diff --git a/tests/vendir.lock.yml b/tests/vendir.lock.yml
index 50b8092f2..2c5d2855d 100644
--- a/tests/vendir.lock.yml
+++ b/tests/vendir.lock.yml
@@ -2,8 +2,8 @@ apiVersion: vendir.k14s.io/v1alpha1
directories:
- contents:
- githubRelease:
- tag: v0.12.3
- url: https://api.github.com/repos/buildpacks-community/kpack/releases/131064629
+ tag: v0.13.2
+ url: https://api.github.com/repos/buildpacks-community/kpack/releases/139740949
path: kpack
- githubRelease:
tag: v0.7.0
@@ -14,8 +14,8 @@ directories:
url: https://api.github.com/repos/kubernetes-sigs/metrics-server/releases/137632772
path: metrics-server-local
- githubRelease:
- tag: v1.13.3
- url: https://api.github.com/repos/cert-manager/cert-manager/releases/133422641
+ tag: v1.14.1
+ url: https://api.github.com/repos/cert-manager/cert-manager/releases/139697993
path: cert-manager
- git:
commitTitle: Update Contour Docker image to v1.27.0....
diff --git a/tests/vendor/cert-manager/cert-manager.crds.yaml b/tests/vendor/cert-manager/cert-manager.crds.yaml
index 2ab32261e..3d16882f0 100644
--- a/tests/vendor/cert-manager/cert-manager.crds.yaml
+++ b/tests/vendor/cert-manager/cert-manager.crds.yaml
@@ -22,7 +22,7 @@ metadata:
app.kubernetes.io/name: 'cert-manager'
app.kubernetes.io/instance: 'cert-manager'
# Generated labels
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
spec:
group: cert-manager.io
names:
@@ -220,7 +220,7 @@ metadata:
app.kubernetes.io/name: 'cert-manager'
app.kubernetes.io/instance: 'cert-manager'
# Generated labels
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
spec:
group: cert-manager.io
names:
@@ -382,9 +382,83 @@ spec:
name:
description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
+ profile:
+ description: "Profile specifies the key and certificate encryption algorithms and the HMAC algorithm used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility. \n If provided, allowed values are: `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20. `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility. `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms (eg. because of company policy). Please note that the security of the algorithm is not that important in reality, because the unencrypted certificate and private key are also stored in the Secret."
+ type: string
+ enum:
+ - LegacyRC2
+ - LegacyDES
+ - Modern2023
literalSubject:
description: "Requested X.509 certificate subject, represented using the LDAP \"String Representation of a Distinguished Name\" [1]. Important: the LDAP string format also specifies the order of the attributes in the subject, this is important when issuing certs for LDAP authentication. Example: `CN=foo,DC=corp,DC=example,DC=com` More info [1]: https://datatracker.ietf.org/doc/html/rfc4514 More info: https://github.com/cert-manager/cert-manager/issues/3203 More info: https://github.com/cert-manager/cert-manager/issues/4424 \n Cannot be set if the `subject` or `commonName` field is set. This is an Alpha Feature and is only enabled with the `--feature-gates=LiteralCertificateSubject=true` option set on both the controller and webhook components."
type: string
+ nameConstraints:
+ description: "x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate. More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 \n This is an Alpha Feature and is only enabled with the `--feature-gates=NameConstraints=true` option set on both the controller and webhook components."
+ type: object
+ properties:
+ critical:
+ description: if true then the name constraints are marked critical.
+ type: boolean
+ excluded:
+ description: Excluded contains the constraints which must be disallowed. Any name matching a restriction in the excluded field is invalid regardless of information appearing in the permitted
+ type: object
+ properties:
+ dnsDomains:
+ description: DNSDomains is a list of DNS domains that are permitted or excluded.
+ type: array
+ items:
+ type: string
+ emailAddresses:
+ description: EmailAddresses is a list of Email Addresses that are permitted or excluded.
+ type: array
+ items:
+ type: string
+ ipRanges:
+ description: IPRanges is a list of IP Ranges that are permitted or excluded. This should be a valid CIDR notation.
+ type: array
+ items:
+ type: string
+ uriDomains:
+ description: URIDomains is a list of URI domains that are permitted or excluded.
+ type: array
+ items:
+ type: string
+ permitted:
+ description: Permitted contains the constraints in which the names must be located.
+ type: object
+ properties:
+ dnsDomains:
+ description: DNSDomains is a list of DNS domains that are permitted or excluded.
+ type: array
+ items:
+ type: string
+ emailAddresses:
+ description: EmailAddresses is a list of Email Addresses that are permitted or excluded.
+ type: array
+ items:
+ type: string
+ ipRanges:
+ description: IPRanges is a list of IP Ranges that are permitted or excluded. This should be a valid CIDR notation.
+ type: array
+ items:
+ type: string
+ uriDomains:
+ description: URIDomains is a list of URI domains that are permitted or excluded.
+ type: array
+ items:
+ type: string
+ otherNames:
+ description: '`otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37 Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`. Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3 You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.'
+ type: array
+ items:
+ type: object
+ properties:
+ oid:
+ description: OID is the object identifier for the otherName SAN. The object identifier must be expressed as a dotted string, for example, "1.2.840.113556.1.4.221".
+ type: string
+ utf8Value:
+ description: utf8Value is the string value of the otherName SAN. The utf8Value accepts any valid UTF8 string to set as value for the otherName SAN.
