From 2b4df899b11e9e418884d9f28b9978de91eb4217 Mon Sep 17 00:00:00 2001
From: marcel-dempers <aimvec@gmail.com>
Date: Sun, 8 Nov 2020 09:10:40 +1100
Subject: [PATCH 1/8] fluent-k8s-wip

---
 .../logging/fluentd/kubernetes/README.md      | 17 +++++++
 .../fluentd/kubernetes/elastic-demo.yaml      | 47 +++++++++++++++++++
 .../fluentd/kubernetes/kibana-demo.yaml       | 43 +++++++++++++++++
 3 files changed, 107 insertions(+)
 create mode 100644 monitoring/logging/fluentd/kubernetes/README.md
 create mode 100644 monitoring/logging/fluentd/kubernetes/elastic-demo.yaml
 create mode 100644 monitoring/logging/fluentd/kubernetes/kibana-demo.yaml

diff --git a/monitoring/logging/fluentd/kubernetes/README.md b/monitoring/logging/fluentd/kubernetes/README.md
new file mode 100644
index 0000000..bbe6422
--- /dev/null
+++ b/monitoring/logging/fluentd/kubernetes/README.md
@@ -0,0 +1,17 @@
+# Introduction to Fluentd on Kubernetes
+
+## We need a Kubernetes cluster
+
+Lets create a Kubernetes cluster to play with using [kind](https://kind.sigs.k8s.io/docs/user/quick-start/)
+
+```
+kind create cluster --name fluentd --image kindest/node:v1.19.1
+```
+
+## Fluentd Manifests
+
+I would highly recommend to use manifests from the official fluentd [github repo](https://github.com/fluent/fluentd-kubernetes-daemonset) <br/>
+
+The manifests found here are purely for demo purpose. <br/>
+
+In this example I will use the most common use case and we'll break it down to get an understanding of each component.
\ No newline at end of file
diff --git a/monitoring/logging/fluentd/kubernetes/elastic-demo.yaml b/monitoring/logging/fluentd/kubernetes/elastic-demo.yaml
new file mode 100644
index 0000000..d4cc2b2
--- /dev/null
+++ b/monitoring/logging/fluentd/kubernetes/elastic-demo.yaml
@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: elasticsearch
+  labels:
+    app: elasticsearch
+spec:
+  selector:
+    matchLabels:
+      app: elasticsearch
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: elasticsearch
+    spec:
+      containers:
+      - name: elasticsearch
+        image: elasticsearch:7.9.1
+        imagePullPolicy: IfNotExists
+        ports:
+        - containerPort: 9200
+      env:
+      - name: node.name
+        value: "elasticsearch"
+      - name: cluster.initial_master_nodes
+        value: "elasticsearch"
+      - name: bootstrap.memory_lock
+        value: "true"
+      - name: ES_JAVA_OPTS
+        value: "-Xms512m -Xmx512m"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: elasticsearch
+  labels:
+    app: elasticsearch
+spec:
+  type: ClusterIP
+  selector:
+    app: elasticsearch
+  ports:
+    - protocol: TCP
+      name: http
+      port: 9200
+      targetPort: 9200
\ No newline at end of file
diff --git a/monitoring/logging/fluentd/kubernetes/kibana-demo.yaml b/monitoring/logging/fluentd/kubernetes/kibana-demo.yaml
new file mode 100644
index 0000000..8f63c9d
--- /dev/null
+++ b/monitoring/logging/fluentd/kubernetes/kibana-demo.yaml
@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kibana
+  labels:
+    app: kibana
+spec:
+  selector:
+    matchLabels:
+      app: kibana
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: kibana
+    spec:
+      containers:
+      - name: kibana
+        image: kibana:7.9.1
+        imagePullPolicy: IfNotExists
+        ports:
+        - containerPort: 5601
+      env:
+      - name: ELASTICSEARCH_URL
+        value: "http://elasticsearch:9200"
+      - name: ELASTICSEARCH_HOSTS
+        value: "http://elasticsearch:9200"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: kibana
+  labels:
+    app: kibana
+spec:
+  type: ClusterIP
+  selector:
+    app: kibana
+  ports:
+    - protocol: TCP
+      name: http
+      port: 5601
+      targetPort: 5601
\ No newline at end of file

From f9b9a3f1fed517fd4860a0f9cd2918f9028f4057 Mon Sep 17 00:00:00 2001
From: marcel-dempers <aimvec@gmail.com>
Date: Sun, 8 Nov 2020 16:00:38 +1100
Subject: [PATCH 2/8] fluent-k8s wip

---
 .../configurations/containers-fluent.conf     |   2 +-
 .../configurations/file-fluent.conf           |   2 +-
 .../logging/fluentd/introduction/dockerfile   |   1 -
 .../logging/fluentd/kubernetes/README.md      | 100 +++++++++++++++++-
 .../{ => elastic}/elastic-demo.yaml           |  26 +++--
 .../kubernetes/{ => elastic}/kibana-demo.yaml |  12 +--
 .../fluentd/kubernetes/fluentd-configmap.yaml |  39 +++++++
 .../fluentd/kubernetes/fluentd-rbac.yaml      |  34 ++++++
 .../logging/fluentd/kubernetes/fluentd.yaml   |  52 +++++++++
 9 files changed, 247 insertions(+), 21 deletions(-)
 rename monitoring/logging/fluentd/kubernetes/{ => elastic}/elastic-demo.yaml (55%)
 rename monitoring/logging/fluentd/kubernetes/{ => elastic}/kibana-demo.yaml (72%)
 create mode 100644 monitoring/logging/fluentd/kubernetes/fluentd-configmap.yaml
 create mode 100644 monitoring/logging/fluentd/kubernetes/fluentd-rbac.yaml
 create mode 100644 monitoring/logging/fluentd/kubernetes/fluentd.yaml

diff --git a/monitoring/logging/fluentd/introduction/configurations/containers-fluent.conf b/monitoring/logging/fluentd/introduction/configurations/containers-fluent.conf
index 49084ff..30cacf8 100644
--- a/monitoring/logging/fluentd/introduction/configurations/containers-fluent.conf
+++ b/monitoring/logging/fluentd/introduction/configurations/containers-fluent.conf
@@ -1,4 +1,4 @@
- <source>
+<source>
   @type tail
   format json
   read_from_head true
diff --git a/monitoring/logging/fluentd/introduction/configurations/file-fluent.conf b/monitoring/logging/fluentd/introduction/configurations/file-fluent.conf
index a0cf07a..0053a0b 100644
--- a/monitoring/logging/fluentd/introduction/configurations/file-fluent.conf
+++ b/monitoring/logging/fluentd/introduction/configurations/file-fluent.conf
@@ -1,4 +1,4 @@
- <source>
+<source>
   @type tail
   format json
   read_from_head true
diff --git a/monitoring/logging/fluentd/introduction/dockerfile b/monitoring/logging/fluentd/introduction/dockerfile
index 2ab00f0..b00f600 100644
--- a/monitoring/logging/fluentd/introduction/dockerfile
+++ b/monitoring/logging/fluentd/introduction/dockerfile
@@ -2,4 +2,3 @@ FROM fluent/fluentd:v1.11-debian
 
 USER root
 RUN gem install fluent-plugin-elasticsearch
-USER fluent
diff --git a/monitoring/logging/fluentd/kubernetes/README.md b/monitoring/logging/fluentd/kubernetes/README.md
index bbe6422..2b38b06 100644
--- a/monitoring/logging/fluentd/kubernetes/README.md
+++ b/monitoring/logging/fluentd/kubernetes/README.md
@@ -1,5 +1,13 @@
 # Introduction to Fluentd on Kubernetes
 
+## Prerequisites 
+
+You will need a basic understanding of Fluentd before you attempt to run it on Kubernetes.<br/> 
+Fluentd and Kubernetes have a bunch of moving parts.<br/> 
+To understand the basics of Fluentd, I highly recommend you start with this video: <br/> 
+
+<a href="https://youtu.be/Gp0-7oVOtPw" title="Fluentd"><img src="https://i.ytimg.com/vi/Gp0-7oVOtPw/hqdefault.jpg" width="50%" height="50%" alt="Fluentd" /></a>
+
 ## We need a Kubernetes cluster
 
 Lets create a Kubernetes cluster to play with using [kind](https://kind.sigs.k8s.io/docs/user/quick-start/)
@@ -10,8 +18,96 @@ kind create cluster --name fluentd --image kindest/node:v1.19.1
 
 ## Fluentd Manifests
 
-I would highly recommend to use manifests from the official fluentd [github repo](https://github.com/fluent/fluentd-kubernetes-daemonset) <br/>
+I would highly recommend to use manifests from the official fluentd [github repo](https://github.com/fluent/fluentd-kubernetes-daemonset) for production usage <br/>
 
 The manifests found here are purely for demo purpose. <br/>
+The manifests in this repo are broken down and simplified for educational purpose. </br>
+<br/>
+In this example I will use the most common use case and we'll break it down to get an understanding of each component.
 
