diff --git a/operators/cert-manager/1.13.1/bundle.Dockerfile b/operators/cert-manager/1.13.1/bundle.Dockerfile
new file mode 100644
index 00000000000..41011075483
--- /dev/null
+++ b/operators/cert-manager/1.13.1/bundle.Dockerfile
@@ -0,0 +1,21 @@
+FROM scratch
+
+# Core bundle labels.
+LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1
+LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
+LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
+LABEL operators.operatorframework.io.bundle.package.v1=cert-manager
+LABEL operators.operatorframework.io.bundle.channels.v1=candidate,stable
+LABEL operators.operatorframework.io.bundle.channel.default.v1=stable
+LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.25.0
+LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
+LABEL operators.operatorframework.io.metrics.project_layout=unknown
+
+# Labels for testing.
+LABEL operators.operatorframework.io.test.mediatype.v1=scorecard+v1
+LABEL operators.operatorframework.io.test.config.v1=tests/scorecard/
+
+# Copy files to locations specified by labels.
+COPY ./manifests /manifests/
+COPY ./metadata /metadata/
+COPY ./tests/scorecard /tests/scorecard/
diff --git a/operators/cert-manager/1.13.1/manifests/acme.cert-manager.io_challenges.yaml b/operators/cert-manager/1.13.1/manifests/acme.cert-manager.io_challenges.yaml
new file mode 100644
index 00000000000..1f331e48ca7
--- /dev/null
+++ b/operators/cert-manager/1.13.1/manifests/acme.cert-manager.io_challenges.yaml
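Review bot: The channel labels on the `bundle.channels.v1=candidate,stable` and `bundle.channel.default.v1=stable` lines are only one of two places OLM reads this information; the bundle's `metadata/annotations.yaml` carries the same keys and is not part of this hunk, so the two should be checked against each other before the bundle is indexed. A mismatch there is presumably not caught by the image build itself, only by a bundle validation step, so it is worth confirming that step runs for this directory. The `COPY ./tests/scorecard /tests/scorecard/` line likewise assumes that directory exists in the bundle tree, which this hunk does not show.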
@@ -0,0 +1,1267 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + app: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/version: v1.13.1 + name: challenges.acme.cert-manager.io +spec: + group: acme.cert-manager.io + names: + categories: + - cert-manager + - cert-manager-acme + kind: Challenge + listKind: ChallengeList + plural: challenges + singular: challenge + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.dnsName + name: Domain + type: string + - jsonPath: .status.reason + name: Reason + priority: 1 + type: string + - description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: Challenge is a type to represent a Challenge request with an + ACME server + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + authorizationURL: + description: The URL to the ACME Authorization resource that this + challenge is a part of. + type: string + dnsName: + description: dnsName is the identifier that this challenge is for, + e.g. example.com. If the requested DNSName is a 'wildcard', this + field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, + it must be `example.com`. + type: string + issuerRef: + description: References a properly configured ACME-type Issuer which + should be used to create this Challenge. If the Issuer does not + exist, processing will be retried. If the Issuer is not an 'ACME' + Issuer, an error will be returned and the Challenge will be marked + as failed. + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + required: + - name + type: object + key: + description: 'The ACME challenge key for this challenge For HTTP01 + challenges, this is the value that must be responded with to complete + the HTTP01 challenge in the format: `.`. For DNS01 challenges, this is + the base64 encoded SHA256 sum of the `.` text that must be set as the TXT + record content.' + type: string + solver: + description: Contains the domain solving configuration that should + be used to solve this challenge resource. + properties: + dns01: + description: Configures cert-manager to attempt to complete authorizations + by performing the DNS01 challenge flow. + properties: + acmeDNS: + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + properties: + accountSecretRef: + description: A reference to a specific 'key' within a + Secret resource. 
In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: Use the Akamai DNS zone management API to manage + DNS01 challenge records. + properties: + accessTokenSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientSecretSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientTokenSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. 
+ properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azureDNS: + description: Use the Microsoft Azure DNS API to manage DNS01 + challenge records. + properties: + clientID: + description: if both this and ClientSecret are left unset + MSI will be used + type: string + clientSecretSecretRef: + description: if both this and ClientID are left unset + MSI will be used + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + environment: + description: name of the Azure environment (default AzurePublicCloud) + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + description: name of the DNS zone that should be used + type: string + managedIdentity: + description: managed identity configuration, can not be + used at the same time as clientID, clientSecretSecretRef + or tenantID + properties: + clientID: + description: client ID of the managed identity, can + not be used at the same time as resourceID + type: string + resourceID: + description: resource ID of the managed identity, + can not be used at the same time as clientID + type: string + type: object + resourceGroupName: + description: resource group the DNS zone is located in + type: string + subscriptionID: + description: ID of the Azure subscription + type: string + tenantID: + description: when specifying ClientID and ClientSecret + then this field is also needed + type: string + required: + - resourceGroupName + - subscriptionID + type: object + cloudDNS: + description: Use the Google Cloud DNS API to manage DNS01 + challenge records. + properties: + hostedZoneName: + description: HostedZoneName is an optional field that + tells cert-manager in which Cloud DNS zone the challenge + record has to be created. If left empty cert-manager + will automatically choose a zone. + type: string + project: + type: string + serviceAccountSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. 
+ type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - project + type: object + cloudflare: + description: Use the Cloudflare API to manage DNS01 challenge + records. + properties: + apiKeySecretRef: + description: 'API key to use to authenticate with Cloudflare. + Note: using an API token to authenticate is now the + recommended method as it allows greater control of permissions.' + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + apiTokenSecretRef: + description: API token used to authenticate with Cloudflare. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + email: + description: Email of the account, only required when + using API key based authentication. + type: string + type: object + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + enum: + - None + - Follow + type: string + digitalocean: + description: Use the DigitalOcean DNS API to manage DNS01 + challenge records. + properties: + tokenSecretRef: + description: A reference to a specific 'key' within a + Secret resource. 
In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: Use RFC2136 ("Dynamic Updates in the Domain Name + System") (https://datatracker.ietf.org/doc/rfc2136/) to + manage DNS01 challenge records. + properties: + nameserver: + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed in + square brackets (e.g [2001:db8::1]) ; port is optional. + This field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the DNS + supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values are + (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, + ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. + If ``tsigSecretSecretRef`` is defined, this field is + required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the TSIG + value. If ``tsigKeyName`` is defined, this field is + required. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: Use the AWS Route53 API to manage DNS01 challenge + records. + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + Cannot be set when SecretAccessKeyID is set. If neither + the Access Key nor Key ID are set, we fall-back to using + env vars, shared credentials file or AWS Instance metadata, + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + accessKeyIDSecretRef: + description: 'The SecretAccessKey is used for authentication. + If set, pull the AWS access key ID from a key within + a Kubernetes Secret. Cannot be set when AccessKeyID + is set. If neither the Access Key nor Key ID are set, + we fall-back to using env vars, shared credentials file + or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + hostedZoneID: + description: If set, the provider will manage only this + zone in Route53 and will not do an lookup using the + route53:ListHostedZonesByName api call. 
+ type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 provider + will assume using either the explicit credentials AccessKeyID/SecretAccessKey + or the inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: 'The SecretAccessKey is used for authentication. + If neither the Access Key nor Key ID are set, we fall-back + to using env vars, shared credentials file or AWS Instance + metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: Configure an external webhook based DNS01 challenge + solver to manage DNS01 challenge records. + properties: + config: + description: Additional configuration that should be passed + to the webhook apiserver when challenges are processed. + This can contain arbitrary JSON data. Secret values + should not be specified in this stanza. If secret values + are needed (e.g. credentials for a DNS service), you + should use a SecretKeySelector to reference a Secret + resource. For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used when + POSTing ChallengePayload resources to the webhook apiserver. 
+ This should be the same as the GroupName specified in + the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will typically + be the name of the provider, e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: Configures cert-manager to attempt to complete authorizations + by performing the HTTP01 challenge flow. It is not possible + to obtain certificates for wildcard domain names (e.g. `*.example.com`) + using the HTTP01 challenge mechanism. + properties: + gatewayHTTPRoute: + description: The Gateway API is a sig-network community API + that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). + The Gateway solver will create HTTPRoutes with the specified + labels in the same namespace as the challenge. This solver + is experimental, and fields / behaviour may change in the + future. + properties: + labels: + additionalProperties: + type: string + description: Custom labels that will be applied to HTTPRoutes + created by cert-manager while solving HTTP-01 challenges. + type: object + parentRefs: + description: 'When solving an HTTP-01 challenge, cert-manager + creates an HTTPRoute. cert-manager needs to know which + parentRefs should be used when creating the HTTPRoute. + Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways' + items: + description: "ParentReference identifies an API object + (usually a Gateway) that can be considered a parent + of this resource (usually a route). There are two + kinds of parent resources with \"Core\" support: \n + * Gateway (Gateway conformance profile) * Service + (Mesh conformance profile, experimental, ClusterIP + Services only) \n This API may be extended in the + future to support additional kinds of parent resources. 
+ \n The API object must be valid in the cluster; the + Group and Kind must be registered in the cluster for + this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. + When unspecified, \"gateway.networking.k8s.io\" + is inferred. To set the core API group (such as + for a \"Service\" kind referent), Group must be + explicitly set to \"\" (empty string). \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n There + are two kinds of parent resources with \"Core\" + support: \n * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, experimental, + ClusterIP Services only) \n Support for other + resources is Implementation-Specific." + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. + \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the + referent. When unspecified, this refers to the + local namespace of the Route. \n Note that there + are specific rules for ParentRefs which cross + namespace boundaries. Cross-namespace references + are only valid if they are explicitly allowed + by something in the namespace they are referring + to. For example: Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way + to enable any other kind of cross-namespace reference. + \n ParentRefs from a Route to a Service in the + same namespace are \"producer\" routes, which + apply default routing rules to inbound connections + from any namespace to the Service. 
\n ParentRefs + from a Route to a Service in a different namespace + are \"consumer\" routes, and these routing rules + are only applied to outbound connections originating + from the same namespace as the Route, for which + the intended destination of the connections are + a Service targeted as a ParentRef of the Route. + \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route + targets. It can be interpreted differently based + on the type of parent resource. \n When the parent + resource is a Gateway, this targets all listeners + listening on the specified port that also support + this kind of Route(and select this Route). It's + not recommended to set `Port` unless the networking + behaviors specified in a Route must apply to a + specific port as opposed to a listener(s) whose + port(s) may be changed. When both Port and SectionName + are specified, the name and port of the selected + listener must match both specified values. \n + When the parent resource is a Service, this targets + a specific port in the Service spec. When both + Port (experimental) and SectionName are specified, + the name and port of the selected port must match + both specified values. \n Implementations MAY + choose to support other parent resources. Implementations + supporting other types of parent resources MUST + clearly document how/if Port is interpreted. \n + For the purpose of status, an attachment is considered + successful as long as the parent resource accepts + it partially. For example, Gateway listeners can + restrict which Routes can attach to them by Route + kind, namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from the referencing + Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment + from this Route, the Route MUST be considered + detached from the Gateway. 
\n Support: Extended + \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section + within the target resource. In the following resources, + SectionName is interpreted as the following: \n + * Gateway: Listener Name. When both Port (experimental) + and SectionName are specified, the name and port + of the selected listener must match both specified + values. * Service: Port Name. When both Port (experimental) + and SectionName are specified, the name and port + of the selected listener must match both specified + values. Note that attaching Routes to Services + as Parents is part of experimental Mesh support + and is not supported for any other purpose. \n + Implementations MAY choose to support attaching + Routes to other resources. If that is the case, + they MUST clearly document how SectionName is + interpreted. \n When unspecified (empty string), + this will reference the entire resource. For the + purpose of status, an attachment is considered + successful if at least one section in the parent + resource accepts it. For example, Gateway listeners + can restrict which Routes can attach to them by + Route kind, namespace, or hostname. If 1 of 2 + Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment + from this Route, the Route MUST be considered + detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + type: array + serviceType: + description: Optional service type for Kubernetes solver + service. Supported values are NodePort or ClusterIP. + If unset, defaults to NodePort. 
+ type: string + type: object + ingress: + description: The ingress based HTTP01 challenge solver will + solve challenges by creating or modifying Ingress resources + in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + properties: + class: + description: This field configures the annotation `kubernetes.io/ingress.class` + when creating Ingress resources to solve ACME challenges + that use this challenge solver. Only one of `class`, + `name` or `ingressClassName` may be specified. + type: string + ingressClassName: + description: This field configures the field `ingressClassName` + on the created Ingress resources used to solve ACME + challenges that use this challenge solver. This is the + recommended way of configuring the ingress class. Only + one of `class`, `name` or `ingressClassName` may be + specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 challenges. + properties: + metadata: + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. If labels or + annotations overlap with in-built values, the values + here will override the in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be added + to the created ACME HTTP01 solver ingress. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added to the + created ACME HTTP01 solver ingress. + type: object + type: object + type: object + name: + description: The name of the ingress resource that should + have ACME challenge solving routes inserted into it + in order to solve HTTP01 challenges. 
This is typically + used in conjunction with ingress controllers like ingress-gce, + which maintains a 1:1 mapping between external IPs and + ingress resources. Only one of `class`, `name` or `ingressClassName` + may be specified. + type: string + podTemplate: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + spec: + properties: + affinity: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + 
labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + 
properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + imagePullSecrets: + items: + properties: + name: + type: string + type: object + 
x-kubernetes-map-type: atomic + type: array + nodeSelector: + additionalProperties: + type: string + type: object + priorityClassName: + type: string + serviceAccountName: + type: string + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes solver + service. Supported values are NodePort or ClusterIP. + If unset, defaults to NodePort. + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver has + a more specific match, it will be used instead. + properties: + dnsNames: + description: List of DNSNames that this solver will be used + to solve. If specified and a match is found, a dnsNames + selector will take precedence over a dnsZones selector. + If multiple solvers match with the same dnsNames value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will be used + to solve. The most specific DNS zone match specified here + will take precedence over other DNS zone matches, so a solver + specifying sys.example.com will be selected over one specifying + example.com for the domain www.sys.example.com. If multiple + solvers match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. 
+ items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine the set + of certificate's that this challenge solver will apply to. + type: object + type: object + type: object + token: + description: The ACME challenge token for this challenge. This is + the raw value returned from the ACME server. + type: string + type: + description: The type of ACME challenge this resource represents. + One of "HTTP-01" or "DNS-01". + enum: + - HTTP-01 + - DNS-01 + type: string + url: + description: The URL of the ACME Challenge resource for this challenge. + This can be used to lookup details about the status of this challenge. + type: string + wildcard: + description: wildcard will be true if this challenge is for a wildcard + identifier, for example '*.example.com'. + type: boolean + required: + - authorizationURL + - dnsName + - issuerRef + - key + - solver + - token + - type + - url + type: object + status: + properties: + presented: + description: presented will be set to true if the challenge values + for this challenge are currently 'presented'. This *does not* imply + the self check is passing. Only that the values have been 'submitted' + for the appropriate challenge mechanism (i.e. the DNS01 TXT record + has been presented, or the HTTP01 configuration has been configured). + type: boolean + processing: + description: Used to denote whether this challenge should be processed + or not. This field will only be set to true by the 'scheduling' + component. It will only be set to false by the 'challenges' controller, + after the challenge has reached a final state or timed out. If this + field is set to false, the challenge controller will not take any + more action. + type: boolean + reason: + description: Contains human readable information on why the Challenge + is in the current state. + type: string + state: + description: Contains the current 'state' of the challenge. 
If not + set, the state of the challenge is unknown. + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/cert-manager/1.13.1/manifests/acme.cert-manager.io_orders.yaml b/operators/cert-manager/1.13.1/manifests/acme.cert-manager.io_orders.yaml new file mode 100644 index 00000000000..007911e8286 --- /dev/null +++ b/operators/cert-manager/1.13.1/manifests/acme.cert-manager.io_orders.yaml 
@@ -0,0 +1,248 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + app: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/version: v1.13.1 + name: orders.acme.cert-manager.io +spec: + group: acme.cert-manager.io + names: + categories: + - cert-manager + - cert-manager-acme + kind: Order + listKind: OrderList + plural: orders + singular: order + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - jsonPath: .status.reason + name: Reason + priority: 1 + type: string + - description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: Order is a type to represent an Order with an ACME server + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + commonName: + description: CommonName is the common name as specified on the DER + encoded CSR. If specified, this value must also be present in `dnsNames` + or `ipAddresses`. This field must match the corresponding field + on the DER encoded CSR. + type: string + dnsNames: + description: DNSNames is a list of DNS names that should be included + as part of the Order validation process. This field must match the + corresponding field on the DER encoded CSR. + items: + type: string + type: array + duration: + description: Duration is the duration for the not after date for the + requested certificate. this is set on order creation as pe the ACME + spec. + type: string + ipAddresses: + description: IPAddresses is a list of IP addresses that should be + included as part of the Order validation process. This field must + match the corresponding field on the DER encoded CSR. + items: + type: string + type: array + issuerRef: + description: IssuerRef references a properly configured ACME-type + Issuer which should be used to create this Order. If the Issuer + does not exist, processing will be retried. If the Issuer is not + an 'ACME' Issuer, an error will be returned and the Order will be + marked as failed. + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + required: + - name + type: object + request: + description: Certificate signing request bytes in DER encoding. This + will be used when finalizing the order. This field must be set on + the order. 
+ format: byte + type: string + required: + - issuerRef + - request + type: object + status: + properties: + authorizations: + description: Authorizations contains data returned from the ACME server + on what authorizations must be completed in order to validate the + DNS names specified on the Order. + items: + description: ACMEAuthorization contains data returned from the ACME + server on an authorization that must be completed in order validate + a DNS name on an ACME Order resource. + properties: + challenges: + description: Challenges specifies the challenge types offered + by the ACME server. One of these challenge types will be selected + when validating the DNS name and an appropriate Challenge + resource will be created to perform the ACME challenge process. + items: + description: Challenge specifies a challenge offered by the + ACME server for an Order. An appropriate Challenge resource + can be created to perform the ACME challenge process. + properties: + token: + description: Token is the token that must be presented + for this challenge. This is used to compute the 'key' + that must also be presented. + type: string + type: + description: Type is the type of challenge being offered, + e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is + the raw value retrieved from the ACME server. Only 'http-01' + and 'dns-01' are supported by cert-manager, other values + will be ignored. + type: string + url: + description: URL is the URL of this challenge. It can + be used to retrieve additional metadata about the Challenge + from the ACME server. + type: string + required: + - token + - type + - url + type: object + type: array + identifier: + description: Identifier is the DNS name to be validated as part + of this authorization + type: string + initialState: + description: InitialState is the initial state of the ACME authorization + when first fetched from the ACME server. 
If an Authorization + is already 'valid', the Order controller will not create a + Challenge resource for the authorization. This will occur + when working with an ACME server that enables 'authz reuse' + (such as Let's Encrypt's production endpoint). If not set + and 'identifier' is set, the state is assumed to be pending + and a Challenge will be created. + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + url: + description: URL is the URL of the Authorization that must be + completed + type: string + wildcard: + description: Wildcard will be true if this authorization is + for a wildcard DNS name. If this is true, the identifier will + be the *non-wildcard* version of the DNS name. For example, + if '*.example.com' is the DNS name being validated, this field + will be 'true' and the 'identifier' field will be 'example.com'. + type: boolean + required: + - url + type: object + type: array + certificate: + description: Certificate is a copy of the PEM encoded certificate + for this Order. This field will be populated after the order has + been successfully finalized with the ACME server, and the order + has transitioned to the 'valid' state. + format: byte + type: string + failureTime: + description: FailureTime stores the time that this order failed. This + is used to influence garbage collection and back-off. + format: date-time + type: string + finalizeURL: + description: FinalizeURL of the Order. This is used to obtain certificates + for this order once it has been completed. + type: string + reason: + description: Reason optionally provides more information about a why + the order is in the current state. + type: string + state: + description: State contains the current state of this Order resource. + States 'success' and 'expired' are 'final' + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + url: + description: URL of the Order. 
This will initially be empty when the + resource is first created. The Order controller will populate this + field when the Order is first processed. This field will be immutable + after it is initially set. + type: string + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/cert-manager/1.13.1/manifests/cert-manager-cluster-view_rbac.authorization.k8s.io_v1_clusterrole.yaml b/operators/cert-manager/1.13.1/manifests/cert-manager-cluster-view_rbac.authorization.k8s.io_v1_clusterrole.yaml new file mode 100644 index 00000000000..c5bdaf73374 --- /dev/null +++ b/operators/cert-manager/1.13.1/manifests/cert-manager-cluster-view_rbac.authorization.k8s.io_v1_clusterrole.yaml @@ -0,0 +1,21 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + labels: + app: cert-manager + app.kubernetes.io/component: controller + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/version: v1.13.1 + rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" + name: cert-manager-cluster-view +rules: +- apiGroups: + - cert-manager.io + resources: + - clusterissuers + verbs: + - get + - list + - watch diff --git a/operators/cert-manager/1.13.1/manifests/cert-manager-edit_rbac.authorization.k8s.io_v1_clusterrole.yaml b/operators/cert-manager/1.13.1/manifests/cert-manager-edit_rbac.authorization.k8s.io_v1_clusterrole.yaml new file mode 100644 index 00000000000..5407a5cdbe4 --- /dev/null +++ b/operators/cert-manager/1.13.1/manifests/cert-manager-edit_rbac.authorization.k8s.io_v1_clusterrole.yaml 
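Review bot: The `status.state` description in the orders CRD says "States 'success' and 'expired' are 'final'", but the `enum` directly beneath it has no `success` value (it allows valid, ready, pending, processing, invalid, expired, errored), so the documented final state can never appear and a client checking for it would wait forever. The same hunk carries a typo in the `spec.duration` description (`as pe the ACME spec`). Both strings are copied verbatim from the upstream v1.13.1 CRD, so the correction belongs in the upstream API type comments and should be regenerated into this bundle rather than patched here, otherwise the next bundle refresh reintroduces it.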
@@ -0,0 +1,43 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + labels: + app: cert-manager + app.kubernetes.io/component: controller + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/version: v1.13.1 + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: cert-manager-edit +rules: +- apiGroups: + - cert-manager.io + resources: + - certificates + - certificaterequests + - issuers + verbs: + - create + - delete + - deletecollection + - patch + - update +- apiGroups: + - cert-manager.io + resources: + - certificates/status + verbs: + - update +- apiGroups: + - acme.cert-manager.io + resources: + - challenges + - orders + verbs: + - create + - delete + - deletecollection + - patch + - update diff --git a/operators/cert-manager/1.13.1/manifests/cert-manager-view_rbac.authorization.k8s.io_v1_clusterrole.yaml b/operators/cert-manager/1.13.1/manifests/cert-manager-view_rbac.authorization.k8s.io_v1_clusterrole.yaml new file mode 100644 index 00000000000..750afa6da59 --- /dev/null +++ b/operators/cert-manager/1.13.1/manifests/cert-manager-view_rbac.authorization.k8s.io_v1_clusterrole.yaml 
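Review bot: Subjects bound to the aggregated `edit`/`admin` roles receive `create`, `patch` and `update` on `orders` and `challenges`, which the ClusterServiceVersion in this same commit lists under `operators.operatorframework.io/internal-objects`; OLM-aware consoles use that annotation to hide these controller-owned types, yet RBAC still lets namespace users create them directly (the `cert-manager-view` role in the next hunk likewise exposes them for reading). This mirrors upstream cert-manager's aggregated roles, so it is probably intentional, but the bundle should state it where someone auditing RBAC will find it, e.g. a comment above the `acme.cert-manager.io` rule: `# Orders/Challenges are internal to the ACME flow but stay user-writable, matching upstream cert-manager-edit`. Note also that `certificates/status` is writable with `update`, which lets an editor set status conditions through the status subresource; confirm that this is wanted rather than carried over unexamined.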
@@ -0,0 +1,35 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + labels: + app: cert-manager + app.kubernetes.io/component: controller + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/version: v1.13.1 + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: cert-manager-view +rules: +- apiGroups: + - cert-manager.io + resources: + - certificates + - certificaterequests + - issuers + verbs: + - get + - list + - watch +- apiGroups: + - acme.cert-manager.io + resources: + - challenges + - orders + verbs: + - get + - list + - watch diff --git a/operators/cert-manager/1.13.1/manifests/cert-manager-webhook_v1_configmap.yaml b/operators/cert-manager/1.13.1/manifests/cert-manager-webhook_v1_configmap.yaml new file mode 100644 index 00000000000..5d668cffa6a --- /dev/null +++ b/operators/cert-manager/1.13.1/manifests/cert-manager-webhook_v1_configmap.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + labels: + app: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/name: webhook + app.kubernetes.io/version: v1.13.1 + name: cert-manager-webhook diff --git a/operators/cert-manager/1.13.1/manifests/cert-manager-webhook_v1_service.yaml b/operators/cert-manager/1.13.1/manifests/cert-manager-webhook_v1_service.yaml new file mode 100644 index 00000000000..0fb13bdeb12 --- /dev/null +++ b/operators/cert-manager/1.13.1/manifests/cert-manager-webhook_v1_service.yaml 
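Review bot: `data: null` in the `cert-manager-webhook` ConfigMap declares an object with no entries; if an empty map is intended, `data: {}` (or omitting the key) says so explicitly, whereas an explicit null is the one form that some YAML consumers and diff tools treat differently from an absent key. If the webhook is expected to read configuration from this ConfigMap, the bundle should document why it ships empty, e.g. `# Intentionally empty; webhook configuration is supplied out of band` if that is the case. This manifest is also the only one in the commit that omits `creationTimestamp: null` from `metadata`, which suggests it came from a different generator than the rest; harmless, but worth keeping consistent.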
@@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/name: webhook + app.kubernetes.io/version: v1.13.1 + name: cert-manager-webhook +spec: + ports: + - name: https + port: 443 + protocol: TCP + targetPort: https + selector: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/name: webhook + type: ClusterIP +status: + loadBalancer: {} diff --git a/operators/cert-manager/1.13.1/manifests/cert-manager.clusterserviceversion.yaml b/operators/cert-manager/1.13.1/manifests/cert-manager.clusterserviceversion.yaml new file mode 100644 index 00000000000..a8c1162e91d --- /dev/null +++ b/operators/cert-manager/1.13.1/manifests/cert-manager.clusterserviceversion.yaml 
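Review bot: The trailing `status.loadBalancer: {}` stanza on the webhook Service is a server-populated field that the apiserver ignores on create, and `metadata.creationTimestamp: null` likewise only exists because the manifest was serialised from a typed object; neither expresses anything the operator declares, so dropping them keeps the manifest to its real intent. The same artefacts appear in the CRD hunks (`status.acceptedNames`, `conditions: null`, `storedVersions: null`) and in every ClusterRole (`creationTimestamp: null`). If the bundle is regenerated by tooling on each release this is cosmetic; if it is curated by hand, strip them so reviewers can tell declared fields from server noise.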
@@ -0,0 +1,947 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: ClusterServiceVersion +metadata: + annotations: + alm-examples: |- + [ + { + "apiVersion": "cert-manager.io/v1", + "kind": "Issuer", + "metadata": { + "name": "example-issuer" + }, + "spec": { + "selfSigned": {} + } + }, + { + "apiVersion": "cert-manager.io/v1", + "kind": "ClusterIssuer", + "metadata": { + "name": "example-clusterissuer" + }, + "spec": { + "selfSigned": {} + } + }, + { + "apiVersion": "cert-manager.io/v1", + "kind": "Certificate", + "metadata": { + "name": "example-certificate" + }, + "spec": { + "dnsNames": [ + "example.com" + ], + "issuerRef": { + "name": "example-issuer" + }, + "secretName": "example-certificate-tls" + } + }, + { + "apiVersion": "cert-manager.io/v1", + "kind": "CertificateRequest", + "metadata": { + "name": "example-certificaterequest" + }, + "spec": {} + }, + { + "apiVersion": "acme.cert-manager.io/v1", + "kind": "Order", + "metadata": { + "name": "example-order" + }, + "spec": {} + }, + { + "apiVersion": "acme.cert-manager.io/v1", + "kind": "Challenge", + "metadata": { + "name": "example-challenge" + }, + "spec": {} + } + ] + capabilities: Full Lifecycle + categories: Security + containerImage: quay.io/jetstack/cert-manager-controller:v1.13.1 + createdAt: '2023-10-03T16:49:57' + olm.skipRange: '>=1.13.0 <1.13.1' + operators.operatorframework.io/builder: operator-sdk-v1.25.0 + operators.operatorframework.io/internal-objects: |- + [ + "challenges.acme.cert-manager.io", + "orders.acme.cert-manager.io" + ] + operators.operatorframework.io/project_layout: unknown + repository: https://github.com/cert-manager/cert-manager + support: The cert-manager maintainers + labels: + operatorframework.io/arch.amd64: supported + operatorframework.io/arch.arm64: supported + operatorframework.io/arch.ppc64le: supported + operatorframework.io/arch.s390x: supported + name: cert-manager.v1.13.1 + namespace: placeholder +spec: + apiservicedefinitions: {} + customresourcedefinitions: 
+ owned: + - description: "A CertificateRequest is used to request a signed certificate from\ + \ one of the configured issuers. \n All fields within the CertificateRequest's\ + \ `spec` are immutable after creation. A CertificateRequest will either succeed\ + \ or fail, as denoted by its `Ready` status condition and its `status.failureTime`\ + \ field. \n A CertificateRequest is a one-shot resource, meaning it represents\ + \ a single point in time request for a certificate and cannot be re-used." + displayName: CertificateRequest + kind: CertificateRequest + name: certificaterequests.cert-manager.io + version: v1 + - description: "A Certificate resource should be created to ensure an up to date\ + \ and signed X.509 certificate is stored in the Kubernetes Secret resource\ + \ named in `spec.secretName`. \n The stored certificate will be renewed before\ + \ it expires (as configured by `spec.renewBefore`)." + displayName: Certificate + kind: Certificate + name: certificates.cert-manager.io + version: v1 + - description: Challenge is a type to represent a Challenge request with an ACME + server + displayName: (Internal) Challenge + kind: Challenge + name: challenges.acme.cert-manager.io + version: v1 + - description: A ClusterIssuer represents a certificate issuing authority which + can be referenced as part of `issuerRef` fields. It is similar to an Issuer, + however it is cluster-scoped and therefore can be referenced by resources + that exist in *any* namespace, not just the same namespace as the referent. + displayName: ClusterIssuer + kind: ClusterIssuer + name: clusterissuers.cert-manager.io + version: v1 + - description: An Issuer represents a certificate issuing authority which can + be referenced as part of `issuerRef` fields. It is scoped to a single namespace + and can therefore only be referenced by resources within the same namespace. 
+ displayName: Issuer + kind: Issuer + name: issuers.cert-manager.io + version: v1 + - description: Order is a type to represent an Order with an ACME server + displayName: (Internal) Order + kind: Order + name: orders.acme.cert-manager.io + version: v1 + description: | + cert-manager is a Kubernetes add-on to automate the management and issuance of TLS certificates from various issuing sources. + It will ensure certificates are valid and up to date periodically, and attempt to renew certificates at an appropriate time before expiry. + + cert-manager has the following [built in issuers][]: + + * ACME: sign certificates using Let's Encrypt (or any other [ACME][] compliant signer). + * Vault: sign certificates using HashiCorp Vault. + * Venafi: sign certificates using Venafi Cloud or Venafi Trust Protection Platform. + * SelfSigned: the private key of the certificate will be used to sign the certificate. + * CA: a private key stored as a Kubernetes Secret will be used to sign the certificate. + + [built in issuers]: https://cert-manager.io/docs/configuration/#supported-issuer-types + [ACME]: https://datatracker.ietf.org/doc/html/rfc8555 + + cert-manager also supports [external issuers][], + which are out-of-tree components that provide support for other certificate authorities, such as: + [Google Cloud Certificate Authority](https://github.com/jetstack/google-cas-issuer), + [AWS Private Certificate Authority](https://github.com/cert-manager/aws-privateca-issuer), and + [Cloudflare Origin CA](https://github.com/cloudflare/origin-ca-issuer) + + [external issuers]: https://cert-manager.io/docs/configuration/external/ + + In order to configure cert-manager to issue certificates, you must first create an Issuer or ClusterIssuer. + These resources represent a particular signing authority and tell cert-manager how to handle your certificate requests. + The [Issuer Documentation][] has more detail. 
+ + [configure cert-manager]: https://cert-manager.io/docs/configuration/ + [Issuer Documentation]: https://cert-manager.io/docs/concepts/issuer/ + + Once an Issuer has been configured, you can create a Certificate resource, + which is a definition of a certificate request that is to be honored by an issuer + and which is to be kept up-to-date. + This is the usual way that you will interact with cert-manager to request signed certificates. + The [Certificate Documentation][] has more detail. + + [Certificate Documentation]: https://cert-manager.io/docs/usage/certificate/ + displayName: cert-manager + icon: + - base64data: iVBORw0KGgoAAAANSUhEUgAAAQAAAAD3CAYAAADykopzAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAAABmJLR0QA/wD/AP+gvaeTAAAACXBIWXMAAC4jAAAuIwF4pT92AAAAB3RJTUUH4wsNDyoByo6RwwAAfbRJREFUeNrtnXd4HNd19n8zs33RQbD33nsRRYpU783q7iV27MQtiZ04TmI7juM4jvsXx0ns2InVLcnqXaREiRJFUuy9kyAIkETfxfadmfv9cXcXCxDAzjYQJPE+z7JsmZk7c8+5557yHoVBFBQLv1Tf20deYAwwDZgBTAHGAsOACsADOAAt8X0TiAMRIAT4gXagBWgCziZejYn/twI+IACEgRggCjQsFbADbqAEKAeqgBpgaGIMwxL/r06MpywxJlfit2riWEbi2oKJ8TQCJ4HDwH7gIFCX+LwLtv1yVFGe2aUM5XxfwMWCXgS/GlgIrAYuQwr9EKQgFeLeG3QqiSDQgRSqNqSiaEEqhjY6lUMIiCZ+pyeOY0MKqRMptKVIAa5ECnp14lWJFO5SpEJLCrdG/hBIxdUMHAI2Am8D2xJj6IJBZVAYDCqAPNGD4GvAHOBDwC3ATKTADwQYaS+TTgtBQa7QWtprICAM7AVeAp4B9iSuPYVBRZAfBhVAHugm/DbkKv8Z4GakSTyIwuEs8CLwO2ATaYpgUAnkjkEFkAN6WPXnA18E7kaayYMoHlqBPwK/BHalfzCoCLLHoALIEt2Evwb4PPAFYHD29S9OAf8J/AbpBAUGlUC2GFQAFtFN8BXgWuDbwMrzfW2XON4BvgesSX9zUBFYw6ACsIBuwl8JfBX4MtJDPojzjxbg/yVe7ck3B5VAZgwqgAzoJvxzgB8gnXyD925gQSCdhH+HjBYAg0ogEwYncS/oweS/E/hXYOr5vrZB9IkDwN8Cz6W/OagIesagAugB3YTfhTT3/w6ZBDOIgY824PvAfyCTpIBBJdATBhVAN3QT/iHAPwGfRWa8DeLCQRz4NfAdpI8AGFQC3TGoANLQTfgnAj8Dbj/f1zWIvPAs8FfA8eQbg0qgE4MKIIFuwr8QmWiy/HxfVz4QqT96+HcPUNL+0eO/L1xsQCZq7Ui+MagEJC6CZ5s/ugn/NUjhn36+rysThJDCLIR8KYp8aSrYVAW7DRw2BYddwWGT/7drCpoGqqKgJerzDBNMITAMiBuCmC6IxyGmJ/6tg24KDPPccynIvy8A7AO+BLyVfGNQCQwqgO7Cfy/wU2D0+b6udKQLOYCqgNOu4HUpVJSoVJdq1JSr1JRrDClTqSzVKPeqlLoVPE
4Fl0MqAFtC+DUFFEVJCa48tsAQYBigJ5RAJCYIRQUdYYEvaNLaYdDsN2nyGTT7TFr8Bu1Bk0BEEIsLzMT1pSuHAYY64C+RqcTAoBIYgM+of9BN8DWko+9fGADJPUKQEiZNBY9TYUiZxqghGuOG2hg/zMboITaGVmhUlqh4XVLA+2slFgKiuiAYEbQHTM62G5xq0qlt1DlxVqe+xaDFbxCKSqsBpNIaIJZCC/BN4LfIikjg0lUEA+OR9DO6Cb8T+BoyzOc9H9cjAGHKv20aVHhVRtfYmDrKzowxdiaOsDGySq7qDtvAfmQxXdAeNDndYnD0tM6BujiH6uOcatZpD5roRmLboJ7XyRcE/hnp5I0m37wUlcDAnk1FQDfhLwP+Ebk37NcwX3KVVxQodSuMqbExa5yDeRMcTBttY0SVDa/r4ng8wYigoVXn4Kk4u47F2FMbp65JJxARCHHerIMYMnX4n5BEKsClpwQujhlmEd2Efzjwb8DH+us+JIVeVaGqRGXaaDuLpzpZMMnBhGE2yr1q/ie5AOALmhw/o7P9aIwPDkc5dCpOa4cp703/KgMBPAh8A8k3AFxaSuCSUQDdhH8a8AvghmKfVwCmKSd1VYnKzHF2Lp/hYvEUB2OH2nDaL5lH0COicUFto86WwzHe3xdh78k4bQFTWgb9t014BfgLJBUZcOkogUti9nUT/pVI029BMc9pJrz2XqfC1NF2rpjt4vIZTiYMHxT63hCNC46d0dmwL8L6PVEO1ccJRQWKIi2DImMrssrzveQbl4ISuKhnYjfBV4H7gR8i2XmLguRqP6JKY/kMJ9fMdzN7vJ1S96Vh3hcKHWGT3cfjrN0R5v0DUc60GimroIioRW4HniAtX+piVgQXrQLoJvylyHTQryX+XVAkzXyHDaaNtnPdAjer57oYW2MbKKGvc64X0ZURdCBeJ0grqrZR5+3dEd7YFuZQfZyYXtTtgR/4MTJCEEi+ebEqgQH62HNHD3x9U5Ehn7vp5KYvCJJOPa9TYf4kB7cu87B8upOKkv5f7WNxQSgmCIRN/CGZuOMLmvjDJoGwIBgxCccE0bjM7DOMzsQdVQVNVXDYZIKR26ngdaqUuBXKPCrlXvkq86iUuOTn5yMc2RYweX9/lBc3h9hxNEYoKoqlCEzgSeBbyH4FKVxsiuCiUgA9JPfcgQzzzCrkeZIrfqlbYdk0J3cs97B4ihO3s/i3MxqXwt3YblDfYlDXJBNvzrYZtHSY+EMmoagUdN0QmGZnyjB0ZhP2hqQlkLQKNBVsmoLTLrMKy7wq1aUqwys1Rg2xMWaIxshqG0Mr1H7LUwhFBVsOR3nu/RCbDkQJRIqmCHYjad9e4CJlIb4oFEAPq/4o4OvAn1Bgk98wwetSWD7Dyd0rvCya7MBRJKeeEOAPmdS3GBw9HefQqThHz+g0tBi0dhiEowLdSAh1t7z8Qpv0ScWRUiaJHAabBh6XSlWpyqhqjUkj7EwdbWdSInmpzFM8aygaF2w9HOOP7wXZeCBKMCJS9Q0FRAeSePSnQJeJdjEoggteAXQTfjuyGcffA4sLeR7DBJddYclUB/et8rJ0mrMo3vxgRFDXpLPvZJxdx2McrI9zusUgEDbRE4mrA60IJ70oCaRSKHWrjKzWmDbaztwJDmaOtTN6iA1PEaykaFyw6WCUJ94J8sGhGLG4KIaz8AMkychLdHZUuuCVwACZQtmjh1V/GtLJ9xEKmNKbTE6ZNc7Bh6/0snqOq+CTuLXD5MCpOFsORdlxLMaJszq+oIlhdgr6QBF2q0gWLwnkNqLCqzJhuI0FkxwsnuJk6mg7lQX2lYSignW7Ijz+doC9tfHUsysgAsAjSGvgUPoHF6oiuMCmVY+CX4HM5vsqMLlQ50lO4NFDNO65wsttyzxUlRZuwrYFTPbWxnhvX5RtR2LUNemEonIJHUCFMwVDeoGTx6kwbqiNRVMcXD7Txayx9oJmQbZ0mLywMcRT7wapbzaKoUAPAz9HKg
Nf+gcXmiK4oKZZD624rkHu9a+igP3sDBNKXArXL3Lz0atKmDTCVpDjRuKCg6fivLM7wvv7oxw/oxOOCdmY7xJKE0gvfvI4FSYOt3H5TBerZjuZMspesK3V0dNxHn4zyOvbwoQiBd8WGMCbwI8Sf1+QTsILQgH0sOrPAr4CPIAs6CkIknvY2eMdfOb6ElbOcmLT8r9Fje0GG/ZHWbM9zO4TcfxBuZm/lIS+L5gJ30ZFicrcCQ6uXeDisulOasrz1+m6IXhnT5T/fb2DvbVxoODWgA94HJldui/9gwtBEQxoBdCD4A8FPo1sxTW+kOcyTKgsUblrhYcPr/YyJM/JZwo40hDnjW1h3toZ4USjjm5cnOZ9oZDcJtg1mDDcxtXz3Fy7wMWkEfa871mTz+CxdUGefi9Ee9AsRrTgOLJV2f+R1qoMBrYiGLBTsYea/duQTr7LCnme5Ko/b6KDz99UyrLpzrwmm24I9pyI88LmEOv3RGjyJVb7AXunByZME1BgWIXGqtlObl3mYeZYB7Y89LIQ8P6BKL9+uYNdx2NAwZWxADYCP0E2KRnwXAMDblr2sOovRO7z7wTchTyXaYLXrfChyz188pqSvFZ93RDsOBrjmQ0h3tsXpT1oDq72BUDSKqgsUVk5y8ldK7zMGZ+fImjyGfx+TYBnN4QIFt43ABAGnkGmFG9P/2CgKYIBMz17Mff/FPgzYGShz2ea0sz8wi2lXDPfnbNJaJqw60SMp9YHWb8ngi8kBgW/CEgqggqvyqo5Lu5Z6WH2eEfOlpVhwprtYf7r5Q6On9GLsSUAmTj0K7p1MIaBowgGxDTtIYX3BiRF14pCnyvJQLNqjosv3laWl4f/SEOcJ9aHWLMtTGtgcMXvDyQVQXWpyvUL3dxzhTfvZ/jLFzpYvyeSYjsuAt5FJhG9zgDjITyv07WXFN6vIVN4C+bdT8IUMo33w6u9fOLakpxLdJt8Bs9uCPHMhhCnW4sSZx5EBiTzNEZWa9y1wsMdy70MKcvtefpDJg+uCfD420GCUVEsf40P+B9kElFD8s3zrQTO27TtofnmDcB3gaXFOJ9hwqhqjS/eVsaNi9w57fticcGbuyI8tDbA/rp4ypoYxPlDMttv5lg7H7+mhCvnunIqSDJNeHlLiF+90EFDq1GsLQHAJmSB0evpb54vRXBepm8PxJxfRfK1VxbjfKYJs8fb+drd5cyf6MjpGIfq4/zfGwHe2hkhEiuK4yhvpGfbQWFDjkZ6HcIA5Pw3TJlUdM18F5+8toTJI3PjeN1+NMZP/uhjb228mM+4FWkJ/D/OMyFpvz/HbsI/Gdly+65iXEtSFlbPcfFXd5UxZkj2e8VQVPD8xhAPvxngVLPRnzx1vY9LdC3xTTYKKfOoDKtUGT/MTplHYe2OCGfbjLyVgKrI5CivS+FUk0FLx8Dk/E+WaY+p0fj41SXctsyTU4n2ySadnz7t553dkWK2RjORDUq+CRxNvtnfSqBfH1s34b8CmU+9sBjnEgI0De5c7uGLt5VRkUOu+cFTcX79inQQxY2BYe5rKlSXaVSVqgwt1xhZrTF2qI2xNTZGVmtUl6p4XSqKAj/+o4+H3wzmZc6aAkZXa/zHl6oZUaXR1mFyutXg+FmdI/VxDjfIhiAtfkMmOg0AyyiZTLR6jos/vamUKaOytwbaAia/fMHP8++HZFFW8Z79eeUi7Lcp3U3470JSLo0txrmEkCvix68p4TPXl+ByZDfMmC54+YMwv321g7rmou4Hs8ZHryrh/tVeytySmaevVOVn3w/xvUfb8zqfYcKKmU5+9vmqHvfWkZjgbLvBzmMxnt8omXpEDucpBgwTxtZofPbGUm5a7MaepW8gHBP89rUOHn4zSCwuiqkEapFb4GeSb/SXEihYAU1f6Cb8n0Q23xxRjHOZQhbyfOHWUj51bWnWZB1n2w3+/Tk/v3s9QFugKCmjOUNT4ZPXlTBnvAOnXUHtxSQxTAhFTLYeifHBwWiWZ+kKIe
RKesVsV4+f2zSFCq/scbBqjotARHCgLn6+bxUgLTZfSLBxf5Rmv8m00Xa8LusP1K4pLJzswGVX2HU8RlwvmiVQgSxsOwPsAhix9Guc3vzTot+jwpS59YFuwv9ppPOjohjnMgWUe1S+fEcZd13uyfphbT8a4xfP+tl5PNZfVNRZQTfgdKvR5T0h5Hv1LZIarLZRp65JsgadbNLzXo01FSaP6GpC+0MmZ1oNStwqwyq1lJKs8Kr8+a2lHGmIs/1IbEBsB1RF9jF88t0ghxvifPXOsqwcwTZN4WPXlOBxKfz78x34Q2ax5sUQZK8KBdmshIVfqi+6JVBUC6Cb8N+H9HoWx9OfSBf92l1l3Lk8O+HXDXh+Y4gfPunjyGmZFTbAZD81xtFDbKyc1bkanzir87XftPL4OyHWbI+w5VCUo6d12gKyD18+SJbrfuTKEoZXyakSjQt+8ISPXz7v57WtYeqaDKaP6VxZXQ6FQNjk/QPRAeEYhE5SlYZWg00Ho5S6VaaMslsWZEWBmWMdVJeq7DgakyXcxRmbG1gFHCNRWVhsS6BoFkA34b8SufIXpfNuUvj/+u5yblqSXblAR9jkd68F+MM7QcKxonDKFRQnm3RicZHa2mgq6CaUeRSmjbYzolI6BaeMsnGgLs7DbwZyVgRCQFWpyoiqznUiFBXsPxmnPSjZhx9/O8CQcpXP3dhJvTi6xoZN6wwdDhRoKpxpM/jhkz5ONul8+roSSrJIBrv9Mg+qAj952p+q9SgCqpGy0gi8A8W1BIq+BUCG+n6KzPIrOJL54V/PQfhPtxr8/Fk/a7aHL4ikHkWBM60G/rDJELsUytE1Nn7yuSo0FYaUabgdSsr0njfBwRvbwtQ1GzmNTQgYVW3rQnPudSnMGe+gtcMkrks20iFlXQ3JcFR0yUcYSFAV6bj8/RsBGloMvnpnGcMrrRvCty7zAPDjp/34iqcExiBl5j6kNVA0FEUBpK3+HiQtd1HacAkBZW6Fv/hQGTdnKfyHTsX54VM+th2JDZg4diYoQGvApMlnpoROVWDi8J4fY7lXZUi5xskmI+c9zYRhXVuZOWwKf3VXGZ+4poS2gCQtnD2uq4/gcEMc3SAvayqdebjg91GRx391a5gmn8E37i3PKlR46zIPugE/fcZHIFy07cAiZGbsnwLhYlkBBTd4e/D431uMuyMEuJ0KX7ytjNsv82T12y2Ho/z979vYejhWtFVfCGkCJ19mAcxhRZHe/YaW3m16IZLtuA3e3x/lbFtuqz9IAe6p0KbMozJxhOT0WzTZ0UVBNPkM3tsXzcuHIgR4HApDK7TU/4sBVYEth2P8/e/b2HYkltVv71ju4c9vLcPlUIp2fchWdh9P/qeH2pm8UcwtwAxkYU/BzyEE2G0Kf3JDKfes9GY12d7eHeHfnvTR0FKc+L6ZWLWqSlVGVtuoKlExgdMtuty/6/ltNeI6nGzUu7wXiQne3x/l2Jk4tWd1apsMmnwG7QGTcDS3tGUBuB0K44d3XRn7qphrD5j810sdHK7PPY1WCCj1qHz9bumtf+mDME+uD9LiL05IVlPhUL3Otx9q4xv3lvca7uwORYF7r/ASCJv85tWOYoUI7cBfA28DBws/+gILZ5qG0oAvA5OKcdGqCg+s9vLxq71ZTbTXtob58R99NPvMooSohIBJw23cfpmHy2c6GV5lw5WQH19I8O6eCL99rSPnPTlIwaztpgBqG3W++0g7LR1GypfhsCt4Ew072gImkVh2y5RIOFZHpjkAI3HBb17pIBoXfOKaktQKDfDBoSi/erGD3SeyW0m7wxRw7QIXty6VkZwv3FzKkilOfvNqB1sORzHMwvtqNBXqmw2+91g7X7+7nOsXWttOaip84toSfCGTx94KFisBajLwJWS2oFnorUCxLIDlSPOl4BACbl7i5k9vKs0qs+vFzSF++rSftkBxhF9R4MbFbv7sllJG91BzUF2qcMdyD6OHaPzDg+155eifapZswu5Ehm
NVqcqcCXaCERvjhtoYU2NjTI3GqGob1WUqD64J8OhbwazGnSy1Tefub/GbvLQ5zOlWnfHDbNyzsrP9wu4TcbYdieZNoqoANeVal3uzaIqDyaMqeea9EI+/HeRMW+GtN1WFJp/JD5/wETfgFos+JYdN4fM3ldLqN3l5S7hYW8oPA48C7xf6wAXLA0hb/W1Ix19BuftA7qUvm+Hkb+8rz6oB5wsbQ0UN3Qghhf+b95VnpBVTVYV1OyM0+82cFYBNhesXulMhLK9LZdUcN7cs9XDdAjcLJjmYNMJOTblGiUtNNczIZq8qBKyY5eKqeZ0m8f66OM9vDBHXocSlctU8d+p+CgFv7YwQy93fmEJto0xgGl3T2UnIZZcNWBdOduIPmdQ1y9qDQprdigKhmGDbkRg15SpTLToGHXYZGTl0Ss/LuusDHqS/7kVAFDI3oGAKYMTSryX/uQT4x8RFFwymCVNG2vjWRyoYU2PdcHn5gzA/KWLIxhTSU/7tj1R0Ef4TZ3We2xhi57EYmgK+kMm7e6WZvL8unvvEVeQ5r5zjYlha+MphU3q1iOIGvL5NljFnc96bFruZO6Eza27N9gjv7pMJPtG44Op57hSpitupsH5PlGZf7ooNko5O2eprx9EYU0fbu9CD15RrrJrtYlS1Rn2LTmuHmfpdIaAosgZg+5EYQys1plgsK/a6VKaPtrPtSIzWjvzuQS8YA6wlQSZSKAVQjC3Ah5HJDAWDKaC6TOUvP1SeVZ33mu1hfvK0r5hJG4BcjdPN/s2HovzgDz5OnNFBkV5zVZFJR0aiYi7XMJeCTMapbzWYM6HnexWKmLQFTBpaDU6c1dm4P0owkv2k3HggypzxDsYNs9HYbvD6tjAg9+Bn2gz21MYYUSVN5QqvyuxxdvYXoA5AUaRFcag+TrPPQPrCOuFyKNx+mezI/Ni6AM9sCBFKNFgpBFQF2oImP/mjD4dNcgxYwZRRdv7yQ2V856F22gIFVwJDkLK1pZAHLYgCSDP/xwO3FvICBeC0KXzuxlIun+m0/LsN+6L8+I9+WjuKK/xJ0zSJmC54eG2AY6fjqf1wR6hzlVLVBDWZU8FhV/AFs48PGgbsPBZjxQwn/rBItArXOdmYbBeu09guW4VHYjIpJ9s9s6rIe7j7eIxhlRqBsKz6S97LmA4vbQ5z+QwXXpd8c9EUJ8++HypIEpAQcMMiN8v7eOYjqzX+4kPlnG03eH1bpKB+AVWRLcZ+9JQPj1N2g7aClbNcfPbGUn7+rJ+4UTillMBtyHqBk4VyBhbaArgWmFjQIwq4fbmHD62wvqPYdTzGD5/0yRh4EVN7hZD7v/QW2KaAaByUNPWfvhKYAmaNtfNnt5SiaQrferCNliz9AYoKL24Ksf1ojI6QiS8oBV1P0yXJ5CZFgVz9cooCHWGBP6Sfw3uoqbBhX4R/fKSNVbNdDC3XqGuW38vXHW4KGDvUxieuKcGedvHtQZO9tXEmj7Cltj++oMmZNqMotRuqAmcTqcPf+0QFc8ZbKyK6e4WHo6fjPP1eqNBFJZOQVYP/W6gDFlIBOIHbKeCQDVN6gD93Y4llnrcTZ3V++ISP2saiUT2noCgQ1wXBSKfkuewKq+Y42XL43DJcU8jEmn/8WAWTR9rRDcH0MXbW74lmJaQKEIwKDtbFJWNNgrWmGOPti/DUMGHNtghv7ohgtymYpihI/r9dg49e7WVCWoZjLC745fN+nt8YYsJwOx+5ysuyaU4eWxcsKn2Xqso59a9P+Pj+JysZPyyzyDjsCn96UylHT+tsPxor5HNRkTL2CJBfvDXtgHkhzfyfSgEJPU0Bwyo1vnx7meUecS1+abLtPRnvt6KeSEwWx6TjxsUeZo9znCMMCnDHZZ6UH8OmKYyosuWUSZZsKKqeZ36+pODF9cIIv2HC8hkublnS1eJ7Y0eEFzeH0Q2Zxv2Dx3189ufN/OHtosXfU9BU2Fcb58d/9NHSYW2QQyvk3B1aoRa6LuIyYAoUJj
OwkGKyChhWqIPZNfj0dSWWa7cjMcF/vOjn/f3Rfq3oMwWs2xXBH+qcGNWlKp+6roQSV2eaqECuDOlOTFNAIFwUj/EFCSFgSJnKZ64vSfkVAOpbDH7/RgfRRBRDVSFuCOpbjGLss3uEqkqfyK9e8FtOqlo42cGnri3FXtii++FIOr3CjKtAx7Ej9yYFgWnCtQvc3Lnc2r5fCHh0XZAXNxV8z5URmgp7amO8sT3S5f1Vc1wpv4WemKRXzXUxZ3ynAmjyGRzIJyR4kSGZXjsvTekbJjy0NsDhBv0cM7/fqzcVeGFTiMfWBS1bbR9a4eHqee6C1IKk4RoKtH3P6yBpJshoCkTuaQoYP8zG524stczl9+bOCL9fEyh4YohVxA14eG2ABZMcqco8TYXP3VhKZYnG4fo4CyY5uGGRu0v9+Wtbw5xs0gd8GXJ/wDBh0WQH917h7fL+u3sjvLQ5NCAIWhQkecz/rQkwbpiNq+dlDg+6HQqfu6mUA3Vxagv3rBchy+tr8z1QoSyA+RSgf59Aknl+5vqSLg6gvnC4Ic4vn/fjD54/U1pVpKPov1/uIBztXBrKPNKc/ZdPVXLfKi/laczEHxyK8uhbwUKvDBckRILT4bM3llJV2nmPmv0mv3s9QEfxSm6zhqKAP2jyy+f9HGmwlvMwaYSNT11fgtOmFMpfMRqYB/n7AQqlAC6ne7ZGDjBNuGa+i+sXWcvD9odMfvl8B8fP6uedf05V4c2dYR5cey4DT/fJu2F/lH/5g4+z7flz9l8MEAJGD9G6bI8AnlwfZPeJgnrRCwJVhWNndH6Z4Ai0gpsWu7lqnqtQCt+OlLn8x1KAY3gpgPffFDBmiManryvpUl/eG4SAR94K8u7ewiaA5APDgP97I8DPnvFR16R38f7qhuD4GZ1fvuDnW79v48TZQdM/CUWF42d1/vuVjhTp6a7jMZ5+L5h3TkGxoKmwfm+ER9+y5g9w2hU+fX0Jo4ZohYoKLKUA6faFcCSMQYYA87sQFT58lfWWTu/ujfD428FidnTNGkqCgfaxdbJV+JwJDkZUaeg61DbpHDgZ52y7nOCDwt8JBZl///CbQbYejnHDIjdv75YFUwP5PgkBj78dZPZ4exei1t4wdZSdD6/28vNn/YUgEZmG3AocyucgOd/etL3H3cDj5KFMDBOWT3fyb39SSakn83J+ps3g679pZU9t/8X7s4UpzmWyuVCox84nkqtjksl3oMNI9J38yWeruhRn9QZ/yOSv/6eNTQfzDlfHkZyBz0LujUQKIT6LyEP4hZCMtp+4tsSS8BsmPLgm0K/JPrlAVaSZmP66ECb0+YaqXFiKUlNhb22cB9cGLCVClXlUPnGNl1J33lRidqTs5YV8RchJnoSfQsB1C9wsnWat2GL9nggvbBoYYaFBDAKktfL8xhDv7o1Y+v6y6S6uXeAuhC9gAZBbu+sE8lUAQ8lj/28KGF6l8cBqr6XVvMln8NvXOgZUWGgQg0gWTf32tY5E+XLfsGmS0m54pZavFTANKYM5IycFkLb/n4xMTcwJCrLZglVK5ifekYUfA9n0H8SlCU2FPSfiPLE+ZOn700bbuW1ZdlT2PWAEierbXPMB8hWlueQYijAFTBhu4w6LlN67jsd4ZoO1mzuIQZwvPLMhyO7j1gr17ljuYdwwWz5bAS9SBnNGPgpAQWYA5nZiRd6AkdWZPaeRuOChtYG8ePQGMYhiQ1EksehDbwaIxjNL9eghcgHMM9Q5P58f56MAyoFZufzQNGHySDs3Wsz4e2d3hHf3Rs97tt8gBpEJqgrr90R5Z7c1h+BNi91MHG7LJ0NwNlCW8/XmMdbRSAqwnG7S7cvcXXjle0NbwOTRdbJx5+DiP4iBjmRS06PrgrQHMkv1sEqN25Z58lncxiNlMSdkfdo0Z8NMcuj2a5qyl921FpsvvLY1zJ4BmA9+ISLZrizJEeiyK7jsClqCp9Awi9eG61KCpsLuEzFeS5CoZsL1i9yMz90XUI
3swpWTIzCfVOCF5EArrihw0xIPwyys/mfbDJ5+L5hi0h1EbjCFXJmGVWrMHe9g9ng7Y2psKUpvf9ikrklnz4kYu47HaWw3EAymK+cDw4Cn3wtx1VxXRkt3eKXGTYvd/OrFjlxOZUPK4h9z/XEucJFD/b+ZqPq6boE1muVXtoQ5evr8V/pdyDBNGDVE447LPFy30M2YGluv1pRhwMkmnde3hXl+Y4iGluKSql7MUFU40hDnlS1hPnltScbvX7fQzbPvh6hvyamxyEJkUl402x9m9XjTTIyRyCSE7CDg6nluS409TrcavLCpMBTTlyIE0tq6Zr6Ln32+is/dVMr4YbY+t1KaJkOzn7+5lJ99voqr5rkoAMnvJQvTlAxCZ9oyJweNG2rjyrmuXLdg05E5AVlvA3LV77PIMgFICKgsVS03Xnx9W3iwZDYPaArcd4WX73yswnJ3m3RMHWXnux+v4N5V3pxpxS91qCocP6OnGqpkwo2L3FSWqLkogRFIn1z215jj2JaRZQ6yKWDpVCfTRmde/Zt8Bi9/EB5ky8kRQsgMyy/fXpba5+eCUrfKV24v47ZlnkHnYI4wTXh5c5hmf2YrYNpoO4unOnKxep1ImcwaucwOD7L7b1Zw2RWuX+S21D327d0Rjp4uHtf7xQzThHkTHXzhllLczt7vtRCyv1+mhBW3U+HPbi1l7gTHoELOAaoKR07HeXt35u253aZww0K3JUKcHrAcyDq32LKIpe0tJpBlApBM/LGxcHJmo6EjbPLKB+FzaLUGkRkC8LoUPnVdSa+9FIIRwevbwnz3kXa+/J8t/MV/t/KDP/h4e3eEcC901zXlGp+6rgSPq2CcdpcUdANe+SBEIJxZgy6a4mTSiJwSg2aTyMvJxg+QSxRgGdlWICmweo6LCm9mfbP1cIx9A7zWf6DCNGHxVCeXTe+5tLquSefnz/p5d2+ESKyz5v79/VGe3xhi1RwXX7qttEcn7WUznCya7OCdPf3bd+FiQJIzYOuRGKvn9B0BqyxRWTXHlUuT1WFImrD92fwo20epIfv/WbZRhICqEpWVszOH/nRD8OrWcK8r0SD6hk2Da+a5ejQhW/wm//K4j7U7IuiG/G46WUlUF7y2Ncz3H/fR1ENJq8uucNU8N7ZB4c8J4Zic21Ys21WzXVR6s3YGqkjZzOoJWfpymkkxliz3/6aAORMcTBqR2dg4clpny6HooOc/BwgBVaUqsyf0vM3643vBPmmokr0FNx2M8mQvJa1zxtupyM1LfclDVWDLoShHT2de2SeNsDF7vD0XZ+DlSI5Oy9uAbPX5KqQSsAxNhStmOS0193x7V4SWjsGKv1xgCplR1tPev8VvsmZ72JrgCli7I9yjFVBTrjGkPG8Si0sSiiL7HFgpEnLaFa6Y7cplqzWOLNuGZXMKO7I/ueXfCCGbJC6empnuqz1osn5PZDDrJA9Ulmi4egj5n2rWOd1qoFh4cooKZ9sN6lt62AY4FMo96uAjyhUC3tkTwRfM7OFbPMVJTfbKVkPKqOXEj4xTIs2UmAGszOZqTCHNxlHVmc3/3cdjg2m/ecKmgdKD+dQRNonp1hw3yfZXPTXAVBR5jkHkBhkS1Nl9IjNhyJgajVnjctoGrCKRpWtlG5CNuN1Glt1/NRUum+6yNGnW74kMOv/yRCQmMHqYMSUuFbtmzbgSQjr8ynpgaDZMLBFdDKJ3hKOC9Xsy5wTYNIXLpjtz2QYMB261+uU+D5+mQYYAH8rmKoSA6jLVUnvvxnaDLYdjg3v/PKAgMyiDkXMFdEyNjRHVGsJCbNkUcvUZPeRcrR2OCtoDgz6afKAosOVwtEcfS3csmOSgqjQnp+uHSJTqZ7ICrOqXq8iSe8wUMp981JDMy//uEzHqWwbz/vOBokBju0lDD3v36jKVGxe5LQmuTZXl2j1ZAGfaDEnLdr4HewFDVeBUs8HuE5mjAaNrbEwZmdM2YD5wpaXr6e2DNM3hBD5Mls0/FQUWTnJaSm
vceCBKNOu8h0GkQ1Fk15ntR3s2L+9e4WX1XFevpB9CJJuzuntlq911PEZHeNACyBfRuGDjgczbAJddYcFkRy4K14GUWQf0bQVYsQAWYlGbJCEAr1NhngXzv8VvsuNYbHBVKQBMAet2RXpMOa0oUfnmfeXcs9JDiVvBMKWzTzfk3r7ErXDPFR7++t6eC4hCUcG6XRFL3W8G0TcUYMfRKK0dmW/m/ImOXFOwr8ZC0x4rqcAfBiqzObMwYWS1xoThmQ9/qD5OffMg8UQhkOSmf3t3lFuWnruKD63Q+MZ95dy8xMPmg1FOteiSMKRa47LpTuZOdGDvpVhr/Z4IO48NUrMVAqoqtwGH6+Msm953iHzicDsjqjSOntaztbyqgAeATX19qUcJTTMZpgK3ZztAgSxtrCzJPFu2H40RiorBiVUgROOCB9cGmDfRzugh5z5eu6awcLKDhZMdqa1Apol1qlnn/94IEImJQUVdIISjgu1HYxkVQGWpyrRRdo40WIzjdsWdwH8ARxZ+qb7HBqKZHufdyOyirKAqMHu8I+PEisQEuyw2URiENaiqtKp+/qw/IyutYqEJZ2uHyc+e8XPg1GB5diEhgJ3HY0QyhFWTspSjg3w8cFefx+/+RtrqPwy4P5eBeV0K00dn9hmebjM4fiY+6P0vMFQF3toZ4QdP+Djdmntd9almne8/3s5buyKDz6jAUBU4dkbnrIXnM32MPZ9S7AdIVO/25AzsS6ffjKwxzgrJ9N+ezM/uOFwfp3Uwrlw0vL4tzN/8tpV3dkeI69anT1wXvLkzwt/8to03d0YGHbRFgKJAW4fB4QYL4cAhGkNzr8GYC9zY24ddFECahigBPkoOtN9CwPhhNsot1P7vrY0T13O/iYPoG6oinYJ///s2vvVQe4IHoO9ZVNek848Pt/OtB9vYf3LQOismYrqUgUyoLFEZN9SWqwLQkLLshXOtgN6kdCU50H4lMWWkPWP6byQuOHhqMPhfbKiqZAF6dUuYv/ltG2u2901QuW53hBc3hwhHBx1+/YGDp+IZ06ttmsLkUfm08GAFslT4HKQecZpm0JChv5y6/tptMGlk5ott8ctmFIPmf/GhKDJEGIoKWjM4BnUDVEUZfC79AEWRfRhaLOQDTB5hx557IZYX+Ag9WPQ96fhZwPW5nEUIWXhihff/VLNOW8AcNDFzgGF2fVm1DBUyR5KsPg7Rw3UMIjuoioyy1Ddn3gePrbHhdeVFxnIDPbQQ60lSP0SWnP9JCKC6VO2VkDIdx8/oRGJicKXJAkJI5tj5E+3MGGtHVRQO18fZdTxGIJL5XpqmyDiBTAG6KdD6UAVCyMzBuRMcTBlpxzAF+0/G2XsyTlwffKbZIBITHDujsyQDZ0ZNhUpVqYovlHMtxghkXsCe9Ddt0EUj1AB35DoYIWB4lUapO/MlHjutyyaVg5PFEoSAMo/KF24p5dZlHkpc8saFY4L39kZ4ZUuYUESgaj2v4qaQx5icoUnImCEal89wpbYN6cJsJhqLup0Kty71sGKmE5dDfiEQNnluY5hfv+ynIzyoBKzCFHIxzIQyt8rwSo1jZ3JKCEriTuC/gOZkYlB3C2AVOYT+0jGq2paR/isaF5xsGnT/ZwNVhY9d7eWB1d4u77sdCtcucHPlXDem2bvgJRd+ewaNe818dydzrdJ1rgmkEtFUzunvUOJW+ehVXjpCJr95Nacml5csTjbqROOiz8I5h12xVFmbAXOQlGHPJN9IVwAa0vzPvo9UAopCj3Xk3eEPmZxtNy7oVUKIhFCJ3vfgSkKA8h2nKWBMtcYtS3v3y9o0CmJOqSo48nDM3LLUzQubQpKC7AJ8vpaeK4lnquSzGCeOpcCZdoNAWGSsnB1Vbcv3fA6kFfA8YADY0sz/ScDqfI5u02BEVWYF0NphSmKJPG9efyJpQisKOGwKXpdCqVulxK3gdig4bAqaJs1k3ZCmeTBi0hE2CYYFkbhIOcpUCym46RACRg2xUV068O
NyQ8o1hldq1LcYKafjQFYEqeeKjGB5nPKZlrpVPE4Fh13BpkploBsyfB2KmHSEBYGwSTgmUlTf2T5XEvenPWDS2mFQXdb38x1ZpWHTyLdh7pXI5j5HFn6pvosFcBUwOtejCmT9shUHYKPPIBQd+PvE5ORwORRGVWvMGGNn+hg7Y2pslHvU1MOQXnCBaSZDbkqKb98UEIoIzrQZHGqIs682zvEzcfxhucRYjbXHdYFxAbBxJRWgTYOJw200+6WyNxNbh4EAIeRzsScWrGmj7cwca2f8MBuVJRoOW6fAJ58rCmiKVPLJcURigkafybEG6QA90hCntUOOVVUtcjAqMjzb6DOZMqrv79ZUaDjtCqGYyGfxHINUAkegcwtgR4YJ8rirUntaqQA822Zk9BabotOE7m8kBXlUtXSIXT7TydAKjbaAyZGGOGt3RGho0WntMAlGBDFdcvGZIsmvr2C3yf15uVdlWKXGhGE25k90cPNiN5G4YMfRGG/vjnCoXu7/+powqgK1jTonG3WmWaixOJ+obdQ52aRT5lH5/M2lVJdp7DoWY93uCPtPxgnHRE4rZSFgCiBBVbdkqpMrZrsYN9RGMGpy/IzOxv1R6poNWvwGgYjsm6gbnc9VVRVsmlwQytwqQys0xg21MWWUjVUJv8n+ujjrdkXYc0JGZqyMNaYLzlpoIV5ZIq2SUFTkIxgKMjX490A8qQDGA0vyubkCKHUrlFjoRnu23egzAuCwK4wfaqO2UScU7b8JY5hy5Zox1s5NS9wsmuykpcPgvb1RthyO0tBiEI6K1N6wi4Lq4i0TqXtS19RJ/2S3wZAyjdnj7Fwx28XfPVBBXZPOKx+E+eBQtNcJk+SUf+StAH97XwWebk0/DRPOtBpE9d5XhqQDb1iF2uczisaFvOcqqX1wki3IMAVxQyqkYZXaOTkcoajgkbcCtAdNNBV++KSPGWMcXDHLydfvLqex3eDVLWHePxDFFzT77bkmFfrYGhvXLXRxxSwXcUOw6UCUx9YFOHFWJxgRKdPaynNtEEaqfZemSsKVaaPsrJjl4ku3l+IPyh6M6/dEaO0w+7T0TFPyYmaC3HKqNOVPy7YE2d/jaFIBLEbGCXOGEFDmVVNhob7Q7DN7jUcLIVfOL9xSCsALG0NsPhTFH5IWQ6ETh5LmoMsu4+u3LvMwY6yd/Sfj/PwZH3tq46ntiqpYNNmVtL+6hdHOthmcbjV4a1eEsTU2rl3g5jM3lHDPFV5e/iDEhn1R2hIFUuljVRV4ZUsYU8BHrixhbI2GoiicbtV57v0Qa3dGiMX7iAIkxvml28q4a0XvzsRXt4Z5aE0Au01JCYRpilSyT1yX3A1Xz3dz+2UehldqCCE42WTwyFsBXt8WRlXk+Zp9Jm+3R3h3b4RR1RpXznPzwGovd6308NqWMO/sidDsk46RQqcdJ8dr02DqaDs3LXazbJqThladB9cG2HI4hi8oBUlJhDsz+lB7ea4AbR0mG/ZH2XggyrBKjVWzXdyy1M0dyz28uiXMC5tCROI9K2ghsEQS6nZItmYhyNc0HoWU+ZQCWEkOhT/dUe5RM4YAdUPQ2kf3H0UBX9DkR0/5uH6hm09cW8K9V3h5c2eEDfsjnG410I1O51K2K0hyRRNCClVVqcqiKU6uW+Bi1BAbWw9H+e7D7RxuiMu0WLWwe9fkRBMCjp/V+c0rHTy/McTV81zcvcLLXSu8vL0rwvq9EU4168T1zrEaJry0Ocz7+6KMrNZQEwqg2W/S05zoHKtAVWQ5aSDSd8peq9/kUEMc7RwzpPMvATy0NsArW0KMqLRhCkF9i3FOZme6UNU1Gzy4JsBLm0Osnu3ihsVSgby7L8LbuyLUNupE47k/V+gUegUo9SjMHu/gugVuZoyxc7ghzs+e9bHreFwSmyjFea4glfwf3gny2tYwK2Y6uXyWi00Ho9Q29pz6riQyApO+k95gt2OpyM4CNGR9wB9sSLqvhfkeUQh5cZmKgGI6+EKZ80
brWwz+9/UAL24KsXKWi6vnu7hjuYejp+NsORRjf12Ms+0mwYiJYXRO9u43OP09TQWPQ6G6TGPKSBuLpjiZOdaObsKGfRF++UIHJ5t0hFl4we8JasJN3thu8Oi6IK9uDXPZdCfXLXBz02I3tY06Ww5H2Vsb50ybQSBiouvQ7DdoTKwY0lKQA0w3YTVVWjXVpSqTRto51axzuF7PnAqccHb1tSInj9HsM2lsj6XG0pd1lhxrW4fJ0xtCrNkRZulUJ9ctdHP1XDf1LTpbD8fYUxujvsUgEDaJG53Kuqfn2jl+2U6rslRlwjAbCyY5mDfRgcuhsO1IjO891s6hell5qvXDc00qA3/I5KUPwry1K4Jp9n1/fCGTuC7Oya9Ih01VKPMohWrNtgiosCFDAhMKMehST2a1HY0LguHMe5jkhGn2ywnz6tYwU0fZWTbdyXULXdy3ykMkJoXhbLtBi9/EH0qEZXS5T7epCk6HQqlboapUOm2GlmuUuFWCEZOD9XF+82oHe2rj+AImJCaTlRZahURywrQHTF7+IMybOyNMGmFj6TQnK2e5uPNyD7E4tKSN1RcyCUcFcUMkknMUnHa5T6wsVRlarjG0QqPUoxCJCX79SgBBYasvLZnNvfwmEBas2RHhnT0Rxg+TY1081cEtS93opiwWO9tu0Owz8IVMQpH0sUqB97qk03lohRxruUchbsCx03GeejfEjqMxmnyGtPb6QfB7G2umaj8FmUkZjQvcTqXP45V51EL5TSYC423IzL+sSD97Q6kFB2AkJmQHIIuDSL+JO47F2HEshtuhUFOhMrbGxpgaG8MrNSaPtOFxqjjscgVDkXvXuNHZ0OJIg866XRFONuqJFVWktgIDofQ1Oda4LthXG2dvbRyXXWFIucqYITbGDLUxokpj/DAbJe5E7oEqK/dSY40JfEGT2kad9/ZFONlocLrNIBg2zzXrB8BYDRMON+gcqtd54p0g1WUaY4ZojE2MdWyNHKvTnjZWAbou55E/ZFLforP5YJSTjToNrQb+kIlhdsblB9Cwe7kZ8rlZ6bpkxcluEZXAzKQCyMzfnWkMCud4p3tCNC4HmsszSWrwmC6oazI42WgA0USIRn6uqkrK1BKiM45riK5mY8rJNkAnR1IhxQ25vz7VbPB+gktejpOUQCgk97+dzrrUWBn4QpB8Dkaak3TzoVjqPmiqVOqKan2sAyXnwAoUIBYXGfkBQdLtFehROoE5NmB6oQbhdlqwAOJypcoXPQlvMiHH6vcvFPR07aYpV/2Lbaw9bStME0xEInn14hlrOuK6tb6LbkdBuRqmq+TA+tsTFIUeW1N3RywuMIy8EhkGMYiLC4oswY5Z4G102guqAMaqyBLgvKEqslY9E+J6IjGjYGMYxCAufMgci8zfc9gKqgCG2YCyQhxJ9o7PfGW6KfItZjivSMaaU+Pm3D12sqIsPYSVep3vAeQxVji34KXXsTKw/Q5Wxto9GSt9nMnEi0L4WJJ+Dd1CsYemdeZiFABlNsBVqJto5SZkQ2E1ECCQFgvIHPDKEpnbP6JSo6Zco7JExetWcNpknrhpQsyAUNTEFzRp9slw1plWg2a/kUo5PV/58FbHrKlQWaIxrFJleKWNoRUqlSWS7MVpl0UxQshVKxQ18YeEDMm2GZxpM2jyySiLaQ7csZqJueiwyRyWYRUaw6tkSLGqRKXUreJ0yOcqBVRGlPwhk5YOOdbTbQZN7bLq0zDPVRqW77nonGd9Ien4LZAQuWwUIAMw24FmuvieEj/6G8lKwFK3wpRRdhZNlsklE4fbqS5TU7XbssmmLAkVQqAkkmhsmsxDUBQ5cfwhk1PNOntq42w5JJN7mnzGgKqSS43dFKyY6eav7i6jpkxLpXcnx2okHJCpsSYIQpLZih0hk/oWg30nY2w5HGP3iRhn2wwZmrNYJVcsJFd6t0Nh/DAbCyc7WDDJwZRRdmrKtZSTrftYURQ0Ra7ANk1GmkxTZlaebpV1AVsPR9
l5LEZDIlu1GGMtsFyoNqRvtd+UgGLBa1tZohKImETj/S8cpikTgcYM0Vg1x8U182Uqqcuh0BYwOXFW5/39EU42yaQcX9AkFJUOnGTRiT1RMVbqURlSpjF6iGyUOnG4nftXOXhglZeTTTrr90ZYuz3C/rp4xorA/obbqdAeMNl6OEZto87ZNoP2oEzIkdWPiW2fmhirW6W6TGVUtS0xVht3Lvdwz0ov9S0GG/ZFWLM9nKqt6G+rIFkJOKRcZfkMmW05b6KDMo9KIGxysslg1/EwtYkckbYO+VyjCR4HBanUnXZZ8FZdpjKyqvO53rTYzZ3LPZxtM9h4MMob28LsOBYjEC7sWAuUBZi6LTYgSo4U4LlcnGZhkn/i2hKGlms8syHIrhOdudvFnDDJSsBk4cj1C92MrNZo6TBZtzvCe3sj7D0Z52ybrAg00/aB0HVM3W9DkkSkqlRl8kgbs8c5WDLVyUevKuGuy71s2Bfh+Y0hth2NEbRYQlpMqKrCO7tlEU8wIlKxdiXTWBPfsdtkddzE4XaWTnOyYqaTe67wcvtlHjYfivL8+50FXsUea1Ipj67WuGaBm1uWuJkyyk4wIth+NMq7exOrdotOIIuxirSxlntUxg+zsXiKk5WznNyyxM3Ni91sOxrj+Y2ywMsX7LsDlmIxGc0KsWsWiNiADgqgAKw6MWxpiTq9HScSE9y42M2V81y8vz/KCxtDbD2SqAikcFl76YQfc8fYuWWJm6vnu6kqVTl6Wuc/XvDzViJzMKZ3deZlmwKrG7Lmu6FF553dEcq9KlfMcnHrMg+r57pYPdfFB4divLAxxKaD0VRjT+U8WAUKEEp0EFLI3gozzGSdQJRNB6M88qbKwikOblniYdl0Jytmuth+NMoLm8Js2BehxV/Y9nDphB+TRtm4fqGbGxe7GT3Expk2g4ffDPD6tgiH6yU/QT4JRKYpC3ma/TG2Ho7x+NtB5k10cNMSNytnOlk6tZK9J2P8+pUA7+6J9DhOQRZOdKOgPrQOG9CIbASa90230n/ObpMC3FtFo6LAI28FOFwf547lknl21WwXe07EWLsjzKaDUeqaDJlOjDV+tnSOt6T2dNhgZIXG/EkOrl3gZskUJ26nwt7aGP/1Uoi3d0dljXbCqVOQrYgC1WUaLrvCmTaDlz4Is253hIWTHNy+3MOKmS6Wz3ByoC7O2h1h3t8vK8hCEZG6X6mVqbey3x7GatfkPY9lwd2frzymK8m2gMkb2yK8uyfKnPF2br/Mw6o5Lr77MSdHT+s8uT7IsxtCxNMWkPRVTsmwYKSP1aZJwo/Z4xxcNc/FipkuqkpVTpzV+dWLHby+LUxdk45hFq4wKH2s/pDJ27sjbDwQYfoYB7culdbkkikO1u+O9DoWTcVS44+4XlALoNEGnESyheYFU0DUQq1JMn89RcTWA5KFIhv2R5k30cHNS9xcPtPF1+4upz1osv+k5MI/eCpOfYtBe8AkFDMTOQYiNSmSlW1JFpdyr5qoG7AzZ4Kd2eMcDK/UCEUF245EefkDKXTJstZC1gcIZKr0N+8vZ8pIO//2lI/390UJxwTr90b54FCMWeMkEckVs118+fYyPnWdycFTcXYek2M91WzQ2mESisqxGt3GqqaNtcwjvdqTRtiYM97Bq1vCvLkznO8wckJSQGK6YPMhWc8xbbSdmxZ7mD3eztl2g3jC4ZbcElSVydLyYETI5LFexuq0S//D0Aq55Zg93s6c8Q7G1tgwTMHek3F+/UqYt3dHOJNg3Sl0KXBPY9UN2Hksxt7aGE+/F8Km9aHIEsVcDntmtRuJi0I6yU/agIPALfkeSQBhC0uM0yHpsqzcxEhc8P5+ycYzbqiNy6Y7uXyGi+lj7Fw2XTZSCEZM2oMmvqAgEOlaIWfXZDVgiUsKf7lXhnY0VVZfHT2j88LGEO/ti3KovtM5VYzJYZowabid5TNclLgU/va+cr7zUDvbj8bQVJnzv/VIjJ3HYzz8ZjC1d5451s
7CyU7JHReRhT6+oAw7hWOCuC4SxBcKLrskKy3zqFSUqJS6FWyaFKI3d0YKP6gcoKlyi7DnRJx9J32UuBT8YYHLrjBlpI2GVoMmn8m8CQ7+8kPlBCImHYnKx1jaWJ028LpUyjwq5SUqZW4Fu01WPp5s0vnDO0He3SupuXwJX0N/d6HSVLnOHaiLpyzJ3mC3kZEVGOT2OH8+kBQO2oDdQJw86MBBDjQYyWybuOxS01kZRHL/aZpw9LTOkQadP74bYniVXNmmjLQzbqiNYZUa5V6V6jLZkyDpTU+GcpJVY0dP69Q16RxpiHOkQedUs56qCOyPOvFFUxyphh5ja2x88/5yvv1gOwdOxVPnF0Ly6p04K5l+hlWqTBpuZ/JIG+OH2RheaaOiRGVMiQ2HXUk5VU0hlUgkJugICWobY5xq1jl6WudwfZzjZ3XUAdSHLWld+UMCj0vhczeWct8qL69tDfP9x9s5dEqSbI4eIlvNS8uRzmrA5FjDgvraGKeaDY6els/1ZJOeIiIt5mqf7Vh7g0AKvxUFEEzM1wJogBiw2wbsBdopQEpwIGwtl9ntUMhWjSWLPmK64MRZneNndNZsj6TMQKddroD2tImSpLCKJiqtJMlj5+5DUfuvmMTjVFg6rWv7p6mj7HzzfmkJ1DbqqYmSvCbd6Kx6fGuXDLk57Aouhxyv3SYpq9Pj1tG4FIxoougqfawDR/wlzESLsT+/tYz7V3lRVVg8xcGQMkkr/s3/bUuN1WHrmmugGyJVQReNC7n9E533LxdH7XlDIi/BZUEBZGJ0ygJtwF4bcAw4QZ4KQAjwhy1sAewKJS41L09mutAmowbhaCdhY3coiT8Uzk/1mGnKFb8nRt95Ex18475y/umRds60G+eYiV3GCikBz2WsAykD00y0OvvK7aXctcKb2tPWlEum3TNtBjG9s0Y+01gvKIHvBoGs88/kAxBIi6lATsDjwHEVaAG253s0RQF/0Ew1SegNDjuUWWAOyuX8KeLObq/znYMvgAWTHL1Spi+f4eTr95RRVaJaqpMYyGO1AlPIZK+v313G3Su9XRxaLofCjLGdivJCH6tVlHlUHBl8Y4Yh8AcLFjLdDrQlZ+S7QN62hS9oZgwF2jWFqlKt0BlNAxpOu8LS6X13f71mvpuv3FlGqbtgnG8DEqaAIWUq37i3nNuW9Zx+MmucPaMwXEwQQpLTZsoDsMqnaQEmUuZJKoAPgDP5HFGBFCdfJgwpLxiv2YCHKWBktcassZl9rLcv8/CFm8twOS5OJWCaMKxC45v3V3DDInev35s8wk5FiXpR3oOeoChY6qiVdGYXQHZOI2U+pQCOA1vzHURHWFhyUgyr0Po9JHO+IATMneCw9IAVBe5f7eVT15VkpFe/0GCaUhH+w4fLuXpe3wWowyslF+CFXDaeDVQVhlZknh+BsAz/FmBmbAFqoVMBRIHX8zqkkojJB6wpgEy5AAMZXbvl9PxKTl67BsumOS1rbU2FT15bwrxJjlQz0fONTGNNH3NPq7YQMHaojW9/tIKVszJXn7udCtPHnJ8WaMk04lzHmgscmsKwisyxyraAmW9bsCReQ4YBuzQHfRNpGuTUIUhBeqibfJln7dAKDbdTLaRDo6hI5wTQVBmyKXWrlHlkZZjbqaTi1KYAw5Cx/NpGneGVGnMnWJ/MvqDJofo4Lf7z2147GWt2JTLtSj1pHXNtaXwABkRjIpWw0xGWXZFjCXYbVZG19t+8v5xl05yWzz97nAO7Fiy6FZDkBFAVUkljZR61a3fgND6AZHdgf0jIzs8Rk1g8PUMx+/vscSmWLIAmn0E0v8agAPVIWQfAtu2Xo0i0CD8MrAfuy/XIcQNOt2bmNaoqU6nwqqnWTAMVSaEv9SiMG2pj5lgH08fI5KOactmnzZWYIGqi9j+ZpvnL5/385tUOZo93MKLKmrkT0wU/edrH2h2RVAXkeRm3EMwc4+CuFR7GD7PJ/gJu2fbN3m2sIsHOG9MFoYigLW
DS0GJwuCHO7hOSD8Buk17ubDB5pI1yr9pnF6ncx5cQPKfC6CEa08c4mDnWzoRhNoZWapR5VNwJIhBN7WThNRMs03Fd9k9sD0ougCMNcfadjHPwVFymNevWSVAEUOFVqbLQ+v10q4Fu5p3R+A5wFGDbL0d1sQDiwDPAXXS1DCxDCNnRJxPK3DJP/cRZfcDFcZKrvcMmE3WumO3i8hlOJo2wUdrDJDbNTkLH9D7zSX7EMo+SymbMlA7qsCnMnSDz9s8nTAGzx9m59wrvOe/rRmf6cbIyU1NlT4hSt2waOn2Mnavnu4jGBT9/1s+T64N883/bWDbNweduKrXkDxlRJXs+NPtjBYvvJwuAxtbYuHyG7A48fYydylL1nGkoLbnOsZIYq00Fh1ulxC0t2amj7Kye40I3ZNPbXcdk1+ctR6K0+BN9DzMUMw2r1Cz11KhvNvLNAowDzwKpVbq7oK8D9pNHcVB9s05cF30ShLocCmNqNDYd7P04CmCzKdLk6Yf6+OTez+tUmD/JwS1LPVw23dlFM/tDcnWrbZQpxWcSJBmdBStykjhsCq0dJnZN4c0dEXSjnXBU4HIofPLaEiYM712/3rLUw5bDMV7dEj6vKazhmOBwQ5zaszonmyTNV1vAIBgWRBOEICpgs4HbIbcINWUaI6tl45IxNTaGVWhcMdvFi5tCHD8j03qtNI8FyX8/ZZSd7Udj+T1XOhX6rHF2bl7iYdVsFyOrO5VQOCo43WqkWpufbpV9DpPdepK+mPTW4NXlGqOqZAOTsUMlZdqoao1R1W6uW+jm6Ok4r28L8/q2MA0ZFsUxNbaMacAxXVDfYoE1tG/sA95Of8MG0hRIbAPOAM+TowJQkGZKR1hQVdr3gCYMt/ct1Arcu9KDKWDtjghn22UhdKE7+CTNwXKvytJpDm5f5mHxVKdMV0bSW+0+EWfD/gg7j8mc8/S+dX01OVUV6bh5ZkNInsuUGYvf+0RFr1lfbofCn91SyvEzOgcTNQL9DU1VWL9Xdrr1hWQ/wkxb8eS9UBUpJDXlKlNG2TnVLOfD+GE2vnx7WZ8rnSlkMpnXraAb0B7IvYFEUqF7nApzJji4bZmblbNcVCSaa0ZigoOn4mzYH2Xb4SgnGvVEHkt2Y3XaFarLVCaPtLNsmpNl052MHyqzPqeNtlNdqvHjp329LtqqAhOHZza4O0JSSeW5ED4HnAUp89Czqf808KfkkBqsKNDSYdLsNzLuaSYOt+GyK71yoctOqQpfvbOMu1Z4WbM9zLpdEY6f1VOpsLmwySRZXQXSQz9qiMblM1zcsMjN7HH2lOVyutXgrZ0R3tge5uApWSmYfk6rgpmeoqqqCu/ui/D+/iir5/buDR831MbX7y7j2w+1c6bVyFnppY81mxRoBan4ktef7fmjcdkuvLZRCnBlicpX7yzL6NnffDDKz5/1M6JSQzcFWw7FLN/ndMZeTYWactn1+cZFbhZNceJNFGG1BUw27Ivw6pYwu07E8AdF6v7kMla5MsvOTe/sjlBTobFsmpObl7hZMMnB6TYd0+x9vrgcSp8WYRJNPlkKnof8NyK3+F3Q05l3A2uBB7I9g6LIWGVdk8HUUX0/7DE1klH3TFvvWm1vbYxQVDBphI1JI0q59wovu0/E2Hwwyp7aOA0tOh2hzjJR6Dk0k9xC2DVZQjqsQmPaGDtLpjpYOMnZxRw8flbntS1hXtsW5mRjgYkjkNVcD78VYP5kB+V9OMaWTHXyjXvL+cEffDS2n6sETJMePeTJsdpU8LhVhparTB1t59hpnX0nrTcHzXfLpSoy3azUrfDl28u4Zr67z+8HI4KH1gY4UBenvlknpstipqQjVmQYq9upMKRM9ohcNMXJ4ilOxg+zpZ7b2Xap0F/aHOLgqTgxvXA9IdOVa1O7wfMbQ7y5I8z8SQ7qm3uf38mU6NFDMiuAumadQCQvh+gbwJ7ub6bOnLYNiAOPAneSA2V4TIejp+NcM7/vnw4p0xhdo9HQav
To5NFU2F0b57uPtHPrUjfzJzmoKlVZPcfF6jkuAhFBY5tBQ6vcszUnuwNHpeNGkKiRT3QHri7VGF4p96jDKzXKSzodP9G44ECd3LOt2xWhobV4xBGaCtsTXHEfv7qkz+9eOdeFpsGPnvJxstFIKaIJw+3SgnIoqXZo6d2Bq0oldfnIKtlgs6JE5Z8fbWdPbX776WxgmlBZqvLl28u4c3lmxrk12yXb04JJDv7qrjJCUcHpFkkv3p5GvJreHbjErVJVkhyrpPSuKtVSz8ww4UhDnDd3Rnh9W5jjZ+RqXMxOwUmLLxQTvLs32icPgRBy/19dlvlijjboqfbmOSCMlGkdOs1/6N3b/zawGViVy9kON8RTK2dvcDkUpo6ys/lg75MyFhe8tjXM+j0Rpo6ys3KWkyVTnUwYbqPMo1IywsbEET0PIZOzNBwVnGrW2X40xvq9EXYfj9OeyEsodvjNMOGxdUEWT3EyI4NZfMUsF5UlKj9/xs+2IzHiOtQ16WgqLJrsYNEUJ1NH2akpV3t1vCY7MvdXwMUw5Rbvq3eWsXpO5jWkvtngoTcD2DSFj17lZc743nvVZnquSZN89/E47+6NsPVINJWb0p9doK1yKU4bbc9YBqwbUqbywEZkiP8cdJGeNCvADzwCrKQzW9DywE+clQ6VTH6AWRaSPTS1szX4zuMxSt0BxtTYmDrKzpSRdsbUaAwplw0rZJxaST3kZPZaJC4Ihk1aOmQr6aMNOofq45w4q9MW6Gwl3V8ON1WBhhaDX7/cwfc+UZGx5fPscQ7+9TOVPL9RepWPnZYx9j21MZ5YH2JYhcrEEXamj7YzZZQ9QXMmufmPnZbOxP11saISgiSdbi67wjXznXz+5jImjchs2uqG4PdrAxxt0HE7FV7bGqau2WBsjY1hFSplXhmTt9skLz+J/APDgKguCEYEbQHZUTjpOD12RqfZZxA3OC9MQFZhT0QmMsEXlHT0OZr/JnL174Cuqz/0He9/CRkSnJXN2RRFtniub9GpKu276/jUUbLowworbFI4A2HBvto4e2vjKbptt0PB7ZQKwJHo0AOdhCDJFTAclSGs5L4yW4deIaGpsH5vhMfeDvLZG0ozjn9ImcZnri/hzuUeth1J0Fkfj6XCV8fP6Ly1M4wjQbiiG3QJYalFKJ1NCr2iyGSW+RMd3LxUetvdFsN9r2+L8NKmEIoir/eN7RHWbI9gt0kr0e2UCiBJCKImiV4S5CfhqHxFuo91ADABZbp3lSUqU0ZmVgCnmnUa23OOAOxFynKPOEcBpFkB9cCT5KAAghEZYunLlAMYWSVjxk0+68ke3XMCdEPgDwn8oU5G3ORfScKI5F/J+vGBMjFMEx5+M8jE4faMPpMkqkpVrl3g5pr5bpp8Bofr4+w6EWf/yRi1jQYtHZ0tudJ79SXvSS6Ztd2ZdwGcdtk6bNIIyYe/bLqTySNslogtkzhQF+e/X+4glJb1mL5/D0QEgbDR83OFLmQg6b+9EGAKmDDMzoiqzElRB0/FCUZErgrgCWSK/zmrP2TO+HsS+BwwiiyQJH28e0Xf3mS3U2a+fXAoP+dUlyYOA9Tc6+26/SGTXzznY1iFyuwMCrP7b4dWyD52K2a5iOuC1oDJ6RaDk02yDqG+2aDRJ7vcBCKyVNvrVDIe1xSgJJxttgSxaqlLoapMS3XDmTJKOiKHV2qWuOy6o8ln8LNn/NQ26r0Kbjrjz4X0XK1i3kR7xsQoIWD3iZhsIZf9PagDnurrC5kUwH7gReDz2ZxVQWr39qDZKwtOEgsmOXA7FEu90S9GqArUNRr88Ekf3/tEJeOH5VYmabcpDKvQGJbodQBSkCMxWZyTLNIZW9P38a+Y7eosePJI1t2KBKNymUcWPuW7pw5GBP/vOT8fHIpeUKt2IeFxKiyYlLk4qi0gqeFzvOUvIFm/e1z9oRcFkLYNEEgHwofJoo24okJ9i2S2rSzpe1WbNtrOyGqNY2f0AeusKTZUVVpM//J4O9
/5aCWjhhSmVaOqyInmcWrUlFv7zcThNiYOL7H25RwQiQl+9aKfV7aEL4hK0GLANGFUtcaUUZn3/yfO6jS0GijZK0of8BgZdn1WDrsZWUFkGQpy/7breGbTfkiZxtwJjkuG/aU3qCp8cDjG9x5rp64p75zvAYlITPCfL3XwxPril/kOZAhg7kSHpfj/zmOyX2QOunIdCdafvtDrFaSZDBGkJslqVgoB247EMpr2igKXTXdeUhxwvUFVYNOBKN95qJ1D9XnFfQccAmGTXzzn59F1AQzjotzSW4bDJud8pnsQi8uOVTksjnGkzEahd/MfrMf41yLDCZahKtJ7makSCiRl1oiqS4cCqi+oiUzBv/+/NjYdiJ7vyykIzrYZ/MsffDzxTjDVVvxShSlgVLWNuRYcvqdaDA7Wx3PZGu8hjfSjL/SpANI0x1lkJZFlKAo0+w12WtgGDK/UWDh5cBuQhKrCkQadbz3YxpPrgxe0g3TX8Rjf/L82XklwHFzCsg9Iy3jRFIclBqCdx2K5dk5+FmiCvld/yC7L7zmgOZur0A3YuD+akdtOUWDVbJelziiXClQVmvwmP3nazw+f9KXqEy4URGKCJ9cH+cbv2th2JHbJOni7w+VQuGK2K6NQGyZsPJBZdnpAE7Kk3xKyUQB7gQ3ZXImiyBWgwQKRwbyJDsYPt6Wy9AYht1ExXfD0eyG+9utW1mwPd2mhPVBxoC7Odx5u58d/9HOmzbhkQ33dYSZqJOZOyGz+1zfr7D6ek+J8F0n8YQkZH02aCRFFahbLM1BVZBnmtiOZtwFVpSpXzLJOGnmpINniKylU33vUx8FTA9NBeLrV4L9e7uAv/ruV17aG0Y3zx2s4UHHFbFfG3BiALUdiuaT/mkgZjUFm8x+y5/57G5ldNNbqD3QD3tkT4ealbuwZUpmunOvmj++GUlV55wMFbL1cUKiqpOl6fmOIzQej3LrUze2XeRg79PyHT04167yxLcKLm0McPyOtvcFVvyuS3X+utFAdGdMF6/dE0M2s72MdWYbsLc2etMSgE8AmslAAamIbcOKMnjHxYeooGwsnO1izI3JeGj0KIbnokl2EB5q3OlnH0Nhu8NvXA7y+LcwNi9zcuNjDxOG2fr1eU8DRhjivbg2zZnuEuia9k3loEOfATDj/Jo/KLHLHz+Rs/r9PouGHldUfsrcAdGANcK/VHygKtPhN3t0bzagA7DaFGxa5Wb83it7Pe13DlGnJX7y1lO1HY/zvGwEisZwLMIqKZFFTXbPB/7wW4IVNYVbOcnLDIjezxjnwOIt30ZGYYE+tJC1dvydKY7uRYjsegLcK6Mr9nyxs6m8LxWVXuGGRJ6MVDPDu3ggtHWa2CkAgZTMrb3Eu9uP7SE+jZc5AU8C63RHuXunJyA+/dJqTaaPt7DpunQ8uHyQr5q5d4OIv7ixj9BAbCyc7EcBvXu0Y0E7J5ARpbDd46t0Qr20NM3Ocg5UznSyY7GDMEBslbjXv+xiMSEbabUdivLMnwp4TMfwh0a8EG7kguZ2bMdbOiplOhlfZaA8YbDkcY/vRGLF4/yh4w4Q5EyQFXSb4giZv747kQv/diCT+yAqWFUDaNuAY0su42upvNRUOnYqz41iMVbP73gOVe1VuWuxmbz/QV5lChmXuX+XlT24oSTHWqircfpmHFzaFONVsDHizNklDFYwKNh2I8sHBKGUelRFVGmNqbEwaYeP2yzyWSk9B5m98cDDG6TaDU82Sa+Bkk077eSBPyRUCyRV4z0ovn7m+hCFpvQg+cqXgxc0hfvVih2xOU+Tna1PhpsVuS81Rth+Ncahez+X+7kX2+LRs/kNuFkAQqWksKwCQDqzXt4ZZMdOVcXBXzXPx1LvBohYImSZUl6l84ZZS7lzuTZGIpK43KojFB65Z2xPSuQ78IRNf0GT/STmIHcdi/MMDFRkLjc60GfzgDz7e3RtJmc5wYZBsdL8Xd63w8tU7y84pV3Y7Fe69wks0LqsSi9mD0T
Rll6Or5mZ2/ukGvL4tTCQmcrnPG4FQtj/K9XFuROYbWz+RApsORjligdtseKXGTYvdRRM+w4RJI23808cruWflucIP8lqbz3N/vnyQpLjWNCm0G/dH+adH2znV3HtORkOrwT8/1s47eyJAJ3mmpg48h2hfME1YOcvFF24p7ZOr4JalHiaPtBd1m6cocNMSj6XMv8MNcTYfjOay6MXIwfyH3BXAHhINBrK5Ec0+k9e3WWt7deNiN2OHFrY+IMlqc/kMJ//66Uoun9lz3kE4Kli3KzJguvMWAqoqefe/96ivRyVQ32zwvUfbeW9vThNwwMA0YdIIG1+5oyzVBEQ3BM++H+L7j7dz9HTn2CtLVCaNsGEWKQfdFLLHww2L3Ja+//rWcK6pv2fIslYniawUQNreoh44lPXZFNnlx0qB0OghNm5eUjgrQAjZF+DulR6+98lKJvfBxXbgVJx9Jy++9NWkEvjuI+2cTCs5rmvS+adH29m4PzqgnXqZIARUlKh85Y5OQtK4Lvjd6wF++ISPx9YFefq9YJffTBlpx+uSFPHdW7vnCwW4ZambUdWZV//6ZoM3d0Zy3XMeBBogu/0/5NgEFMkzvg24OpsfqYqcbGt3hPn4NZlJJ25Z6uHVLWGOn83PF5AkYPzMDSXcs9LbxSw0hSy7TKdmemd3BH9Ieoi7m4e5dCMaSFBV2HIoxncfbudPbigF4Levdch8/QtY+EH2CvjTm0pZlZZss25XhN+9FiCqC7wulZlju3ri717pZfZ4Bw2tOkdPS4dnbaPOqWY9r62BKWTa7y1LM/dEAFizI0xdc87zfBuybD9r5JNGtg2ZepjVtDFNePmDMDctcTOkrG/NOKpa487lHn7xnD/nixRCtqb+5v3lXLugqykWiQme2RBi1jh7Kj+72W+w6WCUco9CZanGkDKV4ZUaNeUa7UGTDftl7PtCtg5UFbYdjbH/f1oB6aC90IXfMGWN/d0ruwrcqCE2xg+3sf9kjOsXus8hX/W6FBZOdrAQR+o4Rxri/OWvWzmTRy8+VYEPXW4t8tLkM3j5gzDCJBfmHwMpizkhawWQFg7cC7QCQ7K6Map0dry5I8J9q7wZv3/zUjevbQuzrzae0yQVyIc8bXRXk7/Zb/DL5zs4ejrODYuqO2+IqvCl28qoKlOpLlUpcau47EpqIuw6HuMHf/Bx4FROddoDBmqChjv574sBgQT3YXVaY9qZY+18/5OVvLE9zB2XeTKScGqq5LFo68g9PGiYMGe8nZuWWFz9t0c42pDb/EbK4D7I3vwHyIl8bsTSr4H0PN4BjMj296YJrQGTK+e4M2ateZwqDpvCe/uiOe3NFAU6IoJAWLB8hhObpnD0tM73H/fxxrYwNy3xcPW8zlVBti63MaRMw+tSsWtKl4kwrFKjulRj3e7IgE4SutSgKrIY6UhDnMkj7VSnWZdVpSqLpzhTeR4xXbbtOnZaJxwT2DUFp13BFLBhX4SfP+unLY/8AKdN4Yu3lzHPQtVfs8/g58/6afLlfL59wH8AkdObf5r1j/PZArQjrYCF2f5QTWjZN7aHeWB1Zivgmvlu1myP8PbuSE5xaAV4dUuIco/C1NF2Hn4zyMFTcVRVYbjF5JguAw8OSv5Axbt7o5xqbuOLt5VyzXx3j9bNO7sjfOvBdnRT4HGqjKqW/Q3CMcG2IzHaAlmn4aZgmLBqtpOrLcT9AV7bFuFwfc6rP0gZ9OX643wsAIAJwA25HMM0obHdZNUcFyWuvkdvt8l+8+v3RHPOz5f86nHe3h2h2W+iqfI9VYGFk5047QrBiCAQETjtPVNfR+OCR94K8l8vdRCKDsw6gUsdqgLtAZP3D0SJx2H6WAeObj0To7rMTG1oNYjFBU0+kwOnpAMwGs+9hFkI2RD1r+8pt1SleabN4GdP+3IN/SXxfyRyAHKxAPJVAF5kYVBmfuNuUBS5DajwqiycnJkHYESVjdYOk53HY3kLXqqRiAKnmg027I+yfk+UJ9
eHqG8xWDDJcU4CSWuHyf97zs9DawOy0eag8A9YKArE4rD9WIyTjTrTx9gp93YuMjXlGpdNd9IRFhw9HU8VBxUiwnPfKi93LvdYOs5j64K8vi2Sz+ofAn6GrNLtPwVwevNPk0rAQCqAilyOI4TMPls+PTNJgqLA+GE2thyK0Zz7fqlHtPhNTjUbLJ7q5PM3l3bZP4Jsd/4vj/t4fVsEkws7DHghwxSdMfpMzyD5+dEGnR3HYoypsTFqSOeqXOJWWT7DSVzHEn19xmszYfpYO1+/uzzla+gLx07r/PxZP/5wXotJHfBTwJ+LAxByzwRM4ixwONcfqwqcajIs88SPqNL49PUluJ1KTj3ueoIpoMSl8NmbSviHD1ecE7bZsC/K3/6ujff2RVNluIPofxgmjK2x8clrS5g+2m7ZIayqsP9knL//fRtPvRvsUmbutCvMGe9AyzMMIgR4XAqfua6E4ZWZ11TThD+8E6Q+/0KzQ8gqwJyRrwKIANvzOYCiwKtbwmw7Yo0C++p5Lm5c7EYUwA8nBNSUyxyBL9xchtfV+TR0Q5JafvuhNo405FSdNYgCIJmlu2q2k3/7k0r+8kNl/M295Qyr0CyzSKsqNPtNfvJHP//+fAf+kJw8LX6TR94K5M26LJDVflfNs+b423I4ymtbC9IZaTsJ7v9cUQg+qa3IrUBO2wlFkf3PHlwTZMYYRxch7Al2m8Knrythz4kYh+v1vBJYTAGLpzjPydbyh0z+59UAT64PEonnniQzUOnFLhQYpmw7/sCVXj5ypTdVTrtgkoMr57p4/O2gZeaoZN7Dw28GONmoc9tlHtbuCLP9aH4p36YJU0fb+fR1pdgsXEwgInhwbYD2oJnvoqKTRwJQEjk3oUtzBAqkHyDnhnKqAg0tOsMrtXNSNXtCuVelskRlw/4ocT33PbkC+IKCySPtjEk0zTzZqPOvT/h4YVMI3cg9ScYUsi+fpip5XeOliCRrz+xxdv7m3nI+dLm3SwLP/ro4z2wI0pilLyj53eNndd7aGeZQvZ6XghYCStwKX7+nnHkTrXV2fvb9EE+uD1r6bgY0Aj8CmnPd/0MeFkBaRmAd0g8wLJ/RxA14+M0gi6c4GWehQ+5V89zsPhHnobWBnM+pJFiLf/6sn4qSCnxB6enff1LGZXMKNyInxsJJDj57YynhmOCRNwPsOh675LviWIEpZGfiW5e6+cz1pV3yNKJxSYr6v28EaGgxsGlyBc72nqqKtC7yfRSKAvdc4bVE9AmS6++RN4PE81hY0nAIKXt5oRBbgA5gC7Ayn4OoiuyE+vu1Ab55f3lG7jRNhU9eW8LBU3E2Hsi9zbSmytzvv/jvVqIxgS9k5m7yC7BpcOtSD1+4pTRVA75osoOXPwjzv6930JxfzPeihhAwZojG528u5fpFXVmk65sNfv1qB698ECJuSJ/A9YvcPP1eKG8zPhcYJiyf4eQT15RYmi9xXfD7NXL7UaC6iw+Q5Dx5oVCc0huAL+V7vKRDcNk0p6Ua6qpSlS/fXsap5lbqW/LzqDa1yxLlnE1+UyaBfOb6Eu69omvFYblX5cNXetE0+NGTvsEeiL1AUaRS7+6T2Xwwyk+e9nOgLkZ1qcZ9q718eLWXcq/KxOF2vvabVs629R95iylgTI3GV24vs8TxD7BmR4TXt4VzKfbpCTpZNunpDYXybW8HTud7EEWRZBy/fa3DcovsWePs/PmtZXidSl69BZU8kkBME6aMsvFPH6/gY1eX9MpCM6xCu+Cr7ooJU8gGKN0ZoY+f1TnSEGfuBAc/+EwlX7i5NJXYM2OsrOTsL6WapI7/81vLmDHWWv7byUad377WQTiaU5vvnlAP7CjEgXJ2AkKXhKAAcAUwLd8LStKIh6KCy2c6LcVoJ42wE9EFO48Vn0g0HUlG4dVzXPzDhyvOcQR135++/EGYzQcvPqKRgkGR++QRVRpT06o3xw+zM2mEnY9dXcKMMZ3vx3XBC5vCvLApRDAiUs+jmL
dXVeGT15Zy/2qvpQUjGhf84rmOQpOtrAN+C5j5OAChcBZADIvtiK1AUeHVrWFe2myNPkxV4VPXlnL9Qne/rQSmkOSSn7y2hO9+vIIJwzt3P4Ypr39/XSf/YUwX7DvZvwrqQoOC5Cb49SsdHKrvvHclLoWbl3Rl1jnbZvBvT/n41yd8NLabzBlv5/bLPJS48rME+4Ip4IZFbrnvt6hlXtwU4vWtBTP9k1hLlpycvaGQl/U2WXYP7g0KUnP+z6sd7DtpbZxel8JX7ihj0WRH0bn8DFNmJf7tfeV88bayLnTPgYjgP1/084tn/V1WiGafyYmz+iXlABSiM33XqkyqCpxsMvjPFzsIhM99kKYJ7+2L8vX/aeWJdyQJ7j0rPfzos1V892MVfPhKa065bGGYsHiKg6/cUZYxVyWJPbUxfvu6ZCMq4GNvJMv2X30h71uVZoIcQHomC3NhCtS3GPzyeT9tAWsSPbxS46/vKWfyyOJ1GTaFTET5109XctsyT5fogxDwP6928JtXA1R41S4r1rEzcZr91stMRdr5DDOLjqznGSJxvTZN0q6PrbExskrD45T19lZWZ02F9Xsj/OGdc53ce0/G+PZDbew8FmPcMI2/u7+cb9xbzvBKDUWRxTgThhWWTDbp4/mbe2QGohW0dpj88vkOGvJ0TveAD0jwceZr/kPhogAg04JfAG4q1AE1FTYejPK71zv46h3lPdJ3d8e00Xa+cW8533mondNthb35qgK3LHHzxdvLepwIigLjh9oYWqEye3zXCrR9J+NELVJvCQHDqzQ+cU0JsYRv4/39USLxgq4kBYdpSlLOVXNcrJrtYsJwGyUuBd2Q+RYb9kV4cXOYMxaei2nCI28FmTXOwWXTO6tFh1ZoTBlpZ/Y4B1+8rZSp3drN7T4ek81lCzimkdUa37i3PGNruyR0QzqyNx/MPTzdCwSy+29O/H89odCtZV9HliaOL+SQ//huiEkj7Ny53BrF0pKpTr5+dznff7yd1jzIHbpcRqLg45alnj5XgTsv9zB1tL2Lsoobgn0n45ZXcVPAnPGOFFlKfLXg31/o4OG1gS4eruRWR1HOP62XKWRE5st3lLFkivMcRTeyWmPBJAcrZrkkPXdD39shRZGr6K9e7GDCcFvqng+r0PjBpytx2JQuprgvaPLYuiB/eCdYsG4/ppBWzNfvKWfxFOut65/fGObpDVn36LCC48AbhTxgXlGAJNKiAe3AFGBJoS5QUWSW4IG6ODPGOBhpgWIZYMJwG1WlKluPxOTKWQAOgZguSUXKPSpjh9oIRQUPrglw8JTOhBH2FPFETbnWpaS4yWfy0NpAimnYCm5Z4mHBJBlV0FSFcq/K2h2RFCGK3aZwzTw3M8bY0Q0IRUTOZq+wWGLbG0whufe+94lK5ox39Hmc4ZUaNlXh3b2ZFzE1kakZ1yXhp5rQcm6H0oXkY09tjB8+4eP5jaGCNXQ1BZR7VL52dznXL7TG6w/wwaEoP3rKhy+UO7FIH3gYeAwKY/5DgRQAdKkN8AN3AdbyIy1AUSAQFhxuiLNkqrOLad0Xpo22U+ZW2HYkRqxA+fhtQck2s/1ojJc2h3nlgzAbD0Q5dEpn1BCNYT2Ug+6pjfPMhpAlv0SSxPTT15V2KU32ulQ2HYhS32IgEhbCDz5TyY2LPFy3wI3XpbD1SCwrD7gpZOegUrdKqVvBMMm6LbpIlFP/7X1d8+EbWg3++G6ITQejqIr0zNc1G6zdEeHVrWFOZ8G4e/S0zshq2znmfjQueHZDiH970s++k/GCUbabAkrdCn/xoXJuv8ya1Qkyk/WfH/NR22gUwxHZBnwTOAW5kX/0hEJvAQA2A68B9xfyoMm67p8+7ec7H6uwnIF11wovhgn//ryfYCT/1UFVZKjq/f2yCjO5x3tnT4T9dTEeWO3l/lVeStJIIfafjEvqbQvnFiaMqrZ1CSuCLCxaNs2ZEvKZY+0p4onqMpVpo+2oioJpcaMhBCyf7uTOyz
2MqbHhcSocO63zny/5OdxgnZ8+uV1ZPLXTRG7tMPmnR9rZeEDeo9+vCVBVqlLmUZk6Wm7lyj0q63ZFLBF7hGOC37zawbTRtlRDl/oWg1+/0sGrW8LE9Jx66fU6nlK3jChZ3XImx/zTp30cqMuL368vvIJMuS8oCqYA0oqDYsB/AzcC5YW8WFWVgvarF/187a7yjBTPICfQvVfIpI1/f95PRzh/0yy9CWcSWqLm/NevdDBttJ2Vs6QBZJjSc2213bNACndFDwpu2XQnD78ZIBgVzBnfNelo+9EY0bg1QUj2SvizW0u7HGfcUBt2G3zzf9uyUpaTRtpwpWU/bjsSZeth2WLM61K4YraLFTOdzJ3gYNQQG6oit2jbj8Ys7ddVBWrP6vznSx18495yDtXH+dWLHeyvixfU/2EKKEsI/10rrCX6gFRQ//GCn3f3Fq2zUjvwaxKx/0KZ/1AcCwBgPfBH4DMFP7IiSyqrSjX+9KZSSxNeUWSbaLum8Ivn/LQHC+MY7A5VkcIVT8tibmw3OFxvPf5vU2H+JEePumLySDtTRtmpTfDcJRGISDZbqzCF7J83cfi5Xu2l05wsmerkzZ2RLGrtu34xHBOp+P/yGS6++/GKc4q7Jo+wM32Mnff3Ry2dR1Ulm++Jszotftn5uJDCZgqo9Kp89UNl3H6Zx3IUQTfgd6938PzGUDFTEJ8C3ivGgQuqr9I0kw78AjhZ6AtWAMOAh9YGeOKdoOU9r6JID/037iunplwtWp5AXJetuJOobdQ5a7GTULK33cxecsw9ToVl051MHWVnZJp/4GSjnlX7NAVJhNJTQovDpnDtAjf2LJaGuia9S/7+2MSWAqQCjMbOfUguh3KOFZMJpoBjZ3T8eVRs9nhcE4aWa/zt/eXckYXwCwF/eDvAw2uDBSkv7gW1SFnSobCrPxRYAXTDLuDnyPZhBYWiyLZe//mSnxc2ZRduuXGRm29/pIIxQ7WiZAwqCrywKcRz74doD5gcqIsTt0g5ZQpJfDqqulP6WjtMWvydF7p8upOr57twpJncu47H8FsMfQlkOHPx1E7hixsi1SUIZMbb2BpryTSKAofq45xt77zG8cNtjE9wOhxukOXaDS0GB0/FuyjscUM1bFnOwEL3ZjRMGDvUxrc/WpGVtx/guY0h/uvlDqIFiDL1dnlI0s89RTk6BYwCJJEWEgTZtGBG4lVQKApE47DzWIwRVRqTRlhnJh871MascQ4O1cdpbC9sfX5SOW08GOXNHRHe3x+1nAoqhGyLnvQfAKzdGWb38VjKw15RojJ+mC1VcWiY8OhbQcuOO2HKrcQnri1J+VD21sbZdSyeSnTxulTqm3V2Hsvc/iw53nkTnUxMOC5ddoX2oOCDQ1F0A7YeifHCpjB1TTpXz3elCrxOnNV5c2fkvGU5mokWXt/6SEVWcX6QZes/eVqy+hYxB+MZ4DtIv1rBV38okgWQdqEdwD+Q6F1W8ItP8An+6CmfbK2cBeZOcPAvn6rkitnOFAVVoSB56QXHz0pz1er8cDmUVOwf5DVtORRj3e4I4ai8QodN6UI73eI3OHAqblmJCWQqc0VaKHXTwSjPvh9KnQPgyrluSj3WCmuicVmzn46bFruZPsaObgoafQbBiMk187uSfDS0GOjnoclSkrVp1RwX3/9kZdZbkTXbw/z4j76i+ZIS2IuUnQAUR/ihuFuAJPYBXydP+uJeB6BI7/sPn2jnrSyVwLihNr778UruvUI6CAtdRZaNuWoKGFGpdWli2h4w2XcyxuH6OEdP91wUdeS0ztksUp5ddoWl0zpXu3BMsPVwjD21sS7Vi9PH2Jk51lqdvaLAxkSOQhIjqjS+9eEKPnpVCR+/uoQffbaqC8mLL2Tyzp5Ivxc5CAF2TeG+VV6++7EKSx180rFme5gfPumjpaOown8W+BqyvqaoKJoC6KaxXgG+gUwSKvwgFGj0mfzgiXbWbLdWQpxEZYnK1+4u4yt3SHaX89XwUwiYPd
7OkPLOXdmJszoNrQYdIcGmgz2zP+86FiMSs+5jGFmtdampb2gxONwQpyNkpuL2IB2OV811WYqyqArUNes8935Xf8yMsbIu46/vKeey6c7UsXRD8PDaALuPx/qVICXJ2vQXd5bxV3eV9Rhq7QtvbJPCn01RVw7wAX+DzKUBirf6QxF8AOno5g/YidwSrAKys7ksQFEgmAiHDSnXLBdugEy1nTvBwZSRdo6e0Qveecgqbl3mYX5aNt2bO8O8szuaMlmld77zwqJxmYpcZ7HBhJkwe29Z0tm6SlNlx+PLprtYPMXRJZOxNJGsE7DSvUbAkQadIeUqU0bae/1+e9Dk168EeHRdMOusw3xgmtKq+eb9Fdy0xJ11M5CXNof40VP+Yq/8HcDfAr9LvlFM4YciKwA4RwlsQSY1XAFk53WxAEWBUFSatKVuheljHFlNsDE1NpZNc9IelLX7/c3iG4kJmeduV4gbshFpbaMU7mBEtjcfmlaIVNdk8NDaoKSasnCdNhU+dnVJl5Ral0Nh+mg7c8Y7zkljLvOoHK7XOXDKmjMwGhdsORSl2W9S5lZxOpRULUezz+TdvVF+8ayf17eG+034zQRR602L3fzdA+XMGpdl6NGEp94N8vNnO4q95/chreT/JrExKrbwQz/2rUhkCSbP+XHg38iTSrw3mAK8ToU/ubGUj13l7bJqWkE4JnjmvRC/XxPgbLvRb12BkpO1plzD61I42aijG52ffeWOMj59XWf7hVe2hPn2g22W9ulCyEKc//5KdaoHghWs2xXhb/+3zXIoM+lQLfOojKjUKPeq6Kagqd3gTJss7Okvs98w5Zg/eW0JH7rcYylzNB0xXW5Vfvt6wLKSzRFnkH6yR+lH4Yd+sACS6GE7sBtYBNQU+lyKIhNyth+NEYwI5oy3d4mbZ4JdU5gzwcHciQ4a2w0amo0U31wxoSQyCQNhQau/a1a/AFo7DGaMkWnCmqrw0uYw245Y4xg0BSyb5uRDl3tSVXUtfpNdx2PUNRmcbDI4dlrnZJNOdamaul8VXpX390cth0uT5KrRuKDZb3KqxeB0q4E/LFKfFxtCSCWzfIaTb95fzrUL3Ja69qSjIyxLkR9cGyAaL+p17wW+ADybfKO/hB/OQ+eqNEsAYDayu8mNxTiXENJBdf0iN1+9s8wym0s6/CGTp9aHePydAI3tebdzyns8Q8pVJo2QZCM7jsZobLdeVfeNe8u5b5U39f8f/9HHE+8EpUIQYAqBoih86yPl3JpGzf0fL/j5zauBC6I/omHC0AqVD68u4e6Vni50bVZxps2QW5Vt4WIr/peRDr+9yTf6U/ihHy2AJLpZAo3Aq4l/z6PAzsHkgzvcoHOgLs7UUV297FbgtCssmOxg3kQH7QGTU806Rj86r7qPJxQR1DUZHGnQCWVhljrtMvQ1eoiN9oDJ8xtDPLpO+g9SvH1C5ra3dJiMHqLR6jc50SgTgg7VW881OB8wTbDbJEPzN+4r54ZF7l7p2fvC/pNx/vnxdtbvjeZFFZ8BHcDPkGZ/Kl2+v4UfzmPvym6WgAbcCfwj0iooOAxTptl+9Y4yy11cuyMUFby6Jcyj6wIcPS37yg1koUiHosDUUXZGD9GoazI4dibea89CkehrmHTg6boYsJyESZ/D5BE2PnpVCdcvcqfqELI6DvDWjgi/eM5PbWNRu0HvQs7z50hLkz8fwg/nuXltNyUAMAkZBvkIYL0Y2yJMU3bp+eS1JTyw2os7h4kCshb9yfVBXtwcotlnFjw/vVgwTbnSq0pmR1xS4AfqsJKMwzXlKrcu83DvSq9ltqjuCEUFj60L8ODaIP4CVxmmnwbJ6PND4Fj6B+dL+GGAPN9uisAB3IFkP1lQ6HOJBAvO9Qvc/NmtpYwekltFtAD2nojx+NtB3t4dkTwD6gC5oRcxBFKRlXkUVs9x8cBqb9ahvXTUNen86sUO1mwPFzPsuw34AXLVT6Vbnk/BT2LAzNcerIHRwJeRnAJDCn
2+ZGLIF28rZcVMV84PPm4Ith6K8cT6IJsORglGBhVBMZAUfK9L4bLpTu69wsviKY6svfup4wlJPf6rFzo4eKpoLD7NwP8Av0S280phIAg/DMB52k0RKMiuw3+NjBRYT++zgOSW4IHVXj58pdcy12BPiMYFmw9GeXpDiA8ORglExAWzNRjISJr6JW6FpVOd3LXCw5KpzpwcfEm0B00efUsyCBfJ5I8hnds/QhJ5pFwoA0XwkxiQ07MHa6AEuBf4C2BuIc+VDPMsnebk8zeXdknFzQXRuExHfn5jiI0HorQFzAFB232hIRmVqCxRWT7Dye3LPCyY7MhL8EHmhvz3yx18cCharBDfTqSH/ym6te8eaMIPA1QBJNGDIhgDfB74E2B4Ic9lmNKh9MDqEu5Z6cnLGgBZ8LLvZJzXtoZ5Z0+EhhYDw2Rwe9AHkma+psqipVWzXdy4WFKf52rqJ9EeNHlqvVz1m3xFyec4jTT3f02CuTeJgSj4SVwQc7EHRbAY+Ctk6DA7Gpc+kEwcWjTFyWduKGHJVGdBVu66Jp31e6O8uUM2DE0Sbg5aBRLJ1b7EpTB9jJ1r5ru5YrYzZwdt92NvPhjld691pBiVC7zqh5BZfD8FtqZ/MJAFP4kLagp2UwRO4FZk3fTyQp7HMGUK7K3L3Dyw2luQiQiSvHPvCUnwselAlFPNeqpfwaWmDJJC77B1FmGtnuti9jiH5eabmXCqWeexdUFe3BzGFyz4qi+A94EfIzP6UrXUF4LgJ3HBTbserIGhyC3BnyMjBwVBMsFk4nAbH17t5YbF7i5MPPmisd1gx7EY7+2LsvNojNNtusw5R7ZHv+AeTAYIJB2ZAJx2GFFlY/5EBytmOpk30dGlyjFf+EMmr24N8/jbQY6fKUrCVh3wH8iy3ab0Dy4k4YcLeJ71oAjmI/Oq76KApcbJCr2Fk5x85Covy2c4u7SlyhdCyPZXe2tjfHAolijO0QkmWn0l01EvtAeV5DBIbqu8LoUxNTbmTnCwZKqTWePsDKvQCiqY0bhs2PLougDbj8TQzYJbVhEk3f2PkM6+FC40wU/iQptX56CbInAB9yCzCWcV8jxGIga9YqaL+1Z5mD/RaalbcbZoD5qcOKOzuzbG7uMxjjToNLYbhKKdvf8GYngxGa5LXp/HqTC0QmPySDtzJ9iZPd7BhGG2vJ2rPUE3YPvRKE+8E2TDvijBaOE6BaVhD/CvSAWQ4p67UAU/iQE2jXJDHynFH6OAPQqTXuoKr2yBfdcKD3PGO4qWN26YsgS4rsngcH2cg/Vxjp/ROdNm4AuaROOiC7V50lIolnJIbovSuRM1VRYalXtl/f+E4TamjrYzZaSdsTUalaVa0e6PbsDuEzGefi/IO3uiqWYhBR5+GHiIAZbCWyhcFAogiR5Sih8Avo1UCAVDcrWrLFG5YraTOy7zMGeCo6Bbg94QigpaO2SNfV2zQV2TTkOLQWO7QVvApCNsEokJYrrAMDqFljTm494URKpLcOKPpD9CUyUbscshGYkrS1SGVmiMqtYYU2Nj9BCNEVUaVaVaToU42SKmC3Ydi/HcxhDr90ZpDxStHuMI8F3gDwywFN5C4aJSANCjNTAP+Bfg5kKfK6kIyj2SaffWZZ5eO+4UE6YJkbggEDbxh0x8QUF7ULbP8oVMAmGTYEQQjskGIHFdWg7pJrtNBZtNwWlXcDsUvC6FErdKuUel3KtSUaJS4VUp9SiUuFRcdqVfCT1BRlG2HIry4uYQmw9G8YeKmm35IvB3SOKaFC4m4YeLUAEk0U0RVCGLi75IAfMGkkgqArdTYfY4OzcucrNilovhlf1Ot5ARyfCbEKJLxZ+iKAM2HHm61eC9fRFe2xJmT21np+UiCX4Y+Hfkfr8t+ebFJvhJDMDHXTh0UwI24NPA9ygSFyHIfbtNk/3xVs52cfU8F9NH27Pmo7vUEY4JDtTFeWtnhPV7ItQ1S37EIrMSnUE24/g9iV58cPEKP1zkCgB63B
Jcj+xZWPB2ZelIrrTlHoVZ4x2snuNi2TQnY2psFwS11vmAbsj+ApsORHl7d4S9tTH8oX7LmtyLrDVZk/7mxSz8cAkogCS6KYJ5SDPvimKfN7k90FTZgXbeRAeXz3SyYJKDEVW2ooQSLyTohqChxWD70Rgb9kXZeTxGky9RN9F/4c63ga8g2XqAi1/wk7hkFACcowTGIfO37+qv8yeVgU2DoRUas8baWTLNybwJDsaktdS+2BGKCuqadHYei7H5UJR9tXEafQa6cV5yHJ5C1pXUJd+4VIQfLjEFAOcogWpkhOBP6GeC1HTLoMKrMmG4zJKbO8HB5JE2asq1vEtfBwqicUFju8GR0zq7jsXYdSLG8TM6vqDZ3yt9OgzgN8DfA63JNy8l4YdLUAHAOUrAi5wEf0URuhVZQXoWndOuUF2mMn6ojelj7EwbbWfCcBvDKjRK3OqA9x8YpuTUb2w3OH5GdhU6UBen9qxOS4dBNBFNP8/ZjBFkEc8PkNV8wKUn/HCJKgA4RwnYkXvA7wCl5/va0hWCXZM9+oZVaIyp0ZgwzM64YTZGVmvUlGuUeRTcDrXffQm6IfMK/EFBk9+gvsWg9qzOibNxTjbJxKSOkEk80dloAKUv+5HP+T+4SJN7ssHAeCTnEd1aln0SmfI59HxfVzqSRTXJuL1NA7dDodSjUlWqUlOmMbRCo6ZCZUiZRmWJSplHpcSl4HbK5B67pmDTQFWVlDAmBTJ5fFOAaQp0Q3IdRuOCcFQQiAj8IZO2DpNmv0GTT67wTT6D1oBMPorERKqNWTIdeYAIfDrOIgvGHqKfW3ANVAy8R3Qe0M0auA34BTDhfF9XX0im93bvC6ipUkHYNdlk1Jl4OWzgsCs40hVBYjthmp2CHzMEsbggpsu9ezSe/L/MHjS6tU9XFVJpwwMcx5BW3kvJNy514YcL4rn1D7opgRVIJtf55/u6coVI/XFuLUAmpNcC0P3fFya2I7NA30++MSj8Ehf4cy0suimBmUhL4NrzfV2DyAuvA18FDiTfGBT+Tgxwn3L/otvE2Ad8AniQtBZOg7hgYAL/h/TrDAp/Lxi0AHpAN0ugBNmX4GvIkOEgBj4CyDDfj0mj5h4U/nMxqAB6QQ/NSz8M/DMyg3AQAxcnkHkdjzMAmm8OdAwqgAzopgiWIsOEV57v6xpEj3gTyQT1QfKNQcHvG4MKwAK6KYFhyC3BnzIAkoYGAUAH8F9Ik78x+eag8GfGoAKwiB62BLcB3wIWnu9ru8SxFcnx8CIyvx8YFH6rGFQAWaC/OxgPok80Ab9lAHfevRAwqAByQA8djJcjs8xuQUYNBlE8dCCz+X4BbGIAd969EDCoAHJED9aAE+kc/CwyeajifF/jRYY24A1kA863kS24UxgU/twwqADyRA+KwIFsXnovcAMwGVltOFBgpr3SeUHVtNdAQRxJzf0q8CRyvz8o+AXEoAIoEHpQBAAjgWXAVcASYCLSMnAU6LQCSV4ZQ7LZBpHlru1Ikovkqw3wIc3nELIePk4n8aUNqaRcyGSnUqA8ca1Vaa8KoAy5zXElxmGjcPMolrjW48Bm4C2kmX+6+xcHBb8wGFQABUYvigCgEqkAZiHrDKYAY4AapLC5kQKVXIEFUkijSKENIIW4FekAO5t4nUGGvpqRwuOnq5AXAknl4EEqgCqk03MoMiw6PPHvmsRn5Ugl4kZujex0zjWTToXlS4ylDjiMJObch6zca+vpQgYFv7D4/4e71LADeWVKAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTExLTEzVDE1OjMzOjQ3KzAwOjAwe+FmswAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0xMS0xM1QxNTozMzo0NyswMDowMAq83g8AAAAASUVORK5CYII= + mediatype: image/png + install: + spec: + clusterPermissions: + - rules: + - apiGroups: + - 
cert-manager.io + resourceNames: + - issuers.cert-manager.io/* + - clusterissuers.cert-manager.io/* + resources: + - signers + verbs: + - approve + - apiGroups: + - cert-manager.io + resources: + - certificates + - certificates/status + - certificaterequests + - certificaterequests/status + verbs: + - update + - patch + - apiGroups: + - cert-manager.io + resources: + - certificates + - certificaterequests + - clusterissuers + - issuers + verbs: + - get + - list + - watch + - apiGroups: + - cert-manager.io + resources: + - certificates/finalizers + - certificaterequests/finalizers + verbs: + - update + - apiGroups: + - acme.cert-manager.io + resources: + - orders + verbs: + - create + - delete + - get + - list + - watch + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete + - patch + - apiGroups: + - '' + resources: + - events + verbs: + - create + - patch + - apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests + verbs: + - get + - list + - watch + - update + - apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests/status + verbs: + - update + - patch + - apiGroups: + - certificates.k8s.io + resourceNames: + - issuers.cert-manager.io/* + - clusterissuers.cert-manager.io/* + resources: + - signers + verbs: + - sign + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - apiGroups: + - acme.cert-manager.io + resources: + - challenges + - challenges/status + verbs: + - update + - patch + - apiGroups: + - acme.cert-manager.io + resources: + - challenges + verbs: + - get + - list + - watch + - apiGroups: + - cert-manager.io + resources: + - issuers + - clusterissuers + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - events + verbs: + - create + - patch + - apiGroups: + - '' + resources: + - pods + - services 
+ verbs: + - get + - list + - watch + - create + - delete + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch + - create + - delete + - update + - apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes + verbs: + - get + - list + - watch + - create + - delete + - update + - apiGroups: + - route.openshift.io + resources: + - routes/custom-host + verbs: + - create + - apiGroups: + - acme.cert-manager.io + resources: + - challenges/finalizers + verbs: + - update + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - cert-manager.io + resources: + - clusterissuers + - clusterissuers/status + verbs: + - update + - patch + - apiGroups: + - cert-manager.io + resources: + - clusterissuers + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete + - apiGroups: + - '' + resources: + - events + verbs: + - create + - patch + - apiGroups: + - cert-manager.io + resources: + - certificates + - certificaterequests + verbs: + - create + - update + - delete + - apiGroups: + - cert-manager.io + resources: + - certificates + - certificaterequests + - issuers + - clusterissuers + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingresses/finalizers + verbs: + - update + - apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - httproutes + verbs: + - get + - list + - watch + - apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/finalizers + - httproutes/finalizers + verbs: + - update + - apiGroups: + - '' + resources: + - events + verbs: + - create + - patch + - apiGroups: + - cert-manager.io + resources: + - issuers + - issuers/status + verbs: + - update + - patch + - apiGroups: + - cert-manager.io + resources: + - 
issuers + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete + - apiGroups: + - '' + resources: + - events + verbs: + - create + - patch + - apiGroups: + - acme.cert-manager.io + resources: + - orders + - orders/status + verbs: + - update + - patch + - apiGroups: + - acme.cert-manager.io + resources: + - orders + - challenges + verbs: + - get + - list + - watch + - apiGroups: + - cert-manager.io + resources: + - clusterissuers + - issuers + verbs: + - get + - list + - watch + - apiGroups: + - acme.cert-manager.io + resources: + - challenges + verbs: + - create + - delete + - apiGroups: + - acme.cert-manager.io + resources: + - orders/finalizers + verbs: + - update + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - events + verbs: + - create + - patch + serviceAccountName: cert-manager + - rules: + - apiGroups: + - cert-manager.io + resources: + - certificates + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - events + verbs: + - get + - create + - update + - patch + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - update + - patch + - apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + verbs: + - get + - list + - watch + - update + - patch + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - update + - patch + serviceAccountName: cert-manager-cainjector + - rules: + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + serviceAccountName: cert-manager-webhook + deployments: + - label: + app: cert-manager + app.kubernetes.io/component: controller + 
app.kubernetes.io/instance: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/version: v1.13.1 + name: cert-manager + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/name: cert-manager + strategy: {} + template: + metadata: + annotations: + prometheus.io/path: /metrics + prometheus.io/port: '9402' + prometheus.io/scrape: 'true' + labels: + app: cert-manager + app.kubernetes.io/component: controller + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/version: v1.13.1 + spec: + containers: + - args: + - --v=2 + - --cluster-resource-namespace=$(POD_NAMESPACE) + - --leader-election-namespace=kube-system + - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.13.1 + - --max-concurrent-challenges=60 + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: quay.io/jetstack/cert-manager-controller:v1.13.1 + imagePullPolicy: IfNotPresent + name: cert-manager-controller + ports: + - containerPort: 9402 + name: http-metrics + protocol: TCP + - containerPort: 9403 + name: http-healthz + protocol: TCP + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + enableServiceLinks: false + nodeSelector: + kubernetes.io/os: linux + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + serviceAccountName: cert-manager + - label: + app: cainjector + app.kubernetes.io/component: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/name: cainjector + app.kubernetes.io/version: v1.13.1 + name: cert-manager-cainjector + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/name: cainjector + strategy: {} + template: + metadata: + labels: + app: cainjector + 
app.kubernetes.io/component: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/name: cainjector + app.kubernetes.io/version: v1.13.1 + spec: + containers: + - args: + - --v=2 + - --leader-election-namespace=kube-system + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: quay.io/jetstack/cert-manager-cainjector:v1.13.1 + imagePullPolicy: IfNotPresent + name: cert-manager-cainjector + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + enableServiceLinks: false + nodeSelector: + kubernetes.io/os: linux + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + serviceAccountName: cert-manager-cainjector + - label: + app: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/name: webhook + app.kubernetes.io/version: v1.13.1 + name: cert-manager-webhook + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/name: webhook + strategy: {} + template: + metadata: + labels: + app: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/name: webhook + app.kubernetes.io/version: v1.13.1 + spec: + containers: + - args: + - --v=2 + - --secure-port=10250 + - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE) + - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca + - --dynamic-serving-dns-names=cert-manager-webhook-service.$(POD_NAMESPACE).svc + - --tls-cert-file=/apiserver.local.config/certificates/apiserver.crt + - --tls-private-key-file=/apiserver.local.config/certificates/apiserver.key + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: quay.io/jetstack/cert-manager-webhook:v1.13.1 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /livez + 
port: 6080 + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: cert-manager-webhook + ports: + - containerPort: 10250 + name: https + protocol: TCP + - containerPort: 6080 + name: healthcheck + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 6080 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + enableServiceLinks: false + nodeSelector: + kubernetes.io/os: linux + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + serviceAccountName: cert-manager-webhook + permissions: + - rules: + - apiGroups: + - coordination.k8s.io + resourceNames: + - cert-manager-controller + resources: + - leases + verbs: + - get + - update + - patch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + serviceAccountName: cert-manager + - rules: + - apiGroups: + - coordination.k8s.io + resourceNames: + - cert-manager-cainjector-leader-election + - cert-manager-cainjector-leader-election-core + resources: + - leases + verbs: + - get + - update + - patch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + serviceAccountName: cert-manager-cainjector + - rules: + - apiGroups: + - '' + resourceNames: + - cert-manager-webhook-ca + resources: + - secrets + verbs: + - get + - list + - watch + - update + - apiGroups: + - '' + resources: + - secrets + verbs: + - create + serviceAccountName: cert-manager-webhook + strategy: deployment + installModes: + - supported: false + type: OwnNamespace + - supported: false + type: SingleNamespace + - supported: false + type: MultiNamespace + - supported: true + type: AllNamespaces + keywords: + - TLS + - secrets + - security + - certificates + links: + - name: Documentation + url: https://cert-manager.io/ + - name: 
Release Notes + url: https://cert-manager.io/docs/release-notes + maintainers: + - email: cert-manager-maintainers@googlegroups.com + name: The cert-manager maintainers + maturity: stable + minKubeVersion: 1.19.0-0 + provider: + name: The cert-manager maintainers + url: https://cert-manager.io/ + version: 1.13.1 + webhookdefinitions: + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: cert-manager-webhook + failurePolicy: Fail + generateName: validate.webhooks.cert-manager.io + matchPolicy: Equivalent + rules: + - apiGroups: + - cert-manager.io + - acme.cert-manager.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - '*/*' + sideEffects: None + targetPort: https + timeoutSeconds: 10 + type: ValidatingAdmissionWebhook + webhookPath: /validate + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: cert-manager-webhook + failurePolicy: Fail + generateName: mutate.webhooks.cert-manager.io + matchPolicy: Equivalent + rules: + - apiGroups: + - cert-manager.io + - acme.cert-manager.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - '*/*' + sideEffects: None + targetPort: https + timeoutSeconds: 10 + type: MutatingAdmissionWebhook + webhookPath: /mutate diff --git a/operators/cert-manager/1.13.1/manifests/cert-manager.io_certificaterequests.yaml b/operators/cert-manager/1.13.1/manifests/cert-manager.io_certificaterequests.yaml new file mode 100644 index 00000000000..a6cc361c039 --- /dev/null +++ b/operators/cert-manager/1.13.1/manifests/cert-manager.io_certificaterequests.yaml 
@@ -0,0 +1,268 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + app: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/version: v1.13.1 + name: certificaterequests.cert-manager.io +spec: + group: cert-manager.io + names: + categories: + - cert-manager + kind: CertificateRequest + listKind: CertificateRequestList + plural: certificaterequests + shortNames: + - cr + - crs + singular: certificaterequest + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Approved")].status + name: Approved + type: string + - jsonPath: .status.conditions[?(@.type=="Denied")].status + name: Denied + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .spec.issuerRef.name + name: Issuer + type: string + - jsonPath: .spec.username + name: Requestor + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: "A CertificateRequest is used to request a signed certificate + from one of the configured issuers. \n All fields within the CertificateRequest's + `spec` are immutable after creation. A CertificateRequest will either succeed + or fail, as denoted by its `Ready` status condition and its `status.failureTime` + field. \n A CertificateRequest is a one-shot resource, meaning it represents + a single point in time request for a certificate and cannot be re-used." 
+ properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Specification of the desired state of the CertificateRequest + resource. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + properties: + duration: + description: Requested 'duration' (i.e. lifetime) of the Certificate. + Note that the issuer may choose to ignore the requested duration, + just like any other requested attribute. + type: string + extra: + additionalProperties: + items: + type: string + type: array + description: Extra contains extra attributes of the user that created + the CertificateRequest. Populated by the cert-manager webhook on + creation and immutable. + type: object + groups: + description: Groups contains group membership of the user that created + the CertificateRequest. Populated by the cert-manager webhook on + creation and immutable. + items: + type: string + type: array + x-kubernetes-list-type: atomic + isCA: + description: "Requested basic constraints isCA value. Note that the + issuer may choose to ignore the requested isCA value, just like + any other requested attribute. \n NOTE: If the CSR in the `Request` + field has a BasicConstraints extension, it must have the same isCA + value as specified here. 
\n If true, this will automatically add + the `cert sign` usage to the list of requested `usages`." + type: boolean + issuerRef: + description: "Reference to the issuer responsible for issuing the + certificate. If the issuer is namespace-scoped, it must be in the + same namespace as the Certificate. If the issuer is cluster-scoped, + it can be used from any namespace. \n The `name` field of the reference + must always be specified." + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + required: + - name + type: object + request: + description: "The PEM-encoded X.509 certificate signing request to + be submitted to the issuer for signing. \n If the CSR has a BasicConstraints + extension, its isCA attribute must match the `isCA` value of this + CertificateRequest. If the CSR has a KeyUsage extension, its key + usages must match the key usages in the `usages` field of this CertificateRequest. + If the CSR has a ExtKeyUsage extension, its extended key usages + must match the extended key usages in the `usages` field of this + CertificateRequest." + format: byte + type: string + uid: + description: UID contains the uid of the user that created the CertificateRequest. + Populated by the cert-manager webhook on creation and immutable. + type: string + usages: + description: "Requested key usages and extended key usages. \n NOTE: + If the CSR in the `Request` field has uses the KeyUsage or ExtKeyUsage + extension, these extensions must have the same values as specified + here without any additional values. \n If unset, defaults to `digital + signature` and `key encipherment`." + items: + description: "KeyUsage specifies valid usage contexts for keys. 
+ See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + \n Valid KeyUsage values are as follows: \"signing\", \"digital + signature\", \"content commitment\", \"key encipherment\", \"key + agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", + \"encipher only\", \"decipher only\", \"any\", \"server auth\", + \"client auth\", \"code signing\", \"email protection\", \"s/mime\", + \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", + \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"" + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + type: string + type: array + username: + description: Username contains the name of the user that created the + CertificateRequest. Populated by the cert-manager webhook on creation + and immutable. + type: string + required: + - issuerRef + - request + type: object + status: + description: 'Status of the CertificateRequest. This is set and managed + automatically. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + properties: + ca: + description: The PEM encoded X.509 certificate of the signer, also + known as the CA (Certificate Authority). This is set on a best-effort + basis by different issuers. If not set, the CA is assumed to be + unknown/not available. + format: byte + type: string + certificate: + description: The PEM encoded X.509 certificate resulting from the + certificate signing request. If not set, the CertificateRequest + has either not been completed or has failed. 
More information on + failure can be found by checking the `conditions` field. + format: byte + type: string + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`, `InvalidRequest`, + `Approved` and `Denied`. + items: + description: CertificateRequestCondition contains condition information + for a CertificateRequest. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are (`Ready`, + `InvalidRequest`, `Approved`, `Denied`). + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + failureTime: + description: FailureTime stores the time that this CertificateRequest + failed. This is used to influence garbage collection and back-off. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/cert-manager/1.13.1/manifests/cert-manager.io_certificates.yaml b/operators/cert-manager/1.13.1/manifests/cert-manager.io_certificates.yaml new file mode 100644 index 00000000000..ef4eac378c8 --- /dev/null +++ b/operators/cert-manager/1.13.1/manifests/cert-manager.io_certificates.yaml 
@@ -0,0 +1,559 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + app: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/version: v1.13.1 + name: certificates.cert-manager.io +spec: + group: cert-manager.io + names: + categories: + - cert-manager + kind: Certificate + listKind: CertificateList + plural: certificates + shortNames: + - cert + - certs + singular: certificate + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .spec.secretName + name: Secret + type: string + - jsonPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: "A Certificate resource should be created to ensure an up to + date and signed X.509 certificate is stored in the Kubernetes Secret resource + named in `spec.secretName`. \n The stored certificate will be renewed before + it expires (as configured by `spec.renewBefore`)." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Specification of the desired state of the Certificate resource. + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + properties: + additionalOutputFormats: + description: "Defines extra output formats of the private key and + signed certificate chain to be written to this Certificate's target + Secret. \n This is an Alpha Feature and is only enabled with the + `--feature-gates=AdditionalCertificateOutputFormats=true` option + set on both the controller and webhook components." + items: + description: CertificateAdditionalOutputFormat defines an additional + output format of a Certificate resource. These contain supplementary + data formats of the signed certificate chain and paired private + key. + properties: + type: + description: Type is the name of the format type that should + be written to the Certificate's target Secret. + enum: + - DER + - CombinedPEM + type: string + required: + - type + type: object + type: array + commonName: + description: "Requested common name X509 certificate subject attribute. + More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 + NOTE: TLS clients will ignore this value when any subject alternative + name is set (see https://tools.ietf.org/html/rfc6125#section-6.4.4). + \n Should have a length of 64 characters or fewer to avoid generating + invalid CSRs. Cannot be set if the `literalSubject` field is set." 
+ type: string + dnsNames: + description: Requested DNS subject alternative names. + items: + type: string + type: array + duration: + description: "Requested 'duration' (i.e. lifetime) of the Certificate. + Note that the issuer may choose to ignore the requested duration, + just like any other requested attribute. \n If unset, this defaults + to 90 days. Minimum accepted duration is 1 hour. Value must be in + units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration." + type: string + emailAddresses: + description: Requested email subject alternative names. + items: + type: string + type: array + encodeUsagesInRequest: + description: "Whether the KeyUsage and ExtKeyUsage extensions should + be set in the encoded CSR. \n This option defaults to true, and + should only be disabled if the target issuer does not support CSRs + with these X509 KeyUsage/ ExtKeyUsage extensions." + type: boolean + ipAddresses: + description: Requested IP address subject alternative names. + items: + type: string + type: array + isCA: + description: "Requested basic constraints isCA value. The isCA value + is used to set the `isCA` field on the created CertificateRequest + resources. Note that the issuer may choose to ignore the requested + isCA value, just like any other requested attribute. \n If true, + this will automatically add the `cert sign` usage to the list of + requested `usages`." + type: boolean + issuerRef: + description: "Reference to the issuer responsible for issuing the + certificate. If the issuer is namespace-scoped, it must be in the + same namespace as the Certificate. If the issuer is cluster-scoped, + it can be used from any namespace. \n The `name` field of the reference + must always be specified." + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. 
+ type: string + required: + - name + type: object + keystores: + description: Additional keystore output formats to be stored in the + Certificate's Secret. + properties: + jks: + description: JKS configures options for storing a JKS keystore + in the `spec.secretName` Secret resource. + properties: + create: + description: Create enables JKS keystore creation for the + Certificate. If true, a file named `keystore.jks` will be + created in the target Secret resource, encrypted using the + password stored in `passwordSecretRef`. The keystore file + will be updated immediately. If the issuer provided a CA + certificate, a file named `truststore.jks` will also be + created in the target Secret resource, encrypted using the + password stored in `passwordSecretRef` containing the issuing + Certificate Authority + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in + a Secret resource containing the password used to encrypt + the JKS keystore. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - create + - passwordSecretRef + type: object + pkcs12: + description: PKCS12 configures options for storing a PKCS12 keystore + in the `spec.secretName` Secret resource. + properties: + create: + description: Create enables PKCS12 keystore creation for the + Certificate. If true, a file named `keystore.p12` will be + created in the target Secret resource, encrypted using the + password stored in `passwordSecretRef`. The keystore file + will be updated immediately. 
If the issuer provided a CA + certificate, a file named `truststore.p12` will also be + created in the target Secret resource, encrypted using the + password stored in `passwordSecretRef` containing the issuing + Certificate Authority + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in + a Secret resource containing the password used to encrypt + the PKCS12 keystore. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - create + - passwordSecretRef + type: object + type: object + literalSubject: + description: "Requested X.509 certificate subject, represented using + the LDAP \"String Representation of a Distinguished Name\" [1]. + Important: the LDAP string format also specifies the order of the + attributes in the subject, this is important when issuing certs + for LDAP authentication. Example: `CN=foo,DC=corp,DC=example,DC=com` + More info [1]: https://datatracker.ietf.org/doc/html/rfc4514 More + info: https://github.com/cert-manager/cert-manager/issues/3203 More + info: https://github.com/cert-manager/cert-manager/issues/4424 \n + Cannot be set if the `subject` or `commonName` field is set. This + is an Alpha Feature and is only enabled with the `--feature-gates=LiteralCertificateSubject=true` + option set on both the controller and webhook components." + type: string + privateKey: + description: Private key options. These include the key algorithm + and size, the used encoding and the rotation policy. + properties: + algorithm: + description: "Algorithm is the private key algorithm of the corresponding + private key for this certificate. 
\n If provided, allowed values + are either `RSA`, `ECDSA` or `Ed25519`. If `algorithm` is specified + and `size` is not provided, key size of 2048 will be used for + `RSA` key algorithm and key size of 256 will be used for `ECDSA` + key algorithm. key size is ignored when using the `Ed25519` + key algorithm." + enum: + - RSA + - ECDSA + - Ed25519 + type: string + encoding: + description: "The private key cryptography standards (PKCS) encoding + for this certificate's private key to be encoded in. \n If provided, + allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and + PKCS#8, respectively. Defaults to `PKCS1` if not specified." + enum: + - PKCS1 + - PKCS8 + type: string + rotationPolicy: + description: "RotationPolicy controls how private keys should + be regenerated when a re-issuance is being processed. \n If + set to `Never`, a private key will only be generated if one + does not already exist in the target `spec.secretName`. If one + does exists but it does not have the correct algorithm or size, + a warning will be raised to await user intervention. If set + to `Always`, a private key matching the specified requirements + will be generated whenever a re-issuance occurs. Default is + `Never` for backward compatibility." + enum: + - Never + - Always + type: string + size: + description: "Size is the key bit size of the corresponding private + key for this certificate. \n If `algorithm` is set to `RSA`, + valid values are `2048`, `4096` or `8192`, and will default + to `2048` if not specified. If `algorithm` is set to `ECDSA`, + valid values are `256`, `384` or `521`, and will default to + `256` if not specified. If `algorithm` is set to `Ed25519`, + Size is ignored. No other values are allowed." + type: integer + type: object + renewBefore: + description: "How long before the currently issued certificate's expiry + cert-manager should renew the certificate. 
For example, if a certificate + is valid for 60 minutes, and `renewBefore=10m`, cert-manager will + begin to attempt to renew the certificate 50 minutes after it was + issued (i.e. when there are 10 minutes remaining until the certificate + is no longer valid). \n NOTE: The actual lifetime of the issued + certificate is used to determine the renewal time. If an issuer + returns a certificate with a different lifetime than the one requested, + cert-manager will use the lifetime of the issued certificate. \n + If unset, this defaults to 1/3 of the issued certificate's lifetime. + Minimum accepted value is 5 minutes. Value must be in units accepted + by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration." + type: string + revisionHistoryLimit: + description: "The maximum number of CertificateRequest revisions that + are maintained in the Certificate's history. Each revision represents + a single `CertificateRequest` created by this Certificate, either + when it was created, renewed, or Spec was changed. Revisions will + be removed by oldest first if the number of revisions exceeds this + number. \n If set, revisionHistoryLimit must be a value of `1` or + greater. If unset (`nil`), revisions will not be garbage collected. + Default value is `nil`." + format: int32 + type: integer + secretName: + description: Name of the Secret resource that will be automatically + created and managed by this Certificate resource. It will be populated + with a private key and certificate, signed by the denoted issuer. + The Secret resource lives in the same namespace as the Certificate + resource. + type: string + secretTemplate: + description: Defines annotations and labels to be copied to the Certificate's + Secret. Labels and annotations on the Secret will be changed as + they appear on the SecretTemplate when added or removed. 
SecretTemplate + annotations are added in conjunction with, and cannot overwrite, + the base set of annotations cert-manager sets on the Certificate's + Secret. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a key value map to be copied to the + target Kubernetes Secret. + type: object + labels: + additionalProperties: + type: string + description: Labels is a key value map to be copied to the target + Kubernetes Secret. + type: object + type: object + subject: + description: "Requested set of X509 certificate subject attributes. + More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 + \n The common name attribute is specified separately in the `commonName` + field. Cannot be set if the `literalSubject` field is set." + properties: + countries: + description: Countries to be used on the Certificate. + items: + type: string + type: array + localities: + description: Cities to be used on the Certificate. + items: + type: string + type: array + organizationalUnits: + description: Organizational Units to be used on the Certificate. + items: + type: string + type: array + organizations: + description: Organizations to be used on the Certificate. + items: + type: string + type: array + postalCodes: + description: Postal codes to be used on the Certificate. + items: + type: string + type: array + provinces: + description: State/Provinces to be used on the Certificate. + items: + type: string + type: array + serialNumber: + description: Serial number to be used on the Certificate. + type: string + streetAddresses: + description: Street addresses to be used on the Certificate. + items: + type: string + type: array + type: object + uris: + description: Requested URI subject alternative names. + items: + type: string + type: array + usages: + description: "Requested key usages and extended key usages. These + usages are used to set the `usages` field on the created CertificateRequest + resources. 
If `encodeUsagesInRequest` is unset or set to `true`, + the usages will additionally be encoded in the `request` field which + contains the CSR blob. \n If unset, defaults to `digital signature` + and `key encipherment`." + items: + description: "KeyUsage specifies valid usage contexts for keys. + See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + \n Valid KeyUsage values are as follows: \"signing\", \"digital + signature\", \"content commitment\", \"key encipherment\", \"key + agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", + \"encipher only\", \"decipher only\", \"any\", \"server auth\", + \"client auth\", \"code signing\", \"email protection\", \"s/mime\", + \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", + \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"" + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + type: string + type: array + required: + - issuerRef + - secretName + type: object + status: + description: 'Status of the Certificate. This is set and managed automatically. + Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + properties: + conditions: + description: List of status conditions to indicate the status of certificates. + Known condition types are `Ready` and `Issuing`. + items: + description: CertificateCondition contains condition information + for an Certificate. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. 
+ format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the Certificate. + format: int64 + type: integer + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are (`Ready`, + `Issuing`). + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + failedIssuanceAttempts: + description: The number of continuous failed issuance attempts up + till now. This field gets removed (if set) on a successful issuance + and gets set to 1 if unset and an issuance has failed. If an issuance + has failed, the delay till the next issuance will be calculated + using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). + type: integer + lastFailureTime: + description: LastFailureTime is set only if the lastest issuance for + this Certificate failed and contains the time of the failure. If + an issuance has failed, the delay till the next issuance will be + calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts + - 1). If the latest issuance has succeeded this field will be unset. + format: date-time + type: string + nextPrivateKeySecretName: + description: The name of the Secret resource containing the private + key to be used for the next certificate iteration. 
The keymanager + controller will automatically set this field if the `Issuing` condition + is set to `True`. It will automatically unset this field when the + Issuing condition is not set or False. + type: string + notAfter: + description: The expiration time of the certificate stored in the + secret named by this resource in `spec.secretName`. + format: date-time + type: string + notBefore: + description: The time after which the certificate stored in the secret + named by this resource in `spec.secretName` is valid. + format: date-time + type: string + renewalTime: + description: RenewalTime is the time at which the certificate will + be next renewed. If not set, no upcoming renewal is scheduled. + format: date-time + type: string + revision: + description: "The current 'revision' of the certificate as issued. + \n When a CertificateRequest resource is created, it will have the + `cert-manager.io/certificate-revision` set to one greater than the + current value of this field. \n Upon issuance, this field will be + set to the value of the annotation on the CertificateRequest resource + used to issue the certificate. \n Persisting the value on the CertificateRequest + resource allows the certificates controller to know whether a request + is part of an old issuance or if it is part of the ongoing revision's + issuance by checking if the revision value in the annotation is + greater than this field." + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/cert-manager/1.13.1/manifests/cert-manager.io_clusterissuers.yaml b/operators/cert-manager/1.13.1/manifests/cert-manager.io_clusterissuers.yaml new file mode 100644 index 00000000000..f088bf8e437 --- /dev/null +++ b/operators/cert-manager/1.13.1/manifests/cert-manager.io_clusterissuers.yaml 
@@ -0,0 +1,1698 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + app: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/version: v1.13.1 + name: clusterissuers.cert-manager.io +spec: + group: cert-manager.io + names: + categories: + - cert-manager + kind: ClusterIssuer + listKind: ClusterIssuerList + plural: clusterissuers + singular: clusterissuer + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: A ClusterIssuer represents a certificate issuing authority which + can be referenced as part of `issuerRef` fields. It is similar to an Issuer, + however it is cluster-scoped and therefore can be referenced by resources + that exist in *any* namespace, not just the same namespace as the referent. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. 
In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the ClusterIssuer resource. + properties: + acme: + description: ACME configures this issuer to communicate with a RFC8555 + (ACME) server to obtain signed x509 certificates. + properties: + caBundle: + description: Base64-encoded bundle of PEM CAs which can be used + to validate the certificate chain presented by the ACME server. + Mutually exclusive with SkipTLSVerify; prefer using CABundle + to prevent various kinds of security vulnerabilities. If CABundle + and SkipTLSVerify are unset, the system certificate bundle inside + the container is used to validate the TLS connection. + format: byte + type: string + disableAccountKeyGeneration: + description: Enables or disables generating a new ACME account + key. If true, the Issuer resource will *not* request a new account + but will expect the account key to be supplied via an existing + secret. If false, the cert-manager system will generate a new + ACME account key for the Issuer. Defaults to false. + type: boolean + email: + description: Email is the email address to be associated with + the ACME account. This field is optional, but it is strongly + recommended to be set. It will be used to contact you in case + of issues with your account or certificates, including expiry + notification emails. This field may be updated after the account + is initially registered. + type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates + that matches the duration of the certificate. This is not supported + by all ACME servers like Let's Encrypt. If set to true when + the ACME server does not support it it will create an error + on the Order. Defaults to false. 
+ type: boolean + externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external + account of the ACME server. If set, upon registration cert-manager + will attempt to associate the given external account credentials + with the registered ACME account. + properties: + keyAlgorithm: + description: 'Deprecated: keyAlgorithm field exists for historical + compatibility reasons and should not be used. The algorithm + is now hardcoded to HS256 in golang/x/crypto/acme.' + enum: + - HS256 + - HS384 + - HS512 + type: string + keyID: + description: keyID is the ID of the CA key that the External + Account is bound to. + type: string + keySecretRef: + description: keySecretRef is a Secret Key Selector referencing + a data item in a Kubernetes Secret which holds the symmetric + MAC key of the External Account Binding. The `key` is the + index string that is paired with the key data in the Secret + and should not be confused with the key data itself, or + indeed with the External Account Binding keyID above. The + secret key stored in the Secret **must** be un-padded, base64 + URL encoded data. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - keyID + - keySecretRef + type: object + preferredChain: + description: 'PreferredChain is the chain to use if the ACME server + outputs multiple. PreferredChain is no guarantee that this one + gets delivered by the ACME endpoint. For example, for Let''s + Encrypt''s DST crosssign you would use: "DST Root CA X3" or + "ISRG Root X1" for the newer Let''s Encrypt root CA. 
This value + picks the first certificate bundle in the ACME alternative chains + that has a certificate with this value as its issuer''s CN' + maxLength: 64 + type: string + privateKeySecretRef: + description: PrivateKey is the name of a Kubernetes Secret resource + that will be used to store the automatically generated ACME + account private key. Optionally, a `key` may be specified to + select a specific entry within the named Secret resource. If + `key` is not specified, a default of `tls.key` will be used. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field may + be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + server: + description: 'Server is the URL used to access the ACME server''s + ''directory'' endpoint. For example, for Let''s Encrypt''s staging + endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". + Only ACME v2 endpoints (i.e. RFC 8555) are supported.' + type: string + skipTLSVerify: + description: 'INSECURE: Enables or disables validation of the + ACME server TLS certificate. If true, requests to the ACME server + will not have the TLS certificate chain validated. Mutually + exclusive with CABundle; prefer using CABundle to prevent various + kinds of security vulnerabilities. Only enable this option in + development environments. If CABundle and SkipTLSVerify are + unset, the system certificate bundle inside the container is + used to validate the TLS connection. Defaults to false.' + type: boolean + solvers: + description: 'Solvers is a list of challenge solvers that will + be used to solve ACME challenges for the matching domains. 
Solver + configurations must be provided in order to obtain certificates + from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' + items: + description: An ACMEChallengeSolver describes how to solve ACME + challenges for the issuer it is part of. A selector may be + provided to use different solving strategies for different + DNS names. Only one of HTTP01 or DNS01 must be provided. + properties: + dns01: + description: Configures cert-manager to attempt to complete + authorizations by performing the DNS01 challenge flow. + properties: + acmeDNS: + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + properties: + accountSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: Use the Akamai DNS zone management API + to manage DNS01 challenge records. + properties: + accessTokenSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientSecretSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientTokenSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azureDNS: + description: Use the Microsoft Azure DNS API to manage + DNS01 challenge records. + properties: + clientID: + description: if both this and ClientSecret are left + unset MSI will be used + type: string + clientSecretSecretRef: + description: if both this and ClientID are left + unset MSI will be used + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. 
+ type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + environment: + description: name of the Azure environment (default + AzurePublicCloud) + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + description: name of the DNS zone that should be + used + type: string + managedIdentity: + description: managed identity configuration, can + not be used at the same time as clientID, clientSecretSecretRef + or tenantID + properties: + clientID: + description: client ID of the managed identity, + can not be used at the same time as resourceID + type: string + resourceID: + description: resource ID of the managed identity, + can not be used at the same time as clientID + type: string + type: object + resourceGroupName: + description: resource group the DNS zone is located + in + type: string + subscriptionID: + description: ID of the Azure subscription + type: string + tenantID: + description: when specifying ClientID and ClientSecret + then this field is also needed + type: string + required: + - resourceGroupName + - subscriptionID + type: object + cloudDNS: + description: Use the Google Cloud DNS API to manage + DNS01 challenge records. + properties: + hostedZoneName: + description: HostedZoneName is an optional field + that tells cert-manager in which Cloud DNS zone + the challenge record has to be created. If left + empty cert-manager will automatically choose a + zone. + type: string + project: + type: string + serviceAccountSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. 
Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - project + type: object + cloudflare: + description: Use the Cloudflare API to manage DNS01 + challenge records. + properties: + apiKeySecretRef: + description: 'API key to use to authenticate with + Cloudflare. Note: using an API token to authenticate + is now the recommended method as it allows greater + control of permissions.' + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + apiTokenSecretRef: + description: API token used to authenticate with + Cloudflare. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + email: + description: Email of the account, only required + when using API key based authentication. + type: string + type: object + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 + provider should handle CNAME records when found in + DNS zones. + enum: + - None + - Follow + type: string + digitalocean: + description: Use the DigitalOcean DNS API to manage + DNS01 challenge records. 
+ properties: + tokenSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: Use RFC2136 ("Dynamic Updates in the Domain + Name System") (https://datatracker.ietf.org/doc/rfc2136/) + to manage DNS01 challenge records. + properties: + nameserver: + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed + in square brackets (e.g [2001:db8::1]) ; port + is optional. This field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values + are (case-insensitive): ``HMACMD5`` (default), + ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the + DNS. If ``tsigSecretSecretRef`` is defined, this + field is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the + TSIG value. If ``tsigKeyName`` is defined, this + field is required. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: Use the AWS Route53 API to manage DNS01 + challenge records. + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + Cannot be set when SecretAccessKeyID is set. If + neither the Access Key nor Key ID are set, we + fall-back to using env vars, shared credentials + file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + accessKeyIDSecretRef: + description: 'The SecretAccessKey is used for authentication. + If set, pull the AWS access key ID from a key + within a Kubernetes Secret. Cannot be set when + AccessKeyID is set. If neither the Access Key + nor Key ID are set, we fall-back to using env + vars, shared credentials file or AWS Instance + metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + hostedZoneID: + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup + using the route53:ListHostedZonesByName api call. 
+ type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit + credentials AccessKeyID/SecretAccessKey or the + inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: 'The SecretAccessKey is used for authentication. + If neither the Access Key nor Key ID are set, + we fall-back to using env vars, shared credentials + file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: Configure an external webhook based DNS01 + challenge solver to manage DNS01 challenge records. + properties: + config: + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON + data. Secret values should not be specified in + this stanza. If secret values are needed (e.g. + credentials for a DNS service), you should use + a SecretKeySelector to reference a Secret resource. + For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used + when POSTing ChallengePayload resources to the + webhook apiserver. 
This should be the same as + the GroupName specified in the webhook provider + implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: Configures cert-manager to attempt to complete + authorizations by performing the HTTP01 challenge flow. + It is not possible to obtain certificates for wildcard + domain names (e.g. `*.example.com`) using the HTTP01 challenge + mechanism. + properties: + gatewayHTTPRoute: + description: The Gateway API is a sig-network community + API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). + The Gateway solver will create HTTPRoutes with the + specified labels in the same namespace as the challenge. + This solver is experimental, and fields / behaviour + may change in the future. + properties: + labels: + additionalProperties: + type: string + description: Custom labels that will be applied + to HTTPRoutes created by cert-manager while solving + HTTP-01 challenges. + type: object + parentRefs: + description: 'When solving an HTTP-01 challenge, + cert-manager creates an HTTPRoute. cert-manager + needs to know which parentRefs should be used + when creating the HTTPRoute. Usually, the parentRef + references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways' + items: + description: "ParentReference identifies an API + object (usually a Gateway) that can be considered + a parent of this resource (usually a route). + There are two kinds of parent resources with + \"Core\" support: \n * Gateway (Gateway conformance + profile) * Service (Mesh conformance profile, + experimental, ClusterIP Services only) \n This + API may be extended in the future to support + additional kinds of parent resources. 
\n The + API object must be valid in the cluster; the + Group and Kind must be registered in the cluster + for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. + When unspecified, \"gateway.networking.k8s.io\" + is inferred. To set the core API group (such + as for a \"Service\" kind referent), Group + must be explicitly set to \"\" (empty string). + \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. + \n There are two kinds of parent resources + with \"Core\" support: \n * Gateway (Gateway + conformance profile) * Service (Mesh conformance + profile, experimental, ClusterIP Services + only) \n Support for other resources is + Implementation-Specific." + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. + \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of + the referent. When unspecified, this refers + to the local namespace of the Route. \n + Note that there are specific rules for ParentRefs + which cross namespace boundaries. Cross-namespace + references are only valid if they are explicitly + allowed by something in the namespace they + are referring to. For example: Gateway has + the AllowedRoutes field, and ReferenceGrant + provides a generic way to enable any other + kind of cross-namespace reference. \n ParentRefs + from a Route to a Service in the same namespace + are \"producer\" routes, which apply default + routing rules to inbound connections from + any namespace to the Service. 
\n ParentRefs + from a Route to a Service in a different + namespace are \"consumer\" routes, and these + routing rules are only applied to outbound + connections originating from the same namespace + as the Route, for which the intended destination + of the connections are a Service targeted + as a ParentRef of the Route. \n Support: + Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this + Route targets. It can be interpreted differently + based on the type of parent resource. \n + When the parent resource is a Gateway, this + targets all listeners listening on the specified + port that also support this kind of Route(and + select this Route). It's not recommended + to set `Port` unless the networking behaviors + specified in a Route must apply to a specific + port as opposed to a listener(s) whose port(s) + may be changed. When both Port and SectionName + are specified, the name and port of the + selected listener must match both specified + values. \n When the parent resource is a + Service, this targets a specific port in + the Service spec. When both Port (experimental) + and SectionName are specified, the name + and port of the selected port must match + both specified values. \n Implementations + MAY choose to support other parent resources. + Implementations supporting other types of + parent resources MUST clearly document how/if + Port is interpreted. \n For the purpose + of status, an attachment is considered successful + as long as the parent resource accepts it + partially. For example, Gateway listeners + can restrict which Routes can attach to + them by Route kind, namespace, or hostname. + If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST + be considered successfully attached. If + no Gateway listeners accept attachment from + this Route, the Route MUST be considered + detached from the Gateway. 
\n Support: Extended + \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a + section within the target resource. In the + following resources, SectionName is interpreted + as the following: \n * Gateway: Listener + Name. When both Port (experimental) and + SectionName are specified, the name and + port of the selected listener must match + both specified values. * Service: Port Name. + When both Port (experimental) and SectionName + are specified, the name and port of the + selected listener must match both specified + values. Note that attaching Routes to Services + as Parents is part of experimental Mesh + support and is not supported for any other + purpose. \n Implementations MAY choose to + support attaching Routes to other resources. + If that is the case, they MUST clearly document + how SectionName is interpreted. \n When + unspecified (empty string), this will reference + the entire resource. For the purpose of + status, an attachment is considered successful + if at least one section in the parent resource + accepts it. For example, Gateway listeners + can restrict which Routes can attach to + them by Route kind, namespace, or hostname. + If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST + be considered successfully attached. If + no Gateway listeners accept attachment from + this Route, the Route MUST be considered + detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + type: array + serviceType: + description: Optional service type for Kubernetes + solver service. Supported values are NodePort + or ClusterIP. If unset, defaults to NodePort. 
+ type: string + type: object + ingress: + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by + cert-manager for each Challenge to be completed. + properties: + class: + description: This field configures the annotation + `kubernetes.io/ingress.class` when creating Ingress + resources to solve ACME challenges that use this + challenge solver. Only one of `class`, `name` + or `ingressClassName` may be specified. + type: string + ingressClassName: + description: This field configures the field `ingressClassName` + on the created Ingress resources used to solve + ACME challenges that use this challenge solver. + This is the recommended way of configuring the + ingress class. Only one of `class`, `name` or + `ingressClassName` may be specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 + challenges. + properties: + metadata: + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be + added to the created ACME HTTP01 solver + ingress. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added + to the created ACME HTTP01 solver ingress. + type: object + type: object + type: object + name: + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. 
This + is typically used in conjunction with ingress + controllers like ingress-gce, which maintains + a 1:1 mapping between external IPs and ingress + resources. Only one of `class`, `name` or `ingressClassName` + may be specified. + type: string + podTemplate: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + spec: + properties: + affinity: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + 
labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + 
properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + imagePullSecrets: + items: + properties: + name: + type: string + type: object + 
x-kubernetes-map-type: atomic + type: array + nodeSelector: + additionalProperties: + type: string + type: object + priorityClassName: + type: string + serviceAccountName: + type: string + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes + solver service. Supported values are NodePort + or ClusterIP. If unset, defaults to NodePort. + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver + has a more specific match, it will be used instead. + properties: + dnsNames: + description: List of DNSNames that this solver will + be used to solve. If specified and a match is found, + a dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same + dnsNames value, the solver with the most matching + labels in matchLabels will be selected. If neither + has more matches, the solver defined earlier in the + list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will + be used to solve. The most specific DNS zone match + specified here will take precedence over other DNS + zone matches, so a solver specifying sys.example.com + will be selected over one specifying example.com for + the domain www.sys.example.com. If multiple solvers + match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. 
+ items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine + the set of certificate's that this challenge solver + will apply to. + type: object + type: object + type: object + type: array + required: + - privateKeySecretRef + - server + type: object + ca: + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + items: + type: string + type: array + ocspServers: + description: The OCSP server list is an X.509 v3 extension that + defines a list of URLs of OCSP responders. The OCSP responders + can be queried for the revocation status of an issued certificate. + If not set, the certificate will be issued with no OCSP servers + set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". + items: + type: string + type: array + secretName: + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. 
+ items: + type: string + type: array + type: object + vault: + description: Vault configures this issuer to sign certificates using + a HashiCorp Vault PKI backend. + properties: + auth: + description: Auth configures how cert-manager authenticates with + the Vault server. + properties: + appRole: + description: AppRole authenticates with Vault using the App + Role auth mechanism, with the role and secret stored in + a Kubernetes Secret resource. + properties: + path: + description: 'Path where the App Role authentication backend + is mounted in Vault, e.g: "approle"' + type: string + roleId: + description: RoleID configured in the App Role authentication + backend when setting up the authentication backend in + Vault. + type: string + secretRef: + description: Reference to a key in a Secret that contains + the App Role secret used to authenticate with Vault. + The `key` field must be specified and denotes which + entry within the Secret resource is used as the app + role secret. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + kubernetes: + description: Kubernetes authenticates with Vault by passing + the ServiceAccount token stored in the named Secret resource + to the Vault server. + properties: + mountPath: + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, + setting a value to `/v1/auth/foo`, will use the path + `/v1/auth/foo/login` to authenticate with Vault. If + unspecified, the default value "/v1/auth/kubernetes" + will be used. 
+ type: string + role: + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount + with a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + serviceAccountRef: + description: A reference to a service account that will + be used to request a bound token (also known as "projected + token"). Compared to using "secretRef", using this field + means that you don't rely on statically bound tokens. + To use this field, you must configure an RBAC rule to + let cert-manager request a token. + properties: + name: + description: Name of the ServiceAccount used to request + a token. + type: string + required: + - name + type: object + required: + - role + type: object + tokenSecretRef: + description: TokenSecretRef authenticates with Vault by presenting + a token. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + type: object + caBundle: + description: Base64-encoded bundle of PEM CAs which will be used + to validate the certificate chain presented by Vault. 
Only used + if using HTTPS to connect to Vault and ignored for HTTP connections. + Mutually exclusive with CABundleSecretRef. If neither CABundle + nor CABundleSecretRef are defined, the certificate bundle in + the cert-manager controller container is used to validate the + TLS connection. + format: byte + type: string + caBundleSecretRef: + description: Reference to a Secret containing a bundle of PEM-encoded + CAs to use when verifying the certificate chain presented by + Vault when using HTTPS. Mutually exclusive with CABundle. If + neither CABundle nor CABundleSecretRef are defined, the certificate + bundle in the cert-manager controller container is used to validate + the TLS connection. If no key for the Secret is specified, cert-manager + will default to 'ca.crt'. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field may + be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + namespace: + description: 'Name of the vault namespace. Namespaces is a set + of features within Vault Enterprise that allows Vault environments + to support Secure Multi-tenancy. e.g: "ns1" More about namespaces + can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + type: string + path: + description: 'Path is the mount path of the Vault PKI backend''s + `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' + type: string + server: + description: 'Server is the connection address for the Vault server, + e.g: "https://vault.example.com:8200".' + type: string + required: + - auth + - path + - server + type: object + venafi: + description: Venafi configures this issuer to sign certificates using + a Venafi TPP or Venafi Cloud policy zone. 
+ properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + url: + description: URL is the base URL for Venafi Cloud. Defaults + to "https://api.venafi.cloud/v1". + type: string + required: + - apiTokenSecretRef + type: object + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + properties: + caBundle: + description: Base64-encoded bundle of PEM CAs which will be + used to validate the certificate chain presented by the + TPP server. Only used if using HTTPS; ignored for HTTP. + If undefined, the certificate bundle in the cert-manager + controller container is used to validate the chain. + format: byte + type: string + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret + must contain two keys, 'username' and 'password'. + properties: + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + url: + description: 'URL is the base URL for the vedsdk endpoint + of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' 
+ type: string + required: + - credentialsRef + - url + type: object + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted + by the named zone policy. This field is required. + type: string + required: + - zone + type: object + type: object + status: + description: Status of the ClusterIssuer. This is set and managed automatically. + properties: + acme: + description: ACME specific status options. This field should only + be set if the Issuer is configured to use an ACME server to issue + certificates. + properties: + lastPrivateKeyHash: + description: LastPrivateKeyHash is a hash of the private key associated + with the latest registered ACME account, in order to track changes + made to registered account associated with the Issuer + type: string + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with + the latest registered ACME account, in order to track changes + made to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + items: + description: IssuerCondition contains condition information for + an Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation + that the condition was set based upon. 
For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the Issuer. + format: int64 + type: integer + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are (`Ready`). + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/cert-manager/1.13.1/manifests/cert-manager.io_issuers.yaml b/operators/cert-manager/1.13.1/manifests/cert-manager.io_issuers.yaml new file mode 100644 index 00000000000..9f57e9ca5ab --- /dev/null +++ b/operators/cert-manager/1.13.1/manifests/cert-manager.io_issuers.yaml 
@@ -0,0 +1,1697 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + app: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/version: v1.13.1 + name: issuers.cert-manager.io +spec: + group: cert-manager.io + names: + categories: + - cert-manager + kind: Issuer + listKind: IssuerList + plural: issuers + singular: issuer + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: An Issuer represents a certificate issuing authority which can + be referenced as part of `issuerRef` fields. It is scoped to a single namespace + and can therefore only be referenced by resources within the same namespace. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the Issuer resource. + properties: + acme: + description: ACME configures this issuer to communicate with a RFC8555 + (ACME) server to obtain signed x509 certificates. + properties: + caBundle: + description: Base64-encoded bundle of PEM CAs which can be used + to validate the certificate chain presented by the ACME server. + Mutually exclusive with SkipTLSVerify; prefer using CABundle + to prevent various kinds of security vulnerabilities. If CABundle + and SkipTLSVerify are unset, the system certificate bundle inside + the container is used to validate the TLS connection. + format: byte + type: string + disableAccountKeyGeneration: + description: Enables or disables generating a new ACME account + key. If true, the Issuer resource will *not* request a new account + but will expect the account key to be supplied via an existing + secret. If false, the cert-manager system will generate a new + ACME account key for the Issuer. Defaults to false. + type: boolean + email: + description: Email is the email address to be associated with + the ACME account. This field is optional, but it is strongly + recommended to be set. It will be used to contact you in case + of issues with your account or certificates, including expiry + notification emails. This field may be updated after the account + is initially registered. + type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates + that matches the duration of the certificate. This is not supported + by all ACME servers like Let's Encrypt. If set to true when + the ACME server does not support it it will create an error + on the Order. Defaults to false. 
+ type: boolean + externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external + account of the ACME server. If set, upon registration cert-manager + will attempt to associate the given external account credentials + with the registered ACME account. + properties: + keyAlgorithm: + description: 'Deprecated: keyAlgorithm field exists for historical + compatibility reasons and should not be used. The algorithm + is now hardcoded to HS256 in golang/x/crypto/acme.' + enum: + - HS256 + - HS384 + - HS512 + type: string + keyID: + description: keyID is the ID of the CA key that the External + Account is bound to. + type: string + keySecretRef: + description: keySecretRef is a Secret Key Selector referencing + a data item in a Kubernetes Secret which holds the symmetric + MAC key of the External Account Binding. The `key` is the + index string that is paired with the key data in the Secret + and should not be confused with the key data itself, or + indeed with the External Account Binding keyID above. The + secret key stored in the Secret **must** be un-padded, base64 + URL encoded data. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - keyID + - keySecretRef + type: object + preferredChain: + description: 'PreferredChain is the chain to use if the ACME server + outputs multiple. PreferredChain is no guarantee that this one + gets delivered by the ACME endpoint. For example, for Let''s + Encrypt''s DST crosssign you would use: "DST Root CA X3" or + "ISRG Root X1" for the newer Let''s Encrypt root CA. 
This value + picks the first certificate bundle in the ACME alternative chains + that has a certificate with this value as its issuer''s CN' + maxLength: 64 + type: string + privateKeySecretRef: + description: PrivateKey is the name of a Kubernetes Secret resource + that will be used to store the automatically generated ACME + account private key. Optionally, a `key` may be specified to + select a specific entry within the named Secret resource. If + `key` is not specified, a default of `tls.key` will be used. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field may + be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + server: + description: 'Server is the URL used to access the ACME server''s + ''directory'' endpoint. For example, for Let''s Encrypt''s staging + endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". + Only ACME v2 endpoints (i.e. RFC 8555) are supported.' + type: string + skipTLSVerify: + description: 'INSECURE: Enables or disables validation of the + ACME server TLS certificate. If true, requests to the ACME server + will not have the TLS certificate chain validated. Mutually + exclusive with CABundle; prefer using CABundle to prevent various + kinds of security vulnerabilities. Only enable this option in + development environments. If CABundle and SkipTLSVerify are + unset, the system certificate bundle inside the container is + used to validate the TLS connection. Defaults to false.' + type: boolean + solvers: + description: 'Solvers is a list of challenge solvers that will + be used to solve ACME challenges for the matching domains. 
Solver + configurations must be provided in order to obtain certificates + from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' + items: + description: An ACMEChallengeSolver describes how to solve ACME + challenges for the issuer it is part of. A selector may be + provided to use different solving strategies for different + DNS names. Only one of HTTP01 or DNS01 must be provided. + properties: + dns01: + description: Configures cert-manager to attempt to complete + authorizations by performing the DNS01 challenge flow. + properties: + acmeDNS: + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + properties: + accountSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: Use the Akamai DNS zone management API + to manage DNS01 challenge records. + properties: + accessTokenSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientSecretSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientTokenSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azureDNS: + description: Use the Microsoft Azure DNS API to manage + DNS01 challenge records. + properties: + clientID: + description: if both this and ClientSecret are left + unset MSI will be used + type: string + clientSecretSecretRef: + description: if both this and ClientID are left + unset MSI will be used + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. 
+ type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + environment: + description: name of the Azure environment (default + AzurePublicCloud) + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + description: name of the DNS zone that should be + used + type: string + managedIdentity: + description: managed identity configuration, can + not be used at the same time as clientID, clientSecretSecretRef + or tenantID + properties: + clientID: + description: client ID of the managed identity, + can not be used at the same time as resourceID + type: string + resourceID: + description: resource ID of the managed identity, + can not be used at the same time as clientID + type: string + type: object + resourceGroupName: + description: resource group the DNS zone is located + in + type: string + subscriptionID: + description: ID of the Azure subscription + type: string + tenantID: + description: when specifying ClientID and ClientSecret + then this field is also needed + type: string + required: + - resourceGroupName + - subscriptionID + type: object + cloudDNS: + description: Use the Google Cloud DNS API to manage + DNS01 challenge records. + properties: + hostedZoneName: + description: HostedZoneName is an optional field + that tells cert-manager in which Cloud DNS zone + the challenge record has to be created. If left + empty cert-manager will automatically choose a + zone. + type: string + project: + type: string + serviceAccountSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. 
Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - project + type: object + cloudflare: + description: Use the Cloudflare API to manage DNS01 + challenge records. + properties: + apiKeySecretRef: + description: 'API key to use to authenticate with + Cloudflare. Note: using an API token to authenticate + is now the recommended method as it allows greater + control of permissions.' + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + apiTokenSecretRef: + description: API token used to authenticate with + Cloudflare. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + email: + description: Email of the account, only required + when using API key based authentication. + type: string + type: object + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 + provider should handle CNAME records when found in + DNS zones. + enum: + - None + - Follow + type: string + digitalocean: + description: Use the DigitalOcean DNS API to manage + DNS01 challenge records. 
+ properties: + tokenSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: Use RFC2136 ("Dynamic Updates in the Domain + Name System") (https://datatracker.ietf.org/doc/rfc2136/) + to manage DNS01 challenge records. + properties: + nameserver: + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed + in square brackets (e.g [2001:db8::1]) ; port + is optional. This field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values + are (case-insensitive): ``HMACMD5`` (default), + ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the + DNS. If ``tsigSecretSecretRef`` is defined, this + field is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the + TSIG value. If ``tsigKeyName`` is defined, this + field is required. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: Use the AWS Route53 API to manage DNS01 + challenge records. + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + Cannot be set when SecretAccessKeyID is set. If + neither the Access Key nor Key ID are set, we + fall-back to using env vars, shared credentials + file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + accessKeyIDSecretRef: + description: 'The SecretAccessKey is used for authentication. + If set, pull the AWS access key ID from a key + within a Kubernetes Secret. Cannot be set when + AccessKeyID is set. If neither the Access Key + nor Key ID are set, we fall-back to using env + vars, shared credentials file or AWS Instance + metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + hostedZoneID: + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup + using the route53:ListHostedZonesByName api call. 
+ type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit + credentials AccessKeyID/SecretAccessKey or the + inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: 'The SecretAccessKey is used for authentication. + If neither the Access Key nor Key ID are set, + we fall-back to using env vars, shared credentials + file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: Configure an external webhook based DNS01 + challenge solver to manage DNS01 challenge records. + properties: + config: + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON + data. Secret values should not be specified in + this stanza. If secret values are needed (e.g. + credentials for a DNS service), you should use + a SecretKeySelector to reference a Secret resource. + For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used + when POSTing ChallengePayload resources to the + webhook apiserver. 
This should be the same as + the GroupName specified in the webhook provider + implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: Configures cert-manager to attempt to complete + authorizations by performing the HTTP01 challenge flow. + It is not possible to obtain certificates for wildcard + domain names (e.g. `*.example.com`) using the HTTP01 challenge + mechanism. + properties: + gatewayHTTPRoute: + description: The Gateway API is a sig-network community + API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). + The Gateway solver will create HTTPRoutes with the + specified labels in the same namespace as the challenge. + This solver is experimental, and fields / behaviour + may change in the future. + properties: + labels: + additionalProperties: + type: string + description: Custom labels that will be applied + to HTTPRoutes created by cert-manager while solving + HTTP-01 challenges. + type: object + parentRefs: + description: 'When solving an HTTP-01 challenge, + cert-manager creates an HTTPRoute. cert-manager + needs to know which parentRefs should be used + when creating the HTTPRoute. Usually, the parentRef + references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways' + items: + description: "ParentReference identifies an API + object (usually a Gateway) that can be considered + a parent of this resource (usually a route). + There are two kinds of parent resources with + \"Core\" support: \n * Gateway (Gateway conformance + profile) * Service (Mesh conformance profile, + experimental, ClusterIP Services only) \n This + API may be extended in the future to support + additional kinds of parent resources. 
\n The + API object must be valid in the cluster; the + Group and Kind must be registered in the cluster + for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. + When unspecified, \"gateway.networking.k8s.io\" + is inferred. To set the core API group (such + as for a \"Service\" kind referent), Group + must be explicitly set to \"\" (empty string). + \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. + \n There are two kinds of parent resources + with \"Core\" support: \n * Gateway (Gateway + conformance profile) * Service (Mesh conformance + profile, experimental, ClusterIP Services + only) \n Support for other resources is + Implementation-Specific." + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. + \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of + the referent. When unspecified, this refers + to the local namespace of the Route. \n + Note that there are specific rules for ParentRefs + which cross namespace boundaries. Cross-namespace + references are only valid if they are explicitly + allowed by something in the namespace they + are referring to. For example: Gateway has + the AllowedRoutes field, and ReferenceGrant + provides a generic way to enable any other + kind of cross-namespace reference. \n ParentRefs + from a Route to a Service in the same namespace + are \"producer\" routes, which apply default + routing rules to inbound connections from + any namespace to the Service. 
\n ParentRefs + from a Route to a Service in a different + namespace are \"consumer\" routes, and these + routing rules are only applied to outbound + connections originating from the same namespace + as the Route, for which the intended destination + of the connections are a Service targeted + as a ParentRef of the Route. \n Support: + Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this + Route targets. It can be interpreted differently + based on the type of parent resource. \n + When the parent resource is a Gateway, this + targets all listeners listening on the specified + port that also support this kind of Route(and + select this Route). It's not recommended + to set `Port` unless the networking behaviors + specified in a Route must apply to a specific + port as opposed to a listener(s) whose port(s) + may be changed. When both Port and SectionName + are specified, the name and port of the + selected listener must match both specified + values. \n When the parent resource is a + Service, this targets a specific port in + the Service spec. When both Port (experimental) + and SectionName are specified, the name + and port of the selected port must match + both specified values. \n Implementations + MAY choose to support other parent resources. + Implementations supporting other types of + parent resources MUST clearly document how/if + Port is interpreted. \n For the purpose + of status, an attachment is considered successful + as long as the parent resource accepts it + partially. For example, Gateway listeners + can restrict which Routes can attach to + them by Route kind, namespace, or hostname. + If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST + be considered successfully attached. If + no Gateway listeners accept attachment from + this Route, the Route MUST be considered + detached from the Gateway. 
\n Support: Extended + \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a + section within the target resource. In the + following resources, SectionName is interpreted + as the following: \n * Gateway: Listener + Name. When both Port (experimental) and + SectionName are specified, the name and + port of the selected listener must match + both specified values. * Service: Port Name. + When both Port (experimental) and SectionName + are specified, the name and port of the + selected listener must match both specified + values. Note that attaching Routes to Services + as Parents is part of experimental Mesh + support and is not supported for any other + purpose. \n Implementations MAY choose to + support attaching Routes to other resources. + If that is the case, they MUST clearly document + how SectionName is interpreted. \n When + unspecified (empty string), this will reference + the entire resource. For the purpose of + status, an attachment is considered successful + if at least one section in the parent resource + accepts it. For example, Gateway listeners + can restrict which Routes can attach to + them by Route kind, namespace, or hostname. + If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST + be considered successfully attached. If + no Gateway listeners accept attachment from + this Route, the Route MUST be considered + detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + type: array + serviceType: + description: Optional service type for Kubernetes + solver service. Supported values are NodePort + or ClusterIP. If unset, defaults to NodePort. 
+ type: string + type: object + ingress: + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by + cert-manager for each Challenge to be completed. + properties: + class: + description: This field configures the annotation + `kubernetes.io/ingress.class` when creating Ingress + resources to solve ACME challenges that use this + challenge solver. Only one of `class`, `name` + or `ingressClassName` may be specified. + type: string + ingressClassName: + description: This field configures the field `ingressClassName` + on the created Ingress resources used to solve + ACME challenges that use this challenge solver. + This is the recommended way of configuring the + ingress class. Only one of `class`, `name` or + `ingressClassName` may be specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 + challenges. + properties: + metadata: + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be + added to the created ACME HTTP01 solver + ingress. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added + to the created ACME HTTP01 solver ingress. + type: object + type: object + type: object + name: + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. 
This + is typically used in conjunction with ingress + controllers like ingress-gce, which maintains + a 1:1 mapping between external IPs and ingress + resources. Only one of `class`, `name` or `ingressClassName` + may be specified. + type: string + podTemplate: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + spec: + properties: + affinity: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + 
labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + 
properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + imagePullSecrets: + items: + properties: + name: + type: string + type: object + 
x-kubernetes-map-type: atomic + type: array + nodeSelector: + additionalProperties: + type: string + type: object + priorityClassName: + type: string + serviceAccountName: + type: string + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes + solver service. Supported values are NodePort + or ClusterIP. If unset, defaults to NodePort. + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver + has a more specific match, it will be used instead. + properties: + dnsNames: + description: List of DNSNames that this solver will + be used to solve. If specified and a match is found, + a dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same + dnsNames value, the solver with the most matching + labels in matchLabels will be selected. If neither + has more matches, the solver defined earlier in the + list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will + be used to solve. The most specific DNS zone match + specified here will take precedence over other DNS + zone matches, so a solver specifying sys.example.com + will be selected over one specifying example.com for + the domain www.sys.example.com. If multiple solvers + match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. 
+ items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine + the set of certificate's that this challenge solver + will apply to. + type: object + type: object + type: object + type: array + required: + - privateKeySecretRef + - server + type: object + ca: + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + items: + type: string + type: array + ocspServers: + description: The OCSP server list is an X.509 v3 extension that + defines a list of URLs of OCSP responders. The OCSP responders + can be queried for the revocation status of an issued certificate. + If not set, the certificate will be issued with no OCSP servers + set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". + items: + type: string + type: array + secretName: + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. 
+ items: + type: string + type: array + type: object + vault: + description: Vault configures this issuer to sign certificates using + a HashiCorp Vault PKI backend. + properties: + auth: + description: Auth configures how cert-manager authenticates with + the Vault server. + properties: + appRole: + description: AppRole authenticates with Vault using the App + Role auth mechanism, with the role and secret stored in + a Kubernetes Secret resource. + properties: + path: + description: 'Path where the App Role authentication backend + is mounted in Vault, e.g: "approle"' + type: string + roleId: + description: RoleID configured in the App Role authentication + backend when setting up the authentication backend in + Vault. + type: string + secretRef: + description: Reference to a key in a Secret that contains + the App Role secret used to authenticate with Vault. + The `key` field must be specified and denotes which + entry within the Secret resource is used as the app + role secret. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + kubernetes: + description: Kubernetes authenticates with Vault by passing + the ServiceAccount token stored in the named Secret resource + to the Vault server. + properties: + mountPath: + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, + setting a value to `/v1/auth/foo`, will use the path + `/v1/auth/foo/login` to authenticate with Vault. If + unspecified, the default value "/v1/auth/kubernetes" + will be used. 
+ type: string + role: + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount + with a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + serviceAccountRef: + description: A reference to a service account that will + be used to request a bound token (also known as "projected + token"). Compared to using "secretRef", using this field + means that you don't rely on statically bound tokens. + To use this field, you must configure an RBAC rule to + let cert-manager request a token. + properties: + name: + description: Name of the ServiceAccount used to request + a token. + type: string + required: + - name + type: object + required: + - role + type: object + tokenSecretRef: + description: TokenSecretRef authenticates with Vault by presenting + a token. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + type: object + caBundle: + description: Base64-encoded bundle of PEM CAs which will be used + to validate the certificate chain presented by Vault. 
Only used + if using HTTPS to connect to Vault and ignored for HTTP connections. + Mutually exclusive with CABundleSecretRef. If neither CABundle + nor CABundleSecretRef are defined, the certificate bundle in + the cert-manager controller container is used to validate the + TLS connection. + format: byte + type: string + caBundleSecretRef: + description: Reference to a Secret containing a bundle of PEM-encoded + CAs to use when verifying the certificate chain presented by + Vault when using HTTPS. Mutually exclusive with CABundle. If + neither CABundle nor CABundleSecretRef are defined, the certificate + bundle in the cert-manager controller container is used to validate + the TLS connection. If no key for the Secret is specified, cert-manager + will default to 'ca.crt'. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field may + be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + namespace: + description: 'Name of the vault namespace. Namespaces is a set + of features within Vault Enterprise that allows Vault environments + to support Secure Multi-tenancy. e.g: "ns1" More about namespaces + can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + type: string + path: + description: 'Path is the mount path of the Vault PKI backend''s + `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' + type: string + server: + description: 'Server is the connection address for the Vault server, + e.g: "https://vault.example.com:8200".' + type: string + required: + - auth + - path + - server + type: object + venafi: + description: Venafi configures this issuer to sign certificates using + a Venafi TPP or Venafi Cloud policy zone. 
+ properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + url: + description: URL is the base URL for Venafi Cloud. Defaults + to "https://api.venafi.cloud/v1". + type: string + required: + - apiTokenSecretRef + type: object + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + properties: + caBundle: + description: Base64-encoded bundle of PEM CAs which will be + used to validate the certificate chain presented by the + TPP server. Only used if using HTTPS; ignored for HTTP. + If undefined, the certificate bundle in the cert-manager + controller container is used to validate the chain. + format: byte + type: string + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret + must contain two keys, 'username' and 'password'. + properties: + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + url: + description: 'URL is the base URL for the vedsdk endpoint + of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' 
+ type: string + required: + - credentialsRef + - url + type: object + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted + by the named zone policy. This field is required. + type: string + required: + - zone + type: object + type: object + status: + description: Status of the Issuer. This is set and managed automatically. + properties: + acme: + description: ACME specific status options. This field should only + be set if the Issuer is configured to use an ACME server to issue + certificates. + properties: + lastPrivateKeyHash: + description: LastPrivateKeyHash is a hash of the private key associated + with the latest registered ACME account, in order to track changes + made to registered account associated with the Issuer + type: string + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with + the latest registered ACME account, in order to track changes + made to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + items: + description: IssuerCondition contains condition information for + an Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation + that the condition was set based upon. 
For instance, if .metadata.generation
+ is currently 12, but the .status.condition[x].observedGeneration
+ is 9, the condition is out of date with respect to the current
+ state of the Issuer.
+ format: int64
+ type: integer
+ reason:
+ description: Reason is a brief machine readable explanation
+ for the condition's last transition.
+ type: string
+ status:
+ description: Status of the condition, one of (`True`, `False`,
+ `Unknown`).
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: Type of the condition, known values are (`Ready`).
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
diff --git a/operators/cert-manager/1.13.1/manifests/cert-manager_v1_configmap.yaml b/operators/cert-manager/1.13.1/manifests/cert-manager_v1_configmap.yaml
new file mode 100644
index 00000000000..0bc7293c9d1
--- /dev/null
+++ b/operators/cert-manager/1.13.1/manifests/cert-manager_v1_configmap.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+data: null
+kind: ConfigMap
+metadata:
+ labels:
+ app: cert-manager
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/version: v1.13.1
+ name: cert-manager
diff --git a/operators/cert-manager/1.13.1/manifests/cert-manager_v1_service.yaml b/operators/cert-manager/1.13.1/manifests/cert-manager_v1_service.yaml
new file mode 100644
index 00000000000..3a6b0557747
--- /dev/null
+++ b/operators/cert-manager/1.13.1/manifests/cert-manager_v1_service.yaml
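Review bot: `data: null` ships an empty ConfigMap named `cert-manager` that carries nothing for its consumer, which reads like a placeholder left behind by the bundle generator rather than an intentional resource. If nothing in the bundle reads it, the manifest can be dropped; if the controller component named in its labels is expected to pick settings up from it, the intended keys are missing and that should be confirmed before this version ships. Where an empty map is genuinely intended, `data: {}` states that deliberately, whereas `null` reads as an omission.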
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Service
+metadata:
+ creationTimestamp: null
+ labels:
+ app: cert-manager
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/version: v1.13.1
+ name: cert-manager
+spec:
+ ports:
+ - name: tcp-prometheus-servicemonitor
+ port: 9402
+ protocol: TCP
+ targetPort: 9402
+ selector:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/name: cert-manager
+ type: ClusterIP
+status:
+ loadBalancer: {}
diff --git a/operators/cert-manager/1.13.1/metadata/annotations.yaml b/operators/cert-manager/1.13.1/metadata/annotations.yaml
new file mode 100644
index 00000000000..df833d83b9a
--- /dev/null
+++ b/operators/cert-manager/1.13.1/metadata/annotations.yaml
@@ -0,0 +1,15 @@
+annotations:
+ # Core bundle annotations.
+ operators.operatorframework.io.bundle.mediatype.v1: registry+v1
+ operators.operatorframework.io.bundle.manifests.v1: manifests/
+ operators.operatorframework.io.bundle.metadata.v1: metadata/
+ operators.operatorframework.io.bundle.package.v1: cert-manager
+ operators.operatorframework.io.bundle.channels.v1: candidate,stable
+ operators.operatorframework.io.bundle.channel.default.v1: stable
+ operators.operatorframework.io.metrics.builder: operator-sdk-v1.25.0
+ operators.operatorframework.io.metrics.mediatype.v1: metrics+v1
+ operators.operatorframework.io.metrics.project_layout: unknown
+
+ # Annotations for testing.
+ operators.operatorframework.io.test.mediatype.v1: scorecard+v1
+ operators.operatorframework.io.test.config.v1: tests/scorecard/
diff --git a/operators/cert-manager/1.13.1/tests/scorecard/config.yaml b/operators/cert-manager/1.13.1/tests/scorecard/config.yaml
new file mode 100644
index 00000000000..8829d4610ac
--- /dev/null
+++ b/operators/cert-manager/1.13.1/tests/scorecard/config.yaml
@@ -0,0 +1,70 @@
+apiVersion: scorecard.operatorframework.io/v1alpha3
+kind: Configuration
+metadata:
+ name: config
+stages:
+- parallel: true
+ tests:
+ - entrypoint:
+ - scorecard-test
+ - basic-check-spec
+ image: quay.io/operator-framework/scorecard-test:v1.8.0
+ labels:
+ suite: basic
+ test: basic-check-spec-test
+ storage:
+ spec:
+ mountPath: {}
+ - entrypoint:
+ - scorecard-test
+ - olm-bundle-validation
+ image: quay.io/operator-framework/scorecard-test:v1.8.0
+ labels:
+ suite: olm
+ test: olm-bundle-validation-test
+ storage:
+ spec:
+ mountPath: {}
+ - entrypoint:
+ - scorecard-test
+ - olm-crds-have-validation
+ image: quay.io/operator-framework/scorecard-test:v1.8.0
+ labels:
+ suite: olm
+ test: olm-crds-have-validation-test
+ storage:
+ spec:
+ mountPath: {}
+ - entrypoint:
+ - scorecard-test
+ - olm-crds-have-resources
+ image: quay.io/operator-framework/scorecard-test:v1.8.0
+ labels:
+ suite: olm
+ test: olm-crds-have-resources-test
+ storage:
+ spec:
+ mountPath: {}
+ - entrypoint:
+ - scorecard-test
+ - olm-spec-descriptors
+ image: quay.io/operator-framework/scorecard-test:v1.8.0
+ labels:
+ suite: olm
+ test: olm-spec-descriptors-test
+ storage:
+ spec:
+ mountPath: {}
+ - entrypoint:
+ - scorecard-test
+ - olm-status-descriptors
+ image: quay.io/operator-framework/scorecard-test:v1.8.0
+ labels:
+ suite: olm
+ test: olm-status-descriptors-test
+ storage:
+ spec:
+ mountPath: {}
+storage:
+ spec:
+ mountPath: {}
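Review bot: All six `image:` entries reference `quay.io/operator-framework/scorecard-test:v1.8.0` by mutable tag, so the test image that runs against this bundle can change under the same name without any change to this file; pin it by digest, e.g. `image: quay.io/operator-framework/scorecard-test:v1.8.0@sha256:<DIGEST-PLACEHOLDER>` (constructed form, substitute the real digest), and update the six entries together. The `v1.8.0` tag is also older than the `operator-sdk-v1.25.0` builder recorded in metadata/annotations.yaml, which may be intentional but is worth confirming since the scorecard checks themselves are versioned with the SDK. Regenerating the config from the same SDK release that produced the rest of the bundle would resolve both points at once.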