+ type: string
privateKey:
description: Private key options. These include the key algorithm and size, the used encoding and the rotation policy.
type: object
@@ -591,7 +665,7 @@ metadata:
app.kubernetes.io/name: 'cert-manager'
app.kubernetes.io/instance: 'cert-manager'
# Generated labels
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
spec:
group: acme.cert-manager.io
names:
@@ -756,10 +830,10 @@ spec:
- subscriptionID
properties:
clientID:
- description: if both this and ClientSecret are left unset MSI will be used
+ description: 'Auth: Azure Service Principal: The ClientID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientSecret and TenantID must also be set.'
type: string
clientSecretSecretRef:
- description: if both this and ClientID are left unset MSI will be used
+ description: 'Auth: Azure Service Principal: A reference to a Secret containing the password associated with the Service Principal. If set, ClientID and TenantID must also be set.'
type: object
required:
- name
@@ -782,14 +856,14 @@ spec:
description: name of the DNS zone that should be used
type: string
managedIdentity:
- description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
+ description: 'Auth: Azure Workload Identity or Azure Managed Service Identity: Settings to enable Azure Workload Identity or Azure Managed Service Identity If set, ClientID, ClientSecret and TenantID must not be set.'
type: object
properties:
clientID:
description: client ID of the managed identity, can not be used at the same time as resourceID
type: string
resourceID:
- description: resource ID of the managed identity, can not be used at the same time as clientID
+ description: resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity
type: string
resourceGroupName:
description: resource group the DNS zone is located in
@@ -798,7 +872,7 @@ spec:
description: ID of the Azure subscription
type: string
tenantID:
- description: when specifying ClientID and ClientSecret then this field is also needed
+ description: 'Auth: Azure Service Principal: The TenantID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientID and ClientSecret must also be set.'
type: string
cloudDNS:
description: Use the Google Cloud DNS API to manage DNS01 challenge records.
@@ -1004,13 +1078,13 @@ spec:
maxLength: 253
minLength: 1
namespace:
- description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core"
+ description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core"
type: string
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
port:
- description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n "
+ description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n "
type: integer
format: int32
maximum: 65535
@@ -1224,7 +1298,7 @@ spec:
- topologyKey
properties:
labelSelector:
- description: A label query over a set of resources, in this case pods.
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
@@ -1254,6 +1328,18 @@ spec:
additionalProperties:
type: string
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
namespaceSelector:
description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
type: object
@@ -1307,7 +1393,7 @@ spec:
- topologyKey
properties:
labelSelector:
- description: A label query over a set of resources, in this case pods.
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
@@ -1337,6 +1423,18 @@ spec:
additionalProperties:
type: string
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
namespaceSelector:
description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
type: object
@@ -1397,7 +1495,7 @@ spec:
- topologyKey
properties:
labelSelector:
- description: A label query over a set of resources, in this case pods.
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
@@ -1427,6 +1525,18 @@ spec:
additionalProperties:
type: string
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
namespaceSelector:
description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
type: object
@@ -1480,7 +1590,7 @@ spec:
- topologyKey
properties:
labelSelector:
- description: A label query over a set of resources, in this case pods.
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
@@ -1510,6 +1620,18 @@ spec:
additionalProperties:
type: string
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
namespaceSelector:
description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
type: object
@@ -1669,7 +1791,7 @@ metadata:
app.kubernetes.io/name: 'cert-manager'
app.kubernetes.io/instance: "cert-manager"
# Generated labels
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
spec:
group: cert-manager.io
names:
@@ -1873,10 +1995,10 @@ spec:
- subscriptionID
properties:
clientID:
- description: if both this and ClientSecret are left unset MSI will be used
+ description: 'Auth: Azure Service Principal: The ClientID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientSecret and TenantID must also be set.'
type: string
clientSecretSecretRef:
- description: if both this and ClientID are left unset MSI will be used
+ description: 'Auth: Azure Service Principal: A reference to a Secret containing the password associated with the Service Principal. If set, ClientID and TenantID must also be set.'
type: object
required:
- name
@@ -1899,14 +2021,14 @@ spec:
description: name of the DNS zone that should be used
type: string
managedIdentity:
- description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
+ description: 'Auth: Azure Workload Identity or Azure Managed Service Identity: Settings to enable Azure Workload Identity or Azure Managed Service Identity If set, ClientID, ClientSecret and TenantID must not be set.'
type: object
properties:
clientID:
description: client ID of the managed identity, can not be used at the same time as resourceID
type: string
resourceID:
- description: resource ID of the managed identity, can not be used at the same time as clientID
+ description: resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity
type: string
resourceGroupName:
description: resource group the DNS zone is located in
@@ -1915,7 +2037,7 @@ spec:
description: ID of the Azure subscription
type: string
tenantID:
- description: when specifying ClientID and ClientSecret then this field is also needed
+ description: 'Auth: Azure Service Principal: The TenantID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientID and ClientSecret must also be set.'
type: string
cloudDNS:
description: Use the Google Cloud DNS API to manage DNS01 challenge records.
@@ -2121,13 +2243,13 @@ spec:
maxLength: 253
minLength: 1
namespace:
- description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core"
+ description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core"
type: string
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
port:
- description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n "
+ description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n "
type: integer
format: int32
maximum: 65535
@@ -2341,7 +2463,7 @@ spec:
- topologyKey
properties:
labelSelector:
- description: A label query over a set of resources, in this case pods.
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
@@ -2371,6 +2493,18 @@ spec:
additionalProperties:
type: string
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
namespaceSelector:
description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
type: object
@@ -2424,7 +2558,7 @@ spec:
- topologyKey
properties:
labelSelector:
- description: A label query over a set of resources, in this case pods.
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
@@ -2454,6 +2588,18 @@ spec:
additionalProperties:
type: string
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
namespaceSelector:
description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
type: object
@@ -2514,7 +2660,7 @@ spec:
- topologyKey
properties:
labelSelector:
- description: A label query over a set of resources, in this case pods.