-In this example I will use the most common use case and we'll break it down to get an understanding of each component.
\ No newline at end of file
+## Fluentd Docker
+
+I would recommend to start with the official [fluentd](https://hub.docker.com/r/fluent/fluentd/)
+docker image. <br/>
+You may want to build your own image if you want to install plugins.
+In this demo I will be using the `fluentd` elasticsearch plugin <br/>
+It's pretty simple to adjust `fluentd` to send logs to any other destination in case you are not an `elasticsearch` user. <br/>
+
+<br/>
+
+Let's build our [docker image](https://github.com/marcel-dempers/docker-development-youtube-series/blob/master/monitoring/logging/fluentd/introduction/dockerfile) in the introduction folder:
+
+
+```
+cd monitoring\logging\fluentd\introduction
+
+#note: use your own tag!
+docker build . -t aimvector/fluentd-demo
+
+#note: use your own tag!
+docker push aimvector/fluentd-demo
+
+```
+
+## Fluentd Namespace
+
+I like to run certain infrastructure components in their own namespaces. <br/>
+If you are using the official manifests, they may be using the `kube-system` namespace instead. <br/>
+You may want to carefully adjust it based on your preference <br/>
+Let's create a `fluentd` namespace: <br/>
+
+```
+kubectl create ns fluentd
+
+```
+## Fluentd Configmap
+
+In my [fluentd introduction video](https://youtu.be/Gp0-7oVOtPw), I talk about how `fluentd` allows us to simplify our configs using the `include` statement. <br/> 
+This helps us prevent having a large complex file.
+
+<br/>
+
+We have 3 files in our `fluentd-configmap.yaml` :
+* fluent.conf: Our main config which includes all other configurations
+* pods-fluent.conf: `tail` config that sources all pod logs on the `kubernetes` host
+* file-fluent.conf: `match` config to capture all logs and write it to file for testing log collection
+* elastic-fluent.conf: `match` config that captures all logs and sends it to `elasticseach`
+
+Let's deploy our `configmap`:
+
+```
+kubectl apply -f .\monitoring\logging\fluentd\kubernetes\fluentd-configmap.yaml
+
+```
+
+## Fluentd Daemonset
+
+Let's deploy our `daemonset`:
+
+```
+kubectl apply -f .\monitoring\logging\fluentd\kubernetes\fluentd-rbac.yaml 
+kubectl apply -f .\monitoring\logging\fluentd\kubernetes\fluentd.yaml
+
+kubectl -n fluentd get pods
+```
+
+
+NOT message:("pattern not matched") and NOT message:("/var/log/containers/")
+
+
+
+
+## Demo ElasticSearch and Kibana
+
+```
+kubectl create ns elastic-kibana
+
+kubectl -n elastic-kibana apply -f .\monitoring\logging\fluentd\kubernetes\elastic\elastic-demo.yaml
+kubectl -n elastic-kibana apply -f .\monitoring\logging\fluentd\kubernetes\elastic\kibana-demo.yaml
+```
+
+## Kibana
+
+```
+kubectl -n elastic-kibana port-forward svc/kibana 5601
+```
\ No newline at end of file
diff --git a/monitoring/logging/fluentd/kubernetes/elastic-demo.yaml b/monitoring/logging/fluentd/kubernetes/elastic/elastic-demo.yaml
similarity index 55%
rename from monitoring/logging/fluentd/kubernetes/elastic-demo.yaml
rename to monitoring/logging/fluentd/kubernetes/elastic/elastic-demo.yaml
index d4cc2b2..e4064b7 100644
--- a/monitoring/logging/fluentd/kubernetes/elastic-demo.yaml
+++ b/monitoring/logging/fluentd/kubernetes/elastic/elastic-demo.yaml
@@ -14,21 +14,27 @@ spec:
       labels:
         app: elasticsearch
     spec:
+      initContainers:
+      - name: vm-max-fix
+        image: busybox
+        command: ["sysctl", "-w", "vm.max_map_count=262144"]
+        securityContext:
+          privileged: true
       containers:
       - name: elasticsearch
         image: elasticsearch:7.9.1
-        imagePullPolicy: IfNotExists
+        imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 9200
-      env:
-      - name: node.name
-        value: "elasticsearch"
-      - name: cluster.initial_master_nodes
-        value: "elasticsearch"
-      - name: bootstrap.memory_lock
-        value: "true"
-      - name: ES_JAVA_OPTS
-        value: "-Xms512m -Xmx512m"
+        env:
+        - name: node.name
+          value: "elasticsearch"
+        - name: cluster.initial_master_nodes
+          value: "elasticsearch"
+        - name: bootstrap.memory_lock
+          value: "false"
+        - name: ES_JAVA_OPTS
+          value: "-Xms512m -Xmx512m"
 ---
 apiVersion: v1
 kind: Service
diff --git a/monitoring/logging/fluentd/kubernetes/kibana-demo.yaml b/monitoring/logging/fluentd/kubernetes/elastic/kibana-demo.yaml
similarity index 72%
rename from monitoring/logging/fluentd/kubernetes/kibana-demo.yaml
rename to monitoring/logging/fluentd/kubernetes/elastic/kibana-demo.yaml
index 8f63c9d..c58524b 100644
--- a/monitoring/logging/fluentd/kubernetes/kibana-demo.yaml
+++ b/monitoring/logging/fluentd/kubernetes/elastic/kibana-demo.yaml
@@ -17,14 +17,14 @@ spec:
       containers:
       - name: kibana
         image: kibana:7.9.1
-        imagePullPolicy: IfNotExists
+        imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 5601
-      env:
-      - name: ELASTICSEARCH_URL
-        value: "http://elasticsearch:9200"
-      - name: ELASTICSEARCH_HOSTS
-        value: "http://elasticsearch:9200"
+        env:
+        - name: ELASTICSEARCH_URL
+          value: "http://elasticsearch:9200"
+        - name: ELASTICSEARCH_HOSTS
+          value: "http://elasticsearch:9200"
 ---
 apiVersion: v1
 kind: Service
diff --git a/monitoring/logging/fluentd/kubernetes/fluentd-configmap.yaml b/monitoring/logging/fluentd/kubernetes/fluentd-configmap.yaml
new file mode 100644
index 0000000..18bbbb5
--- /dev/null
+++ b/monitoring/logging/fluentd/kubernetes/fluentd-configmap.yaml
@@ -0,0 +1,39 @@
+#@include file-fluent.conf
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: fluentd-config
+  namespace: fluentd
+data:
+  fluent.conf: |-
+    ################################################################
+    # This source gets all logs from local docker host
+    @include pods-fluent.conf
+    @include elastic-fluent.conf
+  pods-fluent.conf: |-
+    <source>
+      @type tail
+      read_from_head true
+      tag kubernetes.*
+      path /var/log/containers/*.log
+      pos_file /var/log/fluentd-containers.log.pos
+      exclude_path ["/var/log/containers/fluent*"]
+      <parse>
+        @type json
+        time_format %Y-%m-%dT%H:%M:%S.%NZ
+      </parse>
+    </source>
+  file-fluent.conf: |-
+    <match **>
+      @type file
+      path /tmp/file-test.log
+    </match>
+  elastic-fluent.conf: |-
+    <match **>
+      @type elasticsearch
+      host "#{ENV['FLUENT_ELASTICSEARCH_HOST'] || 'elasticsearch.elastic-kibana'}"
+      port "#{ENV['FLUENT_ELASTICSEARCH_PORT'] || '9200'}"
+      index_name fluentd-k8s
+      type_name fluentd
+    </match>
\ No newline at end of file
diff --git a/monitoring/logging/fluentd/kubernetes/fluentd-rbac.yaml b/monitoring/logging/fluentd/kubernetes/fluentd-rbac.yaml
new file mode 100644
index 0000000..2dff202
--- /dev/null
+++ b/monitoring/logging/fluentd/kubernetes/fluentd-rbac.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: fluentd
+  namespace: fluentd
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: fluentd
+  namespace: fluentd
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: fluentd
+roleRef:
+  kind: ClusterRole
+  name: fluentd
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+  name: fluentd
+  namespace: fluentd
\ No newline at end of file
diff --git a/monitoring/logging/fluentd/kubernetes/fluentd.yaml b/monitoring/logging/fluentd/kubernetes/fluentd.yaml
new file mode 100644
index 0000000..2a99992
--- /dev/null
+++ b/monitoring/logging/fluentd/kubernetes/fluentd.yaml
@@ -0,0 +1,52 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: fluentd
+  namespace: fluentd
+  labels:
+    k8s-app: fluentd-logging
+    version: v1
+spec:
+  selector:
+    matchLabels:
+      k8s-app: fluentd-logging
+      version: v1
+  template:
+    metadata:
+      labels:
+        k8s-app: fluentd-logging
+        version: v1
+    spec:
+      serviceAccount: fluentd
+      serviceAccountName: fluentd
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        effect: NoSchedule
+      containers:
+      - name: fluentd
+        imagePullPolicy: "Always"
+        image: aimvector/fluentd-demo
+        env:
+          - name:  FLUENT_ELASTICSEARCH_HOST
+            value: "elasticsearch.elastic-kibana"
+          - name:  FLUENT_ELASTICSEARCH_PORT
+            value: "9200"
+        resources:
+          limits:
+            memory: 200Mi
+          requests:
+            cpu: 100m
+            memory: 200Mi
+        volumeMounts:
+        - name: fluentd-config
+          mountPath: /fluentd/etc
+        - name: varlog
+          mountPath: /var/log
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - name: fluentd-config
+        configMap:
+          name: fluentd-config
+      - name: varlog
+        hostPath:
+          path: /var/log
\ No newline at end of file

From 992d78042f65073f3ebcf0106ec99f54c2e04b86 Mon Sep 17 00:00:00 2001
From: marcel-dempers <aimvec@gmail.com>
Date: Wed, 11 Nov 2020 18:42:16 +1100
Subject: [PATCH 3/8] fluent wip

---
 kubernetes/cloud/azure/getting-started.md     |   2 +-
 .../logging/fluentd/kubernetes/README.md      |  24 +--
 .../logging/fluentd/kubernetes/counter.yaml   |  10 ++
 .../fluentd/kubernetes/dockerfiles/Gemfile    |  22 +++
 .../kubernetes/dockerfiles/Gemfile.lock       | 152 ++++++++++++++++++
 .../fluentd/kubernetes/dockerfiles/dockerfile |  42 +++++
 .../kubernetes/dockerfiles/entrypoint.sh      |   3 +
 .../dockerfiles/plugins/parser_kubernetes.rb  |  68 ++++++++
 .../plugins/parser_multiline_kubernetes.rb    |  69 ++++++++
 .../fluentd/kubernetes/fluentd-configmap.yaml |  34 +++-
 .../logging/fluentd/kubernetes/fluentd.yaml   |   8 +-
 11 files changed, 421 insertions(+), 13 deletions(-)
 create mode 100644 monitoring/logging/fluentd/kubernetes/counter.yaml
 create mode 100644 monitoring/logging/fluentd/kubernetes/dockerfiles/Gemfile
 create mode 100644 monitoring/logging/fluentd/kubernetes/dockerfiles/Gemfile.lock
 create mode 100644 monitoring/logging/fluentd/kubernetes/dockerfiles/dockerfile
 create mode 100644 monitoring/logging/fluentd/kubernetes/dockerfiles/entrypoint.sh
 create mode 100644 monitoring/logging/fluentd/kubernetes/dockerfiles/plugins/parser_kubernetes.rb
 create mode 100644 monitoring/logging/fluentd/kubernetes/dockerfiles/plugins/parser_multiline_kubernetes.rb

