-            {{ if isValidByteSize $location.Proxy.BodySize true }}
-            client_max_body_size        {{ $location.Proxy.BodySize }};
-            {{ end }}
-            {{ if isValidByteSize $location.ClientBodyBufferSize false }}
-            client_body_buffer_size     {{ $location.ClientBodyBufferSize }};
-            {{ end }}
-
-            # Pass the extracted client certificate to the auth provider
-            {{ if not (empty $server.CertificateAuth.CAFileName) }}
-            {{ if $server.CertificateAuth.PassCertToUpstream }}
-            proxy_set_header ssl-client-cert        $ssl_client_escaped_cert;
-            {{ end }}
-            proxy_set_header ssl-client-verify      $ssl_client_verify;
-            proxy_set_header ssl-client-subject-dn  $ssl_client_s_dn;
-            proxy_set_header ssl-client-issuer-dn   $ssl_client_i_dn;
-            {{ end }}
-
-            {{- range $line := buildAuthProxySetHeaders $externalAuth.ProxySetHeaders}}
-            {{ $line }}
-            {{- end }}
-
-            {{ if not (empty $externalAuth.AuthSnippet) }}
-            {{ $externalAuth.AuthSnippet }}
-            {{ end }}
-
-            set $target {{ $externalAuth.URL }};
-            proxy_pass $target;
-        }
-        {{ end }}
-
-        {{ if isLocationAllowed $location }}
-        {{ if $externalAuth.SigninURL }}
-        location {{ buildAuthSignURLLocation $location.Path $externalAuth.SigninURL }} {
-            internal;
-
-            add_header Set-Cookie $auth_cookie;
-
-            return 302 {{ buildAuthSignURL $externalAuth.SigninURL $externalAuth.SigninURLRedirectParam }};
-        }
-        {{ end }}
-        {{ end }}
-
-        location {{ $path }} {
-            {{ $ing := (getIngressInformation $location.Ingress $server.Hostname $location.IngressPath) }}
-            set $namespace      {{ $ing.Namespace | quote}};
-            set $ingress_name   {{ $ing.Rule | quote }};
-            set $service_name   {{ $ing.Service | quote }};
-            set $service_port   {{ $ing.ServicePort | quote }};
-            set $location_path  {{ $ing.Path | escapeLiteralDollar | quote }};
-            set $global_rate_limit_exceeding n;
-
-            {{ buildOpentracingForLocation $all.Cfg.EnableOpentracing $all.Cfg.OpentracingTrustIncomingSpan $location }}
-
-            {{ if $location.Mirror.Source }}
-            mirror {{ $location.Mirror.Source }};
-            mirror_request_body {{ $location.Mirror.RequestBody }};
-            {{ end }}
-
-            rewrite_by_lua_block {
-                lua_ingress.rewrite({{ locationConfigForLua $location $all }})
-                balancer.rewrite()
-                plugins.run()
-            }
-
-            # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
-            # will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
-            # other authentication method such as basic auth or external auth useless - all requests will be allowed.
-            #access_by_lua_block {
-            #}
-
-            header_filter_by_lua_block {
-                lua_ingress.header()
-                plugins.run()
-            }
-
-            body_filter_by_lua_block {
-                plugins.run()
-            }
-
-            log_by_lua_block {
-                balancer.log()
-                {{ if $all.EnableMetrics }}
-                monitor.call()
-                {{ end }}
-
-                plugins.run()
-            }
-
-            {{ if not $location.Logs.Access }}
-            access_log off;
-            {{ end }}
-
-            {{ if $location.Logs.Rewrite }}
-            rewrite_log on;
-            {{ end }}
-
-            {{ if $location.HTTP2PushPreload }}
-            http2_push_preload on;
-            {{ end }}
-
-            port_in_redirect {{ if $location.UsePortInRedirects }}on{{ else }}off{{ end }};
-
-            set $balancer_ewma_score -1;
-            set $proxy_upstream_name {{ buildUpstreamName $location | quote }};
-            set $proxy_host          $proxy_upstream_name;
-            set $pass_access_scheme  $scheme;
-
-            {{ if $all.Cfg.UseProxyProtocol }}
-            set $pass_server_port    $proxy_protocol_server_port;
-            {{ else }}
-            set $pass_server_port    $server_port;
-            {{ end }}
-
-            set $best_http_host      $http_host;
-            set $pass_port           $pass_server_port;
-
-            set $proxy_alternative_upstream_name "";
-
-            {{ buildModSecurityForLocation $all.Cfg $location }}
-
-            {{ if isLocationAllowed $location }}
-            {{ if gt (len $location.Whitelist.CIDR) 0 }}
-            {{ range $ip := $location.Whitelist.CIDR }}
-            allow {{ $ip }};{{ end }}
-            deny all;
-            {{ end }}
-
-            {{ if not (isLocationInLocationList $location $all.Cfg.NoAuthLocations) }}
-            {{ if $authPath }}
-            # this location requires authentication
-            auth_request        {{ $authPath }};
-            auth_request_set    $auth_cookie $upstream_http_set_cookie;
-            add_header          Set-Cookie $auth_cookie;
-            {{- range $line := buildAuthResponseHeaders $proxySetHeader $externalAuth.ResponseHeaders }}
-            {{ $line }}
-            {{- end }}
-            {{ end }}
-
-            {{ if $externalAuth.SigninURL }}
-            set_escape_uri $escaped_request_uri $request_uri;
-            error_page 401 = {{ buildAuthSignURLLocation $location.Path $externalAuth.SigninURL }};
-            {{ end }}
-
-            {{ if $location.BasicDigestAuth.Secured }}
-            {{ if eq $location.BasicDigestAuth.Type "basic" }}
-            auth_basic {{ $location.BasicDigestAuth.Realm | quote }};
-            auth_basic_user_file {{ $location.BasicDigestAuth.File }};
-            {{ else }}
-            auth_digest {{ $location.BasicDigestAuth.Realm | quote }};
-            auth_digest_user_file {{ $location.BasicDigestAuth.File }};
-            {{ end }}
-            {{ $proxySetHeader }} Authorization "";
-            {{ end }}
-            {{ end }}
-
-            {{/* if the location contains a rate limit annotation, create one */}}
-            {{ $limits := buildRateLimit $location }}
-            {{ range $limit := $limits }}
-            {{ $limit }}{{ end }}
-
-            {{ if $location.CorsConfig.CorsEnabled }}
-            {{ template "CORS" $location }}
-            {{ end }}
-
-            {{ buildInfluxDB $location.InfluxDB }}
-
-            #custom_max_client_body_size_definitions_here
-
-            
-            {{ if isValidByteSize $location.ClientBodyBufferSize false }}
-            client_body_buffer_size                 {{ $location.ClientBodyBufferSize }};
-            {{ end }}
-
-            {{/* By default use vhost as Host to upstream, but allow overrides */}}
-            {{ if not (eq $proxySetHeader "grpc_set_header") }}
-            {{ if not (empty $location.UpstreamVhost) }}
-            {{ $proxySetHeader }} Host                   {{ $location.UpstreamVhost | quote }};
-            {{ else }}
-            {{ $proxySetHeader }} Host                   $best_http_host;
-            {{ end }}
-            {{ end }}
-
-            # Pass the extracted client certificate to the backend
-            {{ if not (empty $server.CertificateAuth.CAFileName) }}
-            {{ if $server.CertificateAuth.PassCertToUpstream }}
-            {{ $proxySetHeader }} ssl-client-cert        $ssl_client_escaped_cert;
-            {{ end }}
-            {{ $proxySetHeader }} ssl-client-verify      $ssl_client_verify;
-            {{ $proxySetHeader }} ssl-client-subject-dn  $ssl_client_s_dn;
-            {{ $proxySetHeader }} ssl-client-issuer-dn   $ssl_client_i_dn;
-            {{ end }}
-
-            # Allow websocket connections
-            {{ $proxySetHeader }}                        Upgrade           $http_upgrade;
-            {{ if $location.Connection.Enabled}}
-            {{ $proxySetHeader }}                        Connection        {{ $location.Connection.Header }};
-            {{ else }}
-            {{ $proxySetHeader }}                        Connection        $connection_upgrade;
-            {{ end }}
-
-            {{ $proxySetHeader }} X-Request-ID           $req_id;
-            {{ $proxySetHeader }} X-Real-IP              $remote_addr;
-            {{ if and $all.Cfg.UseForwardedHeaders $all.Cfg.ComputeFullForwardedFor }}
-            {{ $proxySetHeader }} X-Forwarded-For        $full_x_forwarded_for;
-            {{ else }}
-            {{ $proxySetHeader }} X-Forwarded-For        $remote_addr;
-            {{ end }}
-            {{ $proxySetHeader }} X-Forwarded-Host       $best_http_host;
-            {{ $proxySetHeader }} X-Forwarded-Port       $pass_port;
-            {{ $proxySetHeader }} X-Forwarded-Proto      $pass_access_scheme;
-            {{ $proxySetHeader }} X-Forwarded-Scheme     $pass_access_scheme;
-            {{ if $all.Cfg.ProxyAddOriginalURIHeader }}
-            {{ $proxySetHeader }} X-Original-URI         $request_uri;
-            {{ end }}
-            {{ $proxySetHeader }} X-Scheme               $pass_access_scheme;
-
-            # Pass the original X-Forwarded-For
-            {{ $proxySetHeader }} X-Original-Forwarded-For {{ buildForwardedFor $all.Cfg.ForwardedForHeader }};
-
-            # mitigate HTTPoxy Vulnerability
-            # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
-            {{ $proxySetHeader }} Proxy                  "";
-
-            # Custom headers to proxied server
-            {{ range $k, $v := $all.ProxySetHeaders }}
-            {{ $proxySetHeader }} {{ $k }}                    {{ $v | quote }};
-            {{ end }}
-
-            proxy_connect_timeout                   {{ $location.Proxy.ConnectTimeout }}s;
-            proxy_send_timeout                      {{ $location.Proxy.SendTimeout }}s;
-            proxy_read_timeout                      {{ $location.Proxy.ReadTimeout }}s;
-
-            proxy_buffering                         {{ $location.Proxy.ProxyBuffering }};
-            proxy_buffer_size                       {{ $location.Proxy.BufferSize }};
-            proxy_buffers                           {{ $location.Proxy.BuffersNumber }} {{ $location.Proxy.BufferSize }};
-            {{ if isValidByteSize $location.Proxy.ProxyMaxTempFileSize true }}
-            proxy_max_temp_file_size                {{ $location.Proxy.ProxyMaxTempFileSize }};
-            {{ end }}
-            proxy_request_buffering                 {{ $location.Proxy.RequestBuffering }};
-            proxy_http_version                      {{ $location.Proxy.ProxyHTTPVersion }};
-
-            proxy_cookie_domain                     {{ $location.Proxy.CookieDomain }};
-            proxy_cookie_path                       {{ $location.Proxy.CookiePath }};
-
-            # In case of errors try the next upstream server before returning an error
-            proxy_next_upstream                     {{ buildNextUpstream $location.Proxy.NextUpstream $all.Cfg.RetryNonIdempotent }};
-            proxy_next_upstream_timeout             {{ $location.Proxy.NextUpstreamTimeout }};
-            proxy_next_upstream_tries               {{ $location.Proxy.NextUpstreamTries }};
-
-            {{/* Add any additional configuration defined */}}
-            {{ $location.ConfigurationSnippet }}
-
-            {{ if not (empty $all.Cfg.LocationSnippet) }}
-            # Custom code snippet configured in the configuration configmap
-            {{ $all.Cfg.LocationSnippet }}
-            {{ end }}
-
-            {{/* if we are sending the request to a custom default backend, we add the required headers */}}
-            {{ if (hasPrefix $location.Backend "custom-default-backend-") }}
-            proxy_set_header       X-Code             503;
-            proxy_set_header       X-Format           $http_accept;
-            proxy_set_header       X-Namespace        $namespace;
-            proxy_set_header       X-Ingress-Name     $ingress_name;
-            proxy_set_header       X-Service-Name     $service_name;
-            proxy_set_header       X-Service-Port     $service_port;
-            proxy_set_header       X-Request-ID       $req_id;
-            {{ end }}
-
-            {{ if $location.Satisfy }}
-            satisfy {{ $location.Satisfy }};
-            {{ end }}
-
-            {{/* if a location-specific error override is set, add the proxy_intercept here */}}
-            {{ if $location.CustomHTTPErrors }}
-            # Custom error pages per ingress
-            proxy_intercept_errors on;
-            {{ end }}
-
-            {{ range $errCode := $location.CustomHTTPErrors }}
-            error_page {{ $errCode }} = @custom_{{ $location.DefaultBackendUpstreamName }}_{{ $errCode }};{{ end }}
-
-            {{ if (eq $location.BackendProtocol "FCGI") }}
-            include /etc/nginx/fastcgi_params;
-            {{ end }}
-            {{- if $location.FastCGI.Index -}}
-            fastcgi_index {{ $location.FastCGI.Index | quote }};
-            {{- end -}}
-            {{ range $k, $v := $location.FastCGI.Params }}
-            fastcgi_param {{ $k }} {{ $v | quote }};
-            {{ end }}
-
-            {{ if not (empty $location.Redirect.URL) }}
-            return {{ $location.Redirect.Code }} {{ $location.Redirect.URL }};
-            {{ end }}
-
-            {{ buildProxyPass $server.Hostname $all.Backends $location }}
-            {{ if (or (eq $location.Proxy.ProxyRedirectFrom "default") (eq $location.Proxy.ProxyRedirectFrom "off")) }}
-            proxy_redirect                          {{ $location.Proxy.ProxyRedirectFrom }};
-            {{ else if not (eq $location.Proxy.ProxyRedirectTo "off") }}
-            proxy_redirect                          {{ $location.Proxy.ProxyRedirectFrom }} {{ $location.Proxy.ProxyRedirectTo }};
-            {{ end }}
-            {{ else }}
-            # Location denied. Reason: {{ $location.Denied | quote }}
-            return 503;
-            {{ end }}
-            {{ if not (empty $location.ProxySSL.CAFileName) }}
-            # PEM sha: {{ $location.ProxySSL.CASHA }}
-            proxy_ssl_trusted_certificate           {{ $location.ProxySSL.CAFileName }};
-            proxy_ssl_ciphers                       {{ $location.ProxySSL.Ciphers }};
-            proxy_ssl_protocols                     {{ $location.ProxySSL.Protocols }};
-            proxy_ssl_verify                        {{ $location.ProxySSL.Verify }};
-            proxy_ssl_verify_depth                  {{ $location.ProxySSL.VerifyDepth }};
-            {{ end }}
-
-            {{ if not (empty $location.ProxySSL.ProxySSLName) }}
-            proxy_ssl_name                          {{ $location.ProxySSL.ProxySSLName }};
-            {{ end }}
-            {{ if not (empty $location.ProxySSL.ProxySSLServerName) }}
-            proxy_ssl_server_name                   {{ $location.ProxySSL.ProxySSLServerName }};
-            {{ end }}
-
-            {{ if not (empty $location.ProxySSL.PemFileName) }}
-            proxy_ssl_certificate                   {{ $location.ProxySSL.PemFileName }};
-            proxy_ssl_certificate_key               {{ $location.ProxySSL.PemFileName }};
-            {{ end }}
-        }
-        {{ end }}
-        {{ end }}
-
-        {{ if eq $server.Hostname "_" }}
-        # health checks in cloud providers require the use of port {{ $all.ListenPorts.HTTP }}
-        location {{ $all.HealthzURI }} {
-            {{ if $all.Cfg.EnableOpentracing }}
-            opentracing off;
-            {{ end }}
-
-            access_log off;
-            return 200;
-        }
-
-        # this is required to avoid error if nginx is being monitored
-        # with an external software (like sysdig)
-        location /nginx_status {
-            {{ if $all.Cfg.EnableOpentracing }}
-            opentracing off;
-            {{ end }}
-
-            {{ range $v := $all.NginxStatusIpv4Whitelist }}
-            allow {{ $v }};
-            {{ end }}
-            {{ if $all.IsIPV6Enabled -}}
-            {{ range $v := $all.NginxStatusIpv6Whitelist }}
-            allow {{ $v }};
-            {{ end }}
-            {{ end -}}
-            deny all;
-
-            access_log off;
-            stub_status on;
-        }
-
-        {{ end }}
-
-{{ end }}
diff --git a/ingress/prod_issuer.yaml b/ingress/prod_issuer.yaml
deleted file mode 100644
index 0d04af7d113ab886e0045f454ac447ae6ff0d103..0000000000000000000000000000000000000000
--- a/ingress/prod_issuer.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt-prod
-  namespace: cert-manager
-spec:
-  acme:
-    # The ACME server URL
-    server: https://acme-v02.api.letsencrypt.org/directory
-    # Email address used for ACME registration
-    email: andri@joos.io
-    # Name of a secret used to store the ACME account private key
-    privateKeySecretRef:
-      name: letsencrypt-prod
-    # Enable the HTTP-01 challenge provider
-    solvers:
-    - http01:
-        ingress:
-          class: nginx
diff --git a/ingress/staging_issuer.yaml b/ingress/staging_issuer.yaml
deleted file mode 100644
index 5bcf67f2bff17af73809bc3d4fc8f09c52e71a84..0000000000000000000000000000000000000000
--- a/ingress/staging_issuer.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
- name: letsencrypt-staging
- namespace: cert-manager
-spec:
- acme:
-   # The ACME server URL
-   server: https://acme-staging-v02.api.letsencrypt.org/directory
-   # Email address used for ACME registration
-   email: andri@joos.io
-   # Name of a secret used to store the ACME account private key
-   privateKeySecretRef:
-     name: letsencrypt-staging
-   # Enable the HTTP-01 challenge provider
-   solvers:
-   - http01:
-       ingress:
-         class:  nginx
diff --git a/joos.io/homepage/assets/assets/favicon/favicon.ico b/joos.io/homepage/assets/assets/favicon/favicon.ico
deleted file mode 100644
index 2ee25c17900a2a4b11b17b1e0cf1194950ef6409..0000000000000000000000000000000000000000
Binary files a/joos.io/homepage/assets/assets/favicon/favicon.ico and /dev/null differ
diff --git a/joos.io/homepage/assets/assets/fonts/nothing.ttf b/joos.io/homepage/assets/assets/fonts/nothing.ttf
deleted file mode 100644
index b8e4a80aa85b654485b5790d7a11340c8db900e9..0000000000000000000000000000000000000000
Binary files a/joos.io/homepage/assets/assets/fonts/nothing.ttf and /dev/null differ
diff --git a/joos.io/homepage/assets/assets/fonts/nothing.woff b/joos.io/homepage/assets/assets/fonts/nothing.woff
deleted file mode 100644
index 11418e2bf95dee9eeb775a23bba733c636176a0e..0000000000000000000000000000000000000000
Binary files a/joos.io/homepage/assets/assets/fonts/nothing.woff and /dev/null differ
diff --git a/joos.io/homepage/assets/css/style.css b/joos.io/homepage/assets/css/style.css
deleted file mode 100644
index 51f87a13e39cbffd28a0a655bac1f15e8ceeef94..0000000000000000000000000000000000000000
--- a/joos.io/homepage/assets/css/style.css
+++ /dev/null
@@ -1,291 +0,0 @@
-body {
-  font-family: "Nothing Font (5x7)";
-  src: url("assets/fonts/nothing.woff") format("woff"), url("assets/fonts/nothing.ttf") format("truetype");
-  color: white;
-  background-color: #212121;
-	/*background-color: #121212;*/
-	font-size: 20px;
-}
-
-h1 {
-  font-size: 50px;
-  text-align: center;
-  font-weight: normal;
-}
-
-* {
-  box-sizing: border-box;
-}
-/* Create two equal columns that floats next to each other */
-.column {
-  float: left;
-  width: 50%;
-  padding: 10px;
-}
-
-.column h2 {
-  text-align: center;
-  font-weight: normal;
-  font-size: 45px;
-}
-
-
-/* Clear floats after the columns */
-.row:after {
-  content: "";
-  display: table;
-  clear: both;
-}
-
-.center {
-	text-align: center;
-}
-
-/* Responsive layout - makes the two columns stack on top of each other instead of next to each other */
-@media screen and (max-width: 600px) {
-  .column {
-    width: 100%;
-  }
-}
-
-/*@import url('https://fonts.googleapis.com/css2?family=Ubuntu&display=swap');*/
-
-/* General button style */
-.btn {
-	font-family: inherit;
-	/*font-family: "Ubuntu";*/
-	border: none;
-	font-size: inherit;
-	color: inherit;
-	background: none;
-	cursor: pointer;
-	padding: 25px 80px;
-	display: inline-block;
-	margin: 15px 30px;
-	text-transform: uppercase;
-	letter-spacing: 1px;
-	font-weight: 700;
-	outline: none;
-	position: relative;
-	-webkit-transition: all 0.3s;
-	-moz-transition: all 0.3s;
-	transition: all 0.3s;
-}
-
-.btn:after {
-	content: '';
-	position: absolute;
-	z-index: -1;
-	-webkit-transition: all 0.3s;
-	-moz-transition: all 0.3s;
-	transition: all 0.3s;
-}
-
-
-
-/* Element Button */
-.btn-element {
-	background: #0dbd8b;
-	color: #fff;
-}
-
-.btn-element:hover {
-	background: #55d0ad; /*4th tint*/
-}
-
-.btn-element:active {
-	background: #098461; /*4th shade*/
-	top: 2px;
-}
-
-.btn-element:before {
-	position: absolute;
-	height: 100%;
-	left: 0;
-	top: 0;
-	line-height: 3;
-	font-size: 140%;
-	width: 60px;
-}
-
-/* Gitlab Button */
-
-.btn-gitlab {
-	background: #fc6d27;
-	color: #fff;
-}
-
-.btn-gitlab:hover {
-	background: #fca326;
-}
-
-.btn-gitlab:active {
-	background: #e2432a;
-	top: 2px;
-}
-
-.btn-gitlab:before {
-	position: absolute;
-	height: 100%;
-	left: 0;
-	top: 0;
-	line-height: 3;
-	font-size: 140%;
-	width: 60px;
-}
-
-/* Bitwarden Button */
-
-.btn-bitwarden {
-	background: #185ddc;
-	color: #fff;
-}
-
-.btn-bitwarden:hover {
-	background: #5d8de6; /*4th tint*/
-}
-
-.btn-bitwarden:active {
-	background: #10419a; /*4th shade*/
-	top: 2px;
-}
-
-.btn-bitwarden:before {
-	position: absolute;
-	height: 100%;
-	left: 0;
-	top: 0;
-	line-height: 3;
-	font-size: 140%;
-	width: 60px;
-}
-
-/* Cloud Button */
-
-.btn-cloud {
-	background: #19a8f6;
-	color: #fff;
-}
-
-.btn-cloud:hover {
-	background: #5ec2f8; /*4th tint*/
-}
-
-.btn-cloud:active {
-	background: #1175ac; /*4th shade*/
-	top: 2px;
-}
-
-.btn-cloud:before {
-	position: absolute;
-	height: 100%;
-	left: 0;
-	top: 0;
-	line-height: 3;
-	font-size: 140%;
-	width: 60px;
-}
-
-/* Streama Button */
-
-.btn-streama {
-	background: #8bb7c9;
-	color: #fff;
-}
-
-.btn-streama:hover {
-	background: #adccd9; /*4th tint*/
-}
-
-.btn-streama:active {
-	background: #61808c; /*4th shade*/
-	top: 2px;
-}
-
-.btn-streama:before {
-	position: absolute;
-	height: 100%;
-	left: 0;
-	top: 0;
-	line-height: 3;
-	font-size: 140%;
-	width: 60px;
-}
-
-/* Home Button */
-
-.btn-home {
-	background: #b07e4b;
-	color: #fff;
-}
-
-.btn-home:hover {
-	background: #c7a481; /*4th tint*/
-}
-
-.btn-home:active {
-	background: #7b5834; /*4th shade*/
-	top: 2px;
-}
-
-.btn-home:before {
-	position: absolute;
-	height: 100%;
-	left: 0;
-	top: 0;
-	line-height: 3;
-	font-size: 140%;
-	width: 60px;
-}
-
-/* Drawio Button */
-
-.btn-drawio {
-	background: #f08805;
-	color: #fff;
-}
-
-.btn-drawio:hover {
-	background: #f4ab50; /*4th tint*/
-}
-
-.btn-drawio:active {
-	background: #a85f03; /*4th shade*/
-	top: 2px;
-}
-
-.btn-drawio:before {
-	position: absolute;
-	height: 100%;
-	left: 0;
-	top: 0;
-	line-height: 3;
-	font-size: 140%;
-	width: 60px;
-}
-
-/* CodiMD Button */
-
-.btn-codimd {
-	background: #000000;
-	color: #fff;
-}
-
-.btn-codimd:hover {
-	background: #4c4c4c; /*4th tint*/
-}
-
-.btn-codimd:active {
-	background: #000000; /*4th shade*/
-	top: 2px;
-}
-
-.btn-codimd:before {
-	position: absolute;
-	height: 100%;
-	left: 0;
-	top: 0;
-	line-height: 3;
-	font-size: 140%;
-	width: 60px;
-}
diff --git a/joos.io/homepage/assets/index.html b/joos.io/homepage/assets/index.html
deleted file mode 100644
index d5c79b361c32e313f291238324fb81aa2b7f27af..0000000000000000000000000000000000000000
--- a/joos.io/homepage/assets/index.html
+++ /dev/null
@@ -1,68 +0,0 @@
-<!DOCTYPE html>
-<html>
-
-<head>
-  <meta charset="utf-8">
-  <title>Our services</title>
-  <meta name="author" content="Andri & Joel Joos">
-  <meta name="viewport" content="width=device-width, initial-scale=1">
-
-  <link rel="icon" type="image/x-icon" href="assets/favicon/favicon.ico">
-  <link href="css/style.css" rel="stylesheet">
-  <script defer src="https://friconix.com/cdn/friconix.js"> </script> 
-</head>
-
-<body>
-  <h1>Di Besta Links</h1>
-  <div class="row">
-    <div class="column">
-      <h2>Andri</h2>
-      <div class="center">
-        <div class="row">
-          <a href="https://andri.joos.io"><button class="btn btn-home"><i class="fi-xnsuxl-house-solid"></i> Home</button></a>
-        </div>
-        <div class="row">
-          <a href="https://git.420joos.dev"><button class="btn btn-gitlab"><i class="fi-xnsuxl-gitlab-solid"></i> GitLab</button></a>
-        </div>
-        <div class="row">
-          <a href="https://pwm.420joos.dev"><button class="btn btn-bitwarden"><i class="fi-xnsuxl-key-alt-solid"></i> Bitwarden</button></a>
-        </div>
-        <div class="row">
-          <a href="https://element.420joos.dev"><button class="btn btn-element"><i class="fi-xnsuxl-matrix"></i> Element</button></a>
-        </div> 
-        <div class="row">
-          <a href="https://cloud.420joos.dev"><button class="btn btn-cloud"><i class="fi-xnsuxl-cloud-solid"></i> Cloud</button></a>
-        </div>
-        <div class="row">
-          <a href="https://streama.420joos.dev"><button class="btn btn-streama"><i class="fi-xwsuxl-youtube"></i> Streama</button></a>
-        </div>
-      </div>
-    </div>
-
-
-    <div class="column">
-      <h2>Joel</h2>
-      <div class="center">
-        <div class="row">
-          <a href="https://joos.io"><button class="btn btn-home"><i class="fi-xnsuxl-house-solid"></i> Home</button></a>
-        </div>
-        <div class="row">
-          <a href="https://gitlab.joos.io"><button class="btn btn-gitlab"><i class="fi-xnsuxl-gitlab-solid"></i> GitLab</button></a>
-        </div>
-        <div class="row">
-          <a href="https://pwm.joos.io"><button class="btn btn-bitwarden"><i class="fi-xnsuxl-key-alt-solid"></i> Bitwarden</button></a>
-        </div>
-        <div class="row">
-          <a href="https://draw.joos.io"><button class="btn btn-drawio"><i class="fi-xwsuxl-pen"></i> draw.io</button></a>
-        </div>
-        <div class="row">
-          <a href="https://codimd.joos.io"><button class="btn btn-codimd"><i class="fi-xnluxl-code"></i> CodiMD</button></a>
-        </div>
-      </div>
-    </div>
-
-  </div>
-
-</body>
-
-</html>
diff --git a/joos.io/homepage/joos.io_small.yaml b/joos.io/homepage/joos.io_small.yaml
deleted file mode 100644
index b0bf250ed0bf455d9370f522c8b44f3f2ffccd99..0000000000000000000000000000000000000000
--- a/joos.io/homepage/joos.io_small.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-apiVersion: v1
-type: nginx
-name: joos-io-homepage
-namespace: joos-io-homepage
-deployments:
-- id: default
-  name: nginx
-  uri: ${JOOS_IO_BASE_URL}
-  imagePullSecrets: []
-  volumes:
-    index-html:
-      content:
-      - joos.io/homepage/assets/index.html
-      mountPath: /usr/share/nginx/html/
-      subPath: true
-      type: configMap
-    # not possible as configmap due to file size limits
-    assets:
-      mountPath: /usr/share/nginx/html/assets
-      nfs:
-        path: /joos.io/homepage/assets
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 100Mi
-      type: pv
-    css:
-      content:
-      - joos.io/homepage/assets/css/style.css
-      mountPath: /usr/share/nginx/html/css
-      type: configMap
\ No newline at end of file
diff --git a/my_bot/my_bot.yaml b/my_bot/my_bot.yaml
deleted file mode 100644
index 1a57c9aae0d2be38ebf44ded97b08e547efea993..0000000000000000000000000000000000000000
--- a/my_bot/my_bot.yaml
+++ /dev/null
@@ -1,54 +0,0 @@
-apiVersion: v1
-name: my-bot
-namespace: my-bot
-type: none
-deployments:
-- id: default
-  env:
-    content:
-      BASE_DIR: /data
-      BASE_URL: matrix.420joos.dev
-      ROOM_ID: "!vIyCoGLKXcSWJZMEAN"
-      USERNAME: mybot
-      PASSWORD: "_fsuxGgSCwmd-STlrzTf33NvatKVV8CU"
-      NEXT_BATCH_PATH: /matrix_data/next_batch.txt
-      STORE_PATH: /matrix_data/store
-      TIMERS_PATH: /backup/timers.txt
-      TASKS_PATH: /backup/tasks.txt
-      TASKGROUPS_PATH: /backup/taskgroups.json
-      LOG_PATH: /matrix_data/log.txt
-  image: ${MY_BOT_IMAGE}
-  name: my-bot
-  privileged: false
-  imagePullSecrets:
-  - registry-420joos-dev-creds
-  volumes:
-    backup:
-      accessModes:
-      - ReadWriteMany
-      mountPath: /backup
-      nfs:
-        path: /my_bot/backup
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 300Mi
-      type: pv
-    matrix-data:
-      accessModes:
-      - ReadWriteMany
-      mountPath: /matrix_data
-      nfs:
-        path: /my_bot/matrix_data
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 100Mi
-      type: pv
-    data:
-      accessModes:
-      - ReadWriteOnce
-      mountPath: /data
-      nfs:
-        path: /
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 100Mi
-      type: pv
-
-    
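Review bot: Deleting my_bot/my_bot.yaml does not retire the bot account password that was stored in plain text under `env.content.PASSWORD`. The value stays readable in every earlier commit and in this diff, so it should be rotated and treated as disclosed. The same applies to the database credentials removed in nextcloud/nextcloud_small.yaml, sonarqube/sonar.properties, sonarqube/sonarqube.yaml and streama/application.yml (also in the commented-out MySQL block of streama/streama_small.yaml), and to the GitLab OAuth `sonar.auth.gitlab.secret.secured` value, the Postgres URI and the provisioning `shared_secret` in synapse/bridges/mautrix-telegram/config.yaml. If these services are redeployed from another repository, the values belong in a secret store or masked CI variables rather than in tracked files. A secret-scanning job in the pipeline would catch any that reappear.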
diff --git a/nextcloud/nextcloud_small.yaml b/nextcloud/nextcloud_small.yaml
deleted file mode 100644
index d27313b9366d2cf8ec91c1b4f9b1a302a7b22a85..0000000000000000000000000000000000000000
--- a/nextcloud/nextcloud_small.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-apiVersion: v1
-name: nextcloud
-namespace: nextcloud
-type: nextcloud
-deployments:
-- id: default
-  env:
-    content:
-      POSTGRES_DB: nextclouddb
-      POSTGRES_USER: 88a16dd8d4bf # nextcloud db user/pw in config/config.php
-      POSTGRES_PASSWORD: 0fb01de0cbcf
-      NEXTCLOUD_TRUSTED_DOMAINS: "cloud.${BASE_URL}"
-  uri: 
-  - cloud.${BASE_URL}
-  - cloud.${JOOS_IO_BASE_URL}
-  volumes:
-    config:
-      nfs:
-        path: /nextcloud/config
-    data:
-      nfs:
-        path: /nextcloud/data
-    custom-apps:
-      nfs:
-        path: /nextcloud/custom_apps
-    themes:
-      nfs:
-        path: /nextcloud/themes
-- id: postgres
-  env:
-    content:
-      POSTGRES_DB: nextclouddb
-      POSTGRES_USER: 88a16dd8d4bf
-      POSTGRES_PASSWORD: 0fb01de0cbcf
-  volumes:
-    db:
-      nfs:
-        path: /nextcloud/db
diff --git a/nfs/nfs_small.yaml b/nfs/nfs_small.yaml
deleted file mode 100644
index f396c21e0419e8e71edec2003139e16aa64b7619..0000000000000000000000000000000000000000
--- a/nfs/nfs_small.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-name: nfs
-namespace: nfs-server
-type: nfs
-deployments:
-- id: nfs-server
-  name: nfs-server
-  volumes:
-   nfs-data:
-      size: 1Ti
diff --git a/images/nfs/nfsd.sh b/nfsd.sh
similarity index 100%
rename from images/nfs/nfsd.sh
rename to nfsd.sh
diff --git a/octobot/octobot_small.yaml b/octobot/octobot_small.yaml
deleted file mode 100644
index 547a2d4c50512dd4b77e25b5698cbb03c108730b..0000000000000000000000000000000000000000
--- a/octobot/octobot_small.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-name: octobot
-namespace: octobot
-type: octobot
-deployments:
-- id: default
-  # uri: octobot.${BASE_URL}
-  exposedHttpPort: null
-  volumes:
-    user-config:
-      nfs:
-        path: /octobot/user
-    tentacles:
-      nfs:
-        path: /octobot/tentacles
diff --git a/sonarqube/sonar.properties b/sonarqube/sonar.properties
deleted file mode 100644
index 7fd39436b55891a30adb5dff9f80f7a9b36fe118..0000000000000000000000000000000000000000
--- a/sonarqube/sonar.properties
+++ /dev/null
@@ -1,12 +0,0 @@
-sonar.jdbc.username=54a6b1a8-63d0-43cb-8de4-110ec1f6bf8f
-sonar.jdbc.password=1782a48c-92ec-485a-bc09-9ab8ae223251
-sonar.jdbc.url=jdbc:postgresql://postgres/sonarqube
-sonar.path.data=/var/sonarqube/data
-sonar.auth.gitlab.enabled=True
-sonar.auth.gitlab.url=https://git.420joos.dev
-sonar.auth.gitlab.applicationId.secured=461e510ad0980681e64df062e544cb3d7f9708e6609a8f07ead57d360f4627c7
-sonar.auth.gitlab.secret.secured=ad777fb8c554be3447dd70689a381bfe09e68b385f536992009a90f64cbf5627
-sonar.auth.gitlab.allowUsersToSignUp=True
-sonar.auth.gitlab.groupsSync=False
-sonar.core.serverBaseURL=https://sonarqube.420joos.dev/
-sonar.projectCreation.mainBranchName=master
diff --git a/sonarqube/sonarqube.yaml b/sonarqube/sonarqube.yaml
deleted file mode 100644
index 6c2ffeb6618d19f955ed06f54456beee0f6a0c35..0000000000000000000000000000000000000000
--- a/sonarqube/sonarqube.yaml
+++ /dev/null
@@ -1,54 +0,0 @@
-apiVersion: v1
-name: sonarqube
-namespace: sonarqube
-type: none
-deployments:
-- id: default
-  env:
-    content:
-      SONAR_ES_BOOTSTRAP_CHECKS_DISABLE: "true"
-  exposedHttpPort: 9000
-  image: sonarqube:10.0.0-community
-  name: sonarqube
-  uri: sonarqube.${BASE_URL}
-  maxUploadSize: 50m
-  volumes:
-    data:
-      accessModes:
-      - ReadWriteMany
-      mountPath: /var/sonarqube/data
-      nfs:
-        path: /sonarqube/data
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 1Gi
-      type: pv
-    test-back-configmap:
-      content:
-      - sonarqube/sonar.properties
-      mountPath: /opt/sonarqube/conf
-      subPath: true
-      type: configMap
-- id: postgres
-  env:
-    content:
-      LC_COLLATE: C
-      LC_CTYPE: C
-      POSTGRES_INITDB_ARGS: "-E utf8"
-      POSTGRES_DB: sonarqube
-      POSTGRES_USER: 54a6b1a8-63d0-43cb-8de4-110ec1f6bf8f
-      POSTGRES_PASSWORD: 1782a48c-92ec-485a-bc09-9ab8ae223251
-  image: postgres:15-alpine
-  name: postgres
-  ports:
-    clusterIP:
-    - port: 5432
-      protocol: TCP
-      targetPort: 5432
-  volumes:
-    db:
-      mountPath: /var/lib/postgresql/data
-      nfs:
-        path: /sonarqube/db
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 2Gi
-      type: pv
diff --git a/streama/application.yml b/streama/application.yml
deleted file mode 100644
index 16cfdb2dbd5743bb4c28c2442d9a15b9a5bf9dac..0000000000000000000000000000000000000000
--- a/streama/application.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-environments:
-  production:
-    dataSource:
-      dbCreate: update
-      # driverClassName: 'com.mysql.jdbc.Driver' # bug https://github.com/streamaserver/streama/issues/1022 or https://stackoverflow.com/questions/50081527/cant-connect-to-mysql-from-java-nullpointerexception-inside-mysql-driver-conne
-      # url: jdbc:mysql://mysql:3306/streama
-      driverClassName: 'org.h2.Driver'
-      url: jdbc:h2:/db/streama;MVCC=TRUE;LOCK_TIMEOUT=10000;DB_CLOSE_ON_EXIT=FALSE
-      username: a5ad751bdec5
-      password: fed6b4dd7fb9
-      properties:
-        jmxEnabled: true
-        initialSize: 5
-        maxActive: 50
-        minIdle: 5
-        maxIdle: 25
-        maxWait: 10000
-        maxAge: 600000
-        timeBetweenEvictionRunsMillis: 5000
-        minEvictableIdleTimeMillis: 60000
-        validationQuery: SELECT 1
-        validationQueryTimeout: 3
-        validationInterval: 15000
-        testOnBorrow: true
-        testWhileIdle: true
-        testOnReturn: false
-        jdbcInterceptors: ConnectionState
-        defaultTransactionIsolation: 2 # TRANSACTION_READ_COMMITTED
-    server:
-      port: 8080
\ No newline at end of file
diff --git a/streama/streama_small.yaml b/streama/streama_small.yaml
deleted file mode 100644
index 55267a802a50b4429b3d2335804342385580c324..0000000000000000000000000000000000000000
--- a/streama/streama_small.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
-apiVersion: v1
-name: streama
-namespace: streama
-type: none
-deployments:
-- id: default
-  # set env var for application environment
-  exposedHttpPort: 8080
-  image: ${STREAMA_IMAGE}
-  name: streama-server
-  uri: streama.${BASE_URL}
-  maxUploadSize: 5g
-  imagePullSecrets:
-  - registry-420joos-dev-creds
-  volumes:
-    media:
-      mountPath: /data/streama
-      nfs:
-        path: /streama/media
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 100Gi
-      type: pv
-    db: # unfortunately, external mysql doesn't work (see in application.yml)
-      mountPath: /db
-      nfs:
-        path: /streama/db
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 1Gi
-      type: pv
-    application-config:
-      content:
-      - streama/application.yml
-      mountPath: /app/streama/bin/
-      subPath: true
-      type: configMap
-    cloud-sources:
-      accessModes:
-      - ReadOnlyMany
-      mountPath: /cloud_sources
-      nfs:
-        path: /nextcloud/data/video-store/files/
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 1Gi
-      type: pv
-# - id: mysql
-#   image: mysql/mysql-server:latest
-#   name: mysql
-#   env:
-#     content:
-#       MYSQL_TCP_PORT: "3306"
-#       MYSQL_ROOT_PASSWORD: 242a4060cc28
-#       MYSQL_DATABASE: streama
-#       MYSQL_USER: a5ad751bdec5
-#       MYSQL_PASSWORD: fed6b4dd7fb9
-#   ports:
-#     clusterIP:
-#     - port: 3306
-#       protocol: TCP
-#       targetPort: 3306
-#   volumes:
-#     mysql-db:
-#       mountPath: /var/lib/mysql
-#       nfs:
-#         server: ${PRODCLUSTER_DEVICE_IP}
-#       size: 500Mi
-#       type: pv
diff --git a/synapse-admin/synapse_admin_small.yaml b/synapse-admin/synapse_admin_small.yaml
deleted file mode 100644
index 0a4aff60756a6c580bf5cf5208e176e1db8de3fe..0000000000000000000000000000000000000000
--- a/synapse-admin/synapse_admin_small.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-name: synapse-admin
-namespace: synapse-admin
-type: synapse-admin
-deployments:
-- id: default
-  uri: synapse-admin.${BASE_URL}
diff --git a/synapse/README.md b/synapse/README.md
deleted file mode 100644
index 2d9ba20570136d40a57172e33c53c4b1b2c8b625..0000000000000000000000000000000000000000
--- a/synapse/README.md
+++ /dev/null
@@ -1,86 +0,0 @@
-# Matrix-Server (Synapse-Server)
-
-
-
-## Anwendung
-
-Vom Server werden sämtliche Applikationen, welche auf dem Matrix-Protokoll aufbauen, unterstützt und können nach Belieben gewählt werden. In diesem Beispiel wird mit Element (ehemalig Riot.im) gearbeitet, da dies der bekannteste Client für einen Matrix-Server ist. Element ist als Weboberfläche und als App verfügbar.
-
-### Anwendung über das Webinterface
-
-Das Webinterface von Element ist via https://app.element.io/ erreichbar.
-
-
-
-#### Sign-Up
-
-Wenn die Registrierung auf dem Standard-Server https://matrix.org erfolgt, ist es möglich dass einige Nutzer und Räume nicht gefunden werden, da diese nur für Benutzer des Servers https://matrix.420joos.dev freigegeben sind.
-
-Deshalb sollte als erstes der Homeserver https://matrix.420joos.dev konfiguriert werden. Dafür die Auswahl der Homeserver öffnen.
-
-![Sign up edit homeserver](docu_attachments/img/app_element_io_sign_up_edit_homeserver.png)
-
-Dann muss der Punkt "Anderer Heimserver" ausgewählt werden. Dort wird die Server-Adresse matrix.420joos.dev eingetragen.
-
-![Sign up change server address](docu_attachments/img/app_element_io_sign_up_homeserver_address.png)
-
-Der Dialog kann mit "Forfahren" bestätigt und geschlossen werden. Nun kann ein Username und ein Passwort gewählt werden. Dabei ist zu beachten:
-
-- Passwort (erforderliche Zeichen)
-  - Minimale Länge: 0 Zeichen (zukünftig 8 Zeichen)
-  - (Zukünftig mindestens eine Zahl)
-  - (Zukünftig mindestens einen Kleinbuchstaben)
-  - (Zukünftig mindestens einen Grossbuchstaben)
-  
-  Eingeklammerte Spezifikationen sind momentan noch nicht erforderlich, werden aber in einem zeitnahen Upgrade des Servers umgesetzt. Es wird deshalb empfohlen, diese bereits jetzt zu umtzsetzen. 
-- Username (erlaubte Zeichen)
-  - Kleinbuchstaben
-  - Zahlen
-  - Bindestrich (-) und Unterstrich (_)
-
-![Sign up set username and password](docu_attachments/img/app_element_io_sign_up_username_pw.png)
-
-
-
-#### Sign-In
-
-Beim Homeserver muss die Serveradresse angegeben werden bei welcher die Registrierung erfolgte. Dafür die Auswahl der Homeserver öffnen.
-
-![Sign in edit homeserver](docu_attachments/img/app_element_io_login_edit_homeserver.png)
-
-Dann muss der Punkt "Anderer Heimserver" ausgewählt werden. Dort wird die Server-Adresse des Servers, auf dem die Registrierung erfolgte, z.B. matrix.420joos.dev, eingetragen.
-
-![Sign in change server address](docu_attachments/img/app_element_io_login_homeserver_address.png)
-
-Der Dialog kann mit "Forfahren" bestätigt und geschlossen werden. Nun nur noch den Usernamen und das Passwort angeben und mit "Anmelden" einloggen.
-
-![Sign in fill username and password](docu_attachments/img/app_element_io_login_username_pw.png)
-
-Das neue Login sollte mit einem bereits bestehenden Login verifiziert werden, da ansonsten alte Nachrichten nicht mehr entschlüsseln werden können und man den übrigen Usern als unverifiziert angezeigt wird. Zudem sind einige Räume nur verifizierten Sitzungen zugänglich.
-
-*Alternativ kann das Login mittels eines generierten Sicherheitsschlüssels verifiziert werden. Tutorial noch nicht fertig. Benutzung auf eigene Gefahr!*
-
-Die Verifizierung wird mit "Mit anderem Gerät verifizieren" gestartet.
-
-![Sign in choose verification method](docu_attachments/img/app_element_io_login_verification.png)
-
-Nun wird auf allen weiteren angemelteten Sitzungen eine Meldung für die für die Bestätigung der Verifizierung angezeigt.
-
-![Sign in verification message web](docu_attachments/img/app_element_io_login_verification_web.png)
-
-<img alt="Sign in verification message app" src="docu_attachments/img/app_element_io_login_verification_client_verify_device.jpg" style="zoom:30%;" />
-
-Wenn eines der beiden Geräte fähig ist, einen QR-Code auf dem anderen Gerät zu lesen, sollte "Ihren Code scannen" ausgewählt werden. Andernfalls kann auch die weniger sichere Methode, Emojis vergleichen, gewählt werden. 
-
-![Sign in verification qr code](docu_attachments/img/app_element_io_login_verification_qr.png)
-
-<img alt="Sign in verification scan qr code" src="docu_attachments/img/app_element_io_login_verification_client_verify_device_scan_code_or_other_method.jpeg" style="zoom:30%;" />
-
-Nun noch den QR-Code scannen.
-
-<img alt="Sign in verification scanning qr code" src="docu_attachments/img/app_element_io_login_verification_client_scan_qr.jpg" style="zoom:30%;" />
-
-Wenn die angezeigten Schilder übereinstimmen, den Dialog bestätigen. Die Verifizierung war erfolgreich!
-
-![Sign in confirm verification](docu_attachments/img/app_element_io_login_verification_apply.png)
-
diff --git a/synapse/bridges/mautrix-telegram/config.yaml b/synapse/bridges/mautrix-telegram/config.yaml
deleted file mode 100644
index 5620883e5866aeccd143da7f6bfb428e9ca5da37..0000000000000000000000000000000000000000
--- a/synapse/bridges/mautrix-telegram/config.yaml
+++ /dev/null
@@ -1,545 +0,0 @@
-# Homeserver details
-homeserver:
-    # The address that this appservice can use to connect to the homeserver.
-    address: https://matrix.420joos.dev
-    # The domain of the homeserver (for MXIDs, etc).
-    domain: matrix.420joos.dev
-    # Whether or not to verify the SSL certificate of the homeserver.
-    # Only applies if address starts with https://
-    verify_ssl: true
-    asmux: false
-    # Number of retries for all HTTP requests if the homeserver isn't reachable.
-    http_retry_count: 4
-    # The URL to push real-time bridge status to.
-    # If set, the bridge will make POST requests to this URL whenever a user's Telegram connection state changes.
-    # The bridge will use the appservice as_token to authorize requests.
-    status_endpoint:
-    # Endpoint for reporting per-message status.
-    message_send_checkpoint_endpoint:
-    # Whether asynchronous uploads via MSC2246 should be enabled for media.
-    # Requires a media repo that supports MSC2246.
-    async_media: false
-
-# Application service host/registration related details
-# Changing these values requires regeneration of the registration.
-appservice:
-    # The address that the homeserver can use to connect to this appservice.
-    address: http://mautrix-telegram:29317
-    # When using https:// the TLS certificate and key files for the address.
-    tls_cert: false
-    tls_key: false
-
-    # The hostname and port where this appservice should listen.
-    hostname: 0.0.0.0
-    port: 29317
-    # The maximum body size of appservice API requests (from the homeserver) in mebibytes
-    # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
-    max_body_size: 1
-
-    # The full URI to the database. SQLite and Postgres are supported.
-    # Format examples:
-    #   SQLite:   sqlite:///filename.db
-    #   Postgres: postgres://username:password@hostname/dbname
-    database: postgres://c13603017bd2:c0b8a11d28cc@postgres-mautrix-telegram/mautrixtelegramdb
-    # Additional arguments for asyncpg.create_pool() or sqlite3.connect()
-    # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
-    # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
-    # For sqlite, min_size is used as the connection thread pool size and max_size is ignored.
-    database_opts:
-        min_size: 1
-        max_size: 10
-    public:
-        # Whether or not the public-facing endpoints should be enabled.
-        enabled: false
-        # The prefix to use in the public-facing endpoints.
-        prefix: /public
-        # The base URL where the public-facing endpoints are available. The prefix is not added
-        # implicitly.
-        external: https://example.com/public
-
-    # Provisioning API part of the web server for automated portal creation and fetching information.
-    # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager).
-    provisioning:
-        # Whether or not the provisioning API should be enabled.
-        enabled: true
-        # The prefix to use in the provisioning API endpoints.
-        prefix: /_matrix/provision/v1
-        # The shared secret to authorize users of the API.
-        # Set to "generate" to generate and save a new token.
-        shared_secret: ihyN0mfOW5PJHupMcP7VlJ5nTXlnqGzmRR-np_zWt1EDZBvZPVaifQc3CT-dd5QR
-
-    # The unique ID of this appservice.
-    id: telegram
-    # Username of the appservice bot.
-    bot_username: telegrambot
-    # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
-    # to leave display name/avatar as-is.
-    bot_displayname: Telegram bridge bot
-    bot_avatar: mxc://maunium.net/tJCRmUyJDsgRNgqhOgoiHWbX
-
-    # Whether or not to receive ephemeral events via appservice transactions.
-    # Requires MSC2409 support (i.e. Synapse 1.22+).
-    # You should disable bridge -> sync_with_custom_puppets when this is enabled.
-    ephemeral_events: false
-
-    # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
-    as_token: This value is generated when generating the registration
-    hs_token: This value is generated when generating the registration
-
-# Prometheus telemetry config. Requires prometheus-client to be installed.
-metrics:
-    enabled: false
-    listen_port: 8000
-
-# Manhole config.
-manhole:
-    # Whether or not opening the manhole is allowed.
-    enabled: false
-    # The path for the unix socket.
-    path: /var/tmp/mautrix-telegram.manhole
-    # The list of UIDs who can be added to the whitelist.
-    # If empty, any UIDs can be specified in the open-manhole command.
-    whitelist:
-    - 0
-bridge:
-    # Localpart template of MXIDs for Telegram users.
-    # {userid} is replaced with the user ID of the Telegram user.
-    username_template: telegram_{userid}
-    # Localpart template of room aliases for Telegram portal rooms.
-    # {groupname} is replaced with the name part of the public channel/group invite link ( https://t.me/{} )
-    alias_template: telegram_{groupname}
-    # Displayname template for Telegram users.
-    # {displayname} is replaced with the display name of the Telegram user.
-    displayname_template: '{displayname} (Telegram)'
-
-    # Set the preferred order of user identifiers which to use in the Matrix puppet display name.
-    # In the (hopefully unlikely) scenario that none of the given keys are found, the numeric user
-    # ID is used.
-    #
-    # If the bridge is working properly, a phone number or an username should always be known, but
-    # the other one can very well be empty.
-    #
-    # Valid keys:
-    #   "full name"          (First and/or last name)
-    #   "full name reversed" (Last and/or first name)
-    #   "first name"
-    #   "last name"
-    #   "username"
-    #   "phone number"
-    displayname_preference:
-    - full name
-    - username
-    - phone number
-    displayname_max_length: 100
-    # Remove avatars from Telegram ghost users when removed on Telegram. This is disabled by default
-    # as there's no way to determine whether an avatar is removed or just hidden from some users. If
-    # you're on a single-user instance, this should be safe to enable.
-    allow_avatar_remove: false
-
-    # Maximum number of members to sync per portal when starting up. Other members will be
-    # synced when they send messages. The maximum is 10000, after which the Telegram server
-    # will not send any more members.
-    # -1 means no limit (which means it's limited to 10000 by the server)
-    max_initial_member_sync: 100
-    # Whether or not to sync the member list in channels.
-    # If no channel admins have logged into the bridge, the bridge won't be able to sync the member
-    # list regardless of this setting.
-    sync_channel_members: true
-    # Whether or not to skip deleted members when syncing members.
-    skip_deleted_members: true
-    # Whether or not to automatically synchronize contacts and chats of Matrix users logged into
-    # their Telegram account at startup.
-    startup_sync: true
-    # Number of most recently active dialogs to check when syncing chats.
-    # Set to 0 to remove limit.
-    sync_update_limit: 0
-    # Number of most recently active dialogs to create portals for when syncing chats.
-    # Set to 0 to remove limit.
-    sync_create_limit: 30
-    # Whether or not to sync and create portals for direct chats at startup.
-    sync_direct_chats: false
-    # The maximum number of simultaneous Telegram deletions to handle.
-    # A large number of simultaneous redactions could put strain on your homeserver.
-    max_telegram_delete: 10
-    # Whether or not to automatically sync the Matrix room state (mostly unpuppeted displaynames)
-    # at startup and when creating a bridge.
-    sync_matrix_state: true
-    # Allow logging in within Matrix. If false, users can only log in using login-qr or the
-    # out-of-Matrix login website (see appservice.public config section)
-    allow_matrix_login: true
-    # Whether or not to bridge plaintext highlights.
-    # Only enable this if your displayname_template has some static part that the bridge can use to
-    # reliably identify what is a plaintext highlight.
-    plaintext_highlights: false
-    # Whether or not to make portals of publicly joinable channels/supergroups publicly joinable on Matrix.
-    public_portals: true
-    # Whether or not to use /sync to get presence, read receipts and typing notifications
-    # when double puppeting is enabled
-    sync_with_custom_puppets: true
-    # Whether or not to update the m.direct account data event when double puppeting is enabled.
-    # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
-    # and is therefore prone to race conditions.
-    sync_direct_chat_list: false
-    # Servers to always allow double puppeting from
-    double_puppet_server_map:
-        example.com: https://example.com
-    double_puppet_allow_discovery: false
-    # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
-    #
-    # If set, custom puppets will be enabled automatically for local users
-    # instead of users having to find an access token and run `login-matrix`
-    # manually.
-    # If using this for other servers than the bridge's server,
-    # you must also set the URL in the double_puppet_server_map.
-    login_shared_secret_map:
-        example.com: foobar
-    telegram_link_preview: true
-    # Whether or not the !tg join command should do a HTTP request
-    # to resolve redirects in invite links.
-    invite_link_resolve: false
-    # Use inline images instead of a separate message for the caption.
-    # N.B. Inline images are not supported on all clients (e.g. Element iOS/Android).
-    inline_images: false
-    # Maximum size of image in megabytes before sending to Telegram as a document.
-    image_as_file_size: 10
-    # Maximum number of pixels in an image before sending to Telegram as a document. Defaults to 1280x1280 = 1638400.
-    image_as_file_pixels: 1638400
-    # Enable experimental parallel file transfer, which makes uploads/downloads much faster by
-    # streaming from/to Matrix and using many connections for Telegram.
-    # Note that generating HQ thumbnails for videos is not possible with streamed transfers.
-    # This option uses internal Telethon implementation details and may break with minor updates.
-    parallel_file_transfer: false
-    # Whether or not created rooms should have federation enabled.
-    # If false, created portal rooms will never be federated.
-    federate_rooms: true
-    # Settings for converting animated stickers.
-    animated_sticker:
-        # Format to which animated stickers should be converted.
-        # disable - No conversion, send as-is (gzipped lottie)
-        # png - converts to non-animated png (fastest),
-        # gif - converts to animated gif
-        # webm - converts to webm video, requires ffmpeg executable with vp9 codec and webm container support
-        target: gif
-        # Arguments for converter. All converters take width and height.
-        args:
-            width: 256
-            height: 256
-            fps: 25 # only for webm and gif (2, 5, 10, 20 or 25 recommended)
-    # End-to-bridge encryption support options.
-    #
-    # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
-    encryption:
-        # Allow encryption, work in group chat rooms with e2ee enabled
-        allow: false
-        # Default to encryption, force-enable encryption in all portals the bridge creates
-        # This will cause the bridge bot to be in private chats for the encryption to work properly.
-        default: false
-        # Database for the encryption data. If set to `default`, will use the appservice database.
-        database: default
-        # Options for automatic key sharing.
-        key_sharing:
-            # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
-            # You must use a client that supports requesting keys from other users to use this feature.
-            allow: false
-            # Require the requesting device to have a valid cross-signing signature?
-            # This doesn't require that the bridge has verified the device, only that the user has verified it.
-            # Not yet implemented.
-            require_cross_signing: false
-            # Require devices to be verified by the bridge?
-            # Verification by the bridge is not yet implemented.
-            require_verification: true
-    # Whether or not to explicitly set the avatar and room name for private
-    # chat portal rooms. This will be implicitly enabled if encryption.default is true.
-    private_chat_portal_meta: false
-    # Whether or not the bridge should send a read receipt from the bridge bot when a message has
-    # been sent to Telegram.
-    delivery_receipts: false
-    # Whether or not delivery errors should be reported as messages in the Matrix room.
-    delivery_error_reports: false
-    # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
-    # This field will automatically be changed back to false after it,
-    # except if the config file is not writable.
-    resend_bridge_info: false
-    # When using double puppeting, should muted chats be muted in Matrix?
-    mute_bridging: false
-    # When using double puppeting, should pinned chats be moved to a specific tag in Matrix?
-    # The favorites tag is `m.favourite`.
-    pinned_tag:
-    # Same as above for archived chats, the low priority tag is `m.lowpriority`.
-    archive_tag:
-    # Whether or not mute status and tags should only be bridged when the portal room is created.
-    tag_only_on_create: true
-    # Should leaving the room on Matrix make the user leave on Telegram?
-    bridge_matrix_leave: true
-    # Should the user be kicked out of all portals when logging out of the bridge?
-    kick_on_logout: true
-    # Should the "* user joined Telegram" notice always be marked as read automatically?
-    always_read_joined_telegram_notice: true
-    # Settings for backfilling messages from Telegram.
-    backfill:
-        # Whether or not the Telegram ghosts of logged in Matrix users should be
-        # invited to private chats when backfilling history from Telegram. This is
-        # usually needed to prevent rate limits and to allow timestamp massaging.
-        invite_own_puppet: true
-        # Maximum number of messages to backfill without using a takeout.
-        # The first time a takeout is used, the user has to manually approve it from a different
-        # device. If initial_limit or missed_limit are higher than this value, the bridge will ask
-        # the user to accept the takeout after logging in before syncing any chats.
-        takeout_limit: 100
-        # Maximum number of messages to backfill initially.
-        # Set to 0 to disable backfilling when creating portal, or -1 to disable the limit.
-        #
-        # N.B. Initial backfill will only start after member sync. Make sure your
-        #      max_initial_member_sync is set to a low enough value so it doesn't take forever.
-        initial_limit: 0
-        # Maximum number of messages to backfill if messages were missed while the bridge was
-        # disconnected. Note that this only works for logged in users and only if the chat isn't
-        # older than sync_update_limit
-        # Set to 0 to disable backfilling missed messages.
-        missed_limit: 50
-        # If using double puppeting, should notifications be disabled
-        # while the initial backfill is in progress?
-        disable_notifications: false
-        # Whether or not to enable backfilling in normal groups.
-        # Normal groups have numerous technical problems in Telegram, and backfilling normal groups
-        # will likely cause problems if there are multiple Matrix users in the group.
-        normal_groups: false
-
-    # Overrides for base power levels.
-    initial_power_level_overrides:
-        user: {}
-        group: {}
-
-    # Whether to bridge Telegram bot messages as m.notices or m.texts.
-    bot_messages_as_notices: true
-    bridge_notices:
-        # Whether or not Matrix bot messages (type m.notice) should be bridged.
-        default: false
-        # List of user IDs for whom the previous flag is flipped.
-        # e.g. if bridge_notices.default is false, notices from other users will not be bridged, but
-        #      notices from users listed here will be bridged.
-        exceptions: []
-
-    # An array of possible values for the $distinguisher variable in message formats.
-    # Each user gets one of the values here, based on a hash of their user ID.
-    # If the array is empty, the $distinguisher variable will also be empty.
-    relay_user_distinguishers: [🟦, 🟣, 🟩, ⭕️, 🔶, ⬛️, 🔵, 🟢]
-    # The formats to use when sending messages to Telegram via the relay bot.
-    # Text msgtypes (m.text, m.notice and m.emote) support HTML, media msgtypes don't.
-    #
-    # Available variables:
-    #   $sender_displayname - The display name of the sender (e.g. Example User)
-    #   $sender_username    - The username (Matrix ID localpart) of the sender (e.g. exampleuser)
-    #   $sender_mxid        - The Matrix ID of the sender (e.g. @exampleuser:example.com)
-    #   $distinguisher      - A random string from the options in the relay_user_distinguishers array.
-    #   $message            - The message content
-    message_formats:
-        m.text: '$distinguisher <b>$sender_displayname</b>: $message'
-        m.notice: '$distinguisher <b>$sender_displayname</b>: $message'
-        m.emote: '* $distinguisher <b>$sender_displayname</b> $message'
-        m.file: '$distinguisher <b>$sender_displayname</b> sent a file: $message'
-        m.image: '$distinguisher <b>$sender_displayname</b> sent an image: $message'
-        m.audio: '$distinguisher <b>$sender_displayname</b> sent an audio file: $message'
-        m.video: '$distinguisher <b>$sender_displayname</b> sent a video: $message'
-        m.location: '$distinguisher <b>$sender_displayname</b> sent a location: $message'
-    # Telegram doesn't have built-in emotes, this field specifies how m.emote's from authenticated
-    # users are sent to telegram. All fields in message_formats are supported. Additionally, the
-    # Telegram user info is available in the following variables:
-    #    $displayname - Telegram displayname
-    #    $username    - Telegram username (may not exist)
-    #    $mention     - Telegram @username or displayname mention (depending on which exists)
-    emote_format: '* $mention $formatted_body'
-
-    # The formats to use when sending state events to Telegram via the relay bot.
-    #
-    # Variables from `message_formats` that have the `sender_` prefix are available without the prefix.
-    # In name_change events, `$prev_displayname` is the previous displayname.
-    #
-    # Set format to an empty string to disable the messages for that event.
-    state_event_formats:
-        join: $distinguisher <b>$displayname</b> joined the room.
-        leave: $distinguisher <b>$displayname</b> left the room.
-        name_change: $distinguisher <b>$prev_displayname</b> changed their name to $distinguisher <b>$displayname</b>
-
-    # Filter rooms that can/can't be bridged. Can also be managed using the `filter` and
-    # `filter-mode` management commands.
-    #
-    # Filters do not affect direct chats.
-    # An empty blacklist will essentially disable the filter.
-    filter:
-        # Filter mode to use. Either "blacklist" or "whitelist".
-        # If the mode is "blacklist", the listed chats will never be bridged.
-        # If the mode is "whitelist", only the listed chats can be bridged.
-        mode: blacklist
-        # The list of group/channel IDs to filter.
-        list: [
-            -1001715327440, 
-            -1001601423054,
-            -1001640788903,
-            -1001502631691,
-            -1001312251264,
-            -1001258339320,
-            -1001788406746,
-            -1001320287812,
-            -1001229445068, # @icfchur
-            -1001412428614, # @youthplanetchur
-        ]
-
-    # The prefix for commands. Only required in non-management rooms.
-    command_prefix: '!tg'
-
-    # Messages sent upon joining a management room.
-    # Markdown is supported. The defaults are listed below.
-    management_room_text:
-        # Sent when joining a room.
-        welcome: Hello, I'm a Telegram bridge bot.
-        # Sent when joining a management room and the user is already logged in.
-        welcome_connected: Use `help` for help.
-        # Sent when joining a management room and the user is not logged in.
-        welcome_unconnected: "Use `help` for help or `login` to log in. \n\
-            IMPORTANT NOTICE: Before logging in, please make sure you have not joined a group that sends a lot of media, as this requires a lot of storage. \ 
-            You can either opt out of these or you can contact me and I will blacklist them so they are not bridged by the bot. \n\
-            If the bot is abused the feature will be discontinued and only made available to paid users. Thanks for your help!"
-        # Optional extra text sent when joining a management room.
-        additional_help: ''
-
-    # Send each message separately (for readability in some clients)
-    management_room_multiple_messages: false
-
-    # Permissions for using the bridge.
-    # Permitted values:
-    #   relaybot - Only use the bridge via the relaybot, no access to commands.
-    #       user - Relaybot level + access to commands to create bridges.
-    #  puppeting - User level + logging in with a Telegram account.
-    #       full - Full access to use the bridge, i.e. previous levels + Matrix login.
-    #      admin - Full access to use the bridge and some extra administration commands.
-    # Permitted keys:
-    #        * - All Matrix users
-    #   domain - All users on that homeserver
-    #     mxid - Specific user
-    permissions:
-        # '*': puppeting
-        # public.example.com: user
-        # example.com: full
-        # matrix.420joos.dev: puppeting
-        '@andrijoos:matrix.420joos.dev': admin
-        '@admin:matrix.420joos.dev': admin
-    relaybot:
-        private_chat:
-            # List of users to invite to the portal when someone starts a private chat with the bot.
-            # If empty, private chats with the bot won't create a portal.
-            invite: []
-            # Whether or not to bridge state change messages in relaybot private chats.
-            state_changes: true
-            # When private_chat_invite is empty, this message is sent to users /starting the
-            # relaybot. Telegram's "markdown" is supported.
-            message: This is a Matrix bridge relaybot and does not support direct chats
-        # List of users to invite to all group chat portals created by the bridge.
-        group_chat_invite: []
-        # Whether or not the relaybot should not bridge events in unbridged group chats.
-        # If false, portals will be created when the relaybot receives messages, just like normal
-        # users. This behavior is usually not desirable, as it interferes with manually bridging
-        # the chat to another room.
-        ignore_unbridged_group_chat: true
-        # Whether or not to allow creating portals from Telegram.
-        authless_portals: true
-        # Whether or not to allow Telegram group admins to use the bot commands.
-        whitelist_group_admins: true
-        # Whether or not to ignore incoming events sent by the relay bot.
-        ignore_own_incoming_events: true
-        # List of usernames/user IDs who are also allowed to use the bot commands.
-        whitelist:
-        - myusername
-        - 12345678
-telegram:
-    # Get your own API keys at https://my.telegram.org/apps
-    api_id: 4040062
-    api_hash: 22f1b3ea495ab191c0098649f8affbe8
-    # (Optional) Create your own bot at https://t.me/BotFather
-    bot_token: disabled
-
-    # Telethon connection options.
-    connection:
-        # The timeout in seconds to be used when connecting.
-        timeout: 120
-        # How many times the reconnection should retry, either on the initial connection or when
-        # Telegram disconnects us. May be set to a negative or null value for infinite retries, but
-        # this is not recommended, since the program can get stuck in an infinite loop.
-        retries: 5
-        # The delay in seconds to sleep between automatic reconnections.
-        retry_delay: 1
-        # The threshold below which the library should automatically sleep on flood wait errors
-        # (inclusive). For instance, if a FloodWaitError for 17s occurs and flood_sleep_threshold
-        # is 20s, the library will sleep automatically. If the error was for 21s, it would raise
-        # the error instead. Values larger than a day (86400) will be changed to a day.
-        flood_sleep_threshold: 60
-        # How many times a request should be retried. Request are retried when Telegram is having
-        # internal issues, when there is a FloodWaitError less than flood_sleep_threshold, or when
-        # there's a migrate error. May take a negative or null value for infinite retries, but this
-        # is not recommended, since some requests can always trigger a call fail (such as searching
-        # for messages).
-        request_retries: 5
-
-    # Device info sent to Telegram.
-    device_info:
-        # "auto" = OS name+version.
-        device_model: auto
-        # "auto" = Telethon version.
-        system_version: auto
-        # "auto" = mautrix-telegram version.
-        app_version: auto
-        lang_code: en
-        system_lang_code: en
-
-    # Custom server to connect to.
-    server:
-        # Set to true to use these server settings. If false, will automatically
-        # use production server assigned by Telegram. Set to false in production.
-        enabled: false
-        # The DC ID to connect to.
-        dc: 2
-        # The IP to connect to.
-        ip: 149.154.167.40
-        # The port to connect to. 443 may not work, 80 is better and both are equally secure.
-        port: 80
-
-    # Telethon proxy configuration.
-    # You must install PySocks from pip for proxies to work.
-    proxy:
-        # Allowed types: disabled, socks4, socks5, http, mtproxy
-        type: disabled
-        # Proxy IP address and port.
-        address: 127.0.0.1
-        port: 1080
-        # Whether or not to perform DNS resolving remotely. Only for socks/http proxies.
-        rdns: true
-        # Proxy authentication (optional). Put MTProxy secret in password field.
-        username: ''
-        password: ''
-
-# Python logging configuration.
-#
-# See section 16.7.2 of the Python documentation for more info:
-# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
-logging:
-    version: 1
-    formatters:
-        colored:
-            (): mautrix_telegram.util.ColorFormatter
-            format: '[%(asctime)s] [%(levelname)s@%(name)s] %(message)s'
-        normal:
-            format: '[%(asctime)s] [%(levelname)s@%(name)s] %(message)s'
-    handlers:
-        console:
-            class: logging.StreamHandler
-            formatter: colored
-    loggers:
-        mau:
-            level: DEBUG
-        telethon:
-            level: INFO
-        aiohttp:
-            level: INFO
-    root:
-        level: DEBUG
-        handlers: [console]
diff --git a/synapse/bridges/mautrix-telegram/mautrix-telegram.yaml b/synapse/bridges/mautrix-telegram/mautrix-telegram.yaml
deleted file mode 100644
index 7e11b002e3b54091f5bf3346bfd49c0e7fde95b6..0000000000000000000000000000000000000000
--- a/synapse/bridges/mautrix-telegram/mautrix-telegram.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-apiVersion: v1
-name: mautrix-telegram
-namespace: synapse
-type: mautrix-bridge
-deployments:
-- id: default
-  image: dock.mau.dev/mautrix/telegram:latest
-  name: mautrix-telegram
-  volumes:
-    synapse-bridges:
-      nfs:
-        path: /synapse/bridges/telegram/config
-- id: postgres
-  env:
-    content:
-      LC_COLLATE: C
-      LC_CTYPE: C
-      POSTGRES_DB: mautrixtelegramdb
-      POSTGRES_INITDB_ARGS: -E utf8
-      POSTGRES_PASSWORD: c0b8a11d28cc
-      POSTGRES_USER: c13603017bd2
-  name: postgres-mautrix-telegram
-  volumes:
-    mautrix-db:
-      nfs:
-        path: /synapse/bridges/telegram/db
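Review bot: Deleting this manifest does not retire the `POSTGRES_USER` / `POSTGRES_PASSWORD` values under `env.content` of the `postgres` deployment, because they remain readable in the repository history and in every clone, fork or CI cache made before this commit. The same applies to other files this commit deletes: the `api_hash` in the Telegram bridge config, the database `uri`, `provisioning.shared_secret`, `as_token` and `hs_token` in `synapse/bridges/mautrix-whatsapp/config.yaml`, the Postgres pair in `mautrix-whatsapp.yaml`, the ed25519 key in `synapse/default.signing.key`, and the bearer `token` in `synapse/delete_user_medias.py` (that hunk continues outside this view). The diff does not show whether any of these were rotated, so each should be treated as exposed and revoked or regenerated at its service, with replacements supplied from CI/CD secret variables or a secret store rather than a tracked file. For the homeserver signing key, the retired key would normally be listed under `old_signing_keys` in `homeserver.yaml` once a new one is generated. Rewriting history can reduce later exposure but is not a substitute for rotation.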
diff --git a/synapse/bridges/mautrix-whatsapp/config.yaml b/synapse/bridges/mautrix-whatsapp/config.yaml
deleted file mode 100644
index ee3abefc0ec99a5ad49f7b74ddefe6c0e8571e2c..0000000000000000000000000000000000000000
--- a/synapse/bridges/mautrix-whatsapp/config.yaml
+++ /dev/null
@@ -1,311 +0,0 @@
-# Homeserver details.
-homeserver:
-    # The address that this appservice can use to connect to the homeserver.
-    address: https://matrix.420joos.dev
-    # The domain of the homeserver (for MXIDs, etc).
-    domain: matrix.420joos.dev
-    
-    # Is the homeserver actually mautrix-asmux?
-    asmux: false
-    # The URL to push real-time bridge status to.
-    # If set, the bridge will make POST requests to this URL whenever a user's whatsapp connection state changes.
-    # The bridge will use the appservice as_token to authorize requests.
-    status_endpoint: null
-    # Endpoint for reporting per-message status.
-    message_send_checkpoint_endpoint: null
-    # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
-    async_media: false
-
-# Application service host/registration related details.
-# Changing these values requires regeneration of the registration.
-appservice:
-    # The address that the homeserver can use to connect to this appservice.
-    address: http://mautrix-whatsapp:29317
-    
-    # The hostname and port where this appservice should listen.
-    hostname: 0.0.0.0
-    port: 29317
-    
-    # Database config.
-    database:
-        # The database type. "sqlite3" and "postgres" are supported.
-        type: postgres
-        # The database URI.
-        #   SQLite: File name is enough. https://github.com/mattn/go-sqlite3#connection-string
-        #   Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
-        #             To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
-        uri: postgres://d688f79ec3ce:e929df0051ec@postgres-mautrix-whatsapp/mautrixwhatsappdb?sslmode=disable
-        # Maximum number of connections. Mostly relevant for Postgres.
-        max_open_conns: 20
-        max_idle_conns: 2
-        # Maximum connection idle time and lifetime before they're closed. Disabled if null.
-        # Parsed with https://pkg.go.dev/time#ParseDuration
-        max_conn_idle_time: null
-        max_conn_lifetime: null
-    
-    # Settings for provisioning API
-    provisioning:
-        # Prefix for the provisioning API paths.
-        prefix: /_matrix/provision
-        # Shared secret for authentication. If set to "generate", a random secret will be generated,
-        # or if set to "disable", the provisioning API will be disabled.
-        shared_secret: hmHYVDSmSYjYAIBYlZwrKUnMFVgSFsBLjaoeaL1fPnimufqm08W4W1InwMzgft9V
-        # Segment API key to enable analytics tracking for web server
-        # endpoints. Set to null to disable.
-        # Currently the only events are login start, QR code retrieve, and login
-        # success/failure.
-        segment_key: null
-    
-    # The unique ID of this appservice.
-    id: whatsapp
-    # Appservice bot details.
-    bot:
-        # Username of the appservice bot.
-        username: whatsappbot
-        # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
-        # to leave display name/avatar as-is.
-        displayname: WhatsApp bridge bot
-        avatar: mxc://maunium.net/NeXNQarUbrlYBiPCpprYsRqr
-    # Whether or not to receive ephemeral events via appservice transactions.
-    # Requires MSC2409 support (i.e. Synapse 1.22+).
-    # You should disable bridge -> sync_with_custom_puppets when this is enabled.
-    ephemeral_events: false
-    
-    # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
-    as_token: "LtTfH7nGKJqfns8f7XGCQCgL8fMqlOLuSguIBp5MeUmGkJQrRZHBNoZzh6LHuiqA"
-    hs_token: "YYiqtC8vKVQBkbVFbqe4hXn0e39WNU9zCkQ85A2FVjO2P4GzFzDXD8T6G1lWRs3u"
-
-# Prometheus config.
-metrics:
-    # Enable prometheus metrics?
-    enabled: false
-    # IP and port where the metrics listener should be. The path is always /metrics
-    listen: 127.0.0.1:8001
-
-# Config for things that are directly sent to WhatsApp.
-whatsapp:
-    # Device name that's shown in the "WhatsApp Web" section in the mobile app.
-    os_name: Mautrix-WhatsApp bridge
-    # Browser name that determines the logo shown in the mobile app.
-    # Must be "unknown" for a generic icon or a valid browser name if you want a specific icon.
-    # List of valid browser names: https://github.com/tulir/whatsmeow/blob/2a72655ef600a7fd7a2e98d53ec6da029759c4b8/binary/proto/def.proto#L1582-L1594
-    browser_name: unknown
-
-# Bridge config
-bridge:
-    # Localpart template of MXIDs for WhatsApp users.
-    # {{.}} is replaced with the phone number of the WhatsApp user.
-    username_template: whatsapp_{{.}}
-    # Displayname template for WhatsApp users.
-    # {{.PushName}}     - nickname set by the WhatsApp user
-    # {{.BusinessName}} - validated WhatsApp business name
-    # {{.Phone}}        - phone number (international format)
-    # The following variables are also available, but will cause problems on multi-user instances:
-    # {{.FullName}}  - full name from contact list
-    # {{.FirstName}} - first name from contact list
-    displayname_template: "{{if .FullName}}{{.FullName}}{{else if .PushName}}{{.PushName}}{{else if .BusinessName}}{{.BusinessName}}{{else}}{{.JID}}{{end}} (WhatsApp)"
-    # Should the bridge create a space for each logged-in user and add bridged rooms to it?
-    # Users who logged in before turning this on should run `!wa sync space` to create and fill the space for the first time.
-    personal_filtering_spaces: false
-    # Should the bridge send a read receipt from the bridge bot when a message has been sent to WhatsApp?
-    delivery_receipts: false
-    # Should incoming calls send a message to the Matrix room?
-    call_start_notices: true
-    # Should another user's cryptographic identity changing send a message to Matrix?
-    identity_change_notices: false
-    portal_message_buffer: 128
-    # Settings for handling history sync payloads. These settings only apply right after login,
-    # because the phone only sends the history sync data once, and there's no way to re-request it
-    # (other than logging out and back in again).
-    history_sync:
-        # Should the bridge create portals for chats in the history sync payload?
-        create_portals: true
-        # Maximum age of chats in seconds to create portals for. Set to 0 to create portals for all chats in sync payload.
-        max_age: 604800
-        # Enable backfilling history sync payloads from WhatsApp using batch sending?
-        # This requires a server with MSC2716 support, which is currently an experimental feature in synapse.
-        # It can be enabled by setting experimental_features -> msc2716_enabled to true in homeserver.yaml.
-        # Note that prior to Synapse 1.49, there were some bugs with the implementation, especially if using event persistence workers.
-        # There are also still some issues in Synapse's federation implementation.
-        backfill: false
-        # Use double puppets for backfilling?
-        # In order to use this, the double puppets must be in the appservice's user ID namespace
-        # (because the bridge can't use the double puppet access token with batch sending).
-        # This only affects double puppets on the local server, double puppets on other servers will never be used.
-        double_puppet_backfill: false
-        # Should the bridge request a full sync from the phone when logging in?
-        # This bumps the size of history syncs from 3 months to 1 year.
-        request_full_sync: false
-    # Should puppet avatars be fetched from the server even if an avatar is already set?
-    user_avatar_sync: true
-    # Should Matrix users leaving groups be bridged to WhatsApp?
-    bridge_matrix_leave: true
-    # Should the bridge sync with double puppeting to receive EDUs that aren't normally sent to appservices.
-    sync_with_custom_puppets: true
-    # Should the bridge update the m.direct account data event when double puppeting is enabled.
-    # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
-    # and is therefore prone to race conditions.
-    sync_direct_chat_list: false
-    # When double puppeting is enabled, users can use `!wa toggle` to change whether
-    # presence and read receipts are bridged. These settings set the default values.
-    # Existing users won't be affected when these are changed.
-    default_bridge_receipts: true
-    default_bridge_presence: true
-    # Send the presence as "available" to whatsapp when users start typing on a portal.
-    # This works as a workaround for homeservers that do not support presence, and allows
-    # users to see when the whatsapp user on the other side is typing during a conversation.
-    send_presence_on_typing: false
-    # Should the bridge always send "active" delivery receipts (two gray ticks on WhatsApp)
-    # even if the user isn't marked as online (e.g. when presence bridging isn't enabled)?
-    #
-    # By default, the bridge acts like WhatsApp web, which only sends active delivery
-    # receipts when it's in the foreground.
-    force_active_delivery_receipts: false
-    # Servers to always allow double puppeting from
-    double_puppet_server_map:
-        example.com: https://example.com
-    # Allow using double puppeting from any server with a valid client .well-known file.
-    double_puppet_allow_discovery: false
-    # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
-    #
-    # If set, double puppeting will be enabled automatically for local users
-    # instead of users having to find an access token and run `login-matrix`
-    # manually.
-    login_shared_secret_map:
-        example.com: foobar
-    # Should the bridge explicitly set the avatar and room name for private chat portal rooms?
-    private_chat_portal_meta: false
-    # Should Matrix m.notice-type messages be bridged?
-    bridge_notices: true
-    # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
-    # This field will automatically be changed back to false after it, except if the config file is not writable.
-    resend_bridge_info: false
-    # When using double puppeting, should muted chats be muted in Matrix?
-    mute_bridging: false
-    # When using double puppeting, should archived chats be moved to a specific tag in Matrix?
-    # Note that WhatsApp unarchives chats when a message is received, which will also be mirrored to Matrix.
-    # This can be set to a tag (e.g. m.lowpriority), or null to disable.
-    archive_tag: null
-    # Same as above, but for pinned chats. The favorite tag is called m.favourite
-    pinned_tag: null
-    # Should mute status and tags only be bridged when the portal room is created?
-    tag_only_on_create: true
-    # Should WhatsApp status messages be bridged into a Matrix room?
-    # Disabling this won't affect already created status broadcast rooms.
-    enable_status_broadcast: true
-    # Should the status broadcast room be muted and moved into low priority by default?
-    # This is only applied when creating the room, the user can unmute/untag it later.
-    mute_status_broadcast: true
-    # Should the bridge use thumbnails from WhatsApp?
-    # They're disabled by default due to very low resolution.
-    whatsapp_thumbnail: false
-    # Allow invite permission for user. User can invite any bots to room with whatsapp
-    # users (private chat and groups)
-    allow_user_invite: false
-    # Whether or not created rooms should have federation enabled.
-    # If false, created portal rooms will never be federated.
-    federate_rooms: true
-    # Whether to enable disappearing messages in groups. If enabled, then the expiration time of
-    # the messages will be determined by the first user to read the message, rather than individually.
-    # If the bridge only has a single user, this can be turned on safely.
-    disappearing_messages_in_groups: false
-    # Should the bridge never send alerts to the bridge management room?
-    # These are mostly things like the user being logged out.
-    disable_bridge_alerts: false
-    # Should the bridge detect URLs in outgoing messages, ask the homeserver to generate a preview,
-    # and send it to WhatsApp? URL previews can always be sent using the `com.beeper.linkpreviews`
-    # key in the event content even if this is disabled.
-    url_previews: false
-    
-    # The prefix for commands. Only required in non-management rooms.
-    command_prefix: "!wa"
-    
-    # Messages sent upon joining a management room.
-    # Markdown is supported. The defaults are listed below.
-    management_room_text:
-        # Sent when joining a room.
-        welcome: "Hello, I'm a WhatsApp bridge bot."
-        # Sent when joining a management room and the user is already logged in.
-        welcome_connected: "Use `help` for help."
-        # Sent when joining a management room and the user is not logged in.
-        welcome_unconnected: "Use `help` for help or `login` to log in. \n\
-            IMPORTANT NOTICE: Before logging in, please make sure you have not joined a group that sends a lot of media, as this requires a lot of storage. \
-            If the bot is abused the feature will be discontinued and only made available to paid users. Thanks for your help!"
-        # Optional extra text sent when joining a management room.
-        additional_help: ""
-    
-    # End-to-bridge encryption support options.
-    #
-    # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
-    encryption:
-        # Allow encryption, work in group chat rooms with e2ee enabled
-        allow: false
-        # Default to encryption, force-enable encryption in all portals the bridge creates
-        # This will cause the bridge bot to be in private chats for the encryption to work properly.
-        # It is recommended to also set private_chat_portal_meta to true when using this.
-        default: false
-        # Options for automatic key sharing.
-        key_sharing:
-            # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
-            # You must use a client that supports requesting keys from other users to use this feature.
-            allow: false
-            # Require the requesting device to have a valid cross-signing signature?
-            # This doesn't require that the bridge has verified the device, only that the user has verified it.
-            # Not yet implemented.
-            require_cross_signing: false
-            # Require devices to be verified by the bridge?
-            # Verification by the bridge is not yet implemented.
-            require_verification: true
-    
-    # Permissions for using the bridge.
-    # Permitted values:
-    #    relay - Talk through the relaybot (if enabled), no access otherwise
-    #     user - Access to use the bridge to chat with a WhatsApp account.
-    #    admin - User level and some additional administration tools
-    # Permitted keys:
-    #        * - All Matrix users
-    #   domain - All users on that homeserver
-    #     mxid - Specific user
-    permissions:
-        # '*': puppeting
-        # public.example.com: user
-        # example.com: full
-        # matrix.420joos.dev: user
-        # '@ngoetti:matrix.420joos.dev': user
-        '@andrijoos:matrix.420joos.dev': admin
-        '@admin:matrix.420joos.dev': admin
-    
-    # Settings for relay mode
-    relay:
-        # Whether relay mode should be allowed. If allowed, `!wa set-relay` can be used to turn any
-        # authenticated user into a relaybot for that chat.
-        enabled: false
-        # Should only admins be allowed to set themselves as relay users?
-        admin_only: true
-        # The formats to use when sending messages to WhatsApp via the relaybot.
-        message_formats:
-            m.text: "<b>{{ .Sender.Displayname }}</b>: {{ .Message }}"
-            m.notice: "<b>{{ .Sender.Displayname }}</b>: {{ .Message }}"
-            m.emote: "* <b>{{ .Sender.Displayname }}</b> {{ .Message }}"
-            m.file: "<b>{{ .Sender.Displayname }}</b> sent a file"
-            m.image: "<b>{{ .Sender.Displayname }}</b> sent an image"
-            m.audio: "<b>{{ .Sender.Displayname }}</b> sent an audio file"
-            m.video: "<b>{{ .Sender.Displayname }}</b> sent a video"
-            m.location: "<b>{{ .Sender.Displayname }}</b> sent a location"
-
-# Logging config.
-logging:
-    # The directory for log files. Will be created if not found.
-    directory: ./logs
-    # Available variables: .Date for the file date and .Index for different log files on the same day.
-    # Set this to null to disable logging to file.
-    file_name_format: ""
-    # Date format for file names in the Go time format: https://golang.org/pkg/time/#pkg-constants
-    file_date_format: "2006-01-02"
-    # Log file permissions.
-    file_mode: 0o600
-    # Timestamp format for log entries in the Go time format.
-    timestamp_format: "Jan _2, 2006 15:04:05"
-    # Minimum severity for log messages printed to stdout/stderr. This doesn't affect the log file.
-    # Options: debug, info, warn, error, fatal
-    print_level: debug
diff --git a/synapse/bridges/mautrix-whatsapp/mautrix-whatsapp.yaml b/synapse/bridges/mautrix-whatsapp/mautrix-whatsapp.yaml
deleted file mode 100644
index c39aa59aed58a2c0b5d902e9e002fb8c165538c6..0000000000000000000000000000000000000000
--- a/synapse/bridges/mautrix-whatsapp/mautrix-whatsapp.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-apiVersion: v1
-name: mautrix-whatsapp
-namespace: synapse
-type: mautrix-bridge
-deployments:
-- id: default
-  image: dock.mau.dev/mautrix/whatsapp:latest
-  name: mautrix-whatsapp
-  volumes:
-    synapse-bridges:
-      nfs:
-        path: /synapse/bridges/whatsapp/config
-- id: postgres
-  env:
-    content:
-      LC_COLLATE: C
-      LC_CTYPE: C
-      POSTGRES_DB: mautrixwhatsappdb
-      POSTGRES_INITDB_ARGS: -E utf8
-      POSTGRES_PASSWORD: e929df0051ec
-      POSTGRES_USER: d688f79ec3ce
-  name: postgres-mautrix-whatsapp
-  volumes:
-    mautrix-db:
-      nfs:
-        path: /synapse/bridges/whatsapp/db
diff --git a/synapse/default.signing.key b/synapse/default.signing.key
deleted file mode 100644
index e0909703664b0a6d3229948a4c17d17ee8847755..0000000000000000000000000000000000000000
--- a/synapse/default.signing.key
+++ /dev/null
@@ -1 +0,0 @@
-ed25519 a_GJYZ VAIu9CF5oXk2mmDlcFFUqErVoCJh24AAGIMapgNWd98
\ No newline at end of file
diff --git a/synapse/delete_user_medias.py b/synapse/delete_user_medias.py
deleted file mode 100644
index 203276f3bac5fc4a45daff198a61da3a437a9c69..0000000000000000000000000000000000000000
--- a/synapse/delete_user_medias.py
+++ /dev/null
@@ -1,33 +0,0 @@
-import requests
-
-# medias = []
-# with open("", "r") as f:
-#     medias = f.readlines()
-
-# for media in medias:
-api_url = "https://matrix.420joos.dev/_synapse/admin"
-token = "syt_YWRtaW4_CJtZdxfsFVHslWHgOBxB_3YCE0K"
-headers = {"Authorization": f"Bearer {token}"}
-params = {
-    "limit": "10000",
-}
-
-# users_req = requests.get(f"{api_url}/v2/users", headers=headers, params=params).json()
-users_req = requests.get(f"{api_url}/v1/statistics/users/media", headers=headers, params=params).json()
-
-users = users_req["users"]
-
-# deletion_users = [user for user in users if "telegram_" in user["name"]]
-# deletion_users.append({"name": telegrambot_user_id})
-deletion_users = [user for user in users if "telegram" in user["user_id"]]
-
-for user in deletion_users:
-    user_id = user["user_id"]
-    params = {
-        "limit": "10000",
-        "user_id": user_id
-    }
-
-    user_delete_req = requests.delete(f"{api_url}/v1/users/{user_id}/media", headers=headers, params=params).json()
-
-    print(user_delete_req)
diff --git a/synapse/docu_attachments/img/app_element_io_login_edit_homeserver.png b/synapse/docu_attachments/img/app_element_io_login_edit_homeserver.png
deleted file mode 100644
index fc68142fb99eb4f1c57c202549a86f7cc9aea5ff..0000000000000000000000000000000000000000
Binary files a/synapse/docu_attachments/img/app_element_io_login_edit_homeserver.png and /dev/null differ
diff --git a/synapse/docu_attachments/img/app_element_io_login_homeserver_address.png b/synapse/docu_attachments/img/app_element_io_login_homeserver_address.png
deleted file mode 100644
index bddbfd9357dccf30939fd277e2f47202f9ad3e5d..0000000000000000000000000000000000000000
Binary files a/synapse/docu_attachments/img/app_element_io_login_homeserver_address.png and /dev/null differ
diff --git a/synapse/docu_attachments/img/app_element_io_login_username_pw.png b/synapse/docu_attachments/img/app_element_io_login_username_pw.png
deleted file mode 100644
index cfcc2a582c97434a4242466ed9d9c499df247959..0000000000000000000000000000000000000000
Binary files a/synapse/docu_attachments/img/app_element_io_login_username_pw.png and /dev/null differ
diff --git a/synapse/docu_attachments/img/app_element_io_login_verification.png b/synapse/docu_attachments/img/app_element_io_login_verification.png
deleted file mode 100644
index 6f62e3ebfb044e07c19dab5f197f3100f8c36ab6..0000000000000000000000000000000000000000
Binary files a/synapse/docu_attachments/img/app_element_io_login_verification.png and /dev/null differ
diff --git a/synapse/docu_attachments/img/app_element_io_login_verification_apply.png b/synapse/docu_attachments/img/app_element_io_login_verification_apply.png
deleted file mode 100644
index 52fc5bf16d9f18c97e008de6656621c31ebdd8eb..0000000000000000000000000000000000000000
Binary files a/synapse/docu_attachments/img/app_element_io_login_verification_apply.png and /dev/null differ
diff --git a/synapse/docu_attachments/img/app_element_io_login_verification_client_scan_qr.jpg b/synapse/docu_attachments/img/app_element_io_login_verification_client_scan_qr.jpg
deleted file mode 100644
index 9def8b82069fe9cbdda0dfbab786a98fd3f236f3..0000000000000000000000000000000000000000
Binary files a/synapse/docu_attachments/img/app_element_io_login_verification_client_scan_qr.jpg and /dev/null differ
diff --git a/synapse/docu_attachments/img/app_element_io_login_verification_client_verify_device.jpg b/synapse/docu_attachments/img/app_element_io_login_verification_client_verify_device.jpg
deleted file mode 100644
index deb70f461f7bded15a9c4b9def4adc562d741472..0000000000000000000000000000000000000000
Binary files a/synapse/docu_attachments/img/app_element_io_login_verification_client_verify_device.jpg and /dev/null differ
diff --git a/synapse/docu_attachments/img/app_element_io_login_verification_client_verify_device_scan_code_or_other_method.jpeg b/synapse/docu_attachments/img/app_element_io_login_verification_client_verify_device_scan_code_or_other_method.jpeg
deleted file mode 100644
index 2e59513125cad2cac94a94f5856739898c3fbfcf..0000000000000000000000000000000000000000
Binary files a/synapse/docu_attachments/img/app_element_io_login_verification_client_verify_device_scan_code_or_other_method.jpeg and /dev/null differ
diff --git a/synapse/docu_attachments/img/app_element_io_login_verification_qr.png b/synapse/docu_attachments/img/app_element_io_login_verification_qr.png
deleted file mode 100644
index 949168230c10f9c5801bdd905e63e6ec4fe8e412..0000000000000000000000000000000000000000
Binary files a/synapse/docu_attachments/img/app_element_io_login_verification_qr.png and /dev/null differ
diff --git a/synapse/docu_attachments/img/app_element_io_login_verification_web.png b/synapse/docu_attachments/img/app_element_io_login_verification_web.png
deleted file mode 100644
index 9a3d3c23aec5fd563da45735e70e70f887150b9e..0000000000000000000000000000000000000000
Binary files a/synapse/docu_attachments/img/app_element_io_login_verification_web.png and /dev/null differ
diff --git a/synapse/docu_attachments/img/app_element_io_sign_up_edit_homeserver.png b/synapse/docu_attachments/img/app_element_io_sign_up_edit_homeserver.png
deleted file mode 100644
index 7fcaab122b1fbfc57e0427226c38de8b76fe7aea..0000000000000000000000000000000000000000
Binary files a/synapse/docu_attachments/img/app_element_io_sign_up_edit_homeserver.png and /dev/null differ
diff --git a/synapse/docu_attachments/img/app_element_io_sign_up_homeserver_address.png b/synapse/docu_attachments/img/app_element_io_sign_up_homeserver_address.png
deleted file mode 100644
index 88a6ea2e31c1325b601737774b86fd870b4e5489..0000000000000000000000000000000000000000
Binary files a/synapse/docu_attachments/img/app_element_io_sign_up_homeserver_address.png and /dev/null differ
diff --git a/synapse/docu_attachments/img/app_element_io_sign_up_username_pw.png b/synapse/docu_attachments/img/app_element_io_sign_up_username_pw.png
deleted file mode 100644
index 115aa5ddb9a85caa9c7869fb5da96ee991fd7e5e..0000000000000000000000000000000000000000
Binary files a/synapse/docu_attachments/img/app_element_io_sign_up_username_pw.png and /dev/null differ
diff --git a/synapse/homeserver.yaml b/synapse/homeserver.yaml
deleted file mode 100644
index 5db65aadbea8d0a3c70178b5b93e0c5df4098ae5..0000000000000000000000000000000000000000
--- a/synapse/homeserver.yaml
+++ /dev/null
@@ -1,2847 +0,0 @@
-# Configuration file for Synapse.
-#
-# This is a YAML file: see [1] for a quick introduction. Note in particular
-# that *indentation is important*: all the elements of a list or dictionary
-# should have the same indentation.
-#
-# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
-
-## Server ##
-
-# The public-facing domain of the server
-#
-# The server_name name will appear at the end of usernames and room addresses
-# created on this server. For example if the server_name was example.com,
-# usernames on this server would be in the format @user:example.com
-#
-# In most cases you should avoid using a matrix specific subdomain such as
-# matrix.example.com or synapse.example.com as the server_name for the same
-# reasons you wouldn't use user@email.example.com as your email address.
-# See https://github.com/matrix-org/synapse/blob/master/docs/delegate.md
-# for information on how to host Synapse on a subdomain while preserving
-# a clean server_name.
-#
-# The server_name cannot be changed later so it is important to
-# configure this correctly before you start Synapse. It should be all
-# lowercase and may contain an explicit port.
-# Examples: matrix.org, localhost:8080
-#
-server_name: "matrix.420joos.dev"
-
-# When running as a daemon, the file to store the pid in
-#
-pid_file: /data/homeserver.pid
-
-# The absolute URL to the web client which /_matrix/client will redirect
-# to if 'webclient' is configured under the 'listeners' configuration.
-#
-# This option can be also set to the filesystem path to the web client
-# which will be served at /_matrix/client/ if 'webclient' is configured
-# under the 'listeners' configuration, however this is a security risk:
-# https://github.com/matrix-org/synapse#security-note
-#
-#web_client_location: https://riot.example.com/
-
-# The public-facing base URL that clients use to access this Homeserver (not
-# including _matrix/...). This is the same URL a user might enter into the
-# 'Custom Homeserver URL' field on their client. If you use Synapse with a
-# reverse proxy, this should be the URL to reach Synapse via the proxy.
-# Otherwise, it should be the URL to reach Synapse's client HTTP listener (see
-# 'listeners' below).
-#
-public_baseurl: https://matrix.420joos.dev
-
-# Set the soft limit on the number of file descriptors synapse can use
-# Zero is used to indicate synapse should set the soft limit to the
-# hard limit.
-#
-#soft_file_limit: 0
-
-# Set to false to disable presence tracking on this homeserver.
-#
-#use_presence: false
-
-# Whether to require authentication to retrieve profile data (avatars,
-# display names) of other users through the client API. Defaults to
-# 'false'. Note that profile data is also available via the federation
-# API, unless allow_profile_lookup_over_federation is set to false.
-#
-#require_auth_for_profile_requests: true
-
-# Uncomment to require a user to share a room with another user in order
-# to retrieve their profile information. Only checked on Client-Server
-# requests. Profile requests from other servers should be checked by the
-# requesting server. Defaults to 'false'.
-#
-#limit_profile_requests_to_users_who_share_rooms: true
-
-# Uncomment to prevent a user's profile data from being retrieved and
-# displayed in a room until they have joined it. By default, a user's
-# profile data is included in an invite event, regardless of the values
-# of the above two settings, and whether or not the users share a server.
-# Defaults to 'true'.
-#
-#include_profile_data_on_invite: false
-
-# If set to 'true', removes the need for authentication to access the server's
-# public rooms directory through the client API, meaning that anyone can
-# query the room directory. Defaults to 'false'.
-#
-#allow_public_rooms_without_auth: true
-
-# If set to 'true', allows any other homeserver to fetch the server's public
-# rooms directory via federation. Defaults to 'false'.
-#
-#allow_public_rooms_over_federation: true
-
-# The default room version for newly created rooms.
-#
-# Known room versions are listed here:
-# https://matrix.org/docs/spec/#complete-list-of-room-versions
-#
-# For example, for room version 1, default_room_version should be set
-# to "1".
-#
-#default_room_version: "6"
-
-# The GC threshold parameters to pass to `gc.set_threshold`, if defined
-#
-#gc_thresholds: [700, 10, 10]
-
-# Set the limit on the returned events in the timeline in the get
-# and sync operations. The default value is 100. -1 means no upper limit.
-#
-# Uncomment the following to increase the limit to 5000.
-#
-#filter_timeline_limit: 5000
-
-# Whether room invites to users on this server should be blocked
-# (except those sent by local server admins). The default is False.
-#
-#block_non_admin_invites: true
-
-# Room searching
-#
-# If disabled, new messages will not be indexed for searching and users
-# will receive errors when searching for messages. Defaults to enabled.
-#
-#enable_search: false
-
-# Prevent outgoing requests from being sent to the following blacklisted IP address
-# CIDR ranges. If this option is not specified then it defaults to private IP
-# address ranges (see the example below).
-#
-# The blacklist applies to the outbound requests for federation, identity servers,
-# push servers, and for checking key validity for third-party invite events.
-#
-# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
-# listed here, since they correspond to unroutable addresses.)
-#
-# This option replaces federation_ip_range_blacklist in Synapse v1.25.0.
-#
-#ip_range_blacklist:
-#  - '127.0.0.0/8'
-#  - '10.0.0.0/8'
-#  - '172.16.0.0/12'
-#  - '192.168.0.0/16'
-#  - '100.64.0.0/10'
-#  - '192.0.0.0/24'
-#  - '169.254.0.0/16'
-#  - '192.88.99.0/24'
-#  - '198.18.0.0/15'
-#  - '192.0.2.0/24'
-#  - '198.51.100.0/24'
-#  - '203.0.113.0/24'
-#  - '224.0.0.0/4'
-#  - '::1/128'
-#  - 'fe80::/10'
-#  - 'fc00::/7'
-#  - '2001:db8::/32'
-#  - 'ff00::/8'
-#  - 'fec0::/10'
-
-# List of IP address CIDR ranges that should be allowed for federation,
-# identity servers, push servers, and for checking key validity for
-# third-party invite events. This is useful for specifying exceptions to
-# wide-ranging blacklisted target IP ranges - e.g. for communication with
-# a push server only visible in your network.
-#
-# This whitelist overrides ip_range_blacklist and defaults to an empty
-# list.
-#
-#ip_range_whitelist:
-#   - '192.168.1.1'
-
-# List of ports that Synapse should listen on, their purpose and their
-# configuration.
-#
-# Options for each listener include:
-#
-#   port: the TCP port to bind to
-#
-#   bind_addresses: a list of local addresses to listen on. The default is
-#       'all local interfaces'.
-#
-#   type: the type of listener. Normally 'http', but other valid options are:
-#       'manhole' (see docs/manhole.md),
-#       'metrics' (see docs/metrics-howto.md),
-#       'replication' (see docs/workers.md).
-#
-#   tls: set to true to enable TLS for this listener. Will use the TLS
-#       key/cert specified in tls_private_key_path / tls_certificate_path.
-#
-#   x_forwarded: Only valid for an 'http' listener. Set to true to use the
-#       X-Forwarded-For header as the client IP. Useful when Synapse is
-#       behind a reverse-proxy.
-#
-#   resources: Only valid for an 'http' listener. A list of resources to host
-#       on this port. Options for each resource are:
-#
-#       names: a list of names of HTTP resources. See below for a list of
-#           valid resource names.
-#
-#       compress: set to true to enable HTTP compression for this resource.
-#
-#   additional_resources: Only valid for an 'http' listener. A map of
-#        additional endpoints which should be loaded via dynamic modules.
-#
-# Valid resource names are:
-#
-#   client: the client-server API (/_matrix/client), and the synapse admin
-#       API (/_synapse/admin). Also implies 'media' and 'static'.
-#
-#   consent: user consent forms (/_matrix/consent). See
-#       docs/consent_tracking.md.
-#
-#   federation: the server-server API (/_matrix/federation). Also implies
-#       'media', 'keys', 'openid'
-#
-#   keys: the key discovery API (/_matrix/keys).
-#
-#   media: the media API (/_matrix/media).
-#
-#   metrics: the metrics interface. See docs/metrics-howto.md.
-#
-#   openid: OpenID authentication.
-#
-#   replication: the HTTP replication API (/_synapse/replication). See
-#       docs/workers.md.
-#
-#   static: static resources under synapse/static (/_matrix/static). (Mostly
-#       useful for 'fallback authentication'.)
-#
-#   webclient: A web client. Requires web_client_location to be set.
-#
-listeners:
-  # TLS-enabled listener: for when matrix traffic is sent directly to synapse.
-  #
-  # Disabled by default. To enable it, uncomment the following. (Note that you
-  # will also need to give Synapse a TLS key and certificate: see the TLS section
-  # below.)
-  #
-  #- port: 8448
-  #  type: http
-  #  tls: true
-  #  resources:
-  #    - names: [client, federation]
-
-  # Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy
-  # that unwraps TLS.
-  #
-  # If you plan to use a reverse proxy, please see
-  # https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md.
-  #
-  - port: 8008
-    tls: false
-    type: http
-    x_forwarded: true
-
-    resources:
-      - names: [client, federation]
-        compress: false
-
-    # example additional_resources:
-    #
-    #additional_resources:
-    #  "/_matrix/my/custom/endpoint":
-    #    module: my_module.CustomRequestHandler
-    #    config: {}
-
-  # Turn on the twisted ssh manhole service on localhost on the given
-  # port.
-  #
-  #- port: 9000
-  #  bind_addresses: ['::1', '127.0.0.1']
-  #  type: manhole
-
-# Forward extremities can build up in a room due to networking delays between
-# homeservers. Once this happens in a large room, calculation of the state of
-# that room can become quite expensive. To mitigate this, once the number of
-# forward extremities reaches a given threshold, Synapse will send an
-# org.matrix.dummy_event event, which will reduce the forward extremities
-# in the room.
-#
-# This setting defines the threshold (i.e. number of forward extremities in the
-# room) at which dummy events are sent. The default value is 10.
-#
-#dummy_events_threshold: 5
-
-
-## Homeserver blocking ##
-
-# How to reach the server admin, used in ResourceLimitError
-#
-#admin_contact: 'mailto:admin@server.com'
-
-# Global blocking
-#
-#hs_disabled: false
-#hs_disabled_message: 'Human readable reason for why the HS is blocked'
-
-# Monthly Active User Blocking
-#
-# Used in cases where the admin or server owner wants to limit to the
-# number of monthly active users.
-#
-# 'limit_usage_by_mau' disables/enables monthly active user blocking. When
-# enabled and a limit is reached the server returns a 'ResourceLimitError'
-# with error type Codes.RESOURCE_LIMIT_EXCEEDED
-#
-# 'max_mau_value' is the hard limit of monthly active users above which
-# the server will start blocking user actions.
-#
-# 'mau_trial_days' is a means to add a grace period for active users. It
-# means that users must be active for this number of days before they
-# can be considered active and guards against the case where lots of users
-# sign up in a short space of time never to return after their initial
-# session.
-#
-# 'mau_limit_alerting' is a means of limiting client side alerting
-# should the mau limit be reached. This is useful for small instances
-# where the admin has 5 mau seats (say) for 5 specific people and no
-# interest increasing the mau limit further. Defaults to True, which
-# means that alerting is enabled
-#
-#limit_usage_by_mau: false
-#max_mau_value: 50
-#mau_trial_days: 2
-#mau_limit_alerting: false
-
-# If enabled, the metrics for the number of monthly active users will
-# be populated, however no one will be limited. If limit_usage_by_mau
-# is true, this is implied to be true.
-#
-#mau_stats_only: false
-
-# Sometimes the server admin will want to ensure certain accounts are
-# never blocked by mau checking. These accounts are specified here.
-#
-#mau_limit_reserved_threepids:
-#  - medium: 'email'
-#    address: 'reserved_user@example.com'
-
-# Used by phonehome stats to group together related servers.
-#server_context: context
-
-# Resource-constrained homeserver settings
-#
-# When this is enabled, the room "complexity" will be checked before a user
-# joins a new remote room. If it is above the complexity limit, the server will
-# disallow joining, or will instantly leave.
-#
-# Room complexity is an arbitrary measure based on factors such as the number of
-# users in the room.
-#
-limit_remote_rooms:
-  # Uncomment to enable room complexity checking.
-  #
-  #enabled: true
-
-  # the limit above which rooms cannot be joined. The default is 1.0.
-  #
-  #complexity: 0.5
-
-  # override the error which is returned when the room is too complex.
-  #
-  #complexity_error: "This room is too complex."
-
-  # allow server admins to join complex rooms. Default is false.
-  #
-  #admins_can_join: true
-
-# Whether to require a user to be in the room to add an alias to it.
-# Defaults to 'true'.
-#
-#require_membership_for_aliases: false
-
-# Whether to allow per-room membership profiles through the send of membership
-# events with profile information that differ from the target's global profile.
-# Defaults to 'true'.
-#
-#allow_per_room_profiles: false
-
-# How long to keep redacted events in unredacted form in the database. After
-# this period redacted events get replaced with their redacted form in the DB.
-#
-# Defaults to `7d`. Set to `null` to disable.
-#
-#redaction_retention_period: 28d
-
-# How long to track users' last seen time and IPs in the database.
-#
-# Defaults to `28d`. Set to `null` to disable clearing out of old rows.
-#
-#user_ips_max_age: 14d
-
-# Message retention policy at the server level.
-#
-# Room admins and mods can define a retention period for their rooms using the
-# 'm.room.retention' state event, and server admins can cap this period by setting
-# the 'allowed_lifetime_min' and 'allowed_lifetime_max' config options.
-#
-# If this feature is enabled, Synapse will regularly look for and purge events
-# which are older than the room's maximum retention period. Synapse will also
-# filter events received over federation so that events that should have been
-# purged are ignored and not stored again.
-#
-retention:
-  # The message retention policies feature is disabled by default. Uncomment the
-  # following line to enable it.
-  #
-  enabled: false
-
-  # Default retention policy. If set, Synapse will apply it to rooms that lack the
-  # 'm.room.retention' state event. Currently, the value of 'min_lifetime' doesn't
-  # matter much because Synapse doesn't take it into account yet.
-  #
-  #default_policy:
-  #  min_lifetime: 1d
-  #  max_lifetime: 1y
-
-  # Retention policy limits. If set, and the state of a room contains a
-  # 'm.room.retention' event in its state which contains a 'min_lifetime' or a
-  # 'max_lifetime' that's out of these bounds, Synapse will cap the room's policy
-  # to these limits when running purge jobs.
-  #
-  #allowed_lifetime_min: 1d
-  allowed_lifetime_max: 1y
-
-  # Server admins can define the settings of the background jobs purging the
-  # events which lifetime has expired under the 'purge_jobs' section.
-  #
-  # If no configuration is provided, a single job will be set up to delete expired
-  # events in every room daily.
-  #
-  # Each job's configuration defines which range of message lifetimes the job
-  # takes care of. For example, if 'shortest_max_lifetime' is '2d' and
-  # 'longest_max_lifetime' is '3d', the job will handle purging expired events in
-  # rooms whose state defines a 'max_lifetime' that's both higher than 2 days, and
-  # lower than or equal to 3 days. Both the minimum and the maximum value of a
-  # range are optional, e.g. a job with no 'shortest_max_lifetime' and a
-  # 'longest_max_lifetime' of '3d' will handle every room with a retention policy
-  # which 'max_lifetime' is lower than or equal to three days.
-  #
-  # The rationale for this per-job configuration is that some rooms might have a
-  # retention policy with a low 'max_lifetime', where history needs to be purged
-  # of outdated messages on a more frequent basis than for the rest of the rooms
-  # (e.g. every 12h), but not want that purge to be performed by a job that's
-  # iterating over every room it knows, which could be heavy on the server.
-  #
-  # If any purge job is configured, it is strongly recommended to have at least
-  # a single job with neither 'shortest_max_lifetime' nor 'longest_max_lifetime'
-  # set, or one job without 'shortest_max_lifetime' and one job without
-  # 'longest_max_lifetime' set. Otherwise some rooms might be ignored, even if
-  # 'allowed_lifetime_min' and 'allowed_lifetime_max' are set, because capping a
-  # room's policy to these values is done after the policies are retrieved from
-  # Synapse's database (which is done using the range specified in a purge job's
-  # configuration).
-  #
-  #purge_jobs:
-  #  - longest_max_lifetime: 3d
-  #    interval: 12h
-  #  - shortest_max_lifetime: 3d
-  #    interval: 1d
-
-# Inhibits the /requestToken endpoints from returning an error that might leak
-# information about whether an e-mail address is in use or not on this
-# homeserver.
-# Note that for some endpoints the error situation is the e-mail already being
-# used, and for others the error is entering the e-mail being unused.
-# If this option is enabled, instead of returning an error, these endpoints will
-# act as if no error happened and return a fake session ID ('sid') to clients.
-#
-#request_token_inhibit_3pid_errors: true
-
-# A list of domains that the domain portion of 'next_link' parameters
-# must match.
-#
-# This parameter is optionally provided by clients while requesting
-# validation of an email or phone number, and maps to a link that
-# users will be automatically redirected to after validation
-# succeeds. Clients can make use this parameter to aid the validation
-# process.
-#
-# The whitelist is applied whether the homeserver or an
-# identity server is handling validation.
-#
-# The default value is no whitelist functionality; all domains are
-# allowed. Setting this value to an empty list will instead disallow
-# all domains.
-#
-#next_link_domain_whitelist: ["matrix.org"]
-
-
-## TLS ##
-
-# PEM-encoded X509 certificate for TLS.
-# This certificate, as of Synapse 1.0, will need to be a valid and verifiable
-# certificate, signed by a recognised Certificate Authority.
-#
-# See 'ACME support' below to enable auto-provisioning this certificate via
-# Let's Encrypt.
-#
-# If supplying your own, be sure to use a `.pem` file that includes the
-# full certificate chain including any intermediate certificates (for
-# instance, if using certbot, use `fullchain.pem` as your certificate,
-# not `cert.pem`).
-#
-#tls_certificate_path: "/data/matrix.420joos.dev.tls.crt"
-
-# PEM-encoded private key for TLS
-#
-#tls_private_key_path: "/data/matrix.420joos.dev.tls.key"
-
-# Whether to verify TLS server certificates for outbound federation requests.
-#
-# Defaults to `true`. To disable certificate verification, uncomment the
-# following line.
-#
-#federation_verify_certificates: false
-
-# The minimum TLS version that will be used for outbound federation requests.
-#
-# Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note
-# that setting this value higher than `1.2` will prevent federation to most
-# of the public Matrix network: only configure it to `1.3` if you have an
-# entirely private federation setup and you can ensure TLS 1.3 support.
-#
-#federation_client_minimum_tls_version: 1.2
-
-# Skip federation certificate verification on the following whitelist
-# of domains.
-#
-# This setting should only be used in very specific cases, such as
-# federation over Tor hidden services and similar. For private networks
-# of homeservers, you likely want to use a private CA instead.
-#
-# Only effective if federation_verify_certicates is `true`.
-#
-#federation_certificate_verification_whitelist:
-#  - lon.example.com
-#  - *.domain.com
-#  - *.onion
-
-# List of custom certificate authorities for federation traffic.
-#
-# This setting should only normally be used within a private network of
-# homeservers.
-#
-# Note that this list will replace those that are provided by your
-# operating environment. Certificates must be in PEM format.
-#
-#federation_custom_ca_list:
-#  - myCA1.pem
-#  - myCA2.pem
-#  - myCA3.pem
-
-# ACME support: This will configure Synapse to request a valid TLS certificate
-# for your configured `server_name` via Let's Encrypt.
-#
-# Note that ACME v1 is now deprecated, and Synapse currently doesn't support
-# ACME v2. This means that this feature currently won't work with installs set
-# up after November 2019. For more info, and alternative solutions, see
-# https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1
-#
-# Note that provisioning a certificate in this way requires port 80 to be
-# routed to Synapse so that it can complete the http-01 ACME challenge.
-# By default, if you enable ACME support, Synapse will attempt to listen on
-# port 80 for incoming http-01 challenges - however, this will likely fail
-# with 'Permission denied' or a similar error.
-#
-# There are a couple of potential solutions to this:
-#
-#  * If you already have an Apache, Nginx, or similar listening on port 80,
-#    you can configure Synapse to use an alternate port, and have your web
-#    server forward the requests. For example, assuming you set 'port: 8009'
-#    below, on Apache, you would write:
-#
-#    ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge
-#
-#  * Alternatively, you can use something like `authbind` to give Synapse
-#    permission to listen on port 80.
-#
-acme:
-    # ACME support is disabled by default. Set this to `true` and uncomment
-    # tls_certificate_path and tls_private_key_path above to enable it.
-    #
-    enabled: false
-
-    # Endpoint to use to request certificates. If you only want to test,
-    # use Let's Encrypt's staging url:
-    #     https://acme-staging.api.letsencrypt.org/directory
-    #
-    #url: https://acme-v01.api.letsencrypt.org/directory
-
-    # Port number to listen on for the HTTP-01 challenge. Change this if
-    # you are forwarding connections through Apache/Nginx/etc.
-    #
-    port: 80
-
-    # Local addresses to listen on for incoming connections.
-    # Again, you may want to change this if you are forwarding connections
-    # through Apache/Nginx/etc.
-    #
-    bind_addresses: ['::', '0.0.0.0']
-
-    # How many days remaining on a certificate before it is renewed.
-    #
-    reprovision_threshold: 30
-
-    # The domain that the certificate should be for. Normally this
-    # should be the same as your Matrix domain (i.e., 'server_name'), but,
-    # by putting a file at 'https://<server_name>/.well-known/matrix/server',
-    # you can delegate incoming traffic to another server. If you do that,
-    # you should give the target of the delegation here.
-    #
-    # For example: if your 'server_name' is 'example.com', but
-    # 'https://example.com/.well-known/matrix/server' delegates to
-    # 'matrix.example.com', you should put 'matrix.example.com' here.
-    #
-    # If not set, defaults to your 'server_name'.
-    #
-    domain: matrix.420joos.dev
-
-    # file to use for the account key. This will be generated if it doesn't
-    # exist.
-    #
-    # If unspecified, we will use CONFDIR/client.key.
-    #
-    account_key_file: /data/acme_account.key
-
-# List of allowed TLS fingerprints for this server to publish along
-# with the signing keys for this server. Other matrix servers that
-# make HTTPS requests to this server will check that the TLS
-# certificates returned by this server match one of the fingerprints.
-#
-# Synapse automatically adds the fingerprint of its own certificate
-# to the list. So if federation traffic is handled directly by synapse
-# then no modification to the list is required.
-#
-# If synapse is run behind a load balancer that handles the TLS then it
-# will be necessary to add the fingerprints of the certificates used by
-# the loadbalancers to this list if they are different to the one
-# synapse is using.
-#
-# Homeservers are permitted to cache the list of TLS fingerprints
-# returned in the key responses up to the "valid_until_ts" returned in
-# key. It may be necessary to publish the fingerprints of a new
-# certificate and wait until the "valid_until_ts" of the previous key
-# responses have passed before deploying it.
-#
-# You can calculate a fingerprint from a given TLS listener via:
-# openssl s_client -connect $host:$port < /dev/null 2> /dev/null |
-#   openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '='
-# or by checking matrix.org/federationtester/api/report?server_name=$host
-#
-#tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]
-
-
-## Federation ##
-
-# Restrict federation to the following whitelist of domains.
-# N.B. we recommend also firewalling your federation listener to limit
-# inbound federation traffic as early as possible, rather than relying
-# purely on this application-layer restriction.  If not specified, the
-# default is to whitelist everything.
-#
-federation_domain_whitelist:
-#  - lon.example.com
-#  - nyc.example.com
-#  - syd.example.com
-
-# Report prometheus metrics on the age of PDUs being sent to and received from
-# the following domains. This can be used to give an idea of "delay" on inbound
-# and outbound federation, though be aware that any delay can be due to problems
-# at either end or with the intermediate network.
-#
-# By default, no domains are monitored in this way.
-#
-#federation_metrics_domains:
-#  - matrix.org
-#  - example.com
-
-# Uncomment to disable profile lookup over federation. By default, the
-# Federation API allows other homeservers to obtain profile data of any user
-# on this homeserver. Defaults to 'true'.
-#
-#allow_profile_lookup_over_federation: false
-
-
-## Caching ##
-
-# Caching can be configured through the following options.
-#
-# A cache 'factor' is a multiplier that can be applied to each of
-# Synapse's caches in order to increase or decrease the maximum
-# number of entries that can be stored.
-
-# The number of events to cache in memory. Not affected by
-# caches.global_factor.
-#
-#event_cache_size: 10K
-
-caches:
-   # Controls the global cache factor, which is the default cache factor
-   # for all caches if a specific factor for that cache is not otherwise
-   # set.
-   #
-   # This can also be set by the "SYNAPSE_CACHE_FACTOR" environment
-   # variable. Setting by environment variable takes priority over
-   # setting through the config file.
-   #
-   # Defaults to 0.5, which will half the size of all caches.
-   #
-   #global_factor: 1.0
-
-   # A dictionary of cache name to cache factor for that individual
-   # cache. Overrides the global cache factor for a given cache.
-   #
-   # These can also be set through environment variables comprised
-   # of "SYNAPSE_CACHE_FACTOR_" + the name of the cache in capital
-   # letters and underscores. Setting by environment variable
-   # takes priority over setting through the config file.
-   # Ex. SYNAPSE_CACHE_FACTOR_GET_USERS_WHO_SHARE_ROOM_WITH_USER=2.0
-   #
-   # Some caches have '*' and other characters that are not
-   # alphanumeric or underscores. These caches can be named with or
-   # without the special characters stripped. For example, to specify
-   # the cache factor for `*stateGroupCache*` via an environment
-   # variable would be `SYNAPSE_CACHE_FACTOR_STATEGROUPCACHE=2.0`.
-   #
-   per_cache_factors:
-     #get_users_who_share_room_with_user: 2.0
-
-
-## Database ##
-
-# The 'database' setting defines the database that synapse uses to store all of
-# its data.
-#
-# 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or
-# 'psycopg2' (for PostgreSQL).
-#
-# 'args' gives options which are passed through to the database engine,
-# except for options starting 'cp_', which are used to configure the Twisted
-# connection pool. For a reference to valid arguments, see:
-#   * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
-#   * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
-#   * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__
-#
-#
-# Example SQLite configuration:
-#
-#database:
-#  name: sqlite3
-#  args:
-#    database: /path/to/homeserver.db
-#
-#
-# Example Postgres configuration:
-#
-database:
- name: psycopg2
- args:
-   user: 250b36482dea
-   password: 1473810b1d04
-   database: postgresdb
-   host: postgres
-   port: 5432
-  #  cp_min: 5
-  #  cp_max: 10
-#
-# For more information on using Synapse with Postgres, see `docs/postgres.md`.
-#
-# database:
-#   name: sqlite3
-#   args:
-#     database: /data/homeserver.db
-
-
-## Logging ##
-
-# A yaml python logging config file as described by
-# https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
-#
-log_config: "/data/default.log.config"
-
-
-## Ratelimiting ##
-
-# Ratelimiting settings for client actions (registration, login, messaging).
-#
-# Each ratelimiting configuration is made of two parameters:
-#   - per_second: number of requests a client can send per second.
-#   - burst_count: number of requests a client can send before being throttled.
-#
-# Synapse currently uses the following configurations:
-#   - one for messages that ratelimits sending based on the account the client
-#     is using
-#   - one for registration that ratelimits registration requests based on the
-#     client's IP address.
-#   - one for login that ratelimits login requests based on the client's IP
-#     address.
-#   - one for login that ratelimits login requests based on the account the
-#     client is attempting to log into.
-#   - one for login that ratelimits login requests based on the account the
-#     client is attempting to log into, based on the amount of failed login
-#     attempts for this account.
-#   - one for ratelimiting redactions by room admins. If this is not explicitly
-#     set then it uses the same ratelimiting as per rc_message. This is useful
-#     to allow room admins to deal with abuse quickly.
-#   - two for ratelimiting number of rooms a user can join, "local" for when
-#     users are joining rooms the server is already in (this is cheap) vs
-#     "remote" for when users are trying to join rooms not on the server (which
-#     can be more expensive)
-#   - one for ratelimiting how often a user or IP can attempt to validate a 3PID.
-#   - two for ratelimiting how often invites can be sent in a room or to a
-#     specific user.
-#
-# The defaults are as shown below.
-#
-#rc_message:
-#  per_second: 0.2
-#  burst_count: 10
-#
-#rc_registration:
-#  per_second: 0.17
-#  burst_count: 3
-#
-#rc_login:
-#  address:
-#    per_second: 0.17
-#    burst_count: 3
-#  account:
-#    per_second: 0.17
-#    burst_count: 3
-#  failed_attempts:
-#    per_second: 0.17
-#    burst_count: 3
-#
-#rc_admin_redaction:
-#  per_second: 1
-#  burst_count: 50
-#
-#rc_joins:
-#  local:
-#    per_second: 0.1
-#    burst_count: 3
-#  remote:
-#    per_second: 0.01
-#    burst_count: 3
-#
-#rc_3pid_validation:
-#  per_second: 0.003
-#  burst_count: 5
-#
-#rc_invites:
-#  per_room:
-#    per_second: 0.3
-#    burst_count: 10
-#  per_user:
-#    per_second: 0.003
-#    burst_count: 5
-
-# Ratelimiting settings for incoming federation
-#
-# The rc_federation configuration is made up of the following settings:
-#   - window_size: window size in milliseconds
-#   - sleep_limit: number of federation requests from a single server in
-#     a window before the server will delay processing the request.
-#   - sleep_delay: duration in milliseconds to delay processing events
-#     from remote servers by if they go over the sleep limit.
-#   - reject_limit: maximum number of concurrent federation requests
-#     allowed from a single server
-#   - concurrent: number of federation requests to concurrently process
-#     from a single server
-#
-# The defaults are as shown below.
-#
-#rc_federation:
-#  window_size: 1000
-#  sleep_limit: 10
-#  sleep_delay: 500
-#  reject_limit: 50
-#  concurrent: 3
-
-# Target outgoing federation transaction frequency for sending read-receipts,
-# per-room.
-#
-# If we end up trying to send out more read-receipts, they will get buffered up
-# into fewer transactions.
-#
-#federation_rr_transactions_per_room_per_second: 50
-
-
-
-## Media Store ##
-
-# Enable the media store service in the Synapse master. Uncomment the
-# following if you are using a separate media store worker.
-#
-#enable_media_repo: false
-
-# Directory where uploaded images and attachments are stored.
-#
-media_store_path: "/var/lib/media_store"
-
-# Media storage providers allow media to be stored in different
-# locations.
-#
-#media_storage_providers:
-#  - module: file_system
-#    # Whether to store newly uploaded local files
-#    store_local: false
-#    # Whether to store newly downloaded remote files
-#    store_remote: false
-#    # Whether to wait for successful storage for local uploads
-#    store_synchronous: false
-#    config:
-#       directory: /mnt/some/other/directory
-
-# The largest allowed upload size in bytes
-#
-max_upload_size: 50M
-uploads_path: "/var/lib/uploads"
-
-# Maximum number of pixels that will be thumbnailed
-#
-#max_image_pixels: 32M
-
-# Whether to generate new thumbnails on the fly to precisely match
-# the resolution requested by the client. If true then whenever
-# a new resolution is requested by the client the server will
-# generate a new thumbnail. If false the server will pick a thumbnail
-# from a precalculated list.
-#
-#dynamic_thumbnails: false
-
-# List of thumbnails to precalculate when an image is uploaded.
-#
-#thumbnail_sizes:
-#  - width: 32
-#    height: 32
-#    method: crop
-#  - width: 96
-#    height: 96
-#    method: crop
-#  - width: 320
-#    height: 240
-#    method: scale
-#  - width: 640
-#    height: 480
-#    method: scale
-#  - width: 800
-#    height: 600
-#    method: scale
-
-# Is the preview URL API enabled?
-#
-# 'false' by default: uncomment the following to enable it (and specify astored
-# specify a list for URL previewing to work.  You should specify any
-# internal services in your network that you do not want synapse to try
-# to connect to, otherwise anyone in any Matrix room could cause your
-# synapse to issue arbitrary GET requests to your internal services,
-# causing serious security issues.
-#
-# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
-# listed here, since they correspond to unroutable addresses.)
-#
-# This must be specified if url_preview_enabled is set. It is recommended that
-# you uncomment the following list as a starting point.
-#
-#url_preview_ip_range_blacklist:
-#  - '127.0.0.0/8'
-#  - '10.0.0.0/8'
-#  - '172.16.0.0/12'
-#  - '192.168.0.0/16'
-#  - '100.64.0.0/10'
-#  - '192.0.0.0/24'
-#  - '169.254.0.0/16'
-#  - '192.88.99.0/24'
-#  - '198.18.0.0/15'
-#  - '192.0.2.0/24'
-#  - '198.51.100.0/24'
-#  - '203.0.113.0/24'
-#  - '224.0.0.0/4'
-#  - '::1/128'
-#  - 'fe80::/10'
-#  - 'fc00::/7'
-#  - '2001:db8::/32'
-#  - 'ff00::/8'
-#  - 'fec0::/10'
-
-# List of IP address CIDR ranges that the URL preview spider is allowed
-# to access even if they are specified in url_preview_ip_range_blacklist.
-# This is useful for specifying exceptions to wide-ranging blacklisted
-# target IP ranges - e.g. for enabling URL previews for a specific private
-# website only visible in your network.
-#
-#url_preview_ip_range_whitelist:
-#   - '192.168.1.1'
-
-# Optional list of URL matches that the URL preview spider is
-# denied from accessing.  You should use url_preview_ip_range_blacklist
-# in preference to this, otherwise someone could define a public DNS
-# entry that points to a private IP address and circumvent the blacklist.
-# This is more useful if you know there is an entire shape of URL that
-# you know that will never want synapse to try to spider.
-#
-# Each list entry is a dictionary of url component attributes as returned
-# by urlparse.urlsplit as applied to the absolute form of the URL.  See
-# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit
-# The values of the dictionary are treated as an filename match pattern
-# applied to that component of URLs, unless they start with a ^ in which
-# case they are treated as a regular expression match.  If all the
-# blacklisted.
-#
-#url_preview_url_blacklist:
-#  # blacklist any URL with a username in its URI
-#  - username: '*'
-#
-#  # blacklist all *.google.com URLs
-#  - netloc: 'google.com'
-#  - netloc: '*.google.com'
-#
-#  # blacklist all plain HTTP URLs
-#  - scheme: 'http'
-#
-#  # blacklist http(s)://www.acme.com/foo
-#  - netloc: 'www.acme.com'
-#    path: '/foo'
-#
-#  # blacklist any URL with a literal IPv4 address
-#  - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
-
-# The largest allowed URL preview spidering size in bytes
-#
-#max_spider_size: 10M
-
-# A list of values for the Accept-Language HTTP header used when
-# downloading webpages during URL preview generation. This allows
-# Synapse to specify the preferred languages that URL previews should
-# be in when communicating with remote servers.
-#
-# Each value is a IETF language tag; a 2-3 letter identifier for a
-# language, optionally followed by subtags separated by '-', specifying
-# a country or region variant.
-#
-# Multiple values can be provided, and a weight can be added to each by
-# using quality value syntax (;q=). '*' translates to any language.
-#
-# Defaults to "en".
-#
-# Example:
-#
-# url_preview_accept_language:
-#   - en-UK
-#   - en-US;q=0.9
-#   - fr;q=0.8
-#   - *;q=0.7
-#
-url_preview_accept_language:
-#   - en
-
-
-## Captcha ##
-# See docs/CAPTCHA_SETUP.md for full details of configuring this.
-
-# This homeserver's ReCAPTCHA public key. Must be specified if
-# enable_registration_captcha is enabled.
-#
-recaptcha_public_key: "6Lc865YaAAAAAM_PAufSa8WdlVJmZAmI8XLVCieW"
-
-# This homeserver's ReCAPTCHA private key. Must be specified if
-# enable_registration_captcha is enabled.
-#
-recaptcha_private_key: "6Lc865YaAAAAABR25-cz9cWe-99Yl0-3GTvLUCjB"
-
-# Uncomment to enable ReCaptcha checks when registering, preventing signup
-# unless a captcha is answered. Requires a valid ReCaptcha
-# public/private key. Defaults to 'false'.
-#
-enable_registration_captcha: true
-
-# The API endpoint to use for verifying m.login.recaptcha responses.
-# Defaults to "https://www.recaptcha.net/recaptcha/api/siteverify".
-#
-recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
-
-
-## TURN ##
-
-# The public URIs of the TURN server to give to clients
-#
-# turn_uris: ["turn:turn.matrix.org?transport=udp", "turn:turn.matrix.org?transport=tcp"]
-# turn_uris: ["turn:turn.420joos.dev"]
-# turn_uris : ["turn:numb.viagenie.ca?transport=udp", "turn:numb.viagenie.ca?transport=tcp"]
-# turn_uris: ["stun:stun.l.google.com:19302"]
-# turn_uris : ["turn:numb.viagenie.ca"]
-turn_uris: ["turn:turn.420joos.dev?transport=udp", "turn:turn.420joos.dev?transport=tcp"]
-# turn_uris: ["turn:turn.420joos.dev?transport=udp"]
-
-
-# The shared secret used to compute passwords for the TURN server
-#
-turn_shared_secret: rjALsyzwcAD8Un27SWBh39eWzaM2eKXj2FV4pXlNA1ihEKN6eV1zsESThZ968viZ
-
-# The Username and password if the TURN server needs them and
-# does not use a token
-#
-# turn_username: "turnadmin"
-# turn_password: "rjALsyzwcAD8Un27SWBh39eWzaM2eKXj2FV4pXlNA1ihEKN6eV1zsESThZ968viZ"
-
-# How long generated TURN credentials last
-#
-# turn_user_lifetime: 86400000 #1h
-
-# Whether guests should be allowed to use the TURN server.
-# This defaults to True, otherwise VoIP will be unreliable for guests.
-# However, it does introduce a slight security risk as it allows users to
-# connect to arbitrary endpoints without having first signed up for a
-# valid account (e.g. by passing a CAPTCHA).
-#
-turn_allow_guests: false
-
-
-## Registration ##
-#
-# Registration can be rate-limited using the parameters in the "Ratelimiting"
-# section of this file.
-
-# Enable registration for new users.
-#
-enable_registration: true
-
-# Optional account validity configuration. This allows for accounts to be denied
-# any request after a given period.
-#
-# Once this feature is enabled, Synapse will look for registered users without an
-# expiration date at startup and will add one to every account it found using the
-# current settings at that time.
-# This means that, if a validity period is set, and Synapse is restarted (it will
-# then derive an expiration date from the current validity period), and some time
-# after that the validity period changes and Synapse is restarted, the users'
-# expiration dates won't be updated unless their account is manually renewed. This
-# date will be randomly selected within a range [now + period - d ; now + period],
-# where d is equal to 10% of the validity period.
-#
-account_validity:
-  # The account validity feature is disabled by default. Uncomment the
-  # following line to enable it.
-  #
-  #enabled: true
-
-  # The period after which an account is valid after its registration. When
-  # renewing the account, its validity period will be extended by this amount
-  # of time. This parameter is required when using the account validity
-  # feature.
-  #
-  #period: 6w
-
-  # The amount of time before an account's expiry date at which Synapse will
-  # send an email to the account's email address with a renewal link. By
-  # default, no such emails are sent.
-  #
-  # If you enable this setting, you will also need to fill out the 'email' and
-  # 'public_baseurl' configuration sections.
-  #
-  #renew_at: 1w
-
-  # The subject of the email sent out with the renewal link. '%(app)s' can be
-  # used as a placeholder for the 'app_name' parameter from the 'email'
-  # section.
-  #
-  # Note that the placeholder must be written '%(app)s', including the
-  # trailing 's'.
-  #
-  # If this is not set, a default value is used.
-  #
-  #renew_email_subject: "Renew your %(app)s account"
-
-  # Directory in which Synapse will try to find templates for the HTML files to
-  # serve to the user when trying to renew an account. If not set, default
-  # templates from within the Synapse package will be used.
-  #
-  #template_dir: "res/templates"
-
-  # File within 'template_dir' giving the HTML to be displayed to the user after
-  # they successfully renewed their account. If not set, default text is used.
-  #
-  #account_renewed_html_path: "account_renewed.html"
-
-  # File within 'template_dir' giving the HTML to be displayed when the user
-  # tries to renew an account with an invalid renewal token. If not set,
-  # default text is used.
-  #
-  #invalid_token_html_path: "invalid_token.html"
-
-# Time that a user's session remains valid for, after they log in.
-#
-# Note that this is not currently compatible with guest logins.
-#
-# Note also that this is calculated at login time: changes are not applied
-# retrospectively to users who have already logged in.
-#
-# By default, this is infinite.
-#
-#session_lifetime: 24h
-
-# The user must provide all of the below types of 3PID when registering.
-#
-#registrations_require_3pid:
-#  - email
-#  - msisdn
-
-# Explicitly disable asking for MSISDNs from the registration
-# flow (overrides registrations_require_3pid if MSISDNs are set as required)
-#
-#disable_msisdn_registration: true
-
-# Mandate that users are only allowed to associate certain formats of
-# 3PIDs with accounts on this server.
-#
-#allowed_local_3pids:
-#  - medium: email
-#    pattern: '.*@matrix\.org'
-#  - medium: email
-#    pattern: '.*@vector\.im'
-#  - medium: msisdn
-#    pattern: '\+44'
-
-# Enable 3PIDs lookup requests to identity servers from this server.
-#
-#enable_3pid_lookup: true
-
-# If set, allows registration of standard or admin accounts by anyone who
-# has the shared secret, even if registration is otherwise disabled.
-#
-registration_shared_secret: "xn8X+aj1--&wY=xgw+hPJ_LqRn-O~H7lt+RZGVTvLqh96F2*2P"
-
-# Set the number of bcrypt rounds used to generate password hash.
-# Larger numbers increase the work factor needed to generate the hash.
-# The default number is 12 (which equates to 2^12 rounds).
-# N.B. that increasing this will exponentially increase the time required
-# to register or login - e.g. 24 => 2^24 rounds which will take >20 mins.
-#
-#bcrypt_rounds: 12
-
-# Allows users to register as guests without a password/email/etc, and
-# participate in rooms hosted on this server which have been made
-# accessible to anonymous users.
-#
-#allow_guest_access: false
-
-# The identity server which we suggest that clients should use when users log
-# in on this server.
-#
-# (By default, no suggestion is made, so it is left up to the client.
-# This setting is ignored unless public_baseurl is also set.)
-#
-#default_identity_server: https://matrix.org
-
-# Handle threepid (email/phone etc) registration and password resets through a set of
-# *trusted* identity servers. Note that this allows the configured identity server to
-# reset passwords for accounts!
-#
-# Be aware that if `email` is not set, and SMTP options have not been
-# configured in the email config block, registration and user password resets via
-# email will be globally disabled.
-#
-# Additionally, if `msisdn` is not set, registration and password resets via msisdn
-# will be disabled regardless, and users will not be able to associate an msisdn
-# identifier to their account. This is due to Synapse currently not supporting
-# any method of sending SMS messages on its own.
-#
-# To enable using an identity server for operations regarding a particular third-party
-# identifier type, set the value to the URL of that identity server as shown in the
-# examples below.
-#
-# Servers handling the these requests must answer the `/requestToken` endpoints defined
-# by the Matrix Identity Service API specification:
-# https://matrix.org/docs/spec/identity_service/latest
-#
-# If a delegate is specified, the config option public_baseurl must also be filled out.
-#
-account_threepid_delegates:
-    #email: https://example.com     # Delegate email sending to example.com
-    #msisdn: http://localhost:8090  # Delegate SMS sending to this local process
-
-# Whether users are allowed to change their displayname after it has
-# been initially set. Useful when provisioning users based on the
-# contents of a third-party directory.
-#
-# Does not apply to server administrators. Defaults to 'true'
-#
-#enable_set_displayname: false
-
-# Whether users are allowed to change their avatar after it has been
-# initially set. Useful when provisioning users based on the contents
-# of a third-party directory.
-#
-# Does not apply to server administrators. Defaults to 'true'
-#
-#enable_set_avatar_url: false
-
-# Whether users can change the 3PIDs associated with their accounts
-# (email address and msisdn).
-#
-# Defaults to 'true'
-#
-#enable_3pid_changes: false
-
-# Users who register on this homeserver will automatically be joined
-# to these rooms.
-#
-# By default, any room aliases included in this list will be created
-# as a publicly joinable room when the first user registers for the
-# homeserver. This behaviour can be customised with the settings below.
-# If the room already exists, make certain it is a publicly joinable
-# room. The join rule of the room must be set to 'public'.
-#
-#auto_join_rooms:
-#  - "#example:example.com"
-
-# Where auto_join_rooms are specified, setting this flag ensures that the
-# the rooms exist by creating them when the first user on the
-# homeserver registers.
-#
-# By default the auto-created rooms are publicly joinable from any federated
-# server. Use the autocreate_auto_join_rooms_federated and
-# autocreate_auto_join_room_preset settings below to customise this behaviour.
-#
-# Setting to false means that if the rooms are not manually created,
-# users cannot be auto-joined since they do not exist.
-#
-# Defaults to true. Uncomment the following line to disable automatically
-# creating auto-join rooms.
-#
-#autocreate_auto_join_rooms: false
-
-# Whether the auto_join_rooms that are auto-created are available via
-# federation. Only has an effect if autocreate_auto_join_rooms is true.
-#
-# Note that whether a room is federated cannot be modified after
-# creation.
-#
-# Defaults to true: the room will be joinable from other servers.
-# Uncomment the following to prevent users from other homeservers from
-# joining these rooms.
-#
-#autocreate_auto_join_rooms_federated: false
-
-# The room preset to use when auto-creating one of auto_join_rooms. Only has an
-# effect if autocreate_auto_join_rooms is true.
-#
-# This can be one of "public_chat", "private_chat", or "trusted_private_chat".
-# If a value of "private_chat" or "trusted_private_chat" is used then
-# auto_join_mxid_localpart must also be configured.
-#
-# Defaults to "public_chat", meaning that the room is joinable by anyone, including
-# federated servers if autocreate_auto_join_rooms_federated is true (the default).
-# Uncomment the following to require an invitation to join these rooms.
-#
-#autocreate_auto_join_room_preset: private_chat
-
-# The local part of the user id which is used to create auto_join_rooms if
-# autocreate_auto_join_rooms is true. If this is not provided then the
-# initial user account that registers will be used to create the rooms.
-#
-# The user id is also used to invite new users to any auto-join rooms which
-# are set to invite-only.
-#
-# It *must* be configured if autocreate_auto_join_room_preset is set to
-# "private_chat" or "trusted_private_chat".
-#
-# Note that this must be specified in order for new users to be correctly
-# invited to any auto-join rooms which have been set to invite-only (either
-# at the time of creation or subsequently).
-#
-# Note that, if the room already exists, this user must be joined and
-# have the appropriate permissions to invite new members.
-#
-#auto_join_mxid_localpart: system
-
-# When auto_join_rooms is specified, setting this flag to false prevents
-# guest accounts from being automatically joined to the rooms.
-#
-# Defaults to true.
-#
-#auto_join_rooms_for_guests: false
-
-
-## Metrics ###
-
-# Enable collection and rendering of performance metrics
-#
-#enable_metrics: false
-
-# Enable sentry integration
-# NOTE: While attempts are made to ensure that the logs don't contain
-# any sensitive information, this cannot be guaranteed. By enabling
-# this option the sentry server may therefore receive sensitive
-# information, and it in turn may then diseminate sensitive information
-# through insecure notification channels if so configured.
-#
-#sentry:
-#    dsn: "..."
-
-# Flags to enable Prometheus metrics which are not suitable to be
-# enabled by default, either for performance reasons or limited use.
-#
-metrics_flags:
-    # Publish synapse_federation_known_servers, a gauge of the number of
-    # servers this homeserver knows about, including itself. May cause
-    # performance problems on large homeservers.
-    #
-    #known_servers: true
-
-# Whether or not to report anonymized homeserver usage statistics.
-#
-report_stats: true
-
-# The endpoint to report the anonymized homeserver usage statistics to.
-# Defaults to https://matrix.org/report-usage-stats/push
-#
-#report_stats_endpoint: https://example.com/report-usage-stats/push
-
-
-## API Configuration ##
-
-# A list of event types that will be included in the room_invite_state
-#
-#room_invite_state_types:
-#  - "m.room.join_rules"
-#  - "m.room.canonical_alias"
-#  - "m.room.avatar"
-#  - "m.room.encryption"
-#  - "m.room.name"
-
-
-# A list of application service config files to use
-#
-app_service_config_files:
- - /bridges/telegram/config/registration.yaml
- - /bridges/whatsapp/config/registration.yaml
-
-# Uncomment to enable tracking of application service IP addresses. Implicitly
-# enables MAU tracking for application service users.
-#
-#track_appservice_user_ips: true
-
-
-# a secret which is used to sign access tokens. If none is specified,
-# the registration_shared_secret is used, if one is given; otherwise,
-# a secret key is derived from the signing key.
-#
-macaroon_secret_key: "1uofg7T5nKUswEXta&t33e-cXoFA.eeYn9L3gXVc1^BE60m6Rl"
-
-# a secret which is used to calculate HMACs for form values, to stop
-# falsification of values. Must be specified for the User Consent
-# forms to work.
-#
-form_secret: "r^9;J+3xC6Q;-EmgC^@ib@^oS9@93Kqg2=6Ii3eft.W0qsbpqE"
-
-## Signing Keys ##
-
-# Path to the signing key to sign messages with
-#
-signing_key_path: "/data/default.signing.key"
-
-# The keys that the server used to sign messages with but won't use
-# to sign new messages.
-#
-old_signing_keys:
-  # For each key, `key` should be the base64-encoded public key, and
-  # `expired_ts`should be the time (in milliseconds since the unix epoch) that
-  # it was last used.
-  #
-  # It is possible to build an entry from an old signing.key file using the
-  # `export_signing_key` script which is provided with synapse.
-  #
-  # For example:
-  #
-  #"ed25519:id": { key: "base64string", expired_ts: 123456789123 }
-
-# How long key response published by this server is valid for.
-# Used to set the valid_until_ts in /key/v2 APIs.
-# Determines how quickly servers will query to check which keys
-# are still valid.
-#
-#key_refresh_interval: 1d
-
-# The trusted servers to download signing keys from.
-#
-# When we need to fetch a signing key, each server is tried in parallel.
-#
-# Normally, the connection to the key server is validated via TLS certificates.
-# Additional security can be provided by configuring a `verify key`, which
-# will make synapse check that the response is signed by that key.
-#
-# This setting supercedes an older setting named `perspectives`. The old format
-# is still supported for backwards-compatibility, but it is deprecated.
-#
-# 'trusted_key_servers' defaults to matrix.org, but using it will generate a
-# warning on start-up. To suppress this warning, set
-# 'suppress_key_server_warning' to true.
-#
-# Options for each entry in the list include:
-#
-#    server_name: the name of the server. required.
-#
-#    verify_keys: an optional map from key id to base64-encoded public key.
-#       If specified, we will check that the response is signed by at least
-#       one of the given keys.
-#
-#    accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset,
-#       and federation_verify_certificates is not `true`, synapse will refuse
-#       to start, because this would allow anyone who can spoof DNS responses
-#       to masquerade as the trusted key server. If you know what you are doing
-#       and are sure that your network environment provides a secure connection
-#       to the key server, you can set this to `true` to override this
-#       behaviour.
-#
-# An example configuration might look like:
-#
-#trusted_key_servers:
-#  - server_name: "my_trusted_server.example.com"
-#    verify_keys:
-#      "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr"
-#  - server_name: "my_other_trusted_server.example.com"
-#
-trusted_key_servers:
-  - server_name: "matrix.org"
-
-# Uncomment the following to disable the warning that is emitted when the
-# trusted_key_servers include 'matrix.org'. See above.
-#
-#suppress_key_server_warning: true
-
-# The signing keys to use when acting as a trusted key server. If not specified
-# defaults to the server signing key.
-#
-# Can contain multiple keys, one per line.
-#
-#key_server_signing_keys_path: "key_server_signing_keys.key"
-
-
-## Single sign-on integration ##
-
-# The following settings can be used to make Synapse use a single sign-on
-# provider for authentication, instead of its internal password database.
-#
-# You will probably also want to set the following options to `false` to
-# disable the regular login/registration flows:
-#   * enable_registration
-#   * password_config.enabled
-#
-# You will also want to investigate the settings under the "sso" configuration
-# section below.
-
-# Enable SAML2 for registration and login. Uses pysaml2.
-#
-# At least one of `sp_config` or `config_path` must be set in this section to
-# enable SAML login.
-#
-# Once SAML support is enabled, a metadata file will be exposed at
-# https://<server>:<port>/_synapse/client/saml2/metadata.xml, which you may be able to
-# use to configure your SAML IdP with. Alternatively, you can manually configure
-# the IdP to use an ACS location of
-# https://<server>:<port>/_synapse/client/saml2/authn_response.
-#
-saml2_config:
-  # `sp_config` is the configuration for the pysaml2 Service Provider.
-  # See pysaml2 docs for format of config.
-  #
-  # Default values will be used for the 'entityid' and 'service' settings,
-  # so it is not normally necessary to specify them unless you need to
-  # override them.
-  #
-  sp_config:
-    # Point this to the IdP's metadata. You must provide either a local
-    # file via the `local` attribute or (preferably) a URL via the
-    # `remote` attribute.
-    #
-    #metadata:
-    #  local: ["saml2/idp.xml"]
-    #  remote:
-    #    - url: https://our_idp/metadata.xml
-
-    # Allowed clock difference in seconds between the homeserver and IdP.
-    #
-    # Uncomment the below to increase the accepted time difference from 0 to 3 seconds.
-    #
-    #accepted_time_diff: 3
-
-    # By default, the user has to go to our login page first. If you'd like
-    # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
-    # 'service.sp' section:
-    #
-    #service:
-    #  sp:
-    #    allow_unsolicited: true
-
-    # The examples below are just used to generate our metadata xml, and you
-    # may well not need them, depending on your setup. Alternatively you
-    # may need a whole lot more detail - see the pysaml2 docs!
-
-    #description: ["My awesome SP", "en"]
-    #name: ["Test SP", "en"]
-
-    #ui_info:
-    #  display_name:
-    #    - lang: en
-    #      text: "Display Name is the descriptive name of your service."
-    #  description:
-    #    - lang: en
-    #      text: "Description should be a short paragraph explaining the purpose of the service."
-    #  information_url:
-    #    - lang: en
-    #      text: "https://example.com/terms-of-service"
-    #  privacy_statement_url:
-    #    - lang: en
-    #      text: "https://example.com/privacy-policy"
-    #  keywords:
-    #    - lang: en
-    #      text: ["Matrix", "Element"]
-    #  logo:
-    #    - lang: en
-    #      text: "https://example.com/logo.svg"
-    #      width: "200"
-    #      height: "80"
-
-    #organization:
-    #  name: Example com
-    #  display_name:
-    #    - ["Example co", "en"]
-    #  url: "http://example.com"
-
-    #contact_person:
-    #  - given_name: Bob
-    #    sur_name: "the Sysadmin"
-    #    email_address": ["admin@example.com"]
-    #    contact_type": technical
-
-  # Instead of putting the config inline as above, you can specify a
-  # separate pysaml2 configuration file:
-  #
-  #config_path: "/data/sp_conf.py"
-
-  # The lifetime of a SAML session. This defines how long a user has to
-  # complete the authentication process, if allow_unsolicited is unset.
-  # The default is 15 minutes.
-  #
-  #saml_session_lifetime: 5m
-
-  # An external module can be provided here as a custom solution to
-  # mapping attributes returned from a saml provider onto a matrix user.
-  #
-  user_mapping_provider:
-    # The custom module's class. Uncomment to use a custom module.
-    #
-    #module: mapping_provider.SamlMappingProvider
-
-    # Custom configuration values for the module. Below options are
-    # intended for the built-in provider, they should be changed if
-    # using a custom module. This section will be passed as a Python
-    # dictionary to the module's `parse_config` method.
-    #
-    config:
-      # The SAML attribute (after mapping via the attribute maps) to use
-      # to derive the Matrix ID from. 'uid' by default.
-      #
-      # Note: This used to be configured by the
-      # saml2_config.mxid_source_attribute option. If that is still
-      # defined, its value will be used instead.
-      #
-      #mxid_source_attribute: displayName
-
-      # The mapping system to use for mapping the saml attribute onto a
-      # matrix ID.
-      #
-      # Options include:
-      #  * 'hexencode' (which maps unpermitted characters to '=xx')
-      #  * 'dotreplace' (which replaces unpermitted characters with
-      #     '.').
-      # The default is 'hexencode'.
-      #
-      # Note: This used to be configured by the
-      # saml2_config.mxid_mapping option. If that is still defined, its
-      # value will be used instead.
-      #
-      #mxid_mapping: dotreplace
-
-  # In previous versions of synapse, the mapping from SAML attribute to
-  # MXID was always calculated dynamically rather than stored in a
-  # table. For backwards- compatibility, we will look for user_ids
-  # matching such a pattern before creating a new account.
-  #
-  # This setting controls the SAML attribute which will be used for this
-  # backwards-compatibility lookup. Typically it should be 'uid', but if
-  # the attribute maps are changed, it may be necessary to change it.
-  #
-  # The default is 'uid'.
-  #
-  #grandfathered_mxid_source_attribute: upn
-
-  # It is possible to configure Synapse to only allow logins if SAML attributes
-  # match particular values. The requirements can be listed under
-  # `attribute_requirements` as shown below. All of the listed attributes must
-  # match for the login to be permitted.
-  #
-  #attribute_requirements:
-  #  - attribute: userGroup
-  #    value: "staff"
-  #  - attribute: department
-  #    value: "sales"
-
-  # If the metadata XML contains multiple IdP entities then the `idp_entityid`
-  # option must be set to the entity to redirect users to.
-  #
-  # Most deployments only have a single IdP entity and so should omit this
-  # option.
-  #
-  #idp_entityid: 'https://our_idp/entityid'
-
-
-# List of OpenID Connect (OIDC) / OAuth 2.0 identity providers, for registration
-# and login.
-#
-# Options for each entry include:
-#
-#   idp_id: a unique identifier for this identity provider. Used internally
-#       by Synapse; should be a single word such as 'github'.
-#
-#       Note that, if this is changed, users authenticating via that provider
-#       will no longer be recognised as the same user!
-#
-#   idp_name: A user-facing name for this identity provider, which is used to
-#       offer the user a choice of login mechanisms.
-#
-#   idp_icon: An optional icon for this identity provider, which is presented
-#       by clients and Synapse's own IdP picker page. If given, must be an
-#       MXC URI of the format mxc://<server-name>/<media-id>. (An easy way to
-#       obtain such an MXC URI is to upload an image to an (unencrypted) room
-#       and then copy the "url" from the source of the event.)
-#
-#   idp_brand: An optional brand for this identity provider, allowing clients
-#       to style the login flow according to the identity provider in question.
-#       See the spec for possible options here.
-#
-#   discover: set to 'false' to disable the use of the OIDC discovery mechanism
-#       to discover endpoints. Defaults to true.
-#
-#   issuer: Required. The OIDC issuer. Used to validate tokens and (if discovery
-#       is enabled) to discover the provider's endpoints.
-#
-#   client_id: Required. oauth2 client id to use.
-#
-#   client_secret: oauth2 client secret to use. May be omitted if
-#        client_secret_jwt_key is given, or if client_auth_method is 'none'.
-#
-#   client_secret_jwt_key: Alternative to client_secret: details of a key used
-#      to create a JSON Web Token to be used as an OAuth2 client secret. If
-#      given, must be a dictionary with the following properties:
-#
-#          key: a pem-encoded signing key. Must be a suitable key for the
-#              algorithm specified. Required unless 'key_file' is given.
-#
-#          key_file: the path to file containing a pem-encoded signing key file.
-#              Required unless 'key' is given.
-#
-#          jwt_header: a dictionary giving properties to include in the JWT
-#              header. Must include the key 'alg', giving the algorithm used to
-#              sign the JWT, such as "ES256", using the JWA identifiers in
-#              RFC7518.
-#
-#          jwt_payload: an optional dictionary giving properties to include in
-#              the JWT payload. Normally this should include an 'iss' key.
-#
-#   client_auth_method: auth method to use when exchanging the token. Valid
-#       values are 'client_secret_basic' (default), 'client_secret_post' and
-#       'none'.
-#
-#   scopes: list of scopes to request. This should normally include the "openid"
-#       scope. Defaults to ["openid"].
-#
-#   authorization_endpoint: the oauth2 authorization endpoint. Required if
-#       provider discovery is disabled.
-#
-#   token_endpoint: the oauth2 token endpoint. Required if provider discovery is
-#       disabled.
-#
-#   userinfo_endpoint: the OIDC userinfo endpoint. Required if discovery is
-#       disabled and the 'openid' scope is not requested.
-#
-#   jwks_uri: URI where to fetch the JWKS. Required if discovery is disabled and
-#       the 'openid' scope is used.
-#
-#   skip_verification: set to 'true' to skip metadata verification. Use this if
-#       you are connecting to a provider that is not OpenID Connect compliant.
-#       Defaults to false. Avoid this in production.
-#
-#   user_profile_method: Whether to fetch the user profile from the userinfo
-#       endpoint. Valid values are: 'auto' or 'userinfo_endpoint'.
-#
-#       Defaults to 'auto', which fetches the userinfo endpoint if 'openid' is
-#       included in 'scopes'. Set to 'userinfo_endpoint' to always fetch the
-#       userinfo endpoint.
-#
-#   allow_existing_users: set to 'true' to allow a user logging in via OIDC to
-#       match a pre-existing account instead of failing. This could be used if
-#       switching from password logins to OIDC. Defaults to false.
-#
-#   user_mapping_provider: Configuration for how attributes returned from a OIDC
-#       provider are mapped onto a matrix user. This setting has the following
-#       sub-properties:
-#
-#       module: The class name of a custom mapping module. Default is
-#           'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'.
-#           See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers
-#           for information on implementing a custom mapping provider.
-#
-#       config: Configuration for the mapping provider module. This section will
-#           be passed as a Python dictionary to the user mapping provider
-#           module's `parse_config` method.
-#
-#           For the default provider, the following settings are available:
-#
-#             subject_claim: name of the claim containing a unique identifier
-#                 for the user. Defaults to 'sub', which OpenID Connect
-#                 compliant providers should provide.
-#
-#             localpart_template: Jinja2 template for the localpart of the MXID.
-#                 If this is not set, the user will be prompted to choose their
-#                 own username (see 'sso_auth_account_details.html' in the 'sso'
-#                 section of this file).
-#
-#             display_name_template: Jinja2 template for the display name to set
-#                 on first login. If unset, no displayname will be set.
-#
-#             email_template: Jinja2 template for the email address of the user.
-#                 If unset, no email address will be added to the account.
-#
-#             extra_attributes: a map of Jinja2 templates for extra attributes
-#                 to send back to the client during login.
-#                 Note that these are non-standard and clients will ignore them
-#                 without modifications.
-#
-#           When rendering, the Jinja2 templates are given a 'user' variable,
-#           which is set to the claims returned by the UserInfo Endpoint and/or
-#           in the ID Token.
-#
-# See https://github.com/matrix-org/synapse/blob/master/docs/openid.md
-# for information on how to configure these options.
-#
-# For backwards compatibility, it is also possible to configure a single OIDC
-# provider via an 'oidc_config' setting. This is now deprecated and admins are
-# advised to migrate to the 'oidc_providers' format. (When doing that migration,
-# use 'oidc' for the idp_id to ensure that existing users continue to be
-# recognised.)
-#
-oidc_providers:
-  # Generic example
-  #
-  #- idp_id: my_idp
-  #  idp_name: "My OpenID provider"
-  #  idp_icon: "mxc://example.com/mediaid"
-  #  discover: false
-  #  issuer: "https://accounts.example.com/"
-  #  client_id: "provided-by-your-issuer"
-  #  client_secret: "provided-by-your-issuer"
-  #  client_auth_method: client_secret_post
-  #  scopes: ["openid", "profile"]
-  #  authorization_endpoint: "https://accounts.example.com/oauth2/auth"
-  #  token_endpoint: "https://accounts.example.com/oauth2/token"
-  #  userinfo_endpoint: "https://accounts.example.com/userinfo"
-  #  jwks_uri: "https://accounts.example.com/.well-known/jwks.json"
-  #  skip_verification: true
-  #  user_mapping_provider:
-  #    config:
-  #      subject_claim: "id"
-  #      localpart_template: "{{ user.login }}"
-  #      display_name_template: "{{ user.name }}"
-  #      email_template: "{{ user.email }}"
-
-  # For use with Keycloak
-  #
-  #- idp_id: keycloak
-  #  idp_name: Keycloak
-  #  issuer: "https://127.0.0.1:8443/auth/realms/my_realm_name"
-  #  client_id: "synapse"
-  #  client_secret: "copy secret generated in Keycloak UI"
-  #  scopes: ["openid", "profile"]
-
-  # For use with Github
-  #
-  #- idp_id: github
-  #  idp_name: Github
-  #  idp_brand: github
-  #  discover: false
-  #  issuer: "https://github.com/"
-  #  client_id: "your-client-id" # TO BE FILLED
-  #  client_secret: "your-client-secret" # TO BE FILLED
-  #  authorization_endpoint: "https://github.com/login/oauth/authorize"
-  #  token_endpoint: "https://github.com/login/oauth/access_token"
-  #  userinfo_endpoint: "https://api.github.com/user"
-  #  scopes: ["read:user"]
-  #  user_mapping_provider:
-  #    config:
-  #      subject_claim: "id"
-  #      localpart_template: "{{ user.login }}"
-  #      display_name_template: "{{ user.name }}"
-
-
-# Enable Central Authentication Service (CAS) for registration and login.
-#
-cas_config:
-  # Uncomment the following to enable authorization against a CAS server.
-  # Defaults to false.
-  #
-  #enabled: true
-
-  # The URL of the CAS authorization endpoint.
-  #
-  #server_url: "https://cas-server.com"
-
-  # The attribute of the CAS response to use as the display name.
-  #
-  # If unset, no displayname will be set.
-  #
-  #displayname_attribute: name
-
-  # It is possible to configure Synapse to only allow logins if CAS attributes
-  # match particular values. All of the keys in the mapping below must exist
-  # and the values must match the given value. Alternately if the given value
-  # is None then any value is allowed (the attribute just must exist).
-  # All of the listed attributes must match for the login to be permitted.
-  #
-  #required_attributes:
-  #  userGroup: "staff"
-  #  department: None
-
-
-# Additional settings to use with single-sign on systems such as OpenID Connect,
-# SAML2 and CAS.
-#
-sso:
-    # A list of client URLs which are whitelisted so that the user does not
-    # have to confirm giving access to their account to the URL. Any client
-    # whose URL starts with an entry in the following list will not be subject
-    # to an additional confirmation step after the SSO login is completed.
-    #
-    # WARNING: An entry such as "https://my.client" is insecure, because it
-    # will also match "https://my.client.evil.site", exposing your users to
-    # phishing attacks from evil.site. To avoid this, include a slash after the
-    # hostname: "https://my.client/".
-    #
-    # If public_baseurl is set, then the login fallback page (used by clients
-    # that don't natively support the required login flows) is whitelisted in
-    # addition to any URLs in this list.
-    #
-    # By default, this list is empty.
-    #
-    #client_whitelist:
-    #  - https://riot.im/develop
-    #  - https://my.custom.client/
-
-    # Directory in which Synapse will try to find the template files below.
-    # If not set, or the files named below are not found within the template
-    # directory, default templates from within the Synapse package will be used.
-    #
-    # Synapse will look for the following templates in this directory:
-    #
-    # * HTML page to prompt the user to choose an Identity Provider during
-    #   login: 'sso_login_idp_picker.html'.
-    #
-    #   This is only used if multiple SSO Identity Providers are configured.
-    #
-    #   When rendering, this template is given the following variables:
-    #     * redirect_url: the URL that the user will be redirected to after
-    #       login.
-    #
-    #     * server_name: the homeserver's name.
-    #
-    #     * providers: a list of available Identity Providers. Each element is
-    #       an object with the following attributes:
-    #
-    #         * idp_id: unique identifier for the IdP
-    #         * idp_name: user-facing name for the IdP
-    #         * idp_icon: if specified in the IdP config, an MXC URI for an icon
-    #              for the IdP
-    #         * idp_brand: if specified in the IdP config, a textual identifier
-    #              for the brand of the IdP
-    #
-    #   The rendered HTML page should contain a form which submits its results
-    #   back as a GET request, with the following query parameters:
-    #
-    #     * redirectUrl: the client redirect URI (ie, the `redirect_url` passed
-    #       to the template)
-    #
-    #     * idp: the 'idp_id' of the chosen IDP.
-    #
-    # * HTML page to prompt new users to enter a userid and confirm other
-    #   details: 'sso_auth_account_details.html'. This is only shown if the
-    #   SSO implementation (with any user_mapping_provider) does not return
-    #   a localpart.
-    #
-    #   When rendering, this template is given the following variables:
-    #
-    #     * server_name: the homeserver's name.
-    #
-    #     * idp: details of the SSO Identity Provider that the user logged in
-    #       with: an object with the following attributes:
-    #
-    #         * idp_id: unique identifier for the IdP
-    #         * idp_name: user-facing name for the IdP
-    #         * idp_icon: if specified in the IdP config, an MXC URI for an icon
-    #              for the IdP
-    #         * idp_brand: if specified in the IdP config, a textual identifier
-    #              for the brand of the IdP
-    #
-    #     * user_attributes: an object containing details about the user that
-    #       we received from the IdP. May have the following attributes:
-    #
-    #         * display_name: the user's display_name
-    #         * emails: a list of email addresses
-    #
-    #   The template should render a form which submits the following fields:
-    #
-    #     * username: the localpart of the user's chosen user id
-    #
-    # * HTML page allowing the user to consent to the server's terms and
-    #   conditions. This is only shown for new users, and only if
-    #   `user_consent.require_at_registration` is set.
-    #
-    #   When rendering, this template is given the following variables:
-    #
-    #     * server_name: the homeserver's name.
-    #
-    #     * user_id: the user's matrix proposed ID.
-    #
-    #     * user_profile.display_name: the user's proposed display name, if any.
-    #
-    #     * consent_version: the version of the terms that the user will be
-    #       shown
-    #
-    #     * terms_url: a link to the page showing the terms.
-    #
-    #   The template should render a form which submits the following fields:
-    #
-    #     * accepted_version: the version of the terms accepted by the user
-    #       (ie, 'consent_version' from the input variables).
-    #
-    # * HTML page for a confirmation step before redirecting back to the client
-    #   with the login token: 'sso_redirect_confirm.html'.
-    #
-    #   When rendering, this template is given the following variables:
-    #
-    #     * redirect_url: the URL the user is about to be redirected to.
-    #
-    #     * display_url: the same as `redirect_url`, but with the query
-    #                    parameters stripped. The intention is to have a
-    #                    human-readable URL to show to users, not to use it as
-    #                    the final address to redirect to.
-    #
-    #     * server_name: the homeserver's name.
-    #
-    #     * new_user: a boolean indicating whether this is the user's first time
-    #          logging in.
-    #
-    #     * user_id: the user's matrix ID.
-    #
-    #     * user_profile.avatar_url: an MXC URI for the user's avatar, if any.
-    #           None if the user has not set an avatar.
-    #
-    #     * user_profile.display_name: the user's display name. None if the user
-    #           has not set a display name.
-    #
-    # * HTML page which notifies the user that they are authenticating to confirm
-    #   an operation on their account during the user interactive authentication
-    #   process: 'sso_auth_confirm.html'.
-    #
-    #   When rendering, this template is given the following variables:
-    #     * redirect_url: the URL the user is about to be redirected to.
-    #
-    #     * description: the operation which the user is being asked to confirm
-    #
-    #     * idp: details of the Identity Provider that we will use to confirm
-    #       the user's identity: an object with the following attributes:
-    #
-    #         * idp_id: unique identifier for the IdP
-    #         * idp_name: user-facing name for the IdP
-    #         * idp_icon: if specified in the IdP config, an MXC URI for an icon
-    #              for the IdP
-    #         * idp_brand: if specified in the IdP config, a textual identifier
-    #              for the brand of the IdP
-    #
-    # * HTML page shown after a successful user interactive authentication session:
-    #   'sso_auth_success.html'.
-    #
-    #   Note that this page must include the JavaScript which notifies of a successful authentication
-    #   (see https://matrix.org/docs/spec/client_server/r0.6.0#fallback).
-    #
-    #   This template has no additional variables.
-    #
-    # * HTML page shown after a user-interactive authentication session which
-    #   does not map correctly onto the expected user: 'sso_auth_bad_user.html'.
-    #
-    #   When rendering, this template is given the following variables:
-    #     * server_name: the homeserver's name.
-    #     * user_id_to_verify: the MXID of the user that we are trying to
-    #       validate.
-    #
-    # * HTML page shown during single sign-on if a deactivated user (according to Synapse's database)
-    #   attempts to login: 'sso_account_deactivated.html'.
-    #
-    #   This template has no additional variables.
-    #
-    # * HTML page to display to users if something goes wrong during the
-    #   OpenID Connect authentication process: 'sso_error.html'.
-    #
-    #   When rendering, this template is given two variables:
-    #     * error: the technical name of the error
-    #     * error_description: a human-readable message for the error
-    #
-    # You can see the default templates at:
-    # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
-    #
-    #template_dir: "res/templates"
-
-
-# JSON web token integration. The following settings can be used to make
-# Synapse JSON web tokens for authentication, instead of its internal
-# password database.
-#
-# Each JSON Web Token needs to contain a "sub" (subject) claim, which is
-# used as the localpart of the mxid.
-#
-# Additionally, the expiration time ("exp"), not before time ("nbf"),
-# and issued at ("iat") claims are validated if present.
-#
-# Note that this is a non-standard login type and client support is
-# expected to be non-existent.
-#
-# See https://github.com/matrix-org/synapse/blob/master/docs/jwt.md.
-#
-#jwt_config:
-    # Uncomment the following to enable authorization using JSON web
-    # tokens. Defaults to false.
-    #
-    #enabled: true
-
-    # This is either the private shared secret or the public key used to
-    # decode the contents of the JSON web token.
-    #
-    # Required if 'enabled' is true.
-    #
-    #secret: "provided-by-your-issuer"
-
-    # The algorithm used to sign the JSON web token.
-    #
-    # Supported algorithms are listed at
-    # https://pyjwt.readthedocs.io/en/latest/algorithms.html
-    #
-    # Required if 'enabled' is true.
-    #
-    #algorithm: "provided-by-your-issuer"
-
-    # The issuer to validate the "iss" claim against.
-    #
-    # Optional, if provided the "iss" claim will be required and
-    # validated for all JSON web tokens.
-    #
-    #issuer: "provided-by-your-issuer"
-
-    # A list of audiences to validate the "aud" claim against.
-    #
-    # Optional, if provided the "aud" claim will be required and
-    # validated for all JSON web tokens.
-    #
-    # Note that if the "aud" claim is included in a JSON web token then
-    # validation will fail without configuring audiences.
-    #
-    #audiences:
-    #    - "provided-by-your-issuer"
-
-
-password_config:
-   # Uncomment to disable password login
-   #
-   #enabled: false
-
-   # Uncomment to disable authentication against the local password
-   # database. This is ignored if `enabled` is false, and is only useful
-   # if you have other password_providers.
-   #
-   #localdb_enabled: false
-
-   # Uncomment and change to a secret random string for extra security.
-   # DO NOT CHANGE THIS AFTER INITIAL SETUP!
-   #
-   #pepper: "EVEN_MORE_SECRET"
-
-   # Define and enforce a password policy. Each parameter is optional.
-   # This is an implementation of MSC2000.
-   #
-   policy:
-      # Whether to enforce the password policy.
-      # Defaults to 'false'.
-      #
-      enabled: true
-
-      # Minimum accepted length for a password.
-      # Defaults to 0.
-      #
-      #minimum_length: 15
-
-      # Whether a password must contain at least one digit.
-      # Defaults to 'false'.
-      #
-      require_digit: true
-
-      # Whether a password must contain at least one symbol.
-      # A symbol is any character that's not a number or a letter.
-      # Defaults to 'false'.
-      #
-      #require_symbol: true
-
-      # Whether a password must contain at least one lowercase letter.
-      # Defaults to 'false'.
-      #
-      require_lowercase: true
-
-      # Whether a password must contain at least one lowercase letter.
-      # Defaults to 'false'.
-      #
-      require_uppercase: true
-
-ui_auth:
-    # The amount of time to allow a user-interactive authentication session
-    # to be active.
-    #
-    # This defaults to 0, meaning the user is queried for their credentials
-    # before every action, but this can be overridden to allow a single
-    # validation to be re-used.  This weakens the protections afforded by
-    # the user-interactive authentication process, by allowing for multiple
-    # (and potentially different) operations to use the same validation session.
-    #
-    # Uncomment below to allow for credential validation to last for 15
-    # seconds.
-    #
-    #session_timeout: "15s"
-
-
-# Configuration for sending emails from Synapse.
-#
-email:
-  # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.
-  #
-  #smtp_host: mail.server
-
-  # The port on the mail server for outgoing SMTP. Defaults to 25.
-  #
-  #smtp_port: 587
-
-  # Username/password for authentication to the SMTP server. By default, no
-  # authentication is attempted.
-  #
-  #smtp_user: "exampleusername"
-  #smtp_pass: "examplepassword"
-
-  # Uncomment the following to require TLS transport security for SMTP.
-  # By default, Synapse will connect over plain text, and will then switch to
-  # TLS via STARTTLS *if the SMTP server supports it*. If this option is set,
-  # Synapse will refuse to connect unless the server supports STARTTLS.
-  #
-  #require_transport_security: true
-
-  # notif_from defines the "From" address to use when sending emails.
-  # It must be set if email sending is enabled.
-  #
-  # The placeholder '%(app)s' will be replaced by the application name,
-  # which is normally 'app_name' (below), but may be overridden by the
-  # Matrix client application.
-  #
-  # Note that the placeholder must be written '%(app)s', including the
-  # trailing 's'.
-  #
-  #notif_from: "Your Friendly %(app)s homeserver <noreply@example.com>"
-
-  # app_name defines the default value for '%(app)s' in notif_from and email
-  # subjects. It defaults to 'Matrix'.
-  #
-  #app_name: my_branded_matrix_server
-
-  # Uncomment the following to enable sending emails for messages that the user
-  # has missed. Disabled by default.
-  #
-  #enable_notifs: true
-
-  # Uncomment the following to disable automatic subscription to email
-  # notifications for new users. Enabled by default.
-  #
-  #notif_for_new_users: false
-
-  # Custom URL for client links within the email notifications. By default
-  # links will be based on "https://matrix.to".
-  #
-  # (This setting used to be called riot_base_url; the old name is still
-  # supported for backwards-compatibility but is now deprecated.)
-  #
-  #client_base_url: "http://localhost/riot"
-
-  # Configure the time that a validation email will expire after sending.
-  # Defaults to 1h.
-  #
-  #validation_token_lifetime: 15m
-
-  # The web client location to direct users to during an invite. This is passed
-  # to the identity server as the org.matrix.web_client_location key. Defaults
-  # to unset, giving no guidance to the identity server.
-  #
-  #invite_client_location: https://app.element.io
-
-  # Directory in which Synapse will try to find the template files below.
-  # If not set, or the files named below are not found within the template
-  # directory, default templates from within the Synapse package will be used.
-  #
-  # Synapse will look for the following templates in this directory:
-  #
-  # * The contents of email notifications of missed events: 'notif_mail.html' and
-  #   'notif_mail.txt'.
-  #
-  # * The contents of account expiry notice emails: 'notice_expiry.html' and
-  #   'notice_expiry.txt'.
-  #
-  # * The contents of password reset emails sent by the homeserver:
-  #   'password_reset.html' and 'password_reset.txt'
-  #
-  # * An HTML page that a user will see when they follow the link in the password
-  #   reset email. The user will be asked to confirm the action before their
-  #   password is reset: 'password_reset_confirmation.html'
-  #
-  # * HTML pages for success and failure that a user will see when they confirm
-  #   the password reset flow using the page above: 'password_reset_success.html'
-  #   and 'password_reset_failure.html'
-  #
-  # * The contents of address verification emails sent during registration:
-  #   'registration.html' and 'registration.txt'
-  #
-  # * HTML pages for success and failure that a user will see when they follow
-  #   the link in an address verification email sent during registration:
-  #   'registration_success.html' and 'registration_failure.html'
-  #
-  # * The contents of address verification emails sent when an address is added
-  #   to a Matrix account: 'add_threepid.html' and 'add_threepid.txt'
-  #
-  # * HTML pages for success and failure that a user will see when they follow
-  #   the link in an address verification email sent when an address is added
-  #   to a Matrix account: 'add_threepid_success.html' and
-  #   'add_threepid_failure.html'
-  #
-  # You can see the default templates at:
-  # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
-  #
-  #template_dir: "res/templates"
-
-  # Subjects to use when sending emails from Synapse.
-  #
-  # The placeholder '%(app)s' will be replaced with the value of the 'app_name'
-  # setting above, or by a value dictated by the Matrix client application.
-  #
-  # If a subject isn't overridden in this configuration file, the value used as
-  # its example will be used.
-  #
-  #subjects:
-
-    # Subjects for notification emails.
-    #
-    # On top of the '%(app)s' placeholder, these can use the following
-    # placeholders:
-    #
-    #   * '%(person)s', which will be replaced by the display name of the user(s)
-    #      that sent the message(s), e.g. "Alice and Bob".
-    #   * '%(room)s', which will be replaced by the name of the room the
-    #      message(s) have been sent to, e.g. "My super room".
-    #
-    # See the example provided for each setting to see which placeholder can be
-    # used and how to use them.
-    #
-    # Subject to use to notify about one message from one or more user(s) in a
-    # room which has a name.
-    #message_from_person_in_room: "[%(app)s] You have a message on %(app)s from %(person)s in the %(room)s room..."
-    #
-    # Subject to use to notify about one message from one or more user(s) in a
-    # room which doesn't have a name.
-    #message_from_person: "[%(app)s] You have a message on %(app)s from %(person)s..."
-    #
-    # Subject to use to notify about multiple messages from one or more users in
-    # a room which doesn't have a name.
-    #messages_from_person: "[%(app)s] You have messages on %(app)s from %(person)s..."
-    #
-    # Subject to use to notify about multiple messages in a room which has a
-    # name.
-    #messages_in_room: "[%(app)s] You have messages on %(app)s in the %(room)s room..."
-    #
-    # Subject to use to notify about multiple messages in multiple rooms.
-    #messages_in_room_and_others: "[%(app)s] You have messages on %(app)s in the %(room)s room and others..."
-    #
-    # Subject to use to notify about multiple messages from multiple persons in
-    # multiple rooms. This is similar to the setting above except it's used when
-    # the room in which the notification was triggered has no name.
-    #messages_from_person_and_others: "[%(app)s] You have messages on %(app)s from %(person)s and others..."
-    #
-    # Subject to use to notify about an invite to a room which has a name.
-    #invite_from_person_to_room: "[%(app)s] %(person)s has invited you to join the %(room)s room on %(app)s..."
-    #
-    # Subject to use to notify about an invite to a room which doesn't have a
-    # name.
-    #invite_from_person: "[%(app)s] %(person)s has invited you to chat on %(app)s..."
-
-    # Subject for emails related to account administration.
-    #
-    # On top of the '%(app)s' placeholder, these one can use the
-    # '%(server_name)s' placeholder, which will be replaced by the value of the
-    # 'server_name' setting in your Synapse configuration.
-    #
-    # Subject to use when sending a password reset email.
-    #password_reset: "[%(server_name)s] Password reset"
-    #
-    # Subject to use when sending a verification email to assert an address's
-    # ownership.
-    #email_validation: "[%(server_name)s] Validate your email"
-
-
-# Password providers allow homeserver administrators to integrate
-# their Synapse installation with existing authentication methods
-# ex. LDAP, external tokens, etc.
-#
-# For more information and known implementations, please see
-# https://github.com/matrix-org/synapse/blob/master/docs/password_auth_providers.md
-#
-# Note: instances wishing to use SAML or CAS authentication should
-# instead use the `saml2_config` or `cas_config` options,
-# respectively.
-#
-password_providers:
-#    # Example config for an LDAP auth provider
-#    - module: "ldap_auth_provider.LdapAuthProvider"
-#      config:
-#        enabled: true
-#        uri: "ldap://ldap.example.com:389"
-#        start_tls: true
-#        base: "ou=users,dc=example,dc=com"
-#        attributes:
-#           uid: "cn"
-#           mail: "email"
-#           name: "givenName"
-#        #bind_dn:
-#        #bind_password:
-#        #filter: "(objectClass=posixAccount)"
-
-
-
-## Push ##
-
-push:
-  # Clients requesting push notifications can either have the body of
-  # the message sent in the notification poke along with other details
-  # like the sender, or just the event ID and room ID (`event_id_only`).
-  # If clients choose the former, this option controls whether the
-  # notification request includes the content of the event (other details
-  # like the sender are still included). For `event_id_only` push, it
-  # has no effect.
-  #
-  # For modern android devices the notification content will still appear
-  # because it is loaded by the app. iPhone, however will send a
-  # notification saying only that a message arrived and who it came from.
-  #
-  # The default value is "true" to include message details. Uncomment to only
-  # include the event ID and room ID in push notification payloads.
-  #
-  #include_content: false
-
-  # When a push notification is received, an unread count is also sent.
-  # This number can either be calculated as the number of unread messages
-  # for the user, or the number of *rooms* the user has unread messages in.
-  #
-  # The default value is "true", meaning push clients will see the number of
-  # rooms with unread messages in them. Uncomment to instead send the number
-  # of unread messages.
-  #
-  #group_unread_count_by_room: false
-
-
-# Spam checkers are third-party modules that can block specific actions
-# of local users, such as creating rooms and registering undesirable
-# usernames, as well as remote users by redacting incoming events.
-#
-spam_checker:
-   #- module: "my_custom_project.SuperSpamChecker"
-   #  config:
-   #    example_option: 'things'
-   #- module: "some_other_project.BadEventStopper"
-   #  config:
-   #    example_stop_events_from: ['@bad:example.com']
-
-
-## Rooms ##
-
-# Controls whether locally-created rooms should be end-to-end encrypted by
-# default.
-#
-# Possible options are "all", "invite", and "off". They are defined as:
-#
-# * "all": any locally-created room
-# * "invite": any room created with the "private_chat" or "trusted_private_chat"
-#             room creation presets
-# * "off": this option will take no effect
-#
-# The default value is "off".
-#
-# Note that this option will only affect rooms created after it is set. It
-# will also not affect rooms created by other servers.
-#
-#encryption_enabled_by_default_for_room_type: invite
-
-
-# Uncomment to allow non-server-admin users to create groups on this server
-#
-#enable_group_creation: true
-
-# If enabled, non server admins can only create groups with local parts
-# starting with this prefix
-#
-#group_creation_prefix: "unofficial_"
-
-
-
-# User Directory configuration
-#
-user_directory:
-    # Defines whether users can search the user directory. If false then
-    # empty responses are returned to all queries. Defaults to true.
-    #
-    # Uncomment to disable the user directory.
-    #
-    #enabled: false
-
-    # Defines whether to search all users visible to your HS when searching
-    # the user directory, rather than limiting to users visible in public
-    # rooms. Defaults to false.
-    #
-    # If you set it true, you'll have to rebuild the user_directory search
-    # indexes, see:
-    # https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md
-    #
-    # Uncomment to return search results containing all known users, even if that
-    # user does not share a room with the requester.
-    #
-    #search_all_users: true
-
-    # Defines whether to prefer local users in search query results.
-    # If True, local users are more likely to appear above remote users
-    # when searching the user directory. Defaults to false.
-    #
-    # Uncomment to prefer local over remote users in user directory search
-    # results.
-    #
-    #prefer_local_users: true
-
-
-# User Consent configuration
-#
-# for detailed instructions, see
-# https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md
-#
-# Parts of this section are required if enabling the 'consent' resource under
-# 'listeners', in particular 'template_dir' and 'version'.
-#
-# 'template_dir' gives the location of the templates for the HTML forms.
-# This directory should contain one subdirectory per language (eg, 'en', 'fr'),
-# and each language directory should contain the policy document (named as
-# '<version>.html') and a success page (success.html).
-#
-# 'version' specifies the 'current' version of the policy document. It defines
-# the version to be served by the consent resource if there is no 'v'
-# parameter.
-#
-# 'server_notice_content', if enabled, will send a user a "Server Notice"
-# asking them to consent to the privacy policy. The 'server_notices' section
-# must also be configured for this to work. Notices will *not* be sent to
-# guest users unless 'send_server_notice_to_guests' is set to true.
-#
-# 'block_events_error', if set, will block any attempts to send events
-# until the user consents to the privacy policy. The value of the setting is
-# used as the text of the error.
-#
-# 'require_at_registration', if enabled, will add a step to the registration
-# process, similar to how captcha works. Users will be required to accept the
-# policy before their account is created.
-#
-# 'policy_name' is the display name of the policy users will see when registering
-# for an account. Has no effect unless `require_at_registration` is enabled.
-# Defaults to "Privacy Policy".
-#
-#user_consent:
-#  template_dir: res/templates/privacy
-#  version: 1.0
-#  server_notice_content:
-#    msgtype: m.text
-#    body: >-
-#      To continue using this homeserver you must review and agree to the
-#      terms and conditions at %(consent_uri)s
-#  send_server_notice_to_guests: true
-#  block_events_error: >-
-#    To continue using this homeserver you must review and agree to the
-#    terms and conditions at %(consent_uri)s
-#  require_at_registration: false
-#  policy_name: Privacy Policy
-#
-
-
-
-# Settings for local room and user statistics collection. See
-# docs/room_and_user_statistics.md.
-#
-stats:
-  # Uncomment the following to disable room and user statistics. Note that doing
-  # so may cause certain features (such as the room directory) not to work
-  # correctly.
-  #
-  #enabled: false
-
-  # The size of each timeslice in the room_stats_historical and
-  # user_stats_historical tables, as a time period. Defaults to "1d".
-  #
-  #bucket_size: 1h
-
-
-# Server Notices room configuration
-#
-# Uncomment this section to enable a room which can be used to send notices
-# from the server to users. It is a special room which cannot be left; notices
-# come from a special "notices" user id.
-#
-# If you uncomment this section, you *must* define the system_mxid_localpart
-# setting, which defines the id of the user which will be used to send the
-# notices.
-#
-# It's also possible to override the room name, the display name of the
-# "notices" user, and the avatar for the user.
-#
-server_notices:
- system_mxid_localpart: notices
- system_mxid_display_name: "Server Notices"
- system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ"
- room_name: "Server Notices"
-
-
-
-# Uncomment to disable searching the public room list. When disabled
-# blocks searching local and remote room lists for local and remote
-# users by always returning an empty list for all queries.
-#
-#enable_room_list_search: false
-
-# The `alias_creation` option controls who's allowed to create aliases
-# on this server.
-#
-# The format of this option is a list of rules that contain globs that
-# match against user_id, room_id and the new alias (fully qualified with
-# server name). The action in the first rule that matches is taken,
-# which can currently either be "allow" or "deny".
-#
-# Missing user_id/room_id/alias fields default to "*".
-#
-# If no rules match the request is denied. An empty list means no one
-# can create aliases.
-#
-# Options for the rules include:
-#
-#   user_id: Matches against the creator of the alias
-#   alias: Matches against the alias being created
-#   room_id: Matches against the room ID the alias is being pointed at
-#   action: Whether to "allow" or "deny" the request if the rule matches
-#
-# The default is:
-#
-#alias_creation_rules:
-#  - user_id: "*"
-#    alias: "*"
-#    room_id: "*"
-#    action: allow
-
-# The `room_list_publication_rules` option controls who can publish and
-# which rooms can be published in the public room list.
-#
-# The format of this option is the same as that for
-# `alias_creation_rules`.
-#
-# If the room has one or more aliases associated with it, only one of
-# the aliases needs to match the alias rule. If there are no aliases
-# then only rules with `alias: *` match.
-#
-# If no rules match the request is denied. An empty list means no one
-# can publish rooms.
-#
-# Options for the rules include:
-#
-#   user_id: Matches against the creator of the alias
-#   room_id: Matches against the room ID being published
-#   alias: Matches against any current local or canonical aliases
-#            associated with the room
-#   action: Whether to "allow" or "deny" the request if the rule matches
-#
-# The default is:
-#
-#room_list_publication_rules:
-#  - user_id: "*"
-#    alias: "*"
-#    room_id: "*"
-#    action: allow
-
-
-# Server admins can define a Python module that implements extra rules for
-# allowing or denying incoming events. In order to work, this module needs to
-# override the methods defined in synapse/events/third_party_rules.py.
-#
-# This feature is designed to be used in closed federations only, where each
-# participating server enforces the same rules.
-#
-#third_party_event_rules:
-#  module: "my_custom_project.SuperRulesSet"
-#  config:
-#    example_option: 'things'
-
-
-## Opentracing ##
-
-# These settings enable opentracing, which implements distributed tracing.
-# This allows you to observe the causal chains of events across servers
-# including requests, key lookups etc., across any server running
-# synapse or any other other services which supports opentracing
-# (specifically those implemented with Jaeger).
-#
-opentracing:
-    # tracing is disabled by default. Uncomment the following line to enable it.
-    #
-    #enabled: true
-
-    # The list of homeservers we wish to send and receive span contexts and span baggage.
-    # See docs/opentracing.rst
-    # This is a list of regexes which are matched against the server_name of the
-    # homeserver.
-    #
-    # By default, it is empty, so no servers are matched.
-    #
-    #homeserver_whitelist:
-    #  - ".*"
-
-    # Jaeger can be configured to sample traces at different rates.
-    # All configuration options provided by Jaeger can be set here.
-    # Jaeger's configuration mostly related to trace sampling which
-    # is documented here:
-    # https://www.jaegertracing.io/docs/1.13/sampling/.
-    #
-    #jaeger_config:
-    #  sampler:
-    #    type: const
-    #    param: 1
-
-    #  Logging whether spans were started and reported
-    #
-    #  logging:
-    #    false
-
-
-## Workers ##
-
-# Disables sending of outbound federation transactions on the main process.
-# Uncomment if using a federation sender worker.
-#
-#send_federation: false
-
-# It is possible to run multiple federation sender workers, in which case the
-# work is balanced across them.
-#
-# This configuration must be shared between all federation sender workers, and if
-# changed all federation sender workers must be stopped at the same time and then
-# started, to ensure that all instances are running with the same config (otherwise
-# events may be dropped).
-#
-#federation_sender_instances:
-#  - federation_sender1
-
-# When using workers this should be a map from `worker_name` to the
-# HTTP replication listener of the worker, if configured.
-#
-#instance_map:
-#  worker1:
-#    host: localhost
-#    port: 8034
-
-# Experimental: When using workers you can define which workers should
-# handle event persistence and typing notifications. Any worker
-# specified here must also be in the `instance_map`.
-#
-#stream_writers:
-#  events: worker1
-#  typing: worker1
-
-# The worker that is used to run background tasks (e.g. cleaning up expired
-# data). If not provided this defaults to the main process.
-#
-#run_background_tasks_on: worker1
-
-# A shared secret used by the replication APIs to authenticate HTTP requests
-# from workers.
-#
-# By default this is unused and traffic is not authenticated.
-#
-#worker_replication_secret: ""
-
-
-# Configuration for Redis when using workers. This *must* be enabled when
-# using workers (unless using old style direct TCP configuration).
-#
-redis:
-  # Uncomment the below to enable Redis support.
-  #
-  #enabled: true
-
-  # Optional host and port to use to connect to redis. Defaults to
-  # localhost and 6379
-  #
-  #host: localhost
-  #port: 6379
-
-  # Optional password if configured on the Redis instance
-  #
-  #password: <secret_password>
-
-
-# vim:ft=yaml
-
-
-serve_server_wellknown: true
diff --git a/synapse/my_synapse/homeserver.yaml b/synapse/my_synapse/homeserver.yaml
deleted file mode 100644
index 371f116079a85b434cd17a593e283030e6649a40..0000000000000000000000000000000000000000
--- a/synapse/my_synapse/homeserver.yaml
+++ /dev/null
@@ -1,2847 +0,0 @@
-# Configuration file for Synapse.
-#
-# This is a YAML file: see [1] for a quick introduction. Note in particular
-# that *indentation is important*: all the elements of a list or dictionary
-# should have the same indentation.
-#
-# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
-
-## Server ##
-
-# The public-facing domain of the server
-#
-# The server_name name will appear at the end of usernames and room addresses
-# created on this server. For example if the server_name was example.com,
-# usernames on this server would be in the format @user:example.com
-#
-# In most cases you should avoid using a matrix specific subdomain such as
-# matrix.example.com or synapse.example.com as the server_name for the same
-# reasons you wouldn't use user@email.example.com as your email address.
-# See https://github.com/matrix-org/synapse/blob/master/docs/delegate.md
-# for information on how to host Synapse on a subdomain while preserving
-# a clean server_name.
-#
-# The server_name cannot be changed later so it is important to
-# configure this correctly before you start Synapse. It should be all
-# lowercase and may contain an explicit port.
-# Examples: matrix.org, localhost:8080
-#
-server_name: "matrix.420joos.dev"
-
-# When running as a daemon, the file to store the pid in
-#
-pid_file: /data/homeserver.pid
-
-# The absolute URL to the web client which /_matrix/client will redirect
-# to if 'webclient' is configured under the 'listeners' configuration.
-#
-# This option can be also set to the filesystem path to the web client
-# which will be served at /_matrix/client/ if 'webclient' is configured
-# under the 'listeners' configuration, however this is a security risk:
-# https://github.com/matrix-org/synapse#security-note
-#
-#web_client_location: https://riot.example.com/
-
-# The public-facing base URL that clients use to access this Homeserver (not
-# including _matrix/...). This is the same URL a user might enter into the
-# 'Custom Homeserver URL' field on their client. If you use Synapse with a
-# reverse proxy, this should be the URL to reach Synapse via the proxy.
-# Otherwise, it should be the URL to reach Synapse's client HTTP listener (see
-# 'listeners' below).
-#
-public_baseurl: https://my_matrix.testenv.420joos.dev
-
-# Set the soft limit on the number of file descriptors synapse can use
-# Zero is used to indicate synapse should set the soft limit to the
-# hard limit.
-#
-#soft_file_limit: 0
-
-# Set to false to disable presence tracking on this homeserver.
-#
-#use_presence: false
-
-# Whether to require authentication to retrieve profile data (avatars,
-# display names) of other users through the client API. Defaults to
-# 'false'. Note that profile data is also available via the federation
-# API, unless allow_profile_lookup_over_federation is set to false.
-#
-#require_auth_for_profile_requests: true
-
-# Uncomment to require a user to share a room with another user in order
-# to retrieve their profile information. Only checked on Client-Server
-# requests. Profile requests from other servers should be checked by the
-# requesting server. Defaults to 'false'.
-#
-#limit_profile_requests_to_users_who_share_rooms: true
-
-# Uncomment to prevent a user's profile data from being retrieved and
-# displayed in a room until they have joined it. By default, a user's
-# profile data is included in an invite event, regardless of the values
-# of the above two settings, and whether or not the users share a server.
-# Defaults to 'true'.
-#
-#include_profile_data_on_invite: false
-
-# If set to 'true', removes the need for authentication to access the server's
-# public rooms directory through the client API, meaning that anyone can
-# query the room directory. Defaults to 'false'.
-#
-#allow_public_rooms_without_auth: true
-
-# If set to 'true', allows any other homeserver to fetch the server's public
-# rooms directory via federation. Defaults to 'false'.
-#
-#allow_public_rooms_over_federation: true
-
-# The default room version for newly created rooms.
-#
-# Known room versions are listed here:
-# https://matrix.org/docs/spec/#complete-list-of-room-versions
-#
-# For example, for room version 1, default_room_version should be set
-# to "1".
-#
-#default_room_version: "6"
-
-# The GC threshold parameters to pass to `gc.set_threshold`, if defined
-#
-#gc_thresholds: [700, 10, 10]
-
-# Set the limit on the returned events in the timeline in the get
-# and sync operations. The default value is 100. -1 means no upper limit.
-#
-# Uncomment the following to increase the limit to 5000.
-#
-#filter_timeline_limit: 5000
-
-# Whether room invites to users on this server should be blocked
-# (except those sent by local server admins). The default is False.
-#
-#block_non_admin_invites: true
-
-# Room searching
-#
-# If disabled, new messages will not be indexed for searching and users
-# will receive errors when searching for messages. Defaults to enabled.
-#
-#enable_search: false
-
-# Prevent outgoing requests from being sent to the following blacklisted IP address
-# CIDR ranges. If this option is not specified then it defaults to private IP
-# address ranges (see the example below).
-#
-# The blacklist applies to the outbound requests for federation, identity servers,
-# push servers, and for checking key validity for third-party invite events.
-#
-# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
-# listed here, since they correspond to unroutable addresses.)
-#
-# This option replaces federation_ip_range_blacklist in Synapse v1.25.0.
-#
-#ip_range_blacklist:
-#  - '127.0.0.0/8'
-#  - '10.0.0.0/8'
-#  - '172.16.0.0/12'
-#  - '192.168.0.0/16'
-#  - '100.64.0.0/10'
-#  - '192.0.0.0/24'
-#  - '169.254.0.0/16'
-#  - '192.88.99.0/24'
-#  - '198.18.0.0/15'
-#  - '192.0.2.0/24'
-#  - '198.51.100.0/24'
-#  - '203.0.113.0/24'
-#  - '224.0.0.0/4'
-#  - '::1/128'
-#  - 'fe80::/10'
-#  - 'fc00::/7'
-#  - '2001:db8::/32'
-#  - 'ff00::/8'
-#  - 'fec0::/10'
-
-# List of IP address CIDR ranges that should be allowed for federation,
-# identity servers, push servers, and for checking key validity for
-# third-party invite events. This is useful for specifying exceptions to
-# wide-ranging blacklisted target IP ranges - e.g. for communication with
-# a push server only visible in your network.
-#
-# This whitelist overrides ip_range_blacklist and defaults to an empty
-# list.
-#
-#ip_range_whitelist:
-#   - '192.168.1.1'
-
-# List of ports that Synapse should listen on, their purpose and their
-# configuration.
-#
-# Options for each listener include:
-#
-#   port: the TCP port to bind to
-#
-#   bind_addresses: a list of local addresses to listen on. The default is
-#       'all local interfaces'.
-#
-#   type: the type of listener. Normally 'http', but other valid options are:
-#       'manhole' (see docs/manhole.md),
-#       'metrics' (see docs/metrics-howto.md),
-#       'replication' (see docs/workers.md).
-#
-#   tls: set to true to enable TLS for this listener. Will use the TLS
-#       key/cert specified in tls_private_key_path / tls_certificate_path.
-#
-#   x_forwarded: Only valid for an 'http' listener. Set to true to use the
-#       X-Forwarded-For header as the client IP. Useful when Synapse is
-#       behind a reverse-proxy.
-#
-#   resources: Only valid for an 'http' listener. A list of resources to host
-#       on this port. Options for each resource are:
-#
-#       names: a list of names of HTTP resources. See below for a list of
-#           valid resource names.
-#
-#       compress: set to true to enable HTTP compression for this resource.
-#
-#   additional_resources: Only valid for an 'http' listener. A map of
-#        additional endpoints which should be loaded via dynamic modules.
-#
-# Valid resource names are:
-#
-#   client: the client-server API (/_matrix/client), and the synapse admin
-#       API (/_synapse/admin). Also implies 'media' and 'static'.
-#
-#   consent: user consent forms (/_matrix/consent). See
-#       docs/consent_tracking.md.
-#
-#   federation: the server-server API (/_matrix/federation). Also implies
-#       'media', 'keys', 'openid'
-#
-#   keys: the key discovery API (/_matrix/keys).
-#
-#   media: the media API (/_matrix/media).
-#
-#   metrics: the metrics interface. See docs/metrics-howto.md.
-#
-#   openid: OpenID authentication.
-#
-#   replication: the HTTP replication API (/_synapse/replication). See
-#       docs/workers.md.
-#
-#   static: static resources under synapse/static (/_matrix/static). (Mostly
-#       useful for 'fallback authentication'.)
-#
-#   webclient: A web client. Requires web_client_location to be set.
-#
-listeners:
-  # TLS-enabled listener: for when matrix traffic is sent directly to synapse.
-  #
-  # Disabled by default. To enable it, uncomment the following. (Note that you
-  # will also need to give Synapse a TLS key and certificate: see the TLS section
-  # below.)
-  #
-  #- port: 8448
-  #  type: http
-  #  tls: true
-  #  resources:
-  #    - names: [client, federation]
-
-  # Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy
-  # that unwraps TLS.
-  #
-  # If you plan to use a reverse proxy, please see
-  # https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md.
-  #
-  - port: 8008
-    tls: false
-    type: http
-    x_forwarded: true
-
-    resources:
-      - names: [client, federation]
-        compress: false
-
-    # example additional_resources:
-    #
-    #additional_resources:
-    #  "/_matrix/my/custom/endpoint":
-    #    module: my_module.CustomRequestHandler
-    #    config: {}
-
-  # Turn on the twisted ssh manhole service on localhost on the given
-  # port.
-  #
-  #- port: 9000
-  #  bind_addresses: ['::1', '127.0.0.1']
-  #  type: manhole
-
-# Forward extremities can build up in a room due to networking delays between
-# homeservers. Once this happens in a large room, calculation of the state of
-# that room can become quite expensive. To mitigate this, once the number of
-# forward extremities reaches a given threshold, Synapse will send an
-# org.matrix.dummy_event event, which will reduce the forward extremities
-# in the room.
-#
-# This setting defines the threshold (i.e. number of forward extremities in the
-# room) at which dummy events are sent. The default value is 10.
-#
-#dummy_events_threshold: 5
-
-
-## Homeserver blocking ##
-
-# How to reach the server admin, used in ResourceLimitError
-#
-#admin_contact: 'mailto:admin@server.com'
-
-# Global blocking
-#
-#hs_disabled: false
-#hs_disabled_message: 'Human readable reason for why the HS is blocked'
-
-# Monthly Active User Blocking
-#
-# Used in cases where the admin or server owner wants to limit to the
-# number of monthly active users.
-#
-# 'limit_usage_by_mau' disables/enables monthly active user blocking. When
-# enabled and a limit is reached the server returns a 'ResourceLimitError'
-# with error type Codes.RESOURCE_LIMIT_EXCEEDED
-#
-# 'max_mau_value' is the hard limit of monthly active users above which
-# the server will start blocking user actions.
-#
-# 'mau_trial_days' is a means to add a grace period for active users. It
-# means that users must be active for this number of days before they
-# can be considered active and guards against the case where lots of users
-# sign up in a short space of time never to return after their initial
-# session.
-#
-# 'mau_limit_alerting' is a means of limiting client side alerting
-# should the mau limit be reached. This is useful for small instances
-# where the admin has 5 mau seats (say) for 5 specific people and no
-# interest increasing the mau limit further. Defaults to True, which
-# means that alerting is enabled
-#
-#limit_usage_by_mau: false
-#max_mau_value: 50
-#mau_trial_days: 2
-#mau_limit_alerting: false
-
-# If enabled, the metrics for the number of monthly active users will
-# be populated, however no one will be limited. If limit_usage_by_mau
-# is true, this is implied to be true.
-#
-#mau_stats_only: false
-
-# Sometimes the server admin will want to ensure certain accounts are
-# never blocked by mau checking. These accounts are specified here.
-#
-#mau_limit_reserved_threepids:
-#  - medium: 'email'
-#    address: 'reserved_user@example.com'
-
-# Used by phonehome stats to group together related servers.
-#server_context: context
-
-# Resource-constrained homeserver settings
-#
-# When this is enabled, the room "complexity" will be checked before a user
-# joins a new remote room. If it is above the complexity limit, the server will
-# disallow joining, or will instantly leave.
-#
-# Room complexity is an arbitrary measure based on factors such as the number of
-# users in the room.
-#
-limit_remote_rooms:
-  # Uncomment to enable room complexity checking.
-  #
-  #enabled: true
-
-  # the limit above which rooms cannot be joined. The default is 1.0.
-  #
-  #complexity: 0.5
-
-  # override the error which is returned when the room is too complex.
-  #
-  #complexity_error: "This room is too complex."
-
-  # allow server admins to join complex rooms. Default is false.
-  #
-  #admins_can_join: true
-
-# Whether to require a user to be in the room to add an alias to it.
-# Defaults to 'true'.
-#
-#require_membership_for_aliases: false
-
-# Whether to allow per-room membership profiles through the send of membership
-# events with profile information that differ from the target's global profile.
-# Defaults to 'true'.
-#
-#allow_per_room_profiles: false
-
-# How long to keep redacted events in unredacted form in the database. After
-# this period redacted events get replaced with their redacted form in the DB.
-#
-# Defaults to `7d`. Set to `null` to disable.
-#
-#redaction_retention_period: 28d
-
-# How long to track users' last seen time and IPs in the database.
-#
-# Defaults to `28d`. Set to `null` to disable clearing out of old rows.
-#
-#user_ips_max_age: 14d
-
-# Message retention policy at the server level.
-#
-# Room admins and mods can define a retention period for their rooms using the
-# 'm.room.retention' state event, and server admins can cap this period by setting
-# the 'allowed_lifetime_min' and 'allowed_lifetime_max' config options.
-#
-# If this feature is enabled, Synapse will regularly look for and purge events
-# which are older than the room's maximum retention period. Synapse will also
-# filter events received over federation so that events that should have been
-# purged are ignored and not stored again.
-#
-retention:
-  # The message retention policies feature is disabled by default. Uncomment the
-  # following line to enable it.
-  #
-  enabled: false
-
-  # Default retention policy. If set, Synapse will apply it to rooms that lack the
-  # 'm.room.retention' state event. Currently, the value of 'min_lifetime' doesn't
-  # matter much because Synapse doesn't take it into account yet.
-  #
-  #default_policy:
-  #  min_lifetime: 1d
-  #  max_lifetime: 1y
-
-  # Retention policy limits. If set, and the state of a room contains a
-  # 'm.room.retention' event in its state which contains a 'min_lifetime' or a
-  # 'max_lifetime' that's out of these bounds, Synapse will cap the room's policy
-  # to these limits when running purge jobs.
-  #
-  #allowed_lifetime_min: 1d
-  allowed_lifetime_max: 1y
-
-  # Server admins can define the settings of the background jobs purging the
-  # events which lifetime has expired under the 'purge_jobs' section.
-  #
-  # If no configuration is provided, a single job will be set up to delete expired
-  # events in every room daily.
-  #
-  # Each job's configuration defines which range of message lifetimes the job
-  # takes care of. For example, if 'shortest_max_lifetime' is '2d' and
-  # 'longest_max_lifetime' is '3d', the job will handle purging expired events in
-  # rooms whose state defines a 'max_lifetime' that's both higher than 2 days, and
-  # lower than or equal to 3 days. Both the minimum and the maximum value of a
-  # range are optional, e.g. a job with no 'shortest_max_lifetime' and a
-  # 'longest_max_lifetime' of '3d' will handle every room with a retention policy
-  # which 'max_lifetime' is lower than or equal to three days.
-  #
-  # The rationale for this per-job configuration is that some rooms might have a
-  # retention policy with a low 'max_lifetime', where history needs to be purged
-  # of outdated messages on a more frequent basis than for the rest of the rooms
-  # (e.g. every 12h), but not want that purge to be performed by a job that's
-  # iterating over every room it knows, which could be heavy on the server.
-  #
-  # If any purge job is configured, it is strongly recommended to have at least
-  # a single job with neither 'shortest_max_lifetime' nor 'longest_max_lifetime'
-  # set, or one job without 'shortest_max_lifetime' and one job without
-  # 'longest_max_lifetime' set. Otherwise some rooms might be ignored, even if
-  # 'allowed_lifetime_min' and 'allowed_lifetime_max' are set, because capping a
-  # room's policy to these values is done after the policies are retrieved from
-  # Synapse's database (which is done using the range specified in a purge job's
-  # configuration).
-  #
-  #purge_jobs:
-  #  - longest_max_lifetime: 3d
-  #    interval: 12h
-  #  - shortest_max_lifetime: 3d
-  #    interval: 1d
-
-# Inhibits the /requestToken endpoints from returning an error that might leak
-# information about whether an e-mail address is in use or not on this
-# homeserver.
-# Note that for some endpoints the error situation is the e-mail already being
-# used, and for others the error is entering the e-mail being unused.
-# If this option is enabled, instead of returning an error, these endpoints will
-# act as if no error happened and return a fake session ID ('sid') to clients.
-#
-#request_token_inhibit_3pid_errors: true
-
-# A list of domains that the domain portion of 'next_link' parameters
-# must match.
-#
-# This parameter is optionally provided by clients while requesting
-# validation of an email or phone number, and maps to a link that
-# users will be automatically redirected to after validation
-# succeeds. Clients can make use this parameter to aid the validation
-# process.
-#
-# The whitelist is applied whether the homeserver or an
-# identity server is handling validation.
-#
-# The default value is no whitelist functionality; all domains are
-# allowed. Setting this value to an empty list will instead disallow
-# all domains.
-#
-#next_link_domain_whitelist: ["matrix.org"]
-
-
-## TLS ##
-
-# PEM-encoded X509 certificate for TLS.
-# This certificate, as of Synapse 1.0, will need to be a valid and verifiable
-# certificate, signed by a recognised Certificate Authority.
-#
-# See 'ACME support' below to enable auto-provisioning this certificate via
-# Let's Encrypt.
-#
-# If supplying your own, be sure to use a `.pem` file that includes the
-# full certificate chain including any intermediate certificates (for
-# instance, if using certbot, use `fullchain.pem` as your certificate,
-# not `cert.pem`).
-#
-#tls_certificate_path: "/data/matrix.420joos.dev.tls.crt"
-
-# PEM-encoded private key for TLS
-#
-#tls_private_key_path: "/data/matrix.420joos.dev.tls.key"
-
-# Whether to verify TLS server certificates for outbound federation requests.
-#
-# Defaults to `true`. To disable certificate verification, uncomment the
-# following line.
-#
-#federation_verify_certificates: false
-
-# The minimum TLS version that will be used for outbound federation requests.
-#
-# Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note
-# that setting this value higher than `1.2` will prevent federation to most
-# of the public Matrix network: only configure it to `1.3` if you have an
-# entirely private federation setup and you can ensure TLS 1.3 support.
-#
-#federation_client_minimum_tls_version: 1.2
-
-# Skip federation certificate verification on the following whitelist
-# of domains.
-#
-# This setting should only be used in very specific cases, such as
-# federation over Tor hidden services and similar. For private networks
-# of homeservers, you likely want to use a private CA instead.
-#
-# Only effective if federation_verify_certicates is `true`.
-#
-#federation_certificate_verification_whitelist:
-#  - lon.example.com
-#  - *.domain.com
-#  - *.onion
-
-# List of custom certificate authorities for federation traffic.
-#
-# This setting should only normally be used within a private network of
-# homeservers.
-#
-# Note that this list will replace those that are provided by your
-# operating environment. Certificates must be in PEM format.
-#
-#federation_custom_ca_list:
-#  - myCA1.pem
-#  - myCA2.pem
-#  - myCA3.pem
-
-# ACME support: This will configure Synapse to request a valid TLS certificate
-# for your configured `server_name` via Let's Encrypt.
-#
-# Note that ACME v1 is now deprecated, and Synapse currently doesn't support
-# ACME v2. This means that this feature currently won't work with installs set
-# up after November 2019. For more info, and alternative solutions, see
-# https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1
-#
-# Note that provisioning a certificate in this way requires port 80 to be
-# routed to Synapse so that it can complete the http-01 ACME challenge.
-# By default, if you enable ACME support, Synapse will attempt to listen on
-# port 80 for incoming http-01 challenges - however, this will likely fail
-# with 'Permission denied' or a similar error.
-#
-# There are a couple of potential solutions to this:
-#
-#  * If you already have an Apache, Nginx, or similar listening on port 80,
-#    you can configure Synapse to use an alternate port, and have your web
-#    server forward the requests. For example, assuming you set 'port: 8009'
-#    below, on Apache, you would write:
-#
-#    ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge
-#
-#  * Alternatively, you can use something like `authbind` to give Synapse
-#    permission to listen on port 80.
-#
-acme:
-    # ACME support is disabled by default. Set this to `true` and uncomment
-    # tls_certificate_path and tls_private_key_path above to enable it.
-    #
-    enabled: false
-
-    # Endpoint to use to request certificates. If you only want to test,
-    # use Let's Encrypt's staging url:
-    #     https://acme-staging.api.letsencrypt.org/directory
-    #
-    #url: https://acme-v01.api.letsencrypt.org/directory
-
-    # Port number to listen on for the HTTP-01 challenge. Change this if
-    # you are forwarding connections through Apache/Nginx/etc.
-    #
-    port: 80
-
-    # Local addresses to listen on for incoming connections.
-    # Again, you may want to change this if you are forwarding connections
-    # through Apache/Nginx/etc.
-    #
-    bind_addresses: ['::', '0.0.0.0']
-
-    # How many days remaining on a certificate before it is renewed.
-    #
-    reprovision_threshold: 30
-
-    # The domain that the certificate should be for. Normally this
-    # should be the same as your Matrix domain (i.e., 'server_name'), but,
-    # by putting a file at 'https://<server_name>/.well-known/matrix/server',
-    # you can delegate incoming traffic to another server. If you do that,
-    # you should give the target of the delegation here.
-    #
-    # For example: if your 'server_name' is 'example.com', but
-    # 'https://example.com/.well-known/matrix/server' delegates to
-    # 'matrix.example.com', you should put 'matrix.example.com' here.
-    #
-    # If not set, defaults to your 'server_name'.
-    #
-    domain: my_matrix.420joos.dev
-
-    # file to use for the account key. This will be generated if it doesn't
-    # exist.
-    #
-    # If unspecified, we will use CONFDIR/client.key.
-    #
-    account_key_file: /data/acme_account.key
-
-# List of allowed TLS fingerprints for this server to publish along
-# with the signing keys for this server. Other matrix servers that
-# make HTTPS requests to this server will check that the TLS
-# certificates returned by this server match one of the fingerprints.
-#
-# Synapse automatically adds the fingerprint of its own certificate
-# to the list. So if federation traffic is handled directly by synapse
-# then no modification to the list is required.
-#
-# If synapse is run behind a load balancer that handles the TLS then it
-# will be necessary to add the fingerprints of the certificates used by
-# the loadbalancers to this list if they are different to the one
-# synapse is using.
-#
-# Homeservers are permitted to cache the list of TLS fingerprints
-# returned in the key responses up to the "valid_until_ts" returned in
-# key. It may be necessary to publish the fingerprints of a new
-# certificate and wait until the "valid_until_ts" of the previous key
-# responses have passed before deploying it.
-#
-# You can calculate a fingerprint from a given TLS listener via:
-# openssl s_client -connect $host:$port < /dev/null 2> /dev/null |
-#   openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '='
-# or by checking matrix.org/federationtester/api/report?server_name=$host
-#
-#tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]
-
-
-## Federation ##
-
-# Restrict federation to the following whitelist of domains.
-# N.B. we recommend also firewalling your federation listener to limit
-# inbound federation traffic as early as possible, rather than relying
-# purely on this application-layer restriction.  If not specified, the
-# default is to whitelist everything.
-#
-federation_domain_whitelist:
-#  - lon.example.com
-#  - nyc.example.com
-#  - syd.example.com
-
-# Report prometheus metrics on the age of PDUs being sent to and received from
-# the following domains. This can be used to give an idea of "delay" on inbound
-# and outbound federation, though be aware that any delay can be due to problems
-# at either end or with the intermediate network.
-#
-# By default, no domains are monitored in this way.
-#
-#federation_metrics_domains:
-#  - matrix.org
-#  - example.com
-
-# Uncomment to disable profile lookup over federation. By default, the
-# Federation API allows other homeservers to obtain profile data of any user
-# on this homeserver. Defaults to 'true'.
-#
-#allow_profile_lookup_over_federation: false
-
-
-## Caching ##
-
-# Caching can be configured through the following options.
-#
-# A cache 'factor' is a multiplier that can be applied to each of
-# Synapse's caches in order to increase or decrease the maximum
-# number of entries that can be stored.
-
-# The number of events to cache in memory. Not affected by
-# caches.global_factor.
-#
-#event_cache_size: 10K
-
-caches:
-   # Controls the global cache factor, which is the default cache factor
-   # for all caches if a specific factor for that cache is not otherwise
-   # set.
-   #
-   # This can also be set by the "SYNAPSE_CACHE_FACTOR" environment
-   # variable. Setting by environment variable takes priority over
-   # setting through the config file.
-   #
-   # Defaults to 0.5, which will half the size of all caches.
-   #
-   #global_factor: 1.0
-
-   # A dictionary of cache name to cache factor for that individual
-   # cache. Overrides the global cache factor for a given cache.
-   #
-   # These can also be set through environment variables comprised
-   # of "SYNAPSE_CACHE_FACTOR_" + the name of the cache in capital
-   # letters and underscores. Setting by environment variable
-   # takes priority over setting through the config file.
-   # Ex. SYNAPSE_CACHE_FACTOR_GET_USERS_WHO_SHARE_ROOM_WITH_USER=2.0
-   #
-   # Some caches have '*' and other characters that are not
-   # alphanumeric or underscores. These caches can be named with or
-   # without the special characters stripped. For example, to specify
-   # the cache factor for `*stateGroupCache*` via an environment
-   # variable would be `SYNAPSE_CACHE_FACTOR_STATEGROUPCACHE=2.0`.
-   #
-   per_cache_factors:
-     #get_users_who_share_room_with_user: 2.0
-
-
-## Database ##
-
-# The 'database' setting defines the database that synapse uses to store all of
-# its data.
-#
-# 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or
-# 'psycopg2' (for PostgreSQL).
-#
-# 'args' gives options which are passed through to the database engine,
-# except for options starting 'cp_', which are used to configure the Twisted
-# connection pool. For a reference to valid arguments, see:
-#   * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
-#   * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
-#   * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__
-#
-#
-# Example SQLite configuration:
-#
-#database:
-#  name: sqlite3
-#  args:
-#    database: /path/to/homeserver.db
-#
-#
-# Example Postgres configuration:
-#
-database:
- name: psycopg2
- args:
-   user: 250b36482dea
-   password: 1473810b1d04
-   database: postgresdb
-   host: postgres
-   port: 5432
-  #  cp_min: 5
-  #  cp_max: 10
-#
-# For more information on using Synapse with Postgres, see `docs/postgres.md`.
-#
-# database:
-#   name: sqlite3
-#   args:
-#     database: /data/homeserver.db
-
-
-## Logging ##
-
-# A yaml python logging config file as described by
-# https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
-#
-log_config: "/data/default.log.config"
-
-
-## Ratelimiting ##
-
-# Ratelimiting settings for client actions (registration, login, messaging).
-#
-# Each ratelimiting configuration is made of two parameters:
-#   - per_second: number of requests a client can send per second.
-#   - burst_count: number of requests a client can send before being throttled.
-#
-# Synapse currently uses the following configurations:
-#   - one for messages that ratelimits sending based on the account the client
-#     is using
-#   - one for registration that ratelimits registration requests based on the
-#     client's IP address.
-#   - one for login that ratelimits login requests based on the client's IP
-#     address.
-#   - one for login that ratelimits login requests based on the account the
-#     client is attempting to log into.
-#   - one for login that ratelimits login requests based on the account the
-#     client is attempting to log into, based on the amount of failed login
-#     attempts for this account.
-#   - one for ratelimiting redactions by room admins. If this is not explicitly
-#     set then it uses the same ratelimiting as per rc_message. This is useful
-#     to allow room admins to deal with abuse quickly.
-#   - two for ratelimiting number of rooms a user can join, "local" for when
-#     users are joining rooms the server is already in (this is cheap) vs
-#     "remote" for when users are trying to join rooms not on the server (which
-#     can be more expensive)
-#   - one for ratelimiting how often a user or IP can attempt to validate a 3PID.
-#   - two for ratelimiting how often invites can be sent in a room or to a
-#     specific user.
-#
-# The defaults are as shown below.
-#
-#rc_message:
-#  per_second: 0.2
-#  burst_count: 10
-#
-#rc_registration:
-#  per_second: 0.17
-#  burst_count: 3
-#
-#rc_login:
-#  address:
-#    per_second: 0.17
-#    burst_count: 3
-#  account:
-#    per_second: 0.17
-#    burst_count: 3
-#  failed_attempts:
-#    per_second: 0.17
-#    burst_count: 3
-#
-#rc_admin_redaction:
-#  per_second: 1
-#  burst_count: 50
-#
-#rc_joins:
-#  local:
-#    per_second: 0.1
-#    burst_count: 3
-#  remote:
-#    per_second: 0.01
-#    burst_count: 3
-#
-#rc_3pid_validation:
-#  per_second: 0.003
-#  burst_count: 5
-#
-#rc_invites:
-#  per_room:
-#    per_second: 0.3
-#    burst_count: 10
-#  per_user:
-#    per_second: 0.003
-#    burst_count: 5
-
-# Ratelimiting settings for incoming federation
-#
-# The rc_federation configuration is made up of the following settings:
-#   - window_size: window size in milliseconds
-#   - sleep_limit: number of federation requests from a single server in
-#     a window before the server will delay processing the request.
-#   - sleep_delay: duration in milliseconds to delay processing events
-#     from remote servers by if they go over the sleep limit.
-#   - reject_limit: maximum number of concurrent federation requests
-#     allowed from a single server
-#   - concurrent: number of federation requests to concurrently process
-#     from a single server
-#
-# The defaults are as shown below.
-#
-#rc_federation:
-#  window_size: 1000
-#  sleep_limit: 10
-#  sleep_delay: 500
-#  reject_limit: 50
-#  concurrent: 3
-
-# Target outgoing federation transaction frequency for sending read-receipts,
-# per-room.
-#
-# If we end up trying to send out more read-receipts, they will get buffered up
-# into fewer transactions.
-#
-#federation_rr_transactions_per_room_per_second: 50
-
-
-
-## Media Store ##
-
-# Enable the media store service in the Synapse master. Uncomment the
-# following if you are using a separate media store worker.
-#
-#enable_media_repo: false
-
-# Directory where uploaded images and attachments are stored.
-#
-media_store_path: "/var/lib/media_store"
-
-# Media storage providers allow media to be stored in different
-# locations.
-#
-#media_storage_providers:
-#  - module: file_system
-#    # Whether to store newly uploaded local files
-#    store_local: false
-#    # Whether to store newly downloaded remote files
-#    store_remote: false
-#    # Whether to wait for successful storage for local uploads
-#    store_synchronous: false
-#    config:
-#       directory: /mnt/some/other/directory
-
-# The largest allowed upload size in bytes
-#
-max_upload_size: 50M
-uploads_path: "/var/lib/uploads"
-
-# Maximum number of pixels that will be thumbnailed
-#
-#max_image_pixels: 32M
-
-# Whether to generate new thumbnails on the fly to precisely match
-# the resolution requested by the client. If true then whenever
-# a new resolution is requested by the client the server will
-# generate a new thumbnail. If false the server will pick a thumbnail
-# from a precalculated list.
-#
-#dynamic_thumbnails: false
-
-# List of thumbnails to precalculate when an image is uploaded.
-#
-#thumbnail_sizes:
-#  - width: 32
-#    height: 32
-#    method: crop
-#  - width: 96
-#    height: 96
-#    method: crop
-#  - width: 320
-#    height: 240
-#    method: scale
-#  - width: 640
-#    height: 480
-#    method: scale
-#  - width: 800
-#    height: 600
-#    method: scale
-
-# Is the preview URL API enabled?
-#
-# 'false' by default: uncomment the following to enable it (and specify astored
-# specify a list for URL previewing to work.  You should specify any
-# internal services in your network that you do not want synapse to try
-# to connect to, otherwise anyone in any Matrix room could cause your
-# synapse to issue arbitrary GET requests to your internal services,
-# causing serious security issues.
-#
-# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
-# listed here, since they correspond to unroutable addresses.)
-#
-# This must be specified if url_preview_enabled is set. It is recommended that
-# you uncomment the following list as a starting point.
-#
-#url_preview_ip_range_blacklist:
-#  - '127.0.0.0/8'
-#  - '10.0.0.0/8'
-#  - '172.16.0.0/12'
-#  - '192.168.0.0/16'
-#  - '100.64.0.0/10'
-#  - '192.0.0.0/24'
-#  - '169.254.0.0/16'
-#  - '192.88.99.0/24'
-#  - '198.18.0.0/15'
-#  - '192.0.2.0/24'
-#  - '198.51.100.0/24'
-#  - '203.0.113.0/24'
-#  - '224.0.0.0/4'
-#  - '::1/128'
-#  - 'fe80::/10'
-#  - 'fc00::/7'
-#  - '2001:db8::/32'
-#  - 'ff00::/8'
-#  - 'fec0::/10'
-
-# List of IP address CIDR ranges that the URL preview spider is allowed
-# to access even if they are specified in url_preview_ip_range_blacklist.
-# This is useful for specifying exceptions to wide-ranging blacklisted
-# target IP ranges - e.g. for enabling URL previews for a specific private
-# website only visible in your network.
-#
-#url_preview_ip_range_whitelist:
-#   - '192.168.1.1'
-
-# Optional list of URL matches that the URL preview spider is
-# denied from accessing.  You should use url_preview_ip_range_blacklist
-# in preference to this, otherwise someone could define a public DNS
-# entry that points to a private IP address and circumvent the blacklist.
-# This is more useful if you know there is an entire shape of URL that
-# you know that will never want synapse to try to spider.
-#
-# Each list entry is a dictionary of url component attributes as returned
-# by urlparse.urlsplit as applied to the absolute form of the URL.  See
-# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit
-# The values of the dictionary are treated as an filename match pattern
-# applied to that component of URLs, unless they start with a ^ in which
-# case they are treated as a regular expression match.  If all the
-# blacklisted.
-#
-#url_preview_url_blacklist:
-#  # blacklist any URL with a username in its URI
-#  - username: '*'
-#
-#  # blacklist all *.google.com URLs
-#  - netloc: 'google.com'
-#  - netloc: '*.google.com'
-#
-#  # blacklist all plain HTTP URLs
-#  - scheme: 'http'
-#
-#  # blacklist http(s)://www.acme.com/foo
-#  - netloc: 'www.acme.com'
-#    path: '/foo'
-#
-#  # blacklist any URL with a literal IPv4 address
-#  - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
-
-# The largest allowed URL preview spidering size in bytes
-#
-#max_spider_size: 10M
-
-# A list of values for the Accept-Language HTTP header used when
-# downloading webpages during URL preview generation. This allows
-# Synapse to specify the preferred languages that URL previews should
-# be in when communicating with remote servers.
-#
-# Each value is a IETF language tag; a 2-3 letter identifier for a
-# language, optionally followed by subtags separated by '-', specifying
-# a country or region variant.
-#
-# Multiple values can be provided, and a weight can be added to each by
-# using quality value syntax (;q=). '*' translates to any language.
-#
-# Defaults to "en".
-#
-# Example:
-#
-# url_preview_accept_language:
-#   - en-UK
-#   - en-US;q=0.9
-#   - fr;q=0.8
-#   - *;q=0.7
-#
-url_preview_accept_language:
-#   - en
-
-
-## Captcha ##
-# See docs/CAPTCHA_SETUP.md for full details of configuring this.
-
-# This homeserver's ReCAPTCHA public key. Must be specified if
-# enable_registration_captcha is enabled.
-#
-recaptcha_public_key: "6Lc865YaAAAAAM_PAufSa8WdlVJmZAmI8XLVCieW"
-
-# This homeserver's ReCAPTCHA private key. Must be specified if
-# enable_registration_captcha is enabled.
-#
-recaptcha_private_key: "6Lc865YaAAAAABR25-cz9cWe-99Yl0-3GTvLUCjB"
-
-# Uncomment to enable ReCaptcha checks when registering, preventing signup
-# unless a captcha is answered. Requires a valid ReCaptcha
-# public/private key. Defaults to 'false'.
-#
-enable_registration_captcha: true
-
-# The API endpoint to use for verifying m.login.recaptcha responses.
-# Defaults to "https://www.recaptcha.net/recaptcha/api/siteverify".
-#
-recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
-
-
-## TURN ##
-
-# The public URIs of the TURN server to give to clients
-#
-# turn_uris: ["turn:turn.matrix.org?transport=udp", "turn:turn.matrix.org?transport=tcp"]
-# turn_uris: ["turn:turn.420joos.dev"]
-# turn_uris : ["turn:numb.viagenie.ca?transport=udp", "turn:numb.viagenie.ca?transport=tcp"]
-# turn_uris: ["stun:stun.l.google.com:19302"]
-# turn_uris : ["turn:numb.viagenie.ca"]
-turn_uris: ["turn:turn.420joos.dev?transport=udp", "turn:turn.420joos.dev?transport=tcp"]
-# turn_uris: ["turn:turn.420joos.dev?transport=udp"]
-
-
-# The shared secret used to compute passwords for the TURN server
-#
-turn_shared_secret: rjALsyzwcAD8Un27SWBh39eWzaM2eKXj2FV4pXlNA1ihEKN6eV1zsESThZ968viZ
-
-# The Username and password if the TURN server needs them and
-# does not use a token
-#
-# turn_username: "turnadmin"
-# turn_password: "rjALsyzwcAD8Un27SWBh39eWzaM2eKXj2FV4pXlNA1ihEKN6eV1zsESThZ968viZ"
-
-# How long generated TURN credentials last
-#
-# turn_user_lifetime: 86400000 #1h
-
-# Whether guests should be allowed to use the TURN server.
-# This defaults to True, otherwise VoIP will be unreliable for guests.
-# However, it does introduce a slight security risk as it allows users to
-# connect to arbitrary endpoints without having first signed up for a
-# valid account (e.g. by passing a CAPTCHA).
-#
-turn_allow_guests: false
-
-
-## Registration ##
-#
-# Registration can be rate-limited using the parameters in the "Ratelimiting"
-# section of this file.
-
-# Enable registration for new users.
-#
-enable_registration: true
-
-# Optional account validity configuration. This allows for accounts to be denied
-# any request after a given period.
-#
-# Once this feature is enabled, Synapse will look for registered users without an
-# expiration date at startup and will add one to every account it found using the
-# current settings at that time.
-# This means that, if a validity period is set, and Synapse is restarted (it will
-# then derive an expiration date from the current validity period), and some time
-# after that the validity period changes and Synapse is restarted, the users'
-# expiration dates won't be updated unless their account is manually renewed. This
-# date will be randomly selected within a range [now + period - d ; now + period],
-# where d is equal to 10% of the validity period.
-#
-account_validity:
-  # The account validity feature is disabled by default. Uncomment the
-  # following line to enable it.
-  #
-  #enabled: true
-
-  # The period after which an account is valid after its registration. When
-  # renewing the account, its validity period will be extended by this amount
-  # of time. This parameter is required when using the account validity
-  # feature.
-  #
-  #period: 6w
-
-  # The amount of time before an account's expiry date at which Synapse will
-  # send an email to the account's email address with a renewal link. By
-  # default, no such emails are sent.
-  #
-  # If you enable this setting, you will also need to fill out the 'email' and
-  # 'public_baseurl' configuration sections.
-  #
-  #renew_at: 1w
-
-  # The subject of the email sent out with the renewal link. '%(app)s' can be
-  # used as a placeholder for the 'app_name' parameter from the 'email'
-  # section.
-  #
-  # Note that the placeholder must be written '%(app)s', including the
-  # trailing 's'.
-  #
-  # If this is not set, a default value is used.
-  #
-  #renew_email_subject: "Renew your %(app)s account"
-
-  # Directory in which Synapse will try to find templates for the HTML files to
-  # serve to the user when trying to renew an account. If not set, default
-  # templates from within the Synapse package will be used.
-  #
-  #template_dir: "res/templates"
-
-  # File within 'template_dir' giving the HTML to be displayed to the user after
-  # they successfully renewed their account. If not set, default text is used.
-  #
-  #account_renewed_html_path: "account_renewed.html"
-
-  # File within 'template_dir' giving the HTML to be displayed when the user
-  # tries to renew an account with an invalid renewal token. If not set,
-  # default text is used.
-  #
-  #invalid_token_html_path: "invalid_token.html"
-
-# Time that a user's session remains valid for, after they log in.
-#
-# Note that this is not currently compatible with guest logins.
-#
-# Note also that this is calculated at login time: changes are not applied
-# retrospectively to users who have already logged in.
-#
-# By default, this is infinite.
-#
-#session_lifetime: 24h
-
-# The user must provide all of the below types of 3PID when registering.
-#
-#registrations_require_3pid:
-#  - email
-#  - msisdn
-
-# Explicitly disable asking for MSISDNs from the registration
-# flow (overrides registrations_require_3pid if MSISDNs are set as required)
-#
-#disable_msisdn_registration: true
-
-# Mandate that users are only allowed to associate certain formats of
-# 3PIDs with accounts on this server.
-#
-#allowed_local_3pids:
-#  - medium: email
-#    pattern: '.*@matrix\.org'
-#  - medium: email
-#    pattern: '.*@vector\.im'
-#  - medium: msisdn
-#    pattern: '\+44'
-
-# Enable 3PIDs lookup requests to identity servers from this server.
-#
-#enable_3pid_lookup: true
-
-# If set, allows registration of standard or admin accounts by anyone who
-# has the shared secret, even if registration is otherwise disabled.
-#
-registration_shared_secret: "xn8X+aj1--&wY=xgw+hPJ_LqRn-O~H7lt+RZGVTvLqh96F2*2P"
-
-# Set the number of bcrypt rounds used to generate password hash.
-# Larger numbers increase the work factor needed to generate the hash.
-# The default number is 12 (which equates to 2^12 rounds).
-# N.B. that increasing this will exponentially increase the time required
-# to register or login - e.g. 24 => 2^24 rounds which will take >20 mins.
-#
-#bcrypt_rounds: 12
-
-# Allows users to register as guests without a password/email/etc, and
-# participate in rooms hosted on this server which have been made
-# accessible to anonymous users.
-#
-#allow_guest_access: false
-
-# The identity server which we suggest that clients should use when users log
-# in on this server.
-#
-# (By default, no suggestion is made, so it is left up to the client.
-# This setting is ignored unless public_baseurl is also set.)
-#
-#default_identity_server: https://matrix.org
-
-# Handle threepid (email/phone etc) registration and password resets through a set of
-# *trusted* identity servers. Note that this allows the configured identity server to
-# reset passwords for accounts!
-#
-# Be aware that if `email` is not set, and SMTP options have not been
-# configured in the email config block, registration and user password resets via
-# email will be globally disabled.
-#
-# Additionally, if `msisdn` is not set, registration and password resets via msisdn
-# will be disabled regardless, and users will not be able to associate an msisdn
-# identifier to their account. This is due to Synapse currently not supporting
-# any method of sending SMS messages on its own.
-#
-# To enable using an identity server for operations regarding a particular third-party
-# identifier type, set the value to the URL of that identity server as shown in the
-# examples below.
-#
-# Servers handling the these requests must answer the `/requestToken` endpoints defined
-# by the Matrix Identity Service API specification:
-# https://matrix.org/docs/spec/identity_service/latest
-#
-# If a delegate is specified, the config option public_baseurl must also be filled out.
-#
-account_threepid_delegates:
-    #email: https://example.com     # Delegate email sending to example.com
-    #msisdn: http://localhost:8090  # Delegate SMS sending to this local process
-
-# Whether users are allowed to change their displayname after it has
-# been initially set. Useful when provisioning users based on the
-# contents of a third-party directory.
-#
-# Does not apply to server administrators. Defaults to 'true'
-#
-#enable_set_displayname: false
-
-# Whether users are allowed to change their avatar after it has been
-# initially set. Useful when provisioning users based on the contents
-# of a third-party directory.
-#
-# Does not apply to server administrators. Defaults to 'true'
-#
-#enable_set_avatar_url: false
-
-# Whether users can change the 3PIDs associated with their accounts
-# (email address and msisdn).
-#
-# Defaults to 'true'
-#
-#enable_3pid_changes: false
-
-# Users who register on this homeserver will automatically be joined
-# to these rooms.
-#
-# By default, any room aliases included in this list will be created
-# as a publicly joinable room when the first user registers for the
-# homeserver. This behaviour can be customised with the settings below.
-# If the room already exists, make certain it is a publicly joinable
-# room. The join rule of the room must be set to 'public'.
-#
-#auto_join_rooms:
-#  - "#example:example.com"
-
-# Where auto_join_rooms are specified, setting this flag ensures that the
-# the rooms exist by creating them when the first user on the
-# homeserver registers.
-#
-# By default the auto-created rooms are publicly joinable from any federated
-# server. Use the autocreate_auto_join_rooms_federated and
-# autocreate_auto_join_room_preset settings below to customise this behaviour.
-#
-# Setting to false means that if the rooms are not manually created,
-# users cannot be auto-joined since they do not exist.
-#
-# Defaults to true. Uncomment the following line to disable automatically
-# creating auto-join rooms.
-#
-#autocreate_auto_join_rooms: false
-
-# Whether the auto_join_rooms that are auto-created are available via
-# federation. Only has an effect if autocreate_auto_join_rooms is true.
-#
-# Note that whether a room is federated cannot be modified after
-# creation.
-#
-# Defaults to true: the room will be joinable from other servers.
-# Uncomment the following to prevent users from other homeservers from
-# joining these rooms.
-#
-#autocreate_auto_join_rooms_federated: false
-
-# The room preset to use when auto-creating one of auto_join_rooms. Only has an
-# effect if autocreate_auto_join_rooms is true.
-#
-# This can be one of "public_chat", "private_chat", or "trusted_private_chat".
-# If a value of "private_chat" or "trusted_private_chat" is used then
-# auto_join_mxid_localpart must also be configured.
-#
-# Defaults to "public_chat", meaning that the room is joinable by anyone, including
-# federated servers if autocreate_auto_join_rooms_federated is true (the default).
-# Uncomment the following to require an invitation to join these rooms.
-#
-#autocreate_auto_join_room_preset: private_chat
-
-# The local part of the user id which is used to create auto_join_rooms if
-# autocreate_auto_join_rooms is true. If this is not provided then the
-# initial user account that registers will be used to create the rooms.
-#
-# The user id is also used to invite new users to any auto-join rooms which
-# are set to invite-only.
-#
-# It *must* be configured if autocreate_auto_join_room_preset is set to
-# "private_chat" or "trusted_private_chat".
-#
-# Note that this must be specified in order for new users to be correctly
-# invited to any auto-join rooms which have been set to invite-only (either
-# at the time of creation or subsequently).
-#
-# Note that, if the room already exists, this user must be joined and
-# have the appropriate permissions to invite new members.
-#
-#auto_join_mxid_localpart: system
-
-# When auto_join_rooms is specified, setting this flag to false prevents
-# guest accounts from being automatically joined to the rooms.
-#
-# Defaults to true.
-#
-#auto_join_rooms_for_guests: false
-
-
-## Metrics ###
-
-# Enable collection and rendering of performance metrics
-#
-#enable_metrics: false
-
-# Enable sentry integration
-# NOTE: While attempts are made to ensure that the logs don't contain
-# any sensitive information, this cannot be guaranteed. By enabling
-# this option the sentry server may therefore receive sensitive
-# information, and it in turn may then diseminate sensitive information
-# through insecure notification channels if so configured.
-#
-#sentry:
-#    dsn: "..."
-
-# Flags to enable Prometheus metrics which are not suitable to be
-# enabled by default, either for performance reasons or limited use.
-#
-metrics_flags:
-    # Publish synapse_federation_known_servers, a gauge of the number of
-    # servers this homeserver knows about, including itself. May cause
-    # performance problems on large homeservers.
-    #
-    #known_servers: true
-
-# Whether or not to report anonymized homeserver usage statistics.
-#
-report_stats: true
-
-# The endpoint to report the anonymized homeserver usage statistics to.
-# Defaults to https://matrix.org/report-usage-stats/push
-#
-#report_stats_endpoint: https://example.com/report-usage-stats/push
-
-
-## API Configuration ##
-
-# A list of event types that will be included in the room_invite_state
-#
-#room_invite_state_types:
-#  - "m.room.join_rules"
-#  - "m.room.canonical_alias"
-#  - "m.room.avatar"
-#  - "m.room.encryption"
-#  - "m.room.name"
-
-
-# A list of application service config files to use
-#
-# app_service_config_files:
-#  - /bridges/telegram/config/registration.yaml
-#  - /bridges/whatsapp/config/registration.yaml
-
-# Uncomment to enable tracking of application service IP addresses. Implicitly
-# enables MAU tracking for application service users.
-#
-#track_appservice_user_ips: true
-
-
-# a secret which is used to sign access tokens. If none is specified,
-# the registration_shared_secret is used, if one is given; otherwise,
-# a secret key is derived from the signing key.
-#
-macaroon_secret_key: "1uofg7T5nKUswEXta&t33e-cXoFA.eeYn9L3gXVc1^BE60m6Rl"
-
-# a secret which is used to calculate HMACs for form values, to stop
-# falsification of values. Must be specified for the User Consent
-# forms to work.
-#
-form_secret: "r^9;J+3xC6Q;-EmgC^@ib@^oS9@93Kqg2=6Ii3eft.W0qsbpqE"
-
-## Signing Keys ##
-
-# Path to the signing key to sign messages with
-#
-signing_key_path: "/data/default.signing.key"
-
-# The keys that the server used to sign messages with but won't use
-# to sign new messages.
-#
-old_signing_keys:
-  # For each key, `key` should be the base64-encoded public key, and
-  # `expired_ts`should be the time (in milliseconds since the unix epoch) that
-  # it was last used.
-  #
-  # It is possible to build an entry from an old signing.key file using the
-  # `export_signing_key` script which is provided with synapse.
-  #
-  # For example:
-  #
-  #"ed25519:id": { key: "base64string", expired_ts: 123456789123 }
-
-# How long key response published by this server is valid for.
-# Used to set the valid_until_ts in /key/v2 APIs.
-# Determines how quickly servers will query to check which keys
-# are still valid.
-#
-#key_refresh_interval: 1d
-
-# The trusted servers to download signing keys from.
-#
-# When we need to fetch a signing key, each server is tried in parallel.
-#
-# Normally, the connection to the key server is validated via TLS certificates.
-# Additional security can be provided by configuring a `verify key`, which
-# will make synapse check that the response is signed by that key.
-#
-# This setting supercedes an older setting named `perspectives`. The old format
-# is still supported for backwards-compatibility, but it is deprecated.
-#
-# 'trusted_key_servers' defaults to matrix.org, but using it will generate a
-# warning on start-up. To suppress this warning, set
-# 'suppress_key_server_warning' to true.
-#
-# Options for each entry in the list include:
-#
-#    server_name: the name of the server. required.
-#
-#    verify_keys: an optional map from key id to base64-encoded public key.
-#       If specified, we will check that the response is signed by at least
-#       one of the given keys.
-#
-#    accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset,
-#       and federation_verify_certificates is not `true`, synapse will refuse
-#       to start, because this would allow anyone who can spoof DNS responses
-#       to masquerade as the trusted key server. If you know what you are doing
-#       and are sure that your network environment provides a secure connection
-#       to the key server, you can set this to `true` to override this
-#       behaviour.
-#
-# An example configuration might look like:
-#
-#trusted_key_servers:
-#  - server_name: "my_trusted_server.example.com"
-#    verify_keys:
-#      "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr"
-#  - server_name: "my_other_trusted_server.example.com"
-#
-trusted_key_servers:
-  - server_name: "matrix.org"
-
-# Uncomment the following to disable the warning that is emitted when the
-# trusted_key_servers include 'matrix.org'. See above.
-#
-#suppress_key_server_warning: true
-
-# The signing keys to use when acting as a trusted key server. If not specified
-# defaults to the server signing key.
-#
-# Can contain multiple keys, one per line.
-#
-#key_server_signing_keys_path: "key_server_signing_keys.key"
-
-
-## Single sign-on integration ##
-
-# The following settings can be used to make Synapse use a single sign-on
-# provider for authentication, instead of its internal password database.
-#
-# You will probably also want to set the following options to `false` to
-# disable the regular login/registration flows:
-#   * enable_registration
-#   * password_config.enabled
-#
-# You will also want to investigate the settings under the "sso" configuration
-# section below.
-
-# Enable SAML2 for registration and login. Uses pysaml2.
-#
-# At least one of `sp_config` or `config_path` must be set in this section to
-# enable SAML login.
-#
-# Once SAML support is enabled, a metadata file will be exposed at
-# https://<server>:<port>/_synapse/client/saml2/metadata.xml, which you may be able to
-# use to configure your SAML IdP with. Alternatively, you can manually configure
-# the IdP to use an ACS location of
-# https://<server>:<port>/_synapse/client/saml2/authn_response.
-#
-saml2_config:
-  # `sp_config` is the configuration for the pysaml2 Service Provider.
-  # See pysaml2 docs for format of config.
-  #
-  # Default values will be used for the 'entityid' and 'service' settings,
-  # so it is not normally necessary to specify them unless you need to
-  # override them.
-  #
-  sp_config:
-    # Point this to the IdP's metadata. You must provide either a local
-    # file via the `local` attribute or (preferably) a URL via the
-    # `remote` attribute.
-    #
-    #metadata:
-    #  local: ["saml2/idp.xml"]
-    #  remote:
-    #    - url: https://our_idp/metadata.xml
-
-    # Allowed clock difference in seconds between the homeserver and IdP.
-    #
-    # Uncomment the below to increase the accepted time difference from 0 to 3 seconds.
-    #
-    #accepted_time_diff: 3
-
-    # By default, the user has to go to our login page first. If you'd like
-    # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
-    # 'service.sp' section:
-    #
-    #service:
-    #  sp:
-    #    allow_unsolicited: true
-
-    # The examples below are just used to generate our metadata xml, and you
-    # may well not need them, depending on your setup. Alternatively you
-    # may need a whole lot more detail - see the pysaml2 docs!
-
-    #description: ["My awesome SP", "en"]
-    #name: ["Test SP", "en"]
-
-    #ui_info:
-    #  display_name:
-    #    - lang: en
-    #      text: "Display Name is the descriptive name of your service."
-    #  description:
-    #    - lang: en
-    #      text: "Description should be a short paragraph explaining the purpose of the service."
-    #  information_url:
-    #    - lang: en
-    #      text: "https://example.com/terms-of-service"
-    #  privacy_statement_url:
-    #    - lang: en
-    #      text: "https://example.com/privacy-policy"
-    #  keywords:
-    #    - lang: en
-    #      text: ["Matrix", "Element"]
-    #  logo:
-    #    - lang: en
-    #      text: "https://example.com/logo.svg"
-    #      width: "200"
-    #      height: "80"
-
-    #organization:
-    #  name: Example com
-    #  display_name:
-    #    - ["Example co", "en"]
-    #  url: "http://example.com"
-
-    #contact_person:
-    #  - given_name: Bob
-    #    sur_name: "the Sysadmin"
-    #    email_address": ["admin@example.com"]
-    #    contact_type": technical
-
-  # Instead of putting the config inline as above, you can specify a
-  # separate pysaml2 configuration file:
-  #
-  #config_path: "/data/sp_conf.py"
-
-  # The lifetime of a SAML session. This defines how long a user has to
-  # complete the authentication process, if allow_unsolicited is unset.
-  # The default is 15 minutes.
-  #
-  #saml_session_lifetime: 5m
-
-  # An external module can be provided here as a custom solution to
-  # mapping attributes returned from a saml provider onto a matrix user.
-  #
-  user_mapping_provider:
-    # The custom module's class. Uncomment to use a custom module.
-    #
-    #module: mapping_provider.SamlMappingProvider
-
-    # Custom configuration values for the module. Below options are
-    # intended for the built-in provider, they should be changed if
-    # using a custom module. This section will be passed as a Python
-    # dictionary to the module's `parse_config` method.
-    #
-    config:
-      # The SAML attribute (after mapping via the attribute maps) to use
-      # to derive the Matrix ID from. 'uid' by default.
-      #
-      # Note: This used to be configured by the
-      # saml2_config.mxid_source_attribute option. If that is still
-      # defined, its value will be used instead.
-      #
-      #mxid_source_attribute: displayName
-
-      # The mapping system to use for mapping the saml attribute onto a
-      # matrix ID.
-      #
-      # Options include:
-      #  * 'hexencode' (which maps unpermitted characters to '=xx')
-      #  * 'dotreplace' (which replaces unpermitted characters with
-      #     '.').
-      # The default is 'hexencode'.
-      #
-      # Note: This used to be configured by the
-      # saml2_config.mxid_mapping option. If that is still defined, its
-      # value will be used instead.
-      #
-      #mxid_mapping: dotreplace
-
-  # In previous versions of synapse, the mapping from SAML attribute to
-  # MXID was always calculated dynamically rather than stored in a
-  # table. For backwards- compatibility, we will look for user_ids
-  # matching such a pattern before creating a new account.
-  #
-  # This setting controls the SAML attribute which will be used for this
-  # backwards-compatibility lookup. Typically it should be 'uid', but if
-  # the attribute maps are changed, it may be necessary to change it.
-  #
-  # The default is 'uid'.
-  #
-  #grandfathered_mxid_source_attribute: upn
-
-  # It is possible to configure Synapse to only allow logins if SAML attributes
-  # match particular values. The requirements can be listed under
-  # `attribute_requirements` as shown below. All of the listed attributes must
-  # match for the login to be permitted.
-  #
-  #attribute_requirements:
-  #  - attribute: userGroup
-  #    value: "staff"
-  #  - attribute: department
-  #    value: "sales"
-
-  # If the metadata XML contains multiple IdP entities then the `idp_entityid`
-  # option must be set to the entity to redirect users to.
-  #
-  # Most deployments only have a single IdP entity and so should omit this
-  # option.
-  #
-  #idp_entityid: 'https://our_idp/entityid'
-
-
-# List of OpenID Connect (OIDC) / OAuth 2.0 identity providers, for registration
-# and login.
-#
-# Options for each entry include:
-#
-#   idp_id: a unique identifier for this identity provider. Used internally
-#       by Synapse; should be a single word such as 'github'.
-#
-#       Note that, if this is changed, users authenticating via that provider
-#       will no longer be recognised as the same user!
-#
-#   idp_name: A user-facing name for this identity provider, which is used to
-#       offer the user a choice of login mechanisms.
-#
-#   idp_icon: An optional icon for this identity provider, which is presented
-#       by clients and Synapse's own IdP picker page. If given, must be an
-#       MXC URI of the format mxc://<server-name>/<media-id>. (An easy way to
-#       obtain such an MXC URI is to upload an image to an (unencrypted) room
-#       and then copy the "url" from the source of the event.)
-#
-#   idp_brand: An optional brand for this identity provider, allowing clients
-#       to style the login flow according to the identity provider in question.
-#       See the spec for possible options here.
-#
-#   discover: set to 'false' to disable the use of the OIDC discovery mechanism
-#       to discover endpoints. Defaults to true.
-#
-#   issuer: Required. The OIDC issuer. Used to validate tokens and (if discovery
-#       is enabled) to discover the provider's endpoints.
-#
-#   client_id: Required. oauth2 client id to use.
-#
-#   client_secret: oauth2 client secret to use. May be omitted if
-#        client_secret_jwt_key is given, or if client_auth_method is 'none'.
-#
-#   client_secret_jwt_key: Alternative to client_secret: details of a key used
-#      to create a JSON Web Token to be used as an OAuth2 client secret. If
-#      given, must be a dictionary with the following properties:
-#
-#          key: a pem-encoded signing key. Must be a suitable key for the
-#              algorithm specified. Required unless 'key_file' is given.
-#
-#          key_file: the path to file containing a pem-encoded signing key file.
-#              Required unless 'key' is given.
-#
-#          jwt_header: a dictionary giving properties to include in the JWT
-#              header. Must include the key 'alg', giving the algorithm used to
-#              sign the JWT, such as "ES256", using the JWA identifiers in
-#              RFC7518.
-#
-#          jwt_payload: an optional dictionary giving properties to include in
-#              the JWT payload. Normally this should include an 'iss' key.
-#
-#   client_auth_method: auth method to use when exchanging the token. Valid
-#       values are 'client_secret_basic' (default), 'client_secret_post' and
-#       'none'.
-#
-#   scopes: list of scopes to request. This should normally include the "openid"
-#       scope. Defaults to ["openid"].
-#
-#   authorization_endpoint: the oauth2 authorization endpoint. Required if
-#       provider discovery is disabled.
-#
-#   token_endpoint: the oauth2 token endpoint. Required if provider discovery is
-#       disabled.
-#
-#   userinfo_endpoint: the OIDC userinfo endpoint. Required if discovery is
-#       disabled and the 'openid' scope is not requested.
-#
-#   jwks_uri: URI where to fetch the JWKS. Required if discovery is disabled and
-#       the 'openid' scope is used.
-#
-#   skip_verification: set to 'true' to skip metadata verification. Use this if
-#       you are connecting to a provider that is not OpenID Connect compliant.
-#       Defaults to false. Avoid this in production.
-#
-#   user_profile_method: Whether to fetch the user profile from the userinfo
-#       endpoint. Valid values are: 'auto' or 'userinfo_endpoint'.
-#
-#       Defaults to 'auto', which fetches the userinfo endpoint if 'openid' is
-#       included in 'scopes'. Set to 'userinfo_endpoint' to always fetch the
-#       userinfo endpoint.
-#
-#   allow_existing_users: set to 'true' to allow a user logging in via OIDC to
-#       match a pre-existing account instead of failing. This could be used if
-#       switching from password logins to OIDC. Defaults to false.
-#
-#   user_mapping_provider: Configuration for how attributes returned from a OIDC
-#       provider are mapped onto a matrix user. This setting has the following
-#       sub-properties:
-#
-#       module: The class name of a custom mapping module. Default is
-#           'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'.
-#           See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers
-#           for information on implementing a custom mapping provider.
-#
-#       config: Configuration for the mapping provider module. This section will
-#           be passed as a Python dictionary to the user mapping provider
-#           module's `parse_config` method.
-#
-#           For the default provider, the following settings are available:
-#
-#             subject_claim: name of the claim containing a unique identifier
-#                 for the user. Defaults to 'sub', which OpenID Connect
-#                 compliant providers should provide.
-#
-#             localpart_template: Jinja2 template for the localpart of the MXID.
-#                 If this is not set, the user will be prompted to choose their
-#                 own username (see 'sso_auth_account_details.html' in the 'sso'
-#                 section of this file).
-#
-#             display_name_template: Jinja2 template for the display name to set
-#                 on first login. If unset, no displayname will be set.
-#
-#             email_template: Jinja2 template for the email address of the user.
-#                 If unset, no email address will be added to the account.
-#
-#             extra_attributes: a map of Jinja2 templates for extra attributes
-#                 to send back to the client during login.
-#                 Note that these are non-standard and clients will ignore them
-#                 without modifications.
-#
-#           When rendering, the Jinja2 templates are given a 'user' variable,
-#           which is set to the claims returned by the UserInfo Endpoint and/or
-#           in the ID Token.
-#
-# See https://github.com/matrix-org/synapse/blob/master/docs/openid.md
-# for information on how to configure these options.
-#
-# For backwards compatibility, it is also possible to configure a single OIDC
-# provider via an 'oidc_config' setting. This is now deprecated and admins are
-# advised to migrate to the 'oidc_providers' format. (When doing that migration,
-# use 'oidc' for the idp_id to ensure that existing users continue to be
-# recognised.)
-#
-oidc_providers:
-  # Generic example
-  #
-  #- idp_id: my_idp
-  #  idp_name: "My OpenID provider"
-  #  idp_icon: "mxc://example.com/mediaid"
-  #  discover: false
-  #  issuer: "https://accounts.example.com/"
-  #  client_id: "provided-by-your-issuer"
-  #  client_secret: "provided-by-your-issuer"
-  #  client_auth_method: client_secret_post
-  #  scopes: ["openid", "profile"]
-  #  authorization_endpoint: "https://accounts.example.com/oauth2/auth"
-  #  token_endpoint: "https://accounts.example.com/oauth2/token"
-  #  userinfo_endpoint: "https://accounts.example.com/userinfo"
-  #  jwks_uri: "https://accounts.example.com/.well-known/jwks.json"
-  #  skip_verification: true
-  #  user_mapping_provider:
-  #    config:
-  #      subject_claim: "id"
-  #      localpart_template: "{{ user.login }}"
-  #      display_name_template: "{{ user.name }}"
-  #      email_template: "{{ user.email }}"
-
-  # For use with Keycloak
-  #
-  #- idp_id: keycloak
-  #  idp_name: Keycloak
-  #  issuer: "https://127.0.0.1:8443/auth/realms/my_realm_name"
-  #  client_id: "synapse"
-  #  client_secret: "copy secret generated in Keycloak UI"
-  #  scopes: ["openid", "profile"]
-
-  # For use with Github
-  #
-  #- idp_id: github
-  #  idp_name: Github
-  #  idp_brand: github
-  #  discover: false
-  #  issuer: "https://github.com/"
-  #  client_id: "your-client-id" # TO BE FILLED
-  #  client_secret: "your-client-secret" # TO BE FILLED
-  #  authorization_endpoint: "https://github.com/login/oauth/authorize"
-  #  token_endpoint: "https://github.com/login/oauth/access_token"
-  #  userinfo_endpoint: "https://api.github.com/user"
-  #  scopes: ["read:user"]
-  #  user_mapping_provider:
-  #    config:
-  #      subject_claim: "id"
-  #      localpart_template: "{{ user.login }}"
-  #      display_name_template: "{{ user.name }}"
-
-
-# Enable Central Authentication Service (CAS) for registration and login.
-#
-cas_config:
-  # Uncomment the following to enable authorization against a CAS server.
-  # Defaults to false.
-  #
-  #enabled: true
-
-  # The URL of the CAS authorization endpoint.
-  #
-  #server_url: "https://cas-server.com"
-
-  # The attribute of the CAS response to use as the display name.
-  #
-  # If unset, no displayname will be set.
-  #
-  #displayname_attribute: name
-
-  # It is possible to configure Synapse to only allow logins if CAS attributes
-  # match particular values. All of the keys in the mapping below must exist
-  # and the values must match the given value. Alternately if the given value
-  # is None then any value is allowed (the attribute just must exist).
-  # All of the listed attributes must match for the login to be permitted.
-  #
-  #required_attributes:
-  #  userGroup: "staff"
-  #  department: None
-
-
-# Additional settings to use with single-sign on systems such as OpenID Connect,
-# SAML2 and CAS.
-#
-sso:
-    # A list of client URLs which are whitelisted so that the user does not
-    # have to confirm giving access to their account to the URL. Any client
-    # whose URL starts with an entry in the following list will not be subject
-    # to an additional confirmation step after the SSO login is completed.
-    #
-    # WARNING: An entry such as "https://my.client" is insecure, because it
-    # will also match "https://my.client.evil.site", exposing your users to
-    # phishing attacks from evil.site. To avoid this, include a slash after the
-    # hostname: "https://my.client/".
-    #
-    # If public_baseurl is set, then the login fallback page (used by clients
-    # that don't natively support the required login flows) is whitelisted in
-    # addition to any URLs in this list.
-    #
-    # By default, this list is empty.
-    #
-    #client_whitelist:
-    #  - https://riot.im/develop
-    #  - https://my.custom.client/
-
-    # Directory in which Synapse will try to find the template files below.
-    # If not set, or the files named below are not found within the template
-    # directory, default templates from within the Synapse package will be used.
-    #
-    # Synapse will look for the following templates in this directory:
-    #
-    # * HTML page to prompt the user to choose an Identity Provider during
-    #   login: 'sso_login_idp_picker.html'.
-    #
-    #   This is only used if multiple SSO Identity Providers are configured.
-    #
-    #   When rendering, this template is given the following variables:
-    #     * redirect_url: the URL that the user will be redirected to after
-    #       login.
-    #
-    #     * server_name: the homeserver's name.
-    #
-    #     * providers: a list of available Identity Providers. Each element is
-    #       an object with the following attributes:
-    #
-    #         * idp_id: unique identifier for the IdP
-    #         * idp_name: user-facing name for the IdP
-    #         * idp_icon: if specified in the IdP config, an MXC URI for an icon
-    #              for the IdP
-    #         * idp_brand: if specified in the IdP config, a textual identifier
-    #              for the brand of the IdP
-    #
-    #   The rendered HTML page should contain a form which submits its results
-    #   back as a GET request, with the following query parameters:
-    #
-    #     * redirectUrl: the client redirect URI (ie, the `redirect_url` passed
-    #       to the template)
-    #
-    #     * idp: the 'idp_id' of the chosen IDP.
-    #
-    # * HTML page to prompt new users to enter a userid and confirm other
-    #   details: 'sso_auth_account_details.html'. This is only shown if the
-    #   SSO implementation (with any user_mapping_provider) does not return
-    #   a localpart.
-    #
-    #   When rendering, this template is given the following variables:
-    #
-    #     * server_name: the homeserver's name.
-    #
-    #     * idp: details of the SSO Identity Provider that the user logged in
-    #       with: an object with the following attributes:
-    #
-    #         * idp_id: unique identifier for the IdP
-    #         * idp_name: user-facing name for the IdP
-    #         * idp_icon: if specified in the IdP config, an MXC URI for an icon
-    #              for the IdP
-    #         * idp_brand: if specified in the IdP config, a textual identifier
-    #              for the brand of the IdP
-    #
-    #     * user_attributes: an object containing details about the user that
-    #       we received from the IdP. May have the following attributes:
-    #
-    #         * display_name: the user's display_name
-    #         * emails: a list of email addresses
-    #
-    #   The template should render a form which submits the following fields:
-    #
-    #     * username: the localpart of the user's chosen user id
-    #
-    # * HTML page allowing the user to consent to the server's terms and
-    #   conditions. This is only shown for new users, and only if
-    #   `user_consent.require_at_registration` is set.
-    #
-    #   When rendering, this template is given the following variables:
-    #
-    #     * server_name: the homeserver's name.
-    #
-    #     * user_id: the user's matrix proposed ID.
-    #
-    #     * user_profile.display_name: the user's proposed display name, if any.
-    #
-    #     * consent_version: the version of the terms that the user will be
-    #       shown
-    #
-    #     * terms_url: a link to the page showing the terms.
-    #
-    #   The template should render a form which submits the following fields:
-    #
-    #     * accepted_version: the version of the terms accepted by the user
-    #       (ie, 'consent_version' from the input variables).
-    #
-    # * HTML page for a confirmation step before redirecting back to the client
-    #   with the login token: 'sso_redirect_confirm.html'.
-    #
-    #   When rendering, this template is given the following variables:
-    #
-    #     * redirect_url: the URL the user is about to be redirected to.
-    #
-    #     * display_url: the same as `redirect_url`, but with the query
-    #                    parameters stripped. The intention is to have a
-    #                    human-readable URL to show to users, not to use it as
-    #                    the final address to redirect to.
-    #
-    #     * server_name: the homeserver's name.
-    #
-    #     * new_user: a boolean indicating whether this is the user's first time
-    #          logging in.
-    #
-    #     * user_id: the user's matrix ID.
-    #
-    #     * user_profile.avatar_url: an MXC URI for the user's avatar, if any.
-    #           None if the user has not set an avatar.
-    #
-    #     * user_profile.display_name: the user's display name. None if the user
-    #           has not set a display name.
-    #
-    # * HTML page which notifies the user that they are authenticating to confirm
-    #   an operation on their account during the user interactive authentication
-    #   process: 'sso_auth_confirm.html'.
-    #
-    #   When rendering, this template is given the following variables:
-    #     * redirect_url: the URL the user is about to be redirected to.
-    #
-    #     * description: the operation which the user is being asked to confirm
-    #
-    #     * idp: details of the Identity Provider that we will use to confirm
-    #       the user's identity: an object with the following attributes:
-    #
-    #         * idp_id: unique identifier for the IdP
-    #         * idp_name: user-facing name for the IdP
-    #         * idp_icon: if specified in the IdP config, an MXC URI for an icon
-    #              for the IdP
-    #         * idp_brand: if specified in the IdP config, a textual identifier
-    #              for the brand of the IdP
-    #
-    # * HTML page shown after a successful user interactive authentication session:
-    #   'sso_auth_success.html'.
-    #
-    #   Note that this page must include the JavaScript which notifies of a successful authentication
-    #   (see https://matrix.org/docs/spec/client_server/r0.6.0#fallback).
-    #
-    #   This template has no additional variables.
-    #
-    # * HTML page shown after a user-interactive authentication session which
-    #   does not map correctly onto the expected user: 'sso_auth_bad_user.html'.
-    #
-    #   When rendering, this template is given the following variables:
-    #     * server_name: the homeserver's name.
-    #     * user_id_to_verify: the MXID of the user that we are trying to
-    #       validate.
-    #
-    # * HTML page shown during single sign-on if a deactivated user (according to Synapse's database)
-    #   attempts to login: 'sso_account_deactivated.html'.
-    #
-    #   This template has no additional variables.
-    #
-    # * HTML page to display to users if something goes wrong during the
-    #   OpenID Connect authentication process: 'sso_error.html'.
-    #
-    #   When rendering, this template is given two variables:
-    #     * error: the technical name of the error
-    #     * error_description: a human-readable message for the error
-    #
-    # You can see the default templates at:
-    # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
-    #
-    #template_dir: "res/templates"
-
-
-# JSON web token integration. The following settings can be used to make
-# Synapse JSON web tokens for authentication, instead of its internal
-# password database.
-#
-# Each JSON Web Token needs to contain a "sub" (subject) claim, which is
-# used as the localpart of the mxid.
-#
-# Additionally, the expiration time ("exp"), not before time ("nbf"),
-# and issued at ("iat") claims are validated if present.
-#
-# Note that this is a non-standard login type and client support is
-# expected to be non-existent.
-#
-# See https://github.com/matrix-org/synapse/blob/master/docs/jwt.md.
-#
-#jwt_config:
-    # Uncomment the following to enable authorization using JSON web
-    # tokens. Defaults to false.
-    #
-    #enabled: true
-
-    # This is either the private shared secret or the public key used to
-    # decode the contents of the JSON web token.
-    #
-    # Required if 'enabled' is true.
-    #
-    #secret: "provided-by-your-issuer"
-
-    # The algorithm used to sign the JSON web token.
-    #
-    # Supported algorithms are listed at
-    # https://pyjwt.readthedocs.io/en/latest/algorithms.html
-    #
-    # Required if 'enabled' is true.
-    #
-    #algorithm: "provided-by-your-issuer"
-
-    # The issuer to validate the "iss" claim against.
-    #
-    # Optional, if provided the "iss" claim will be required and
-    # validated for all JSON web tokens.
-    #
-    #issuer: "provided-by-your-issuer"
-
-    # A list of audiences to validate the "aud" claim against.
-    #
-    # Optional, if provided the "aud" claim will be required and
-    # validated for all JSON web tokens.
-    #
-    # Note that if the "aud" claim is included in a JSON web token then
-    # validation will fail without configuring audiences.
-    #
-    #audiences:
-    #    - "provided-by-your-issuer"
-
-
-password_config:
-   # Uncomment to disable password login
-   #
-   #enabled: false
-
-   # Uncomment to disable authentication against the local password
-   # database. This is ignored if `enabled` is false, and is only useful
-   # if you have other password_providers.
-   #
-   #localdb_enabled: false
-
-   # Uncomment and change to a secret random string for extra security.
-   # DO NOT CHANGE THIS AFTER INITIAL SETUP!
-   #
-   #pepper: "EVEN_MORE_SECRET"
-
-   # Define and enforce a password policy. Each parameter is optional.
-   # This is an implementation of MSC2000.
-   #
-   policy:
-      # Whether to enforce the password policy.
-      # Defaults to 'false'.
-      #
-      enabled: true
-
-      # Minimum accepted length for a password.
-      # Defaults to 0.
-      #
-      #minimum_length: 15
-
-      # Whether a password must contain at least one digit.
-      # Defaults to 'false'.
-      #
-      require_digit: true
-
-      # Whether a password must contain at least one symbol.
-      # A symbol is any character that's not a number or a letter.
-      # Defaults to 'false'.
-      #
-      #require_symbol: true
-
-      # Whether a password must contain at least one lowercase letter.
-      # Defaults to 'false'.
-      #
-      require_lowercase: true
-
-      # Whether a password must contain at least one lowercase letter.
-      # Defaults to 'false'.
-      #
-      require_uppercase: true
-
-ui_auth:
-    # The amount of time to allow a user-interactive authentication session
-    # to be active.
-    #
-    # This defaults to 0, meaning the user is queried for their credentials
-    # before every action, but this can be overridden to allow a single
-    # validation to be re-used.  This weakens the protections afforded by
-    # the user-interactive authentication process, by allowing for multiple
-    # (and potentially different) operations to use the same validation session.
-    #
-    # Uncomment below to allow for credential validation to last for 15
-    # seconds.
-    #
-    #session_timeout: "15s"
-
-
-# Configuration for sending emails from Synapse.
-#
-email:
-  # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.
-  #
-  #smtp_host: mail.server
-
-  # The port on the mail server for outgoing SMTP. Defaults to 25.
-  #
-  #smtp_port: 587
-
-  # Username/password for authentication to the SMTP server. By default, no
-  # authentication is attempted.
-  #
-  #smtp_user: "exampleusername"
-  #smtp_pass: "examplepassword"
-
-  # Uncomment the following to require TLS transport security for SMTP.
-  # By default, Synapse will connect over plain text, and will then switch to
-  # TLS via STARTTLS *if the SMTP server supports it*. If this option is set,
-  # Synapse will refuse to connect unless the server supports STARTTLS.
-  #
-  #require_transport_security: true
-
-  # notif_from defines the "From" address to use when sending emails.
-  # It must be set if email sending is enabled.
-  #
-  # The placeholder '%(app)s' will be replaced by the application name,
-  # which is normally 'app_name' (below), but may be overridden by the
-  # Matrix client application.
-  #
-  # Note that the placeholder must be written '%(app)s', including the
-  # trailing 's'.
-  #
-  #notif_from: "Your Friendly %(app)s homeserver <noreply@example.com>"
-
-  # app_name defines the default value for '%(app)s' in notif_from and email
-  # subjects. It defaults to 'Matrix'.
-  #
-  #app_name: my_branded_matrix_server
-
-  # Uncomment the following to enable sending emails for messages that the user
-  # has missed. Disabled by default.
-  #
-  #enable_notifs: true
-
-  # Uncomment the following to disable automatic subscription to email
-  # notifications for new users. Enabled by default.
-  #
-  #notif_for_new_users: false
-
-  # Custom URL for client links within the email notifications. By default
-  # links will be based on "https://matrix.to".
-  #
-  # (This setting used to be called riot_base_url; the old name is still
-  # supported for backwards-compatibility but is now deprecated.)
-  #
-  #client_base_url: "http://localhost/riot"
-
-  # Configure the time that a validation email will expire after sending.
-  # Defaults to 1h.
-  #
-  #validation_token_lifetime: 15m
-
-  # The web client location to direct users to during an invite. This is passed
-  # to the identity server as the org.matrix.web_client_location key. Defaults
-  # to unset, giving no guidance to the identity server.
-  #
-  #invite_client_location: https://app.element.io
-
-  # Directory in which Synapse will try to find the template files below.
-  # If not set, or the files named below are not found within the template
-  # directory, default templates from within the Synapse package will be used.
-  #
-  # Synapse will look for the following templates in this directory:
-  #
-  # * The contents of email notifications of missed events: 'notif_mail.html' and
-  #   'notif_mail.txt'.
-  #
-  # * The contents of account expiry notice emails: 'notice_expiry.html' and
-  #   'notice_expiry.txt'.
-  #
-  # * The contents of password reset emails sent by the homeserver:
-  #   'password_reset.html' and 'password_reset.txt'
-  #
-  # * An HTML page that a user will see when they follow the link in the password
-  #   reset email. The user will be asked to confirm the action before their
-  #   password is reset: 'password_reset_confirmation.html'
-  #
-  # * HTML pages for success and failure that a user will see when they confirm
-  #   the password reset flow using the page above: 'password_reset_success.html'
-  #   and 'password_reset_failure.html'
-  #
-  # * The contents of address verification emails sent during registration:
-  #   'registration.html' and 'registration.txt'
-  #
-  # * HTML pages for success and failure that a user will see when they follow
-  #   the link in an address verification email sent during registration:
-  #   'registration_success.html' and 'registration_failure.html'
-  #
-  # * The contents of address verification emails sent when an address is added
-  #   to a Matrix account: 'add_threepid.html' and 'add_threepid.txt'
-  #
-  # * HTML pages for success and failure that a user will see when they follow
-  #   the link in an address verification email sent when an address is added
-  #   to a Matrix account: 'add_threepid_success.html' and
-  #   'add_threepid_failure.html'
-  #
-  # You can see the default templates at:
-  # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
-  #
-  #template_dir: "res/templates"
-
-  # Subjects to use when sending emails from Synapse.
-  #
-  # The placeholder '%(app)s' will be replaced with the value of the 'app_name'
-  # setting above, or by a value dictated by the Matrix client application.
-  #
-  # If a subject isn't overridden in this configuration file, the value used as
-  # its example will be used.
-  #
-  #subjects:
-
-    # Subjects for notification emails.
-    #
-    # On top of the '%(app)s' placeholder, these can use the following
-    # placeholders:
-    #
-    #   * '%(person)s', which will be replaced by the display name of the user(s)
-    #      that sent the message(s), e.g. "Alice and Bob".
-    #   * '%(room)s', which will be replaced by the name of the room the
-    #      message(s) have been sent to, e.g. "My super room".
-    #
-    # See the example provided for each setting to see which placeholder can be
-    # used and how to use them.
-    #
-    # Subject to use to notify about one message from one or more user(s) in a
-    # room which has a name.
-    #message_from_person_in_room: "[%(app)s] You have a message on %(app)s from %(person)s in the %(room)s room..."
-    #
-    # Subject to use to notify about one message from one or more user(s) in a
-    # room which doesn't have a name.
-    #message_from_person: "[%(app)s] You have a message on %(app)s from %(person)s..."
-    #
-    # Subject to use to notify about multiple messages from one or more users in
-    # a room which doesn't have a name.
-    #messages_from_person: "[%(app)s] You have messages on %(app)s from %(person)s..."
-    #
-    # Subject to use to notify about multiple messages in a room which has a
-    # name.
-    #messages_in_room: "[%(app)s] You have messages on %(app)s in the %(room)s room..."
-    #
-    # Subject to use to notify about multiple messages in multiple rooms.
-    #messages_in_room_and_others: "[%(app)s] You have messages on %(app)s in the %(room)s room and others..."
-    #
-    # Subject to use to notify about multiple messages from multiple persons in
-    # multiple rooms. This is similar to the setting above except it's used when
-    # the room in which the notification was triggered has no name.
-    #messages_from_person_and_others: "[%(app)s] You have messages on %(app)s from %(person)s and others..."
-    #
-    # Subject to use to notify about an invite to a room which has a name.
-    #invite_from_person_to_room: "[%(app)s] %(person)s has invited you to join the %(room)s room on %(app)s..."
-    #
-    # Subject to use to notify about an invite to a room which doesn't have a
-    # name.
-    #invite_from_person: "[%(app)s] %(person)s has invited you to chat on %(app)s..."
-
-    # Subject for emails related to account administration.
-    #
-    # On top of the '%(app)s' placeholder, these one can use the
-    # '%(server_name)s' placeholder, which will be replaced by the value of the
-    # 'server_name' setting in your Synapse configuration.
-    #
-    # Subject to use when sending a password reset email.
-    #password_reset: "[%(server_name)s] Password reset"
-    #
-    # Subject to use when sending a verification email to assert an address's
-    # ownership.
-    #email_validation: "[%(server_name)s] Validate your email"
-
-
-# Password providers allow homeserver administrators to integrate
-# their Synapse installation with existing authentication methods
-# ex. LDAP, external tokens, etc.
-#
-# For more information and known implementations, please see
-# https://github.com/matrix-org/synapse/blob/master/docs/password_auth_providers.md
-#
-# Note: instances wishing to use SAML or CAS authentication should
-# instead use the `saml2_config` or `cas_config` options,
-# respectively.
-#
-password_providers:
-#    # Example config for an LDAP auth provider
-#    - module: "ldap_auth_provider.LdapAuthProvider"
-#      config:
-#        enabled: true
-#        uri: "ldap://ldap.example.com:389"
-#        start_tls: true
-#        base: "ou=users,dc=example,dc=com"
-#        attributes:
-#           uid: "cn"
-#           mail: "email"
-#           name: "givenName"
-#        #bind_dn:
-#        #bind_password:
-#        #filter: "(objectClass=posixAccount)"
-
-
-
-## Push ##
-
-push:
-  # Clients requesting push notifications can either have the body of
-  # the message sent in the notification poke along with other details
-  # like the sender, or just the event ID and room ID (`event_id_only`).
-  # If clients choose the former, this option controls whether the
-  # notification request includes the content of the event (other details
-  # like the sender are still included). For `event_id_only` push, it
-  # has no effect.
-  #
-  # For modern android devices the notification content will still appear
-  # because it is loaded by the app. iPhone, however will send a
-  # notification saying only that a message arrived and who it came from.
-  #
-  # The default value is "true" to include message details. Uncomment to only
-  # include the event ID and room ID in push notification payloads.
-  #
-  #include_content: false
-
-  # When a push notification is received, an unread count is also sent.
-  # This number can either be calculated as the number of unread messages
-  # for the user, or the number of *rooms* the user has unread messages in.
-  #
-  # The default value is "true", meaning push clients will see the number of
-  # rooms with unread messages in them. Uncomment to instead send the number
-  # of unread messages.
-  #
-  #group_unread_count_by_room: false
-
-
-# Spam checkers are third-party modules that can block specific actions
-# of local users, such as creating rooms and registering undesirable
-# usernames, as well as remote users by redacting incoming events.
-#
-spam_checker:
-   #- module: "my_custom_project.SuperSpamChecker"
-   #  config:
-   #    example_option: 'things'
-   #- module: "some_other_project.BadEventStopper"
-   #  config:
-   #    example_stop_events_from: ['@bad:example.com']
-
-
-## Rooms ##
-
-# Controls whether locally-created rooms should be end-to-end encrypted by
-# default.
-#
-# Possible options are "all", "invite", and "off". They are defined as:
-#
-# * "all": any locally-created room
-# * "invite": any room created with the "private_chat" or "trusted_private_chat"
-#             room creation presets
-# * "off": this option will take no effect
-#
-# The default value is "off".
-#
-# Note that this option will only affect rooms created after it is set. It
-# will also not affect rooms created by other servers.
-#
-#encryption_enabled_by_default_for_room_type: invite
-
-
-# Uncomment to allow non-server-admin users to create groups on this server
-#
-#enable_group_creation: true
-
-# If enabled, non server admins can only create groups with local parts
-# starting with this prefix
-#
-#group_creation_prefix: "unofficial_"
-
-
-
-# User Directory configuration
-#
-user_directory:
-    # Defines whether users can search the user directory. If false then
-    # empty responses are returned to all queries. Defaults to true.
-    #
-    # Uncomment to disable the user directory.
-    #
-    #enabled: false
-
-    # Defines whether to search all users visible to your HS when searching
-    # the user directory, rather than limiting to users visible in public
-    # rooms. Defaults to false.
-    #
-    # If you set it true, you'll have to rebuild the user_directory search
-    # indexes, see:
-    # https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md
-    #
-    # Uncomment to return search results containing all known users, even if that
-    # user does not share a room with the requester.
-    #
-    #search_all_users: true
-
-    # Defines whether to prefer local users in search query results.
-    # If True, local users are more likely to appear above remote users
-    # when searching the user directory. Defaults to false.
-    #
-    # Uncomment to prefer local over remote users in user directory search
-    # results.
-    #
-    #prefer_local_users: true
-
-
-# User Consent configuration
-#
-# for detailed instructions, see
-# https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md
-#
-# Parts of this section are required if enabling the 'consent' resource under
-# 'listeners', in particular 'template_dir' and 'version'.
-#
-# 'template_dir' gives the location of the templates for the HTML forms.
-# This directory should contain one subdirectory per language (eg, 'en', 'fr'),
-# and each language directory should contain the policy document (named as
-# '<version>.html') and a success page (success.html).
-#
-# 'version' specifies the 'current' version of the policy document. It defines
-# the version to be served by the consent resource if there is no 'v'
-# parameter.
-#
-# 'server_notice_content', if enabled, will send a user a "Server Notice"
-# asking them to consent to the privacy policy. The 'server_notices' section
-# must also be configured for this to work. Notices will *not* be sent to
-# guest users unless 'send_server_notice_to_guests' is set to true.
-#
-# 'block_events_error', if set, will block any attempts to send events
-# until the user consents to the privacy policy. The value of the setting is
-# used as the text of the error.
-#
-# 'require_at_registration', if enabled, will add a step to the registration
-# process, similar to how captcha works. Users will be required to accept the
-# policy before their account is created.
-#
-# 'policy_name' is the display name of the policy users will see when registering
-# for an account. Has no effect unless `require_at_registration` is enabled.
-# Defaults to "Privacy Policy".
-#
-#user_consent:
-#  template_dir: res/templates/privacy
-#  version: 1.0
-#  server_notice_content:
-#    msgtype: m.text
-#    body: >-
-#      To continue using this homeserver you must review and agree to the
-#      terms and conditions at %(consent_uri)s
-#  send_server_notice_to_guests: true
-#  block_events_error: >-
-#    To continue using this homeserver you must review and agree to the
-#    terms and conditions at %(consent_uri)s
-#  require_at_registration: false
-#  policy_name: Privacy Policy
-#
-
-
-
-# Settings for local room and user statistics collection. See
-# docs/room_and_user_statistics.md.
-#
-stats:
-  # Uncomment the following to disable room and user statistics. Note that doing
-  # so may cause certain features (such as the room directory) not to work
-  # correctly.
-  #
-  #enabled: false
-
-  # The size of each timeslice in the room_stats_historical and
-  # user_stats_historical tables, as a time period. Defaults to "1d".
-  #
-  #bucket_size: 1h
-
-
-# Server Notices room configuration
-#
-# Uncomment this section to enable a room which can be used to send notices
-# from the server to users. It is a special room which cannot be left; notices
-# come from a special "notices" user id.
-#
-# If you uncomment this section, you *must* define the system_mxid_localpart
-# setting, which defines the id of the user which will be used to send the
-# notices.
-#
-# It's also possible to override the room name, the display name of the
-# "notices" user, and the avatar for the user.
-#
-server_notices:
- system_mxid_localpart: notices
- system_mxid_display_name: "Server Notices"
- system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ"
- room_name: "Server Notices"
-
-
-
-# Uncomment to disable searching the public room list. When disabled
-# blocks searching local and remote room lists for local and remote
-# users by always returning an empty list for all queries.
-#
-#enable_room_list_search: false
-
-# The `alias_creation` option controls who's allowed to create aliases
-# on this server.
-#
-# The format of this option is a list of rules that contain globs that
-# match against user_id, room_id and the new alias (fully qualified with
-# server name). The action in the first rule that matches is taken,
-# which can currently either be "allow" or "deny".
-#
-# Missing user_id/room_id/alias fields default to "*".
-#
-# If no rules match the request is denied. An empty list means no one
-# can create aliases.
-#
-# Options for the rules include:
-#
-#   user_id: Matches against the creator of the alias
-#   alias: Matches against the alias being created
-#   room_id: Matches against the room ID the alias is being pointed at
-#   action: Whether to "allow" or "deny" the request if the rule matches
-#
-# The default is:
-#
-#alias_creation_rules:
-#  - user_id: "*"
-#    alias: "*"
-#    room_id: "*"
-#    action: allow
-
-# The `room_list_publication_rules` option controls who can publish and
-# which rooms can be published in the public room list.
-#
-# The format of this option is the same as that for
-# `alias_creation_rules`.
-#
-# If the room has one or more aliases associated with it, only one of
-# the aliases needs to match the alias rule. If there are no aliases
-# then only rules with `alias: *` match.
-#
-# If no rules match the request is denied. An empty list means no one
-# can publish rooms.
-#
-# Options for the rules include:
-#
-#   user_id: Matches against the creator of the alias
-#   room_id: Matches against the room ID being published
-#   alias: Matches against any current local or canonical aliases
-#            associated with the room
-#   action: Whether to "allow" or "deny" the request if the rule matches
-#
-# The default is:
-#
-#room_list_publication_rules:
-#  - user_id: "*"
-#    alias: "*"
-#    room_id: "*"
-#    action: allow
-
-
-# Server admins can define a Python module that implements extra rules for
-# allowing or denying incoming events. In order to work, this module needs to
-# override the methods defined in synapse/events/third_party_rules.py.
-#
-# This feature is designed to be used in closed federations only, where each
-# participating server enforces the same rules.
-#
-#third_party_event_rules:
-#  module: "my_custom_project.SuperRulesSet"
-#  config:
-#    example_option: 'things'
-
-
-## Opentracing ##
-
-# These settings enable opentracing, which implements distributed tracing.
-# This allows you to observe the causal chains of events across servers
-# including requests, key lookups etc., across any server running
-# synapse or any other other services which supports opentracing
-# (specifically those implemented with Jaeger).
-#
-opentracing:
-    # tracing is disabled by default. Uncomment the following line to enable it.
-    #
-    #enabled: true
-
-    # The list of homeservers we wish to send and receive span contexts and span baggage.
-    # See docs/opentracing.rst
-    # This is a list of regexes which are matched against the server_name of the
-    # homeserver.
-    #
-    # By default, it is empty, so no servers are matched.
-    #
-    #homeserver_whitelist:
-    #  - ".*"
-
-    # Jaeger can be configured to sample traces at different rates.
-    # All configuration options provided by Jaeger can be set here.
-    # Jaeger's configuration mostly related to trace sampling which
-    # is documented here:
-    # https://www.jaegertracing.io/docs/1.13/sampling/.
-    #
-    #jaeger_config:
-    #  sampler:
-    #    type: const
-    #    param: 1
-
-    #  Logging whether spans were started and reported
-    #
-    #  logging:
-    #    false
-
-
-## Workers ##
-
-# Disables sending of outbound federation transactions on the main process.
-# Uncomment if using a federation sender worker.
-#
-#send_federation: false
-
-# It is possible to run multiple federation sender workers, in which case the
-# work is balanced across them.
-#
-# This configuration must be shared between all federation sender workers, and if
-# changed all federation sender workers must be stopped at the same time and then
-# started, to ensure that all instances are running with the same config (otherwise
-# events may be dropped).
-#
-#federation_sender_instances:
-#  - federation_sender1
-
-# When using workers this should be a map from `worker_name` to the
-# HTTP replication listener of the worker, if configured.
-#
-#instance_map:
-#  worker1:
-#    host: localhost
-#    port: 8034
-
-# Experimental: When using workers you can define which workers should
-# handle event persistence and typing notifications. Any worker
-# specified here must also be in the `instance_map`.
-#
-#stream_writers:
-#  events: worker1
-#  typing: worker1
-
-# The worker that is used to run background tasks (e.g. cleaning up expired
-# data). If not provided this defaults to the main process.
-#
-#run_background_tasks_on: worker1
-
-# A shared secret used by the replication APIs to authenticate HTTP requests
-# from workers.
-#
-# By default this is unused and traffic is not authenticated.
-#
-#worker_replication_secret: ""
-
-
-# Configuration for Redis when using workers. This *must* be enabled when
-# using workers (unless using old style direct TCP configuration).
-#
-redis:
-  # Uncomment the below to enable Redis support.
-  #
-  #enabled: true
-
-  # Optional host and port to use to connect to redis. Defaults to
-  # localhost and 6379
-  #
-  #host: localhost
-  #port: 6379
-
-  # Optional password if configured on the Redis instance
-  #
-  #password: <secret_password>
-
-
-# vim:ft=yaml
-
-
-serve_server_wellknown: true
diff --git a/synapse/my_synapse/synapse_small.yaml b/synapse/my_synapse/synapse_small.yaml
deleted file mode 100644
index 4d6728e872498376bd643dd549935e990c4db46e..0000000000000000000000000000000000000000
--- a/synapse/my_synapse/synapse_small.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-apiVersion: v1
-name: my-synapse
-namespace: my-synapse
-type: matrix
-deployments:
-- id: synapse
-  uri: mymatrix.${BASE_URL}
-  volumes:
-    synapse-media-store:
-      nfs:
-        path: /my_synapse/media/media_store
-    synapse-uploads:
-      nfs:
-        path: /my_synapse/media/uploads
-    synapse-config:
-      content:
-      - synapse/default.signing.key
-      - synapse/my_synapse/homeserver.yaml
-      - deploy/templates/synapse/default.log.config
-    # synapse-bridges:
-    #   mountPath: /bridges
-    #   nfs:
-    #     path: /my_synapse/bridges
-    #     server: ${PRODCLUSTER_DEVICE_IP}
-    #   size: 100Mi
-    #   type: pv
-- id: postgres
-  env:
-    content:
-      POSTGRES_DB: postgresdb
-      POSTGRES_USER: 250b36482dea
-      POSTGRES_PASSWORD: 1473810b1d04
-  volumes:
-    postgresdb:
-      nfs:
-        path: /my_synapse/db
diff --git a/synapse/synapse_small.yaml b/synapse/synapse_small.yaml
deleted file mode 100644
index 10b75193d26e4f9b8f96fe5963715bc1d86de35d..0000000000000000000000000000000000000000
--- a/synapse/synapse_small.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-apiVersion: v1
-name: synapse
-namespace: synapse
-type: matrix
-deployments:
-- id: synapse
-  uri: matrix.${BASE_URL}
-  volumes:
-    synapse-media-store:
-      nfs:
-        path: /synapse/media/media_store
-    synapse-uploads:
-      nfs:
-        path: /synapse/media/uploads
-    synapse-config:
-      content:
-      - synapse/default.signing.key
-      - synapse/homeserver.yaml
-      - deploy/templates/synapse/default.log.config
-    synapse-bridges:
-      mountPath: /bridges
-      nfs:
-        path: /synapse/bridges
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 100Mi
-      type: pv
-- id: postgres
-  env:
-    content:
-      POSTGRES_DB: postgresdb
-      POSTGRES_USER: 250b36482dea
-      POSTGRES_PASSWORD: 1473810b1d04
-  volumes:
-    postgresdb:
-      nfs:
-        path: /synapse/db
diff --git a/testing/busybox.yaml b/testing/busybox.yaml
deleted file mode 100644
index a7c3b84484883f76b895931540304fde9bb4aa70..0000000000000000000000000000000000000000
--- a/testing/busybox.yaml
+++ /dev/null
@@ -1,79 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: synapse-test
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  namespace: default
-  name: nfs-media-store-pv
-  labels:
-    type: local
-    app: test
-spec:
-  storageClassName: manual
-  capacity:
-    storage: 8Gi
-  accessModes:
-    - ReadWriteMany
-  persistentVolumeReclaimPolicy: Retain
-  nfs:
-    server: 192.168.0.100
-    path: "/test/test0"
-  # csi:
-  #   driver: nfs.csi.k8s.io
-  #   readOnly: false
-  #   volumeHandle: nfs-media-store-9f9b10e3-2e76-4c48-a8c0-9e65eba10940  # make sure it's a unique id in the cluster
-  #   volumeAttributes:
-  #     server: nfs-server.synapse-test.svc.cluster.local
-  #     share: /
-  mountOptions:
-    - nfsvers=4.1
-    - hard
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  namespace: synapse-test
-  name: nfs-media-store-pvc
-  labels:
-    app: test
-spec:
-  volumeName: 
-  storageClassName: manual
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 8Gi
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  namespace: synapse-test
-  name: test
-  labels:
-    app: test
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: test
-  template:
-    metadata:
-      labels:
-        app: test
-    spec:
-      containers:
-      - name: test
-        image: nginx
-        # command: ["sleep"]
-        # args: ["100000"]
-        volumeMounts:
-        - name: storage
-          mountPath: /data
-      volumes:
-      - name: storage
-        persistentVolumeClaim:
-          claimName: nfs-media-store-pvc
diff --git a/testing/echo1.yaml b/testing/echo1.yaml
deleted file mode 100644
index ca8421cdfb04146fee376abc49340eab4c697c83..0000000000000000000000000000000000000000
--- a/testing/echo1.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: echo1
-spec:
-  ports:
-  - port: 80
-    targetPort: 80
-  selector:
-    app: echo1
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: echo1
-spec:
-  selector:
-    matchLabels:
-      app: echo1
-  replicas: 2
-  template:
-    metadata:
-      labels:
-        app: echo1
-    spec:
-      containers:
-      - name: echo1
-        image: nginx
-        #args:
-        #- "-text=echo1"
-        ports:
-        - containerPort: 80
-
diff --git a/testing/echo2.yaml b/testing/echo2.yaml
deleted file mode 100644
index 7aa638488969d0834c48638175925998acbedfec..0000000000000000000000000000000000000000
--- a/testing/echo2.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: echo2
-spec:
-  ports:
-  - port: 80
-    targetPort: 80
-  selector:
-    app: echo2
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: echo2
-spec:
-  selector:
-    matchLabels:
-      app: echo2
-  replicas: 1
-  template:
-    metadata:
-      labels:
-        app: echo2
-    spec:
-      containers:
-      - name: echo2
-        image: nginx
-#        args:
-#        - "-text=echo2"
-        ports:
-        - containerPort: 80
diff --git a/testing/small_testing.yaml b/testing/small_testing.yaml
deleted file mode 100644
index 9aedfab83f9762a19f2fee65a93a5de0581127f6..0000000000000000000000000000000000000000
--- a/testing/small_testing.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: v1
-type: nginx
-name: test-back
-namespace: test-back
-deployments:
-- id: default
-  name: test-back
-  image: nginx:1.21.6
-  uri: 
-  - test.$BASE_URL
-  - test2.$BASE_URL
-  # volumes:
-  #  test-data:
-  #     accessModes:
-  #     - ReadWriteMany
-  #     mountPath: /test
-  #     nfs:
-  #       path: /
-  #       server: 192.168.8.199
-  #     size: 1Gi
-  #     type: pv
\ No newline at end of file
diff --git a/turn/turn_small.yaml b/turn/turn_small.yaml
deleted file mode 100644
index 9df580ebd572bf6fc848ded65916e4b6b247da03..0000000000000000000000000000000000000000
--- a/turn/turn_small.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-name: turn
-namespace: turn
-type: turn
-deployments:
-- id: turn_server
-  uri: turn.420joos.dev # maybe this needed but no additional port (optimal)
-  volumes:
-    turn-config:
-      content:
-      - deploy/templates/turn/turnserver.conf
diff --git a/vaultwarden/vaultwarden_small.yaml b/vaultwarden/vaultwarden_small.yaml
deleted file mode 100644
index 6c613d8192878722ada45c8ca7d478d8da14f1c1..0000000000000000000000000000000000000000
--- a/vaultwarden/vaultwarden_small.yaml
+++ /dev/null
@@ -1,62 +0,0 @@
-apiVersion: v1
-name: vaultwarden
-namespace: vaultwarden
-type: none
-deployments:
-- id: default
-  env:
-    content:
-      # WEBSOCKET_ENABLED: "true"
-      SIGNUPS_ALLOWED: "false"
-      INVITATIONS_ALLOWED: "false"
-      ADMIN_TOKEN: EVyf9HGixESQVHa7Ee4sI81oRN2CWWG6
-      WEB_VAULT_ENABLED: "true"
-      DATABASE_URL: postgresql://0eccb43929df:b0badab04010@postgres:5432/vaultwardendb
-      DOMAIN: https://pwm.420joos.dev
-
-      # SMTP Settings
-      SMTP_HOST: mail.privateemail.com
-      SMTP_FROM: no-reply@420joos.dev
-      SMTP_PORT: "587"
-      SMTP_SECURITY: starttls
-      SMTP_USERNAME: no-reply@420joos.dev
-      SMTP_PASSWORD: GOvcPSzmgo3kfCzs4dGvCRwM93cnw1aw
-  exposedHttpPort: 80
-  image: vaultwarden/server:1.26.0-alpine
-  name: vaultwarden
-  uri: pwm.${BASE_URL}
-  maxUploadSize: 50m
-  volumes:
-    test-back-config:
-      accessModes:
-      - ReadWriteMany
-      mountPath: /data
-      nfs:
-        path: /vaultwarden/data
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 1Gi
-      type: pv
-- id: postgres
-  env:
-    content:
-      LC_COLLATE: C
-      LC_CTYPE: C
-      POSTGRES_INITDB_ARGS: "-E utf8"
-      POSTGRES_DB: vaultwardendb
-      POSTGRES_USER: 0eccb43929df
-      POSTGRES_PASSWORD: b0badab04010
-  image: postgres:15-alpine
-  name: postgres
-  ports:
-    clusterIP:
-    - port: 5432
-      protocol: TCP
-      targetPort: 5432
-  volumes:
-    db:
-      mountPath: /var/lib/postgresql/data
-      nfs:
-        path: /vaultwarden/db
-        server: ${PRODCLUSTER_DEVICE_IP}
-      size: 2Gi
-      type: pv
diff --git a/wordpress/cli_10001/wordpress_small.yaml b/wordpress/cli_10001/wordpress_small.yaml
deleted file mode 100644
index f3458d9ee2ffd68bb6f7d57c031a9dc4b5ae1880..0000000000000000000000000000000000000000
--- a/wordpress/cli_10001/wordpress_small.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: v1
-name: wordpress-cli-10001
-namespace: wordpress-cli-10001
-type: wordpress
-deployments:
-- id: wordpress-server
-  env:
-    content:
-      WORDPRESS_DB_HOST: mysql:3306
-      WORDPRESS_DB_NAME: wordpress
-      WORDPRESS_DB_USER: G26CoGMBfzlbJ4g0dr7ZMeXOFXrcyPtT
-      WORDPRESS_DB_PASSWORD: tJk0tEnSoMw3ag1ytjPBXDKheXjKjz5P
-  uri: arnaudpas.com
-  volumes:
-    wordpress-html:
-      nfs:
-        path: /wordpress-cli-10001/html
-    wordpress-htaccess-config:
-      content:
-      - deploy/templates/wordpress/.htaccess
-- id: mysql
-  env:
-    content:
-      MYSQL_ROOT_PASSWORD: UR3jqzLeSIS6wly00LtoyV5z4gcYhfbv
-      MYSQL_DATABASE: wordpress
-      MYSQL_USER: G26CoGMBfzlbJ4g0dr7ZMeXOFXrcyPtT
-      MYSQL_PASSWORD: tJk0tEnSoMw3ag1ytjPBXDKheXjKjz5P
-  volumes:
-    mysql-db:
-      nfs:
-        path: /wordpress-cli-10001/db
diff --git a/wordpress/cli_10002/wordpress_small.yaml b/wordpress/cli_10002/wordpress_small.yaml
deleted file mode 100644
index 55fa6d784b53679624ab0799b99ed17a6e4a71d9..0000000000000000000000000000000000000000
--- a/wordpress/cli_10002/wordpress_small.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: v1
-name: wordpress-cli-10002
-namespace: wordpress-cli-10002
-type: wordpress
-deployments:
-- id: wordpress-server
-  env:
-    content:
-      WORDPRESS_DB_HOST: mysql:3306
-      WORDPRESS_DB_NAME: wordpress
-      WORDPRESS_DB_USER: k1PkIByDviqblpnlaV4C9p6MPs2fNJaV
-      WORDPRESS_DB_PASSWORD: YpDMmJklkuGRzK51QvE3ajo8QM2kto7O
-  uri: joeldisch.420joos.dev
-  volumes:
-    wordpress-html:
-      nfs:
-        path: /wordpress-cli-10002/html
-    wordpress-htaccess-config:
-      content:
-      - deploy/templates/wordpress/.htaccess
-- id: mysql
-  env:
-    content:
-      MYSQL_ROOT_PASSWORD: JNwUevJ32wfD8H6fElQ1w02hK2H7stTS
-      MYSQL_DATABASE: wordpress
-      MYSQL_USER: k1PkIByDviqblpnlaV4C9p6MPs2fNJaV
-      MYSQL_PASSWORD: YpDMmJklkuGRzK51QvE3ajo8QM2kto7O
-  volumes:
-    mysql-db:
-      nfs:
-        path: /wordpress-cli-10002/db
diff --git a/wordpress/cli_10003/wordpress_small.yaml b/wordpress/cli_10003/wordpress_small.yaml
deleted file mode 100644
index 92a1151881c35a9079d07dd41f06db437b4f2a6d..0000000000000000000000000000000000000000
--- a/wordpress/cli_10003/wordpress_small.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: v1
-name: wordpress-cli-10003
-namespace: wordpress-cli-10003
-type: wordpress
-deployments:
-- id: wordpress-server
-  env:
-    content:
-      WORDPRESS_DB_HOST: mysql:3306
-      WORDPRESS_DB_NAME: wordpress
-      WORDPRESS_DB_USER: A5igXffTk3FITvbEnyycHZkZUrSoTipa
-      WORDPRESS_DB_PASSWORD: dxJOVLEFQAc0fBp9iBmJvB8CGzKkCnrs
-  uri: nora.${BASE_URL}
-  volumes:
-    wordpress-html:
-      nfs:
-        path: /wordpress-cli-10003/html
-    wordpress-htaccess-config:
-      content:
-      - deploy/templates/wordpress/.htaccess
-- id: mysql
-  env:
-    content:
-      MYSQL_ROOT_PASSWORD: aHyoXjEoJFabiL0QpTDalcyg3tFBVKCv
-      MYSQL_DATABASE: wordpress
-      MYSQL_USER: A5igXffTk3FITvbEnyycHZkZUrSoTipa
-      MYSQL_PASSWORD: dxJOVLEFQAc0fBp9iBmJvB8CGzKkCnrs
-  volumes:
-    mysql-db:
-      nfs:
-        path: /wordpress-cli-10003/db
diff --git a/wordpress/wordpress_small.yaml b/wordpress/wordpress_small.yaml
deleted file mode 100644
index 549eb64a7a03b941f727cd8e0ae2d6cc02ee1596..0000000000000000000000000000000000000000
--- a/wordpress/wordpress_small.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-apiVersion: v1
-name: wordpress
-namespace: wordpress
-type: wordpress
-deployments:
-- id: wordpress-server
-  env:
-    content:
-      WORDPRESS_DB_HOST: mysql:3306
-      WORDPRESS_DB_NAME: wordpress
-      WORDPRESS_DB_USER: da06a40c79bc
-      WORDPRESS_DB_PASSWORD: 1b545039bf4d
-  uri: 
-  - ${BASE_URL}
-  - andri.${JOOS_IO_BASE_URL}
-  volumes:
-    wordpress-html:
-      nfs:
-        path: /wordpress/html
-    wordpress-htaccess-config:
-      content:
-      - deploy/templates/wordpress/.htaccess
-- id: mysql
-  env:
-    content:
-      MYSQL_ROOT_PASSWORD: 257ab9e83d19
-      MYSQL_DATABASE: wordpress
-      MYSQL_USER: da06a40c79bc
-      MYSQL_PASSWORD: 1b545039bf4d
-  volumes:
-    mysql-db:
-      nfs:
-        path: /wordpress/db