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
@@ -2544,6 +2690,18 @@ spec:
additionalProperties:
type: string
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
namespaceSelector:
description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
type: object
@@ -2597,7 +2755,7 @@ spec:
- topologyKey
properties:
labelSelector:
- description: A label query over a set of resources, in this case pods.
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
@@ -2627,6 +2785,18 @@ spec:
additionalProperties:
type: string
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
namespaceSelector:
description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
type: object
@@ -2744,6 +2914,11 @@ spec:
type: array
items:
type: string
+ issuingCertificateURLs:
+ description: IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details. As an example, such a URL might be "http://ca.domain.com/ca.crt".
+ type: array
+ items:
+ type: string
ocspServers:
description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
type: array
@@ -2989,7 +3164,7 @@ metadata:
app.kubernetes.io/name: 'cert-manager'
app.kubernetes.io/instance: "cert-manager"
# Generated labels
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
spec:
group: cert-manager.io
names:
@@ -3193,10 +3368,10 @@ spec:
- subscriptionID
properties:
clientID:
- description: if both this and ClientSecret are left unset MSI will be used
+ description: 'Auth: Azure Service Principal: The ClientID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientSecret and TenantID must also be set.'
type: string
clientSecretSecretRef:
- description: if both this and ClientID are left unset MSI will be used
+ description: 'Auth: Azure Service Principal: A reference to a Secret containing the password associated with the Service Principal. If set, ClientID and TenantID must also be set.'
type: object
required:
- name
@@ -3219,14 +3394,14 @@ spec:
description: name of the DNS zone that should be used
type: string
managedIdentity:
- description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
+ description: 'Auth: Azure Workload Identity or Azure Managed Service Identity: Settings to enable Azure Workload Identity or Azure Managed Service Identity If set, ClientID, ClientSecret and TenantID must not be set.'
type: object
properties:
clientID:
description: client ID of the managed identity, can not be used at the same time as resourceID
type: string
resourceID:
- description: resource ID of the managed identity, can not be used at the same time as clientID
+ description: resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity
type: string
resourceGroupName:
description: resource group the DNS zone is located in
@@ -3235,7 +3410,7 @@ spec:
description: ID of the Azure subscription
type: string
tenantID:
- description: when specifying ClientID and ClientSecret then this field is also needed
+ description: 'Auth: Azure Service Principal: The TenantID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientID and ClientSecret must also be set.'
type: string
cloudDNS:
description: Use the Google Cloud DNS API to manage DNS01 challenge records.
@@ -3441,13 +3616,13 @@ spec:
maxLength: 253
minLength: 1
namespace:
- description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core"
+ description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core"
type: string
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
port:
- description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n "
+ description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n "
type: integer
format: int32
maximum: 65535
@@ -3661,7 +3836,7 @@ spec:
- topologyKey
properties:
labelSelector:
- description: A label query over a set of resources, in this case pods.
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
@@ -3691,6 +3866,18 @@ spec:
additionalProperties:
type: string
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
namespaceSelector:
description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
type: object
@@ -3744,7 +3931,7 @@ spec:
- topologyKey
properties:
labelSelector:
- description: A label query over a set of resources, in this case pods.
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
@@ -3774,6 +3961,18 @@ spec:
additionalProperties:
type: string
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
namespaceSelector:
description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
type: object
@@ -3834,7 +4033,7 @@ spec:
- topologyKey
properties:
labelSelector:
- description: A label query over a set of resources, in this case pods.
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
@@ -3864,6 +4063,18 @@ spec:
additionalProperties:
type: string
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
namespaceSelector:
description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
type: object
@@ -3917,7 +4128,7 @@ spec:
- topologyKey
properties:
labelSelector:
- description: A label query over a set of resources, in this case pods.
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
@@ -3947,6 +4158,18 @@ spec:
additionalProperties:
type: string
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
namespaceSelector:
description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
type: object
@@ -4064,6 +4287,11 @@ spec:
type: array
items:
type: string
+ issuingCertificateURLs:
+ description: IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details. As an example, such a URL might be "http://ca.domain.com/ca.crt".
+ type: array
+ items:
+ type: string
ocspServers:
description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
type: array
@@ -4309,7 +4537,7 @@ metadata:
app.kubernetes.io/name: 'cert-manager'
app.kubernetes.io/instance: 'cert-manager'
# Generated labels
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
spec:
group: acme.cert-manager.io
names:
diff --git a/tests/vendor/cert-manager/cert-manager.yaml b/tests/vendor/cert-manager/cert-manager.yaml
index e4363b08b..99ead8853 100644
--- a/tests/vendor/cert-manager/cert-manager.yaml
+++ b/tests/vendor/cert-manager/cert-manager.yaml
@@ -27,7 +27,7 @@ metadata:
app.kubernetes.io/name: 'cert-manager'
app.kubernetes.io/instance: 'cert-manager'
# Generated labels
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
spec:
group: cert-manager.io
names:
@@ -225,7 +225,7 @@ metadata:
app.kubernetes.io/name: 'cert-manager'
app.kubernetes.io/instance: 'cert-manager'
# Generated labels
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
spec:
group: cert-manager.io
names:
@@ -387,9 +387,83 @@ spec:
name:
description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
+ profile:
+ description: "Profile specifies the key and certificate encryption algorithms and the HMAC algorithm used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility. \n If provided, allowed values are: `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20. `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility. `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms (eg. because of company policy). Please note that the security of the algorithm is not that important in reality, because the unencrypted certificate and private key are also stored in the Secret."