diff --git a/kubernetes/cloud/azure/getting-started.md b/kubernetes/cloud/azure/getting-started.md
index fd6e452..4035f80 100644
--- a/kubernetes/cloud/azure/getting-started.md
+++ b/kubernetes/cloud/azure/getting-started.md
@@ -20,7 +20,7 @@ az login
 
 az account list -o table
 SUBSCRIPTION=<id>
-az account set --subscription <SubscriptionId-id-here>
+az account set --subscription $SUBSCRIPTION
 
 ```
 
diff --git a/monitoring/logging/fluentd/kubernetes/README.md b/monitoring/logging/fluentd/kubernetes/README.md
index 2b38b06..c5b6868 100644
--- a/monitoring/logging/fluentd/kubernetes/README.md
+++ b/monitoring/logging/fluentd/kubernetes/README.md
@@ -8,6 +8,9 @@ To understand the basics of Fluentd, I highly recommend you start with this vide
 
 <a href="https://youtu.be/Gp0-7oVOtPw" title="Fluentd"><img src="https://i.ytimg.com/vi/Gp0-7oVOtPw/hqdefault.jpg" width="50%" height="50%" alt="Fluentd" /></a>
 
+The most important components to understand is the fluentd `tail` plugin. <br/>
+This plugin is used to read logs from containers and pods on the file system and collect them.
+
 ## We need a Kubernetes cluster
 
 Lets create a Kubernetes cluster to play with using [kind](https://kind.sigs.k8s.io/docs/user/quick-start/)
@@ -39,7 +42,7 @@ Let's build our [docker image](https://github.com/marcel-dempers/docker-developm
 
 
 ```
-cd monitoring\logging\fluentd\introduction
+cd .\monitoring\logging\fluentd\kubernetes\
 
 #note: use your own tag!
 docker build . -t aimvector/fluentd-demo
@@ -69,8 +72,12 @@ This helps us prevent having a large complex file.
 
 We have 3 files in our `fluentd-configmap.yaml` :
 * fluent.conf: Our main config which includes all other configurations
-* pods-fluent.conf: `tail` config that sources all pod logs on the `kubernetes` host
-* file-fluent.conf: `match` config to capture all logs and write it to file for testing log collection
+* pods-kind-fluent.conf: `tail` config that sources all pod logs on the `kind` cluster.
+  Note: `kind` cluster writes its log in a different format
+* pods-fluent.conf: `tail` config that sources all pod logs on the `kubernetes` host in the cloud. <br/>
+  Note: When running K8s in the cloud, logs may go into JSON format.
+* file-fluent.conf: `match` config to capture all logs and write it to file for testing log collection </br>
+  Note: This is great to test if collection of logs works
 * elastic-fluent.conf: `match` config that captures all logs and sends it to `elasticseach`
 
 Let's deploy our `configmap`:
@@ -91,19 +98,18 @@ kubectl apply -f .\monitoring\logging\fluentd\kubernetes\fluentd.yaml
 kubectl -n fluentd get pods
 ```
 
-
-NOT message:("pattern not matched") and NOT message:("/var/log/containers/")
-
-
-
-
 ## Demo ElasticSearch and Kibana
 
 ```
 kubectl create ns elastic-kibana
 
+# deploy elastic search
 kubectl -n elastic-kibana apply -f .\monitoring\logging\fluentd\kubernetes\elastic\elastic-demo.yaml
+kubectl -n elastic-kibana get pods
+
+# deploy kibana
 kubectl -n elastic-kibana apply -f .\monitoring\logging\fluentd\kubernetes\elastic\kibana-demo.yaml
+kubectl -n elastic-kibana get pods
 ```
 
 ## Kibana
diff --git a/monitoring/logging/fluentd/kubernetes/counter.yaml b/monitoring/logging/fluentd/kubernetes/counter.yaml
new file mode 100644
index 0000000..0dc4deb
--- /dev/null
+++ b/monitoring/logging/fluentd/kubernetes/counter.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: counter
+spec:
+  containers:
+  - name: count
+    image: busybox
+    args: [/bin/sh, -c,
+            'i=0; while true; do echo "$i: $(date)"; i=$((i+1)); sleep 1; done']
diff --git a/monitoring/logging/fluentd/kubernetes/dockerfiles/Gemfile b/monitoring/logging/fluentd/kubernetes/dockerfiles/Gemfile
new file mode 100644
index 0000000..1d6417c
--- /dev/null
+++ b/monitoring/logging/fluentd/kubernetes/dockerfiles/Gemfile
@@ -0,0 +1,22 @@
+# AUTOMATICALLY GENERATED
+# DO NOT EDIT THIS FILE DIRECTLY, USE /templates/Gemfile.erb
+
+source "https://rubygems.org"
+
+gem "fluentd", "1.11.5"
+gem "oj", "3.8.1"
+gem "fluent-plugin-multi-format-parser", "~> 1.0.0"
+gem "fluent-plugin-concat", "~> 2.4.0"
+gem "fluent-plugin-grok-parser", "~> 2.6.0"
+gem "fluent-plugin-prometheus", "~> 1.6.1"
+gem 'fluent-plugin-json-in-json-2', ">= 1.0.2"
+gem "fluent-plugin-record-modifier", "~> 2.0.0"
+gem "fluent-plugin-detect-exceptions", "~> 0.0.12"
+gem "fluent-plugin-rewrite-tag-filter", "~> 2.2.0"
+gem "elasticsearch", "~> 7.0"
+gem "fluent-plugin-elasticsearch", "~> 4.1.1"
+gem "elasticsearch-xpack", "~> 7.0"
+gem "fluent-plugin-dedot_filter", "~> 1.0"
+gem "fluent-plugin-kubernetes_metadata_filter", "~> 2.5.0"
+gem "ffi"
+gem "fluent-plugin-systemd", "~> 1.0.1"
\ No newline at end of file
diff --git a/monitoring/logging/fluentd/kubernetes/dockerfiles/Gemfile.lock b/monitoring/logging/fluentd/kubernetes/dockerfiles/Gemfile.lock
new file mode 100644
index 0000000..6cba863
--- /dev/null
+++ b/monitoring/logging/fluentd/kubernetes/dockerfiles/Gemfile.lock
@@ -0,0 +1,152 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    addressable (2.7.0)
+      public_suffix (>= 2.0.2, < 5.0)
+    concurrent-ruby (1.1.7)
+    cool.io (1.7.0)
+    domain_name (0.5.20190701)
+      unf (>= 0.0.5, < 1.0.0)
+    elasticsearch (7.9.0)
+      elasticsearch-api (= 7.9.0)
+      elasticsearch-transport (= 7.9.0)
+    elasticsearch-api (7.9.0)
+      multi_json
+    elasticsearch-transport (7.9.0)
+      faraday (~> 1)
+      multi_json
+    elasticsearch-xpack (7.9.0)
+      elasticsearch-api (>= 6)
+    excon (0.78.0)
+    faraday (1.1.0)
+      multipart-post (>= 1.2, < 3)
+      ruby2_keywords
+    ffi (1.13.1)
+    ffi-compiler (1.0.1)
+      ffi (>= 1.0.0)
+      rake
+    fluent-config-regexp-type (1.0.0)
+      fluentd (> 1.0.0, < 2)
+    fluent-plugin-concat (2.4.0)
+      fluentd (>= 0.14.0, < 2)
+    fluent-plugin-dedot_filter (1.0.0)
+      fluentd (>= 0.14.0, < 2)
+    fluent-plugin-detect-exceptions (0.0.13)
+      fluentd (>= 0.10)
+    fluent-plugin-elasticsearch (4.1.4)
+      elasticsearch
+      excon
+      fluentd (>= 0.14.22)
+    fluent-plugin-grok-parser (2.6.2)
+      fluentd (>= 0.14.6, < 2)
+    fluent-plugin-json-in-json-2 (1.0.2)
+      fluentd (>= 0.14.0, < 2)
+      yajl-ruby (~> 1.0)
+    fluent-plugin-kubernetes_metadata_filter (2.5.2)
+      fluentd (>= 0.14.0, < 1.12)
+      kubeclient (< 5)
+      lru_redux
+    fluent-plugin-multi-format-parser (1.0.0)
+      fluentd (>= 0.14.0, < 2)
+    fluent-plugin-prometheus (1.6.1)
+      fluentd (>= 0.14.20, < 2)
+      prometheus-client (< 0.10)
+    fluent-plugin-record-modifier (2.0.1)
+      fluentd (>= 1.0, < 2)
+    fluent-plugin-rewrite-tag-filter (2.2.0)
+      fluent-config-regexp-type
+      fluentd (>= 0.14.2, < 2)
+    fluent-plugin-systemd (1.0.2)
+      fluentd (>= 0.14.11, < 2)
+      systemd-journal (~> 1.3.2)
+    fluentd (1.11.5)
+      cool.io (>= 1.4.5, < 2.0.0)
+      http_parser.rb (>= 0.5.1, < 0.7.0)
+      msgpack (>= 1.3.1, < 2.0.0)
+      serverengine (>= 2.2.2, < 3.0.0)
+      sigdump (~> 0.2.2)
+      strptime (>= 0.2.2, < 1.0.0)
+      tzinfo (>= 1.0, < 3.0)
+      tzinfo-data (~> 1.0)
+      yajl-ruby (~> 1.0)
+    http (4.4.1)
+      addressable (~> 2.3)
+      http-cookie (~> 1.0)
+      http-form_data (~> 2.2)
+      http-parser (~> 1.2.0)
+    http-accept (1.7.0)
+    http-cookie (1.0.3)
+      domain_name (~> 0.5)
+    http-form_data (2.3.0)
+    http-parser (1.2.1)
+      ffi-compiler (>= 1.0, < 2.0)
+    http_parser.rb (0.6.0)
+    jsonpath (1.0.5)
+      multi_json
+      to_regexp (~> 0.2.1)
+    kubeclient (4.9.1)
+      http (>= 3.0, < 5.0)
+      jsonpath (~> 1.0)
+      recursive-open-struct (~> 1.1, >= 1.1.1)
+      rest-client (~> 2.0)
+    lru_redux (1.1.0)
+    mime-types (3.3.1)
+      mime-types-data (~> 3.2015)
+    mime-types-data (3.2020.1104)
+    msgpack (1.3.3)
+    multi_json (1.15.0)
+    multipart-post (2.1.1)
+    netrc (0.11.0)
+    oj (3.8.1)
+    prometheus-client (0.9.0)
+      quantile (~> 0.2.1)
+    public_suffix (4.0.6)
+    quantile (0.2.1)
+    rake (13.0.1)
+    recursive-open-struct (1.1.3)
+    rest-client (2.1.0)
+      http-accept (>= 1.7.0, < 2.0)
+      http-cookie (>= 1.0.2, < 2.0)
+      mime-types (>= 1.16, < 4.0)
+      netrc (~> 0.8)
+    ruby2_keywords (0.0.2)
+    serverengine (2.2.2)
+      sigdump (~> 0.2.2)
+    sigdump (0.2.4)
+    strptime (0.2.5)
+    systemd-journal (1.3.3)
+      ffi (~> 1.9)
+    to_regexp (0.2.1)
+    tzinfo (2.0.3)
+      concurrent-ruby (~> 1.0)
+    tzinfo-data (1.2020.4)
+      tzinfo (>= 1.0.0)
+    unf (0.1.4)
+      unf_ext
+    unf_ext (0.0.7.7)
+    yajl-ruby (1.4.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  elasticsearch (~> 7.0)
+  elasticsearch-xpack (~> 7.0)
+  ffi
+  fluent-plugin-concat (~> 2.4.0)
+  fluent-plugin-dedot_filter (~> 1.0)
+  fluent-plugin-detect-exceptions (~> 0.0.12)
+  fluent-plugin-elasticsearch (~> 4.1.1)
+  fluent-plugin-grok-parser (~> 2.6.0)
+  fluent-plugin-json-in-json-2 (>= 1.0.2)
+  fluent-plugin-kubernetes_metadata_filter (~> 2.5.0)
+  fluent-plugin-multi-format-parser (~> 1.0.0)
+  fluent-plugin-prometheus (~> 1.6.1)
+  fluent-plugin-record-modifier (~> 2.0.0)
+  fluent-plugin-rewrite-tag-filter (~> 2.2.0)
+  fluent-plugin-systemd (~> 1.0.1)
+  fluentd (= 1.11.5)
+  oj (= 3.8.1)
+
+BUNDLED WITH
+   2.1.4
\ No newline at end of file
diff --git a/monitoring/logging/fluentd/kubernetes/dockerfiles/dockerfile b/monitoring/logging/fluentd/kubernetes/dockerfiles/dockerfile
new file mode 100644
index 0000000..9d9e135
--- /dev/null
+++ b/monitoring/logging/fluentd/kubernetes/dockerfiles/dockerfile
@@ -0,0 +1,42 @@
+FROM fluent/fluentd:v1.11-debian
+
+USER root
+WORKDIR /home/fluent
+ENV PATH /fluentd/vendor/bundle/ruby/2.6.0/bin:$PATH
+ENV GEM_PATH /fluentd/vendor/bundle/ruby/2.6.0
+ENV GEM_HOME /fluentd/vendor/bundle/ruby/2.6.0
+
+# skip runtime bundler installation
+ENV FLUENTD_DISABLE_BUNDLER_INJECTION 1
+
+COPY Gemfile* /fluentd/
+RUN buildDeps="sudo make gcc g++ libc-dev libffi-dev" \
+  runtimeDeps="" \
+      && apt-get update \
+     && apt-get upgrade -y \
+     && apt-get install \
+     -y --no-install-recommends \
+     $buildDeps $runtimeDeps net-tools \
+    && gem install bundler --version 2.1.4 \
+    && bundle config silence_root_warning true \
+    && bundle install --gemfile=/fluentd/Gemfile --path=/fluentd/vendor/bundle \
+    && SUDO_FORCE_REMOVE=yes \
+    apt-get purge -y --auto-remove \
+                  -o APT::AutoRemove::RecommendsImportant=false \
+                  $buildDeps \
+ && rm -rf /var/lib/apt/lists/* \
+    && gem sources --clear-all \
+    && rm -rf /tmp/* /var/tmp/* /usr/lib/ruby/gems/*/cache/*.gem
+
+RUN touch /fluentd/etc/disable.conf
+
+# Copy plugins
+COPY plugins /fluentd/plugins/
+COPY entrypoint.sh /fluentd/entrypoint.sh
+
+# Environment variables
+ENV FLUENTD_OPT=""
+ENV FLUENTD_CONF="fluent.conf"
+
+# Overwrite ENTRYPOINT to run fluentd as root for /var/log / /var/lib
+ENTRYPOINT ["tini", "--", "/fluentd/entrypoint.sh"]
\ No newline at end of file
diff --git a/monitoring/logging/fluentd/kubernetes/dockerfiles/entrypoint.sh b/monitoring/logging/fluentd/kubernetes/dockerfiles/entrypoint.sh
new file mode 100644
index 0000000..575c288
--- /dev/null
+++ b/monitoring/logging/fluentd/kubernetes/dockerfiles/entrypoint.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env sh
+
+exec fluentd -c /fluentd/etc/${FLUENTD_CONF} -p /fluentd/plugins
\ No newline at end of file
diff --git a/monitoring/logging/fluentd/kubernetes/dockerfiles/plugins/parser_kubernetes.rb b/monitoring/logging/fluentd/kubernetes/dockerfiles/plugins/parser_kubernetes.rb
new file mode 100644
index 0000000..a1ec3dd
--- /dev/null
+++ b/monitoring/logging/fluentd/kubernetes/dockerfiles/plugins/parser_kubernetes.rb
@@ -0,0 +1,68 @@
+#
+# Fluentd
+#
+#    Licensed under the Apache License, Version 2.0 (the "License");
+#    you may not use this file except in compliance with the License.
+#    You may obtain a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+#
+
+# The following Fluentd parser plugin, aims to simplify the parsing of multiline
+# logs found in Kubernetes nodes. Since many log files shared the same format and
+# in order to simplify the configuration, this plugin provides a 'kubernetes' format
+# parser (built on top of MultilineParser).
+#
+# When tailing files, this 'kubernetes' format should be applied to the following
+# log file sources:
+#
+#  - /var/log/kubelet.log
+#  - /var/log/kube-proxy.log
+#  - /var/log/kube-apiserver.log
+#  - /var/log/kube-controller-manager.log
+#  - /var/log/kube-scheduler.log
+#  - /var/log/rescheduler.log
+#  - /var/log/glbc.log
+#  - /var/log/cluster-autoscaler.log
+#
+# Usage:
+#
+# ---- fluentd.conf ----
+#
+# <source>
+#   @type tail
+#   path ./kubelet.log
+#   read_from_head yes
+#   tag kubelet
+#   <parse>
+#     @type kubernetes
+#   </parse>
+# </source>
+#
+# ----   EOF       ---
+
+require 'fluent/plugin/parser_regexp'
+
+module Fluent
+  module Plugin
+    class KubernetesParser < RegexpParser
+      Fluent::Plugin.register_parser("kubernetes", self)
+
+      CONF_FORMAT_FIRSTLINE = %q{/^\w\d{4}/}
+      CONF_FORMAT1 = %q{/^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/m}
+      CONF_TIME_FORMAT = "%m%d %H:%M:%S.%N"
+
+      def configure(conf)
+        conf['expression'] = CONF_FORMAT1
+        conf['time_format'] = CONF_TIME_FORMAT
+        super
+      end
+    end
+  end
+end
\ No newline at end of file
diff --git a/monitoring/logging/fluentd/kubernetes/dockerfiles/plugins/parser_multiline_kubernetes.rb b/monitoring/logging/fluentd/kubernetes/dockerfiles/plugins/parser_multiline_kubernetes.rb
new file mode 100644
index 0000000..d4c3591
--- /dev/null
+++ b/monitoring/logging/fluentd/kubernetes/dockerfiles/plugins/parser_multiline_kubernetes.rb
@@ -0,0 +1,69 @@
+#
+# Fluentd
+#
+#    Licensed under the Apache License, Version 2.0 (the "License");
+#    you may not use this file except in compliance with the License.
+#    You may obtain a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+#
+
+# The following Fluentd parser plugin, aims to simplify the parsing of multiline
+# logs found in Kubernetes nodes. Since many log files shared the same format and
+# in order to simplify the configuration, this plugin provides a 'kubernetes' format
+# parser (built on top of MultilineParser).
+#
+# When tailing files, this 'kubernetes' format should be applied to the following
+# log file sources:
+#
+#  - /var/log/kubelet.log
+#  - /var/log/kube-proxy.log
+#  - /var/log/kube-apiserver.log
+#  - /var/log/kube-controller-manager.log
+#  - /var/log/kube-scheduler.log
+#  - /var/log/rescheduler.log
+#  - /var/log/glbc.log
+#  - /var/log/cluster-autoscaler.log
+#
+# Usage:
+#
+# ---- fluentd.conf ----
+#
+# <source>
+#   @type tail
+#   path ./kubelet.log
+#   read_from_head yes
+#   tag kubelet
+#   <parse>
+#     @type multiline_kubernetes
+#   </parse>
+# </source>
+#
+# ----   EOF       ---
+
+require 'fluent/plugin/parser_multiline'
+
+module Fluent
+  module Plugin
+    class MultilineKubernetesParser < MultilineParser
+      Fluent::Plugin.register_parser("multiline_kubernetes", self)
+
+      CONF_FORMAT_FIRSTLINE = %q{/^\w\d{4}/}
+      CONF_FORMAT1 = %q{/^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/}
+      CONF_TIME_FORMAT = "%m%d %H:%M:%S.%N"
+
+      def configure(conf)
+        conf['format_firstline'] = CONF_FORMAT_FIRSTLINE
+        conf['format1'] = CONF_FORMAT1
+        conf['time_format'] = CONF_TIME_FORMAT
+        super
+      end
+    end
+  end
+end
\ No newline at end of file
diff --git a/monitoring/logging/fluentd/kubernetes/fluentd-configmap.yaml b/monitoring/logging/fluentd/kubernetes/fluentd-configmap.yaml
index 18bbbb5..da49d27 100644
--- a/monitoring/logging/fluentd/kubernetes/fluentd-configmap.yaml
+++ b/monitoring/logging/fluentd/kubernetes/fluentd-configmap.yaml
@@ -9,8 +9,37 @@ data:
   fluent.conf: |-
     ################################################################
     # This source gets all logs from local docker host
-    @include pods-fluent.conf
+    @include pods-kind-fluent.conf
+    #@include pods-fluent.conf
+    #@include file-fluent.conf
     @include elastic-fluent.conf
+  pods-kind-fluent.conf: |-
+    <source>
+      @type tail
+      read_from_head true
+      tag kubernetes.*
+      path /var/log/containers/*.log
+      pos_file /var/log/fluentd-containers.log.pos
+      exclude_path ["/var/log/containers/fluent*"]
+      <parse>
+        @type regexp
+        #https://regex101.com/r/ZkOBTI/1
+        expression ^(?<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[^Z]*Z)\s(?<stream>[^\s]+)\s(?<character>[^\s])\s(?<message>.*)$
+        #time_format %Y-%m-%dT%H:%M:%S.%NZ
+      </parse>
+    </source>
+
+    <filter kubernetes.**>
+      @type kubernetes_metadata
+      @id filter_kube_metadata
+      kubernetes_url "#{ENV['FLUENT_FILTER_KUBERNETES_URL'] || 'https://' + ENV.fetch('KUBERNETES_SERVICE_HOST') + ':' + ENV.fetch('KUBERNETES_SERVICE_PORT') + '/api'}"
+      verify_ssl "#{ENV['KUBERNETES_VERIFY_SSL'] || true}"
+      ca_file "#{ENV['KUBERNETES_CA_FILE']}"
+      skip_labels "#{ENV['FLUENT_KUBERNETES_METADATA_SKIP_LABELS'] || 'false'}"
+      skip_container_metadata "#{ENV['FLUENT_KUBERNETES_METADATA_SKIP_CONTAINER_METADATA'] || 'false'}"
+      skip_master_url "#{ENV['FLUENT_KUBERNETES_METADATA_SKIP_MASTER_URL'] || 'false'}"
+      skip_namespace_metadata "#{ENV['FLUENT_KUBERNETES_METADATA_SKIP_NAMESPACE_METADATA'] || 'false'}"
+    </filter>
   pods-fluent.conf: |-
     <source>
       @type tail
@@ -20,7 +49,8 @@ data:
       pos_file /var/log/fluentd-containers.log.pos
       exclude_path ["/var/log/containers/fluent*"]
       <parse>
-        @type json
+        @type kubernetes
+        @type "#{ENV['FLUENT_CONTAINER_TAIL_PARSER_TYPE'] || 'json'}"
         time_format %Y-%m-%dT%H:%M:%S.%NZ
       </parse>
     </source>
diff --git a/monitoring/logging/fluentd/kubernetes/fluentd.yaml b/monitoring/logging/fluentd/kubernetes/fluentd.yaml
index 2a99992..93ed971 100644
--- a/monitoring/logging/fluentd/kubernetes/fluentd.yaml
+++ b/monitoring/logging/fluentd/kubernetes/fluentd.yaml
@@ -42,6 +42,9 @@ spec:
           mountPath: /fluentd/etc
         - name: varlog
           mountPath: /var/log
+        - name: varlibdockercontainers
+          mountPath: /var/lib/docker/containers
+          readOnly: true
       terminationGracePeriodSeconds: 30
       volumes:
       - name: fluentd-config
@@ -49,4 +52,7 @@ spec:
           name: fluentd-config
       - name: varlog
         hostPath:
-          path: /var/log
\ No newline at end of file
+          path: /var/log
+      - name: varlibdockercontainers
+        hostPath:
+          path: /var/lib/docker/containers
\ No newline at end of file

From eaec3a66c3afb8b09d876cd09bd3ef7afb6d9b02 Mon Sep 17 00:00:00 2001
From: marcel-dempers <aimvec@gmail.com>
Date: Tue, 17 Nov 2020 12:08:09 +1100
Subject: [PATCH 4/8] wip

---
 .../logging/fluentd/kubernetes/README.md      | 11 ++++--
 .../fluentd/kubernetes/fluentd-configmap.yaml | 16 +++++++--
 .../fluentd/kubernetes/fluentd-rbac.yaml      | 34 -------------------
 .../logging/fluentd/kubernetes/fluentd.yaml   |  2 --
 4 files changed, 23 insertions(+), 40 deletions(-)
 delete mode 100644 monitoring/logging/fluentd/kubernetes/fluentd-rbac.yaml

diff --git a/monitoring/logging/fluentd/kubernetes/README.md b/monitoring/logging/fluentd/kubernetes/README.md
index c5b6868..dc5616b 100644
--- a/monitoring/logging/fluentd/kubernetes/README.md
+++ b/monitoring/logging/fluentd/kubernetes/README.md
@@ -92,10 +92,17 @@ kubectl apply -f .\monitoring\logging\fluentd\kubernetes\fluentd-configmap.yaml
 Let's deploy our `daemonset`:
 