+ type: string
+ enum:
+ - LegacyRC2
+ - LegacyDES
+ - Modern2023
literalSubject:
description: "Requested X.509 certificate subject, represented using the LDAP \"String Representation of a Distinguished Name\" [1]. Important: the LDAP string format also specifies the order of the attributes in the subject, this is important when issuing certs for LDAP authentication. Example: `CN=foo,DC=corp,DC=example,DC=com` More info [1]: https://datatracker.ietf.org/doc/html/rfc4514 More info: https://github.com/cert-manager/cert-manager/issues/3203 More info: https://github.com/cert-manager/cert-manager/issues/4424 \n Cannot be set if the `subject` or `commonName` field is set. This is an Alpha Feature and is only enabled with the `--feature-gates=LiteralCertificateSubject=true` option set on both the controller and webhook components."
type: string
+ nameConstraints:
+ description: "x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate. More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 \n This is an Alpha Feature and is only enabled with the `--feature-gates=NameConstraints=true` option set on both the controller and webhook components."
+ type: object
+ properties:
+ critical:
+ description: if true then the name constraints are marked critical.
+ type: boolean
+ excluded:
+ description: Excluded contains the constraints which must be disallowed. Any name matching a restriction in the excluded field is invalid regardless of information appearing in the permitted
+ type: object
+ properties:
+ dnsDomains:
+ description: DNSDomains is a list of DNS domains that are permitted or excluded.
+ type: array
+ items:
+ type: string
+ emailAddresses:
+ description: EmailAddresses is a list of Email Addresses that are permitted or excluded.
+ type: array
+ items:
+ type: string
+ ipRanges:
+ description: IPRanges is a list of IP Ranges that are permitted or excluded. This should be a valid CIDR notation.
+ type: array
+ items:
+ type: string
+ uriDomains:
+ description: URIDomains is a list of URI domains that are permitted or excluded.
+ type: array
+ items:
+ type: string
+ permitted:
+ description: Permitted contains the constraints in which the names must be located.
+ type: object
+ properties:
+ dnsDomains:
+ description: DNSDomains is a list of DNS domains that are permitted or excluded.
+ type: array
+ items:
+ type: string
+ emailAddresses:
+ description: EmailAddresses is a list of Email Addresses that are permitted or excluded.
+ type: array
+ items:
+ type: string
+ ipRanges:
+ description: IPRanges is a list of IP Ranges that are permitted or excluded. This should be a valid CIDR notation.
+ type: array
+ items:
+ type: string
+ uriDomains:
+ description: URIDomains is a list of URI domains that are permitted or excluded.
+ type: array
+ items:
+ type: string
+ otherNames:
+ description: '`otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37 Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`. Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3 You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.'
+ type: array
+ items:
+ type: object
+ properties:
+ oid:
+ description: OID is the object identifier for the otherName SAN. The object identifier must be expressed as a dotted string, for example, "1.2.840.113556.1.4.221".
+ type: string
+ utf8Value:
+ description: utf8Value is the string value of the otherName SAN. The utf8Value accepts any valid UTF8 string to set as value for the otherName SAN.
+ type: string
privateKey:
description: Private key options. These include the key algorithm and size, the used encoding and the rotation policy.
type: object
@@ -596,7 +670,7 @@ metadata:
app.kubernetes.io/name: 'cert-manager'
app.kubernetes.io/instance: 'cert-manager'
# Generated labels
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
spec:
group: acme.cert-manager.io
names:
@@ -761,10 +835,10 @@ spec:
- subscriptionID
properties:
clientID:
- description: if both this and ClientSecret are left unset MSI will be used
+ description: 'Auth: Azure Service Principal: The ClientID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientSecret and TenantID must also be set.'
type: string
clientSecretSecretRef:
- description: if both this and ClientID are left unset MSI will be used
+ description: 'Auth: Azure Service Principal: A reference to a Secret containing the password associated with the Service Principal. If set, ClientID and TenantID must also be set.'
type: object
required:
- name
@@ -787,14 +861,14 @@ spec:
description: name of the DNS zone that should be used
type: string
managedIdentity:
- description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
+ description: 'Auth: Azure Workload Identity or Azure Managed Service Identity: Settings to enable Azure Workload Identity or Azure Managed Service Identity If set, ClientID, ClientSecret and TenantID must not be set.'
type: object
properties:
clientID:
description: client ID of the managed identity, can not be used at the same time as resourceID
type: string
resourceID:
- description: resource ID of the managed identity, can not be used at the same time as clientID
+ description: resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity
type: string
resourceGroupName:
description: resource group the DNS zone is located in
@@ -803,7 +877,7 @@ spec:
description: ID of the Azure subscription
type: string
tenantID:
- description: when specifying ClientID and ClientSecret then this field is also needed
+ description: 'Auth: Azure Service Principal: The TenantID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientID and ClientSecret must also be set.'
type: string
cloudDNS:
description: Use the Google Cloud DNS API to manage DNS01 challenge records.
@@ -1009,13 +1083,13 @@ spec:
maxLength: 253
minLength: 1
namespace:
- description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core"
+ description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core"
type: string
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
port:
- description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n "
+ description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n "
type: integer
format: int32
maximum: 65535
@@ -1229,7 +1303,7 @@ spec:
- topologyKey
properties:
labelSelector:
- description: A label query over a set of resources, in this case pods.
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
@@ -1259,6 +1333,18 @@ spec:
additionalProperties:
type: string
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
namespaceSelector:
description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
type: object
@@ -1312,7 +1398,7 @@ spec:
- topologyKey
properties:
labelSelector:
- description: A label query over a set of resources, in this case pods.
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
@@ -1342,6 +1428,18 @@ spec:
additionalProperties:
type: string
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
namespaceSelector:
description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
type: object
@@ -1402,7 +1500,7 @@ spec:
- topologyKey
properties:
labelSelector:
- description: A label query over a set of resources, in this case pods.
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
@@ -1432,6 +1530,18 @@ spec:
additionalProperties:
type: string
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
namespaceSelector:
description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
type: object
@@ -1485,7 +1595,7 @@ spec:
- topologyKey
properties:
labelSelector:
- description: A label query over a set of resources, in this case pods.