 ```
-kubectl apply -f .\monitoring\logging\fluentd\kubernetes\fluentd-rbac.yaml 
 kubectl apply -f .\monitoring\logging\fluentd\kubernetes\fluentd.yaml
-
 kubectl -n fluentd get pods
+
+```
+
+Let's deploy our example app that writes logs to `stdout`
+
+```
+kubectl apply -f .\monitoring\logging\fluentd\kubernetes\counter.yaml
+kubectl get pods
+
 ```
 
 ## Demo ElasticSearch and Kibana
diff --git a/monitoring/logging/fluentd/kubernetes/fluentd-configmap.yaml b/monitoring/logging/fluentd/kubernetes/fluentd-configmap.yaml
index da49d27..20beced 100644
--- a/monitoring/logging/fluentd/kubernetes/fluentd-configmap.yaml
+++ b/monitoring/logging/fluentd/kubernetes/fluentd-configmap.yaml
@@ -11,8 +11,8 @@ data:
     # This source gets all logs from local docker host
     @include pods-kind-fluent.conf
     #@include pods-fluent.conf
-    #@include file-fluent.conf
-    @include elastic-fluent.conf
+    @include file-fluent.conf
+    #@include elastic-fluent.conf
   pods-kind-fluent.conf: |-
     <source>
       @type tail
@@ -54,6 +54,18 @@ data:
         time_format %Y-%m-%dT%H:%M:%S.%NZ
       </parse>
     </source>
+
+    <filter kubernetes.**>
+      @type kubernetes_metadata
+      @id filter_kube_metadata
+      kubernetes_url "#{ENV['FLUENT_FILTER_KUBERNETES_URL'] || 'https://' + ENV.fetch('KUBERNETES_SERVICE_HOST') + ':' + ENV.fetch('KUBERNETES_SERVICE_PORT') + '/api'}"
+      verify_ssl "#{ENV['KUBERNETES_VERIFY_SSL'] || true}"
+      ca_file "#{ENV['KUBERNETES_CA_FILE']}"
+      skip_labels "#{ENV['FLUENT_KUBERNETES_METADATA_SKIP_LABELS'] || 'false'}"
+      skip_container_metadata "#{ENV['FLUENT_KUBERNETES_METADATA_SKIP_CONTAINER_METADATA'] || 'false'}"
+      skip_master_url "#{ENV['FLUENT_KUBERNETES_METADATA_SKIP_MASTER_URL'] || 'false'}"
+      skip_namespace_metadata "#{ENV['FLUENT_KUBERNETES_METADATA_SKIP_NAMESPACE_METADATA'] || 'false'}"
+    </filter>
   file-fluent.conf: |-
     <match **>
       @type file
diff --git a/monitoring/logging/fluentd/kubernetes/fluentd-rbac.yaml b/monitoring/logging/fluentd/kubernetes/fluentd-rbac.yaml
deleted file mode 100644
index 2dff202..0000000
--- a/monitoring/logging/fluentd/kubernetes/fluentd-rbac.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: fluentd
-  namespace: fluentd
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: fluentd
-  namespace: fluentd
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  - namespaces
-  verbs:
-  - get
-  - list
-  - watch
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: fluentd
-roleRef:
-  kind: ClusterRole
-  name: fluentd
-  apiGroup: rbac.authorization.k8s.io
-subjects:
-- kind: ServiceAccount
-  name: fluentd
-  namespace: fluentd
\ No newline at end of file
diff --git a/monitoring/logging/fluentd/kubernetes/fluentd.yaml b/monitoring/logging/fluentd/kubernetes/fluentd.yaml
index 93ed971..cf9bdae 100644
--- a/monitoring/logging/fluentd/kubernetes/fluentd.yaml
+++ b/monitoring/logging/fluentd/kubernetes/fluentd.yaml
@@ -17,8 +17,6 @@ spec:
         k8s-app: fluentd-logging
         version: v1
     spec:
-      serviceAccount: fluentd
-      serviceAccountName: fluentd
       tolerations:
       - key: node-role.kubernetes.io/master
         effect: NoSchedule

From d39ea77c128e425cae6c2fb61d1017e73413c19b Mon Sep 17 00:00:00 2001
From: marcel-dempers <aimvec@gmail.com>
Date: Thu, 26 Nov 2020 20:06:28 +1100
Subject: [PATCH 5/8] docs - fluentd k8s

---
 .gitignore                                    |  3 +-
 .../logging/fluentd/kubernetes/README.md      |  3 +-
 .../fluentd/kubernetes/fluentd-configmap.yaml |  4 +--
 .../fluentd/kubernetes/fluentd-rbac.yaml      | 34 +++++++++++++++++++
 .../logging/fluentd/kubernetes/fluentd.yaml   |  2 ++
 5 files changed, 42 insertions(+), 4 deletions(-)
 create mode 100644 monitoring/logging/fluentd/kubernetes/fluentd-rbac.yaml

diff --git a/.gitignore b/.gitignore
index 69b85cc..ef12c3e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,4 +8,5 @@ __pycache__/
 .terraform
 *.tfstate
 *.tfstate.*
-security/letsencrypt/introduction/certs/**
\ No newline at end of file
+security/letsencrypt/introduction/certs/**
+kubernetes/shipa/installs/shipa-helm-chart-1.1.1/
\ No newline at end of file
diff --git a/monitoring/logging/fluentd/kubernetes/README.md b/monitoring/logging/fluentd/kubernetes/README.md
index dc5616b..34e0fdc 100644
--- a/monitoring/logging/fluentd/kubernetes/README.md
+++ b/monitoring/logging/fluentd/kubernetes/README.md
@@ -70,7 +70,7 @@ This helps us prevent having a large complex file.
 
 <br/>
 
-We have 3 files in our `fluentd-configmap.yaml` :
+We have 5 files in our `fluentd-configmap.yaml` :
 * fluent.conf: Our main config which includes all other configurations
 * pods-kind-fluent.conf: `tail` config that sources all pod logs on the `kind` cluster.
   Note: `kind` cluster writes its log in a different format
@@ -92,6 +92,7 @@ kubectl apply -f .\monitoring\logging\fluentd\kubernetes\fluentd-configmap.yaml
 Let's deploy our `daemonset`:
 
 ```
+kubectl apply -f .\monitoring\logging\fluentd\kubernetes\fluentd-rbac.yaml 
 kubectl apply -f .\monitoring\logging\fluentd\kubernetes\fluentd.yaml
 kubectl -n fluentd get pods
 
diff --git a/monitoring/logging/fluentd/kubernetes/fluentd-configmap.yaml b/monitoring/logging/fluentd/kubernetes/fluentd-configmap.yaml
index 20beced..027aa7e 100644
--- a/monitoring/logging/fluentd/kubernetes/fluentd-configmap.yaml
+++ b/monitoring/logging/fluentd/kubernetes/fluentd-configmap.yaml
@@ -11,8 +11,8 @@ data:
     # This source gets all logs from local docker host
     @include pods-kind-fluent.conf
     #@include pods-fluent.conf
-    @include file-fluent.conf
-    #@include elastic-fluent.conf
+    #@include file-fluent.conf
+    @include elastic-fluent.conf
   pods-kind-fluent.conf: |-
     <source>
       @type tail
diff --git a/monitoring/logging/fluentd/kubernetes/fluentd-rbac.yaml b/monitoring/logging/fluentd/kubernetes/fluentd-rbac.yaml
new file mode 100644
index 0000000..2dff202
--- /dev/null
+++ b/monitoring/logging/fluentd/kubernetes/fluentd-rbac.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: fluentd
+  namespace: fluentd
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: fluentd
+  namespace: fluentd
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: fluentd
+roleRef:
+  kind: ClusterRole
+  name: fluentd
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+  name: fluentd
+  namespace: fluentd
\ No newline at end of file
diff --git a/monitoring/logging/fluentd/kubernetes/fluentd.yaml b/monitoring/logging/fluentd/kubernetes/fluentd.yaml
index cf9bdae..93ed971 100644
--- a/monitoring/logging/fluentd/kubernetes/fluentd.yaml
+++ b/monitoring/logging/fluentd/kubernetes/fluentd.yaml
@@ -17,6 +17,8 @@ spec:
         k8s-app: fluentd-logging
         version: v1
     spec:
+      serviceAccount: fluentd
+      serviceAccountName: fluentd
       tolerations:
       - key: node-role.kubernetes.io/master
         effect: NoSchedule

From eb531a57a4c4bd2f2da1eb41d2a47ee659e54435 Mon Sep 17 00:00:00 2001
From: marcel-dempers <aimvec@gmail.com>
Date: Fri, 13 Nov 2020 22:04:45 +1100
Subject: [PATCH 6/8] wip

---
 kubernetes/cert-manager/README.md | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 kubernetes/cert-manager/README.md

diff --git a/kubernetes/cert-manager/README.md b/kubernetes/cert-manager/README.md
new file mode 100644
index 0000000..20c805c
--- /dev/null
+++ b/kubernetes/cert-manager/README.md
@@ -0,0 +1,19 @@
+# Introduction to cert-manager for Kubernetes
+
+## We need a Kubernetes cluster
+
+Lets create a Kubernetes cluster to play with using [kind](https://kind.sigs.k8s.io/docs/user/quick-start/)
+
+```
+kind create cluster --name certmanager --image kindest/node:v1.19.1
+```
+
+
+## Issuer 
+
+https://cert-manager.io/docs/concepts/issuer/
+
+
+## Certificate
+
+https://cert-manager.io/docs/concepts/certificate/

From fa92a6fd700ccd01c8230dc6719a080cf4dda136 Mon Sep 17 00:00:00 2001
From: marcel-dempers <aimvec@gmail.com>
Date: Wed, 18 Nov 2020 09:28:11 +1100
Subject: [PATCH 7/8] cert-wip

---
 kubernetes/cert-manager/README.md             |   160 +
 .../cert-issuer-nginx-ingress.yaml            |    14 +
 .../cert-manager/cert-manager-1.0.4.yaml      | 26311 ++++++++++++++++
 kubernetes/cert-manager/certificate.yaml      |    12 +
 kubernetes/cert-manager/ingress.yaml          |    22 +
 kubernetes/cert-manager/test.yaml             |    24 +
 6 files changed, 26543 insertions(+)
 create mode 100644 kubernetes/cert-manager/cert-issuer-nginx-ingress.yaml
 create mode 100644 kubernetes/cert-manager/cert-manager-1.0.4.yaml
 create mode 100644 kubernetes/cert-manager/certificate.yaml
 create mode 100644 kubernetes/cert-manager/ingress.yaml
 create mode 100644 kubernetes/cert-manager/test.yaml

diff --git a/kubernetes/cert-manager/README.md b/kubernetes/cert-manager/README.md
index 20c805c..86d5326 100644
--- a/kubernetes/cert-manager/README.md
+++ b/kubernetes/cert-manager/README.md
@@ -17,3 +17,163 @@ https://cert-manager.io/docs/concepts/issuer/
 ## Certificate
 