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
@@ -1515,6 +1625,18 @@ spec:
additionalProperties:
type: string
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
namespaceSelector:
description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
type: object
@@ -1674,7 +1796,7 @@ metadata:
app.kubernetes.io/name: 'cert-manager'
app.kubernetes.io/instance: "cert-manager"
# Generated labels
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
spec:
group: cert-manager.io
names:
@@ -1878,10 +2000,10 @@ spec:
- subscriptionID
properties:
clientID:
- description: if both this and ClientSecret are left unset MSI will be used
+ description: 'Auth: Azure Service Principal: The ClientID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientSecret and TenantID must also be set.'
type: string
clientSecretSecretRef:
- description: if both this and ClientID are left unset MSI will be used
+ description: 'Auth: Azure Service Principal: A reference to a Secret containing the password associated with the Service Principal. If set, ClientID and TenantID must also be set.'
type: object
required:
- name
@@ -1904,14 +2026,14 @@ spec:
description: name of the DNS zone that should be used
type: string
managedIdentity:
- description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
+ description: 'Auth: Azure Workload Identity or Azure Managed Service Identity: Settings to enable Azure Workload Identity or Azure Managed Service Identity If set, ClientID, ClientSecret and TenantID must not be set.'
type: object
properties:
clientID:
description: client ID of the managed identity, can not be used at the same time as resourceID
type: string
resourceID:
- description: resource ID of the managed identity, can not be used at the same time as clientID
+ description: resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity
type: string
resourceGroupName:
description: resource group the DNS zone is located in
@@ -1920,7 +2042,7 @@ spec:
description: ID of the Azure subscription
type: string
tenantID:
- description: when specifying ClientID and ClientSecret then this field is also needed
+ description: 'Auth: Azure Service Principal: The TenantID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientID and ClientSecret must also be set.'
type: string
cloudDNS:
description: Use the Google Cloud DNS API to manage DNS01 challenge records.
@@ -2126,13 +2248,13 @@ spec:
maxLength: 253
minLength: 1
namespace:
- description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core"
+ description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core"
type: string
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
port:
- description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n "
+ description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n "
type: integer
format: int32
maximum: 65535
@@ -2346,7 +2468,7 @@ spec:
- topologyKey
properties:
labelSelector:
- description: A label query over a set of resources, in this case pods.
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
@@ -2376,6 +2498,18 @@ spec:
additionalProperties:
type: string
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
namespaceSelector:
description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
type: object
@@ -2429,7 +2563,7 @@ spec:
- topologyKey
properties:
labelSelector:
- description: A label query over a set of resources, in this case pods.
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
@@ -2459,6 +2593,18 @@ spec:
additionalProperties:
type: string
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
namespaceSelector:
description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
type: object
@@ -2519,7 +2665,7 @@ spec:
- topologyKey
properties:
labelSelector:
- description: A label query over a set of resources, in this case pods.
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
@@ -2549,6 +2695,18 @@ spec:
additionalProperties:
type: string
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
namespaceSelector:
description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
type: object
@@ -2602,7 +2760,7 @@ spec:
- topologyKey
properties:
labelSelector:
- description: A label query over a set of resources, in this case pods.
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
@@ -2632,6 +2790,18 @@ spec:
additionalProperties:
type: string
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
namespaceSelector:
description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
type: object
@@ -2749,6 +2919,11 @@ spec:
type: array
items:
type: string
+ issuingCertificateURLs:
+ description: IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details. As an example, such a URL might be "http://ca.domain.com/ca.crt".
+ type: array
+ items:
+ type: string
ocspServers:
description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
type: array
@@ -2994,7 +3169,7 @@ metadata:
app.kubernetes.io/name: 'cert-manager'
app.kubernetes.io/instance: "cert-manager"
# Generated labels
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
spec:
group: cert-manager.io
names:
@@ -3198,10 +3373,10 @@ spec:
- subscriptionID
properties:
clientID:
- description: if both this and ClientSecret are left unset MSI will be used
+ description: 'Auth: Azure Service Principal: The ClientID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientSecret and TenantID must also be set.'
type: string
clientSecretSecretRef:
- description: if both this and ClientID are left unset MSI will be used
+ description: 'Auth: Azure Service Principal: A reference to a Secret containing the password associated with the Service Principal. If set, ClientID and TenantID must also be set.'
type: object
required:
- name
@@ -3224,14 +3399,14 @@ spec:
description: name of the DNS zone that should be used
type: string
managedIdentity:
- description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
+ description: 'Auth: Azure Workload Identity or Azure Managed Service Identity: Settings to enable Azure Workload Identity or Azure Managed Service Identity If set, ClientID, ClientSecret and TenantID must not be set.'
type: object
properties:
clientID:
description: client ID of the managed identity, can not be used at the same time as resourceID
type: string
resourceID:
- description: resource ID of the managed identity, can not be used at the same time as clientID
+ description: resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity
type: string
resourceGroupName:
description: resource group the DNS zone is located in
@@ -3240,7 +3415,7 @@ spec:
description: ID of the Azure subscription
type: string
tenantID:
- description: when specifying ClientID and ClientSecret then this field is also needed
+ description: 'Auth: Azure Service Principal: The TenantID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientID and ClientSecret must also be set.'
type: string
cloudDNS:
description: Use the Google Cloud DNS API to manage DNS01 challenge records.
@@ -3446,13 +3621,13 @@ spec:
maxLength: 253
minLength: 1
namespace:
- description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core"
+ description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core"
type: string
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
port:
- description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n "
+ description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n "
type: integer
format: int32
maximum: 65535
@@ -3666,7 +3841,7 @@ spec:
- topologyKey
properties:
labelSelector:
- description: A label query over a set of resources, in this case pods.
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
@@ -3696,6 +3871,18 @@ spec:
additionalProperties:
type: string
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
namespaceSelector:
description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
type: object
@@ -3749,7 +3936,7 @@ spec:
- topologyKey
properties:
labelSelector:
- description: A label query over a set of resources, in this case pods.
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
@@ -3779,6 +3966,18 @@ spec:
additionalProperties:
type: string
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
namespaceSelector:
description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
type: object
@@ -3839,7 +4038,7 @@ spec:
- topologyKey
properties:
labelSelector:
- description: A label query over a set of resources, in this case pods.
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
@@ -3869,6 +4068,18 @@ spec:
additionalProperties:
type: string
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
namespaceSelector:
description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
type: object
@@ -3922,7 +4133,7 @@ spec:
- topologyKey
properties:
labelSelector:
- description: A label query over a set of resources, in this case pods.
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
@@ -3952,6 +4163,18 @@ spec:
additionalProperties:
type: string
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
namespaceSelector:
description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
type: object
@@ -4069,6 +4292,11 @@ spec:
type: array
items:
type: string
+ issuingCertificateURLs:
+ description: IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details. As an example, such a URL might be "http://ca.domain.com/ca.crt".
+ type: array
+ items:
+ type: string
ocspServers:
description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
type: array
@@ -4314,7 +4542,7 @@ metadata:
app.kubernetes.io/name: 'cert-manager'
app.kubernetes.io/instance: 'cert-manager'
# Generated labels
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
spec:
group: acme.cert-manager.io
names:
@@ -4498,7 +4726,7 @@ metadata:
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "cainjector"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
---
# Source: cert-manager/templates/serviceaccount.yaml
apiVersion: v1
@@ -4512,7 +4740,7 @@ metadata:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
---
# Source: cert-manager/templates/webhook-serviceaccount.yaml
apiVersion: v1
@@ -4526,35 +4754,7 @@ metadata:
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "webhook"
- app.kubernetes.io/version: "v1.13.3"
----
-# Source: cert-manager/templates/controller-config.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: cert-manager
- namespace: cert-manager
- labels:
- app: cert-manager
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.13.3"
-data:
----
-# Source: cert-manager/templates/webhook-config.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: cert-manager-webhook
- namespace: cert-manager
- labels:
- app: webhook
- app.kubernetes.io/name: webhook
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "webhook"
- app.kubernetes.io/version: "v1.13.3"
-data:
+ app.kubernetes.io/version: "v1.14.1"
---
# Source: cert-manager/templates/cainjector-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -4566,7 +4766,7 @@ metadata:
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "cainjector"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates"]
@@ -4598,7 +4798,7 @@ metadata:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
rules:
- apiGroups: ["cert-manager.io"]
resources: ["issuers", "issuers/status"]
@@ -4624,7 +4824,7 @@ metadata:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
rules:
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers", "clusterissuers/status"]
@@ -4650,7 +4850,7 @@ metadata:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
@@ -4685,7 +4885,7 @@ metadata:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
rules:
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders", "orders/status"]
@@ -4723,7 +4923,7 @@ metadata:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
rules:
# Use to update challenge resource status
- apiGroups: ["acme.cert-manager.io"]
@@ -4783,7 +4983,7 @@ metadata:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests"]
@@ -4820,7 +5020,7 @@ metadata:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
rules:
- apiGroups: ["cert-manager.io"]
@@ -4837,7 +5037,7 @@ metadata:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
rbac.authorization.k8s.io/aggregate-to-view: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
@@ -4860,7 +5060,7 @@ metadata:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
@@ -4885,7 +5085,7 @@ metadata:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "cert-manager"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
rules:
- apiGroups: ["cert-manager.io"]
resources: ["signers"]
@@ -4905,7 +5105,7 @@ metadata:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "cert-manager"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
rules:
- apiGroups: ["certificates.k8s.io"]
resources: ["certificatesigningrequests"]
@@ -4931,7 +5131,7 @@ metadata:
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "webhook"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
rules:
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
@@ -4947,7 +5147,7 @@ metadata:
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "cainjector"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
@@ -4967,7 +5167,7 @@ metadata:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
@@ -4987,7 +5187,7 @@ metadata:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
@@ -5007,7 +5207,7 @@ metadata:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
@@ -5027,7 +5227,7 @@ metadata:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
@@ -5047,7 +5247,7 @@ metadata:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
@@ -5067,7 +5267,7 @@ metadata:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