 https://cert-manager.io/docs/concepts/certificate/
+
+
+## CertificateRequests
+
+## Orders and Challenges
+
+
+## Installation 
+
+You can find the latest release for `cert-manager` on their [GitHub Releases page](https://github.com/jetstack/cert-manager/) <br/>
+
+For this demo, I will use K8s 1.19 and `cert-manager` [v1.0.4](https://github.com/jetstack/cert-manager/releases/tag/v1.0.4)
+
+```
+
+# Get a container to work in
+
+# mount our kubeconfig file and source code
+docker run -it --rm -v ${HOME}:/root/ -v ${PWD}:/work -w /work --net host alpine sh
+
+# install kubectl
+apk add --no-cache curl
+curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl
+chmod +x ./kubectl
+mv ./kubectl /usr/local/bin/kubectl
+
+#test cluster access:
+/work # kubectl get nodes
+NAME                    STATUS   ROLES    AGE   VERSION
+certmanager-control-plane   Ready    master   3m6s   v1.19.1
+
+
+# get cert-manager 
+
+cd kubernetes/cert-manager/
+curl -LO https://github.com/jetstack/cert-manager/releases/download/v1.0.4/cert-manager.yaml
+
+mv cert-manager.yaml cert-manager-1.0.4.yaml
+
+# install cert-manager 
+
+kubectl create ns cert-manager
+kubectl apply --validate=false -f cert-manager-1.0.4.yaml
+```
+
+## Cert Manager Resources
+
+We can see our components deployed
+
+```
+kubectl -n cert-manager get all
+
+NAME                                           READY   STATUS    RESTARTS   AGE
+pod/cert-manager-86548b886-2b8x7               1/1     Running   0          77s
+pod/cert-manager-cainjector-6d59c8d4f7-hrs2v   1/1     Running   0          77s
+pod/cert-manager-webhook-578954cdd-tphpj       1/1     Running   0          77s
+
+NAME                           TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
+service/cert-manager           ClusterIP   10.96.87.136   <none>        9402/TCP   77s
+service/cert-manager-webhook   ClusterIP   10.104.59.25   <none>        443/TCP    77s
+
+NAME                                      READY   UP-TO-DATE   AVAILABLE   AGE        
+deployment.apps/cert-manager              1/1     1            1           77s
+deployment.apps/cert-manager-cainjector   1/1     1            1           77s
+deployment.apps/cert-manager-webhook      1/1     1            1           77s
+
+NAME                                                 DESIRED   CURRENT   READY   AGE
+replicaset.apps/cert-manager-86548b886               1         1         1       77s
+replicaset.apps/cert-manager-cainjector-6d59c8d4f7   1         1         1       77s
+replicaset.apps/cert-manager-webhook-578954cdd       1         1         1       77
+
+```
+
+## Test Certificate Issuing 
+
+Let's create some test certificates
+
+```
+ kubectl apply -f test.yaml
+
+  kubectl describe certificate -n cert-manager-test
+```
+
+## Configuration 
+
+
+https://cert-manager.io/docs/configuration/
+
+
+## DNS
+
+## HTTP
+
+## Ingress Controller
+
+Let's deploy an Ingress controller: <br/>
+
+```
+kubectl create ns ingress-nginx
+
+kubectl -n ingress-nginx apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.41.2/deploy/static/provider/cloud/deploy.yaml
+
+kubectl -n ingress-nginx get pods
+kubectl -n ingress-nginx get svc
+
+kubectl -n ingress-nginx --address 0.0.0.0 port-forward svc/ingress-nginx-controller 80
+kubectl -n ingress-nginx --address 0.0.0.0 port-forward svc/ingress-nginx-controller 443
+```
+
+We should be able to access NGINX in the browser and see a `404 Not Found` page: http://localhost/
+This indicates there are no routes to `/` and the ingress controller is running
+
+## Setup my DNS
+
+In my container, I can get the public IP address of my computer by running a simple command:
+
+```
+curl ifconfig.co
+```
+
+I can log into my DNS provider and point my DNS A record to my IP.<br/>
+Also setup my router to allow 80 and 443 to come to my PC <br/>
+
+If you are running in the cloud, your Ingress controller and Cloud provider will give you a
+public IP and you can point your DNS to that accordingly.
+
+## Create Let's Encrypt Issuer for our cluster
+
+We create a `ClusterIssuer` that allows us to issue certs in any namespace
+
+```
+kubectl apply -f cert-issuer-nginx-ingress.yaml
+
+# check the issuer
+kubectl describe clusterissuer letsencrypt-cluster-issuer
+
+```
+
+## Issue Certificate 
+
+```
+kubectl apply -f certificate.yaml
+
+# check the cert has been issued 
+
+kubectl describe certificate example-app
+
+# TLS created as a secret
+kubectl get secrets
+NAME                  TYPE                                  DATA   AGE
+example-app-tls       kubernetes.io/tls                     2      84m
+```
+
+## Deploy a pod that uses SSL
+
+```
+kubectl apply -f .\kubernetes\deployments\
+kubectl apply -f .\kubernetes\configmaps\
+kubectl apply -f .\kubernetes\services\
+```
\ No newline at end of file
diff --git a/kubernetes/cert-manager/cert-issuer-nginx-ingress.yaml b/kubernetes/cert-manager/cert-issuer-nginx-ingress.yaml
new file mode 100644
index 0000000..4f316c9
--- /dev/null
+++ b/kubernetes/cert-manager/cert-issuer-nginx-ingress.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-cluster-issuer
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: your-email@email.com
+    privateKeySecretRef:
+      name: letsencrypt-cluster-issuer-key
+    solvers:
+    - http01:
+       ingress:
+         class: nginx
\ No newline at end of file
diff --git a/kubernetes/cert-manager/cert-manager-1.0.4.yaml b/kubernetes/cert-manager/cert-manager-1.0.4.yaml
new file mode 100644
index 0000000..70d4c21
--- /dev/null
+++ b/kubernetes/cert-manager/cert-manager-1.0.4.yaml
@@ -0,0 +1,26311 @@
+# Copyright YEAR The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
+  labels:
+    app: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: certificaterequests.cert-manager.io
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          name: cert-manager-webhook
+          namespace: cert-manager
+          path: /convert
+      conversionReviewVersions:
+      - v1
+      - v1beta1
+  group: cert-manager.io
+  names:
+    kind: CertificateRequest
+    listKind: CertificateRequestList
+    plural: certificaterequests
+    shortNames:
+    - cr
+    - crs
+    singular: certificaterequest
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: .spec.issuerRef.name
+      name: Issuer
+      priority: 1
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].message
+      name: Status
+      priority: 1
+      type: string
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC.
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: "A CertificateRequest is used to request a signed certificate
+          from one of the configured issuers. \n All fields within the CertificateRequest's
+          `spec` are immutable after creation. A CertificateRequest will either succeed
+          or fail, as denoted by its `status.state` field. \n A CertificateRequest
+          is a 'one-shot' resource, meaning it represents a single point in time request
+          for a certificate and cannot be re-used."
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Desired state of the CertificateRequest resource.
+            properties:
+              csr:
+                description: The PEM-encoded x509 certificate signing request to be
+                  submitted to the CA for signing.
+                format: byte
+                type: string
+              duration:
+                description: The requested 'duration' (i.e. lifetime) of the Certificate.
+                  This option may be ignored/overridden by some issuer types.
+                type: string
+              isCA:
+                description: IsCA will request to mark the certificate as valid for
+                  certificate signing when submitting to the issuer. This will automatically
+                  add the `cert sign` usage to the list of `usages`.
+                type: boolean
+              issuerRef:
+                description: IssuerRef is a reference to the issuer for this CertificateRequest.  If
+                  the 'kind' field is not set, or set to 'Issuer', an Issuer resource
+                  with the given name in the same namespace as the CertificateRequest
+                  will be used.  If the 'kind' field is set to 'ClusterIssuer', a
+                  ClusterIssuer with the provided name will be used. The 'name' field
+                  in this stanza is required at all times. The group field refers
+                  to the API group of the issuer which defaults to 'cert-manager.io'
+                  if empty.
+                properties:
+                  group:
+                    description: Group of the resource being referred to.
+                    type: string
+                  kind:
+                    description: Kind of the resource being referred to.
+                    type: string
+                  name:
+                    description: Name of the resource being referred to.
+                    type: string
+                required:
+                - name
+                type: object
+              usages:
+                description: Usages is the set of x509 usages that are requested for
+                  the certificate. Defaults to `digital signature` and `key encipherment`
+                  if not specified.
+                items:
+                  description: 'KeyUsage specifies valid usage contexts for keys.
+                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+                    Valid KeyUsage values are as follows: "signing", "digital signature",
+                    "content commitment", "key encipherment", "key agreement", "data
+                    encipherment", "cert sign", "crl sign", "encipher only", "decipher
+                    only", "any", "server auth", "client auth", "code signing", "email
+                    protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
+                    user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
+                    sgc"'
+                  enum:
+                  - signing
+                  - digital signature
+                  - content commitment
+                  - key encipherment
+                  - key agreement
+                  - data encipherment
+                  - cert sign
+                  - crl sign
+                  - encipher only
+                  - decipher only
+                  - any
+                  - server auth
+                  - client auth
+                  - code signing
+                  - email protection
+                  - s/mime
+                  - ipsec end system
+                  - ipsec tunnel
+                  - ipsec user
+                  - timestamping
+                  - ocsp signing
+                  - microsoft sgc
+                  - netscape sgc
+                  type: string
+                type: array
+            required:
+            - csr
+            - issuerRef
+            type: object
+          status:
+            description: Status of the CertificateRequest. This is set and managed
+              automatically.
+            properties:
+              ca:
+                description: The PEM encoded x509 certificate of the signer, also
+                  known as the CA (Certificate Authority). This is set on a best-effort
+                  basis by different issuers. If not set, the CA is assumed to be
+                  unknown/not available.
+                format: byte
+                type: string
+              certificate:
+                description: The PEM encoded x509 certificate resulting from the certificate
+                  signing request. If not set, the CertificateRequest has either not
+                  been completed or has failed. More information on failure can be
+                  found by checking the `conditions` field.
+                format: byte
+                type: string
+              conditions:
+                description: List of status conditions to indicate the status of a
+                  CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
+                items:
+                  description: CertificateRequestCondition contains condition information
+                    for a CertificateRequest.
+                  properties:
+                    lastTransitionTime:
+                      description: LastTransitionTime is the timestamp corresponding
+                        to the last status change of this condition.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Message is a human readable description of the
+                        details of the last transition, complementing reason.
+                      type: string
+                    reason:
+                      description: Reason is a brief machine readable explanation
+                        for the condition's last transition.
+                      type: string
+                    status:
+                      description: Status of the condition, one of ('True', 'False',
+                        'Unknown').
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: Type of the condition, known values are ('Ready',
+                        'InvalidRequest').
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              failureTime:
+                description: FailureTime stores the time that this CertificateRequest
+                  failed. This is used to influence garbage collection and back-off.
+                format: date-time
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: .spec.issuerRef.name
+      name: Issuer
+      priority: 1
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].message
+      name: Status
+      priority: 1
+      type: string
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC.
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        description: "A CertificateRequest is used to request a signed certificate
+          from one of the configured issuers. \n All fields within the CertificateRequest's
+          `spec` are immutable after creation. A CertificateRequest will either succeed
+          or fail, as denoted by its `status.state` field. \n A CertificateRequest
+          is a 'one-shot' resource, meaning it represents a single point in time request
+          for a certificate and cannot be re-used."
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Desired state of the CertificateRequest resource.
+            properties:
+              csr:
+                description: The PEM-encoded x509 certificate signing request to be
+                  submitted to the CA for signing.
+                format: byte
+                type: string
+              duration:
+                description: The requested 'duration' (i.e. lifetime) of the Certificate.
+                  This option may be ignored/overridden by some issuer types.
+                type: string
+              isCA:
+                description: IsCA will request to mark the certificate as valid for
+                  certificate signing when submitting to the issuer. This will automatically
+                  add the `cert sign` usage to the list of `usages`.
+                type: boolean
+              issuerRef:
+                description: IssuerRef is a reference to the issuer for this CertificateRequest.  If
+                  the 'kind' field is not set, or set to 'Issuer', an Issuer resource
+                  with the given name in the same namespace as the CertificateRequest
+                  will be used.  If the 'kind' field is set to 'ClusterIssuer', a
+                  ClusterIssuer with the provided name will be used. The 'name' field
+                  in this stanza is required at all times. The group field refers
+                  to the API group of the issuer which defaults to 'cert-manager.io'
+                  if empty.
+                properties:
+                  group:
+                    description: Group of the resource being referred to.
+                    type: string
+                  kind:
+                    description: Kind of the resource being referred to.
+                    type: string
+                  name:
+                    description: Name of the resource being referred to.
+                    type: string
+                required:
+                - name
+                type: object
+              usages:
+                description: Usages is the set of x509 usages that are requested for
+                  the certificate. Defaults to `digital signature` and `key encipherment`
+                  if not specified.
+                items:
+                  description: 'KeyUsage specifies valid usage contexts for keys.
+                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+                    Valid KeyUsage values are as follows: "signing", "digital signature",
+                    "content commitment", "key encipherment", "key agreement", "data
+                    encipherment", "cert sign", "crl sign", "encipher only", "decipher
+                    only", "any", "server auth", "client auth", "code signing", "email
+                    protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
+                    user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
+                    sgc"'
+                  enum:
+                  - signing
+                  - digital signature
+                  - content commitment
+                  - key encipherment
+                  - key agreement
+                  - data encipherment
+                  - cert sign
+                  - crl sign
+                  - encipher only
+                  - decipher only
+                  - any
+                  - server auth
+                  - client auth
+                  - code signing
+                  - email protection
+                  - s/mime
+                  - ipsec end system
+                  - ipsec tunnel
+                  - ipsec user
+                  - timestamping
+                  - ocsp signing
+                  - microsoft sgc
+                  - netscape sgc