@@ -5087,7 +5287,7 @@ metadata:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "cert-manager"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
@@ -5107,7 +5307,7 @@ metadata:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "cert-manager"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
@@ -5127,7 +5327,7 @@ metadata:
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "webhook"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
@@ -5150,7 +5350,7 @@ metadata:
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "cainjector"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
rules:
# Used for leader election by the controller
# cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
@@ -5176,7 +5376,7 @@ metadata:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
rules:
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
@@ -5197,7 +5397,7 @@ metadata:
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "webhook"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
rules:
- apiGroups: [""]
resources: ["secrets"]
@@ -5222,7 +5422,7 @@ metadata:
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "cainjector"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@@ -5245,7 +5445,7 @@ metadata:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@@ -5267,7 +5467,7 @@ metadata:
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "webhook"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@@ -5289,7 +5489,7 @@ metadata:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
spec:
type: ClusterIP
ports:
@@ -5313,7 +5513,7 @@ metadata:
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "webhook"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
spec:
type: ClusterIP
ports:
@@ -5337,9 +5537,10 @@ metadata:
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "cainjector"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
spec:
replicas: 1
+ revisionHistoryLimit:
selector:
matchLabels:
app.kubernetes.io/name: cainjector
@@ -5352,7 +5553,7 @@ spec:
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "cainjector"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
spec:
serviceAccountName: cert-manager-cainjector
enableServiceLinks: false
@@ -5362,7 +5563,7 @@ spec:
type: RuntimeDefault
containers:
- name: cert-manager-cainjector
- image: "quay.io/jetstack/cert-manager-cainjector:v1.13.3"
+ image: "quay.io/jetstack/cert-manager-cainjector:v1.14.1"
imagePullPolicy: IfNotPresent
args:
- --v=2
@@ -5377,6 +5578,7 @@ spec:
capabilities:
drop:
- ALL
+ readOnlyRootFilesystem: true
nodeSelector:
kubernetes.io/os: linux
---
@@ -5391,9 +5593,10 @@ metadata:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
spec:
replicas: 1
+ revisionHistoryLimit:
selector:
matchLabels:
app.kubernetes.io/name: cert-manager
@@ -5406,7 +5609,7 @@ spec:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
annotations:
prometheus.io/path: "/metrics"
prometheus.io/scrape: 'true'
@@ -5420,13 +5623,13 @@ spec:
type: RuntimeDefault
containers:
- name: cert-manager-controller
- image: "quay.io/jetstack/cert-manager-controller:v1.13.3"
+ image: "quay.io/jetstack/cert-manager-controller:v1.14.1"
imagePullPolicy: IfNotPresent
args:
- --v=2
- --cluster-resource-namespace=$(POD_NAMESPACE)
- --leader-election-namespace=kube-system
- - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.13.3
+ - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.14.1
- --max-concurrent-challenges=60
ports:
- containerPort: 9402
@@ -5440,11 +5643,25 @@ spec:
capabilities:
drop:
- ALL
+ readOnlyRootFilesystem: true
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
+ # LivenessProbe settings are based on those used for the Kubernetes
+ # controller-manager. See:
+ # https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245
+ livenessProbe:
+ httpGet:
+ port: http-healthz
+ path: /livez
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 15
+ successThreshold: 1
+ failureThreshold: 8
nodeSelector:
kubernetes.io/os: linux
---
@@ -5459,9 +5676,10 @@ metadata:
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "webhook"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
spec:
replicas: 1
+ revisionHistoryLimit:
selector:
matchLabels:
app.kubernetes.io/name: webhook
@@ -5474,7 +5692,7 @@ spec:
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "webhook"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
spec:
serviceAccountName: cert-manager-webhook
enableServiceLinks: false
@@ -5484,7 +5702,7 @@ spec:
type: RuntimeDefault
containers:
- name: cert-manager-webhook
- image: "quay.io/jetstack/cert-manager-webhook:v1.13.3"
+ image: "quay.io/jetstack/cert-manager-webhook:v1.14.1"
imagePullPolicy: IfNotPresent
args:
- --v=2
@@ -5527,6 +5745,7 @@ spec:
capabilities:
drop:
- ALL
+ readOnlyRootFilesystem: true
env:
- name: POD_NAMESPACE
valueFrom:
@@ -5545,7 +5764,7 @@ metadata:
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "webhook"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
annotations:
cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
webhooks:
@@ -5553,20 +5772,18 @@ webhooks:
rules:
- apiGroups:
- "cert-manager.io"
- - "acme.cert-manager.io"
apiVersions:
- "v1"
operations:
- CREATE
- - UPDATE
resources:
- - "*/*"
+ - "certificaterequests"
admissionReviewVersions: ["v1"]
# This webhook only accepts v1 cert-manager resources.
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
# this webhook (after the resources have been converted to v1).
matchPolicy: Equivalent
- timeoutSeconds: 10
+ timeoutSeconds: 30
failurePolicy: Fail
# Only include 'sideEffects' field in Kubernetes 1.12+
sideEffects: None
@@ -5586,15 +5803,15 @@ metadata:
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "webhook"
- app.kubernetes.io/version: "v1.13.3"
+ app.kubernetes.io/version: "v1.14.1"
annotations:
cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
webhooks:
- name: webhook.cert-manager.io
namespaceSelector:
matchExpressions:
- - key: "cert-manager.io/disable-validation"
- operator: "NotIn"
+ - key: cert-manager.io/disable-validation
+ operator: NotIn
values:
- "true"
rules:
@@ -5613,7 +5830,7 @@ webhooks:
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
# this webhook (after the resources have been converted to v1).
matchPolicy: Equivalent
- timeoutSeconds: 10
+ timeoutSeconds: 30
failurePolicy: Fail
sideEffects: None
clientConfig:
diff --git a/tests/vendor/kpack/release-0.12.3.yaml b/tests/vendor/kpack/release-0.13.2.yaml
similarity index 95%
rename from tests/vendor/kpack/release-0.12.3.yaml
rename to tests/vendor/kpack/release-0.13.2.yaml
index ad4e5d2b1..1b1c916b5 100644
--- a/tests/vendor/kpack/release-0.12.3.yaml
+++ b/tests/vendor/kpack/release-0.13.2.yaml
@@ -109,6 +109,9 @@ spec:
- name: Ready
type: string
jsonPath: .status.conditions[?(@.type=="Ready")].status
+ - name: UpToDate
+ type: string
+ jsonPath: .status.conditions[?(@.type=="UpToDate")].status
conversion:
strategy: Webhook
webhook:
@@ -203,6 +206,9 @@ spec:
- name: Ready
type: string
jsonPath: .status.conditions[?(@.type=="Ready")].status
+ - name: UpToDate
+ type: string
+ jsonPath: .status.conditions[?(@.type=="UpToDate")].status
names:
kind: ClusterBuilder
listKind: ClusterBuilderList
@@ -365,7 +371,7 @@ metadata:
name: build-init-image
namespace: kpack
data:
- image: gcr.io/cf-build-service-public/kpack/build-init@sha256:92c6835bb9ea48c90042df0f96eef1b34e06ccf593c39ab79831e4b21f374423
+ image: gcr.io/cf-build-service-public/kpack/build-init@sha256:fb6d8b324e2f041adb4766d65eec7bee884f84b272eb3ecf0a5c739e96a07b33
---
apiVersion: v1
kind: ConfigMap
@@ -373,7 +379,7 @@ metadata:
name: build-init-windows-image
namespace: kpack
data:
- image: gcr.io/cf-build-service-public/kpack/build-init-windows@sha256:c3eb52275df6d6abef7841741cc2106920b4f6f509da2d5d9334aaf671fbe584
+ image: gcr.io/cf-build-service-public/kpack/build-init-windows@sha256:e38940a1d2137c8aa5a94368a206cc78a1b54bd6a09a825a66df0f9cc08c8652
---
apiVersion: v1
kind: ConfigMap
@@ -381,7 +387,7 @@ metadata:
name: build-waiter-image
namespace: kpack
data:
- image: gcr.io/cf-build-service-public/kpack/build-waiter@sha256:549daf44199a7e94afd8cbbcbe8837185d597d1a61548d27eafafd83bb1fa1bc
+ image: gcr.io/cf-build-service-public/kpack/build-waiter@sha256:1422962f7a08c701f362fa043fce889bb4537579ce9dea256625a745356812dc
---
apiVersion: v1
kind: ConfigMap
@@ -389,7 +395,7 @@ metadata:
name: rebase-image
namespace: kpack
data:
- image: gcr.io/cf-build-service-public/kpack/rebase@sha256:955f76d02b4885d08f25071246021feae1a5622f5f8032ee53b1f23b689c7f2a
+ image: gcr.io/cf-build-service-public/kpack/rebase@sha256:8db2aceeb340f8686db8b603bbec4aec1682e237b514b8ee05a778714ede5938
---
apiVersion: v1
kind: ConfigMap
@@ -397,7 +403,7 @@ metadata:
name: lifecycle-image
namespace: kpack
data:
- image: gcr.io/cf-build-service-public/kpack/lifecycle@sha256:0b1cd35012f7152053c42e0d6835cbb5b7c9c24207a0627f556bd931e678f8d7
+ image: gcr.io/cf-build-service-public/kpack/lifecycle@sha256:199043ac6fd40f772decb804ca92cdcbb22b76cf8db622761e25c39c2925d3b7
---
apiVersion: v1
kind: ConfigMap
@@ -405,7 +411,7 @@ metadata:
name: completion-image
namespace: kpack
data:
- image: gcr.io/cf-build-service-public/kpack/completion@sha256:9a7b149ec23fa85bee6dbbc5fbc1e6d65228685768e56709967499cc66fe62df
+ image: gcr.io/cf-build-service-public/kpack/completion@sha256:591b577d8286f3eb7583660c59990aa3939878dd69dd1a99897e09d2dc962806
---
apiVersion: v1
kind: ConfigMap
@@ -413,7 +419,7 @@ metadata:
name: completion-windows-image
namespace: kpack
data:
- image: gcr.io/cf-build-service-public/kpack/completion-windows@sha256:82d62a33b017680904975e33f76cd7256f3a987b84bd1e774a4262958ff9c43f
+ image: gcr.io/cf-build-service-public/kpack/completion-windows@sha256:f3fb747b55278fabe808ba1b8447b30cd6857567b73acb2bad3123afb509d453
---
apiVersion: apps/v1
kind: Deployment
@@ -429,7 +435,7 @@ spec:
metadata:
labels:
app: kpack-controller
- version: 0.12.3
+ version: 0.13.2
spec:
securityContext:
runAsNonRoot: true
@@ -450,12 +456,14 @@ spec:
capabilities:
drop:
- ALL
- image: gcr.io/cf-build-service-public/kpack/controller@sha256:6a6e49d1bed164f151d2f8b9fbe24edd6a99c467fd6a747fb7b061a4c3529fc5
+ image: gcr.io/cf-build-service-public/kpack/controller@sha256:c401a8c1d45f9a24d36568a2f202fd78363cb3ed0dddb36b95e7cc65fc6f536c
env:
- name: ENABLE_PRIORITY_CLASSES
value: "false"
- name: INJECTED_SIDECAR_SUPPORT
value: "false"
+ - name: EXPERIMENTAL_GENERATE_SLSA_ATTESTATION
+ value: "false"
- name: INSECURE_SSH_TRUST_UNKNOWN_HOSTS
value: "true"
- name: CONFIG_LOGGING_NAME
@@ -468,6 +476,8 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
+ - name: SYSTEM_SERVICE_ACCOUNT
+ value: controller
- name: BUILD_INIT_IMAGE
valueFrom:
configMapKeyRef:
@@ -552,6 +562,7 @@ rules:
resources:
- secrets
- pods/log
+ - namespaces
verbs:
- get
- apiGroups:
@@ -857,7 +868,7 @@ spec:
labels:
app: kpack-webhook
role: webhook
- version: 0.12.3
+ version: 0.13.2
spec:
securityContext:
runAsNonRoot: true
@@ -878,7 +889,7 @@ spec:
capabilities:
drop:
- ALL
- image: gcr.io/cf-build-service-public/kpack/webhook@sha256:c5eed46c43ffeed170d4a7047734fb102a8af21681cad66badff578464692eb3
+ image: gcr.io/cf-build-service-public/kpack/webhook@sha256:1064ab5d533f841461eded30980395710b195f36d7e3199e8ef04979d35fa077
ports:
- name: https-webhook
containerPort: 8443