+                  type: string
+                type: array
+            required:
+            - csr
+            - issuerRef
+            type: object
+          status:
+            description: Status of the CertificateRequest. This is set and managed
+              automatically.
+            properties:
+              ca:
+                description: The PEM encoded x509 certificate of the signer, also
+                  known as the CA (Certificate Authority). This is set on a best-effort
+                  basis by different issuers. If not set, the CA is assumed to be
+                  unknown/not available.
+                format: byte
+                type: string
+              certificate:
+                description: The PEM encoded x509 certificate resulting from the certificate
+                  signing request. If not set, the CertificateRequest has either not
+                  been completed or has failed. More information on failure can be
+                  found by checking the `conditions` field.
+                format: byte
+                type: string
+              conditions:
+                description: List of status conditions to indicate the status of a
+                  CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
+                items:
+                  description: CertificateRequestCondition contains condition information
+                    for a CertificateRequest.
+                  properties:
+                    lastTransitionTime:
+                      description: LastTransitionTime is the timestamp corresponding
+                        to the last status change of this condition.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Message is a human readable description of the
+                        details of the last transition, complementing reason.
+                      type: string
+                    reason:
+                      description: Reason is a brief machine readable explanation
+                        for the condition's last transition.
+                      type: string
+                    status:
+                      description: Status of the condition, one of ('True', 'False',
+                        'Unknown').
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: Type of the condition, known values are ('Ready',
+                        'InvalidRequest').
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              failureTime:
+                description: FailureTime stores the time that this CertificateRequest
+                  failed. This is used to influence garbage collection and back-off.
+                format: date-time
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: .spec.issuerRef.name
+      name: Issuer
+      priority: 1
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].message
+      name: Status
+      priority: 1
+      type: string
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC.
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: "A CertificateRequest is used to request a signed certificate
+          from one of the configured issuers. \n All fields within the CertificateRequest's
+          `spec` are immutable after creation. A CertificateRequest will either succeed
+          or fail, as denoted by its `status.state` field. \n A CertificateRequest
+          is a 'one-shot' resource, meaning it represents a single point in time request
+          for a certificate and cannot be re-used."
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Desired state of the CertificateRequest resource.
+            properties:
+              duration:
+                description: The requested 'duration' (i.e. lifetime) of the Certificate.
+                  This option may be ignored/overridden by some issuer types.
+                type: string
+              isCA:
+                description: IsCA will request to mark the certificate as valid for
+                  certificate signing when submitting to the issuer. This will automatically
+                  add the `cert sign` usage to the list of `usages`.
+                type: boolean
+              issuerRef:
+                description: IssuerRef is a reference to the issuer for this CertificateRequest.  If
+                  the 'kind' field is not set, or set to 'Issuer', an Issuer resource
+                  with the given name in the same namespace as the CertificateRequest
+                  will be used.  If the 'kind' field is set to 'ClusterIssuer', a
+                  ClusterIssuer with the provided name will be used. The 'name' field
+                  in this stanza is required at all times. The group field refers
+                  to the API group of the issuer which defaults to 'cert-manager.io'
+                  if empty.
+                properties:
+                  group:
+                    description: Group of the resource being referred to.
+                    type: string
+                  kind:
+                    description: Kind of the resource being referred to.
+                    type: string
+                  name:
+                    description: Name of the resource being referred to.
+                    type: string
+                required:
+                - name
+                type: object
+              request:
+                description: The PEM-encoded x509 certificate signing request to be
+                  submitted to the CA for signing.
+                format: byte
+                type: string
+              usages:
+                description: Usages is the set of x509 usages that are requested for
+                  the certificate. Defaults to `digital signature` and `key encipherment`
+                  if not specified.
+                items:
+                  description: 'KeyUsage specifies valid usage contexts for keys.
+                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+                    Valid KeyUsage values are as follows: "signing", "digital signature",
+                    "content commitment", "key encipherment", "key agreement", "data
+                    encipherment", "cert sign", "crl sign", "encipher only", "decipher
+                    only", "any", "server auth", "client auth", "code signing", "email
+                    protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
+                    user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
+                    sgc"'
+                  enum:
+                  - signing
+                  - digital signature
+                  - content commitment
+                  - key encipherment
+                  - key agreement
+                  - data encipherment
+                  - cert sign
+                  - crl sign
+                  - encipher only
+                  - decipher only
+                  - any
+                  - server auth
+                  - client auth
+                  - code signing
+                  - email protection
+                  - s/mime
+                  - ipsec end system
+                  - ipsec tunnel
+                  - ipsec user
+                  - timestamping
+                  - ocsp signing
+                  - microsoft sgc
+                  - netscape sgc
+                  type: string
+                type: array
+            required:
+            - issuerRef
+            - request
+            type: object
+          status:
+            description: Status of the CertificateRequest. This is set and managed
+              automatically.
+            properties:
+              ca:
+                description: The PEM encoded x509 certificate of the signer, also
+                  known as the CA (Certificate Authority). This is set on a best-effort
+                  basis by different issuers. If not set, the CA is assumed to be
+                  unknown/not available.
+                format: byte
+                type: string
+              certificate:
+                description: The PEM encoded x509 certificate resulting from the certificate
+                  signing request. If not set, the CertificateRequest has either not
+                  been completed or has failed. More information on failure can be
+                  found by checking the `conditions` field.
+                format: byte
+                type: string
+              conditions:
+                description: List of status conditions to indicate the status of a
+                  CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
+                items:
+                  description: CertificateRequestCondition contains condition information
+                    for a CertificateRequest.
+                  properties:
+                    lastTransitionTime:
+                      description: LastTransitionTime is the timestamp corresponding
+                        to the last status change of this condition.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Message is a human readable description of the
+                        details of the last transition, complementing reason.
+                      type: string
+                    reason:
+                      description: Reason is a brief machine readable explanation
+                        for the condition's last transition.
+                      type: string
+                    status:
+                      description: Status of the condition, one of ('True', 'False',
+                        'Unknown').
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: Type of the condition, known values are ('Ready',
+                        'InvalidRequest').
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              failureTime:
+                description: FailureTime stores the time that this CertificateRequest
+                  failed. This is used to influence garbage collection and back-off.
+                format: date-time
+                type: string
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: .spec.issuerRef.name
+      name: Issuer
+      priority: 1
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].message
+      name: Status
+      priority: 1
+      type: string
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC.
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
+    schema:
+      openAPIV3Schema:
+        description: "A CertificateRequest is used to request a signed certificate
+          from one of the configured issuers. \n All fields within the CertificateRequest's
+          `spec` are immutable after creation. A CertificateRequest will either succeed
+          or fail, as denoted by its `status.state` field. \n A CertificateRequest
+          is a 'one-shot' resource, meaning it represents a single point in time request
+          for a certificate and cannot be re-used."
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Desired state of the CertificateRequest resource.
+            properties:
+              duration:
+                description: The requested 'duration' (i.e. lifetime) of the Certificate.
+                  This option may be ignored/overridden by some issuer types.
+                type: string
+              isCA:
+                description: IsCA will request to mark the certificate as valid for
+                  certificate signing when submitting to the issuer. This will automatically
+                  add the `cert sign` usage to the list of `usages`.
+                type: boolean
+              issuerRef:
+                description: IssuerRef is a reference to the issuer for this CertificateRequest.  If
+                  the 'kind' field is not set, or set to 'Issuer', an Issuer resource
+                  with the given name in the same namespace as the CertificateRequest
+                  will be used.  If the 'kind' field is set to 'ClusterIssuer', a
+                  ClusterIssuer with the provided name will be used. The 'name' field
+                  in this stanza is required at all times. The group field refers
+                  to the API group of the issuer which defaults to 'cert-manager.io'
+                  if empty.
+                properties:
+                  group:
+                    description: Group of the resource being referred to.
+                    type: string
+                  kind:
+                    description: Kind of the resource being referred to.
+                    type: string
+                  name:
+                    description: Name of the resource being referred to.
+                    type: string
+                required:
+                - name
+                type: object
+              request:
+                description: The PEM-encoded x509 certificate signing request to be
+                  submitted to the CA for signing.
+                format: byte
+                type: string
+              usages:
+                description: Usages is the set of x509 usages that are requested for
+                  the certificate. If usages are set they SHOULD be encoded inside
+                  the CSR spec Defaults to `digital signature` and `key encipherment`
+                  if not specified.
+                items:
+                  description: 'KeyUsage specifies valid usage contexts for keys.
+                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+                    Valid KeyUsage values are as follows: "signing", "digital signature",
+                    "content commitment", "key encipherment", "key agreement", "data
+                    encipherment", "cert sign", "crl sign", "encipher only", "decipher
+                    only", "any", "server auth", "client auth", "code signing", "email
+                    protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
+                    user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
+                    sgc"'
+                  enum:
+                  - signing
+                  - digital signature
+                  - content commitment
+                  - key encipherment
+                  - key agreement
+                  - data encipherment
+                  - cert sign
+                  - crl sign
+                  - encipher only
+                  - decipher only
+                  - any
+                  - server auth
+                  - client auth
+                  - code signing
+                  - email protection
+                  - s/mime
+                  - ipsec end system
+                  - ipsec tunnel
+                  - ipsec user
+                  - timestamping
+                  - ocsp signing
+                  - microsoft sgc
+                  - netscape sgc
+                  type: string
+                type: array
+            required:
+            - issuerRef
+            - request
+            type: object
+          status:
+            description: Status of the CertificateRequest. This is set and managed
+              automatically.
+            properties:
+              ca:
+                description: The PEM encoded x509 certificate of the signer, also
+                  known as the CA (Certificate Authority). This is set on a best-effort
+                  basis by different issuers. If not set, the CA is assumed to be
+                  unknown/not available.
+                format: byte
+                type: string
+              certificate:
+                description: The PEM encoded x509 certificate resulting from the certificate
+                  signing request. If not set, the CertificateRequest has either not
+                  been completed or has failed. More information on failure can be
+                  found by checking the `conditions` field.
+                format: byte
+                type: string
+              conditions:
+                description: List of status conditions to indicate the status of a
+                  CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
+                items:
+                  description: CertificateRequestCondition contains condition information
+                    for a CertificateRequest.
+                  properties:
+                    lastTransitionTime:
+                      description: LastTransitionTime is the timestamp corresponding
+                        to the last status change of this condition.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Message is a human readable description of the
+                        details of the last transition, complementing reason.
+                      type: string
+                    reason:
+                      description: Reason is a brief machine readable explanation
+                        for the condition's last transition.
+                      type: string
+                    status:
+                      description: Status of the condition, one of ('True', 'False',
+                        'Unknown').
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: Type of the condition, known values are ('Ready',
+                        'InvalidRequest').
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              failureTime:
+                description: FailureTime stores the time that this CertificateRequest
+                  failed. This is used to influence garbage collection and back-off.
+                format: date-time
+                type: string
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
+  labels:
+    app: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: certificates.cert-manager.io
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          name: cert-manager-webhook
+          namespace: cert-manager
+          path: /convert
+      conversionReviewVersions:
+      - v1
+      - v1beta1
+  group: cert-manager.io
+  names:
+    kind: Certificate
+    listKind: CertificateList
+    plural: certificates
+    shortNames:
+    - cert
+    - certs
+    singular: certificate
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: .spec.secretName
+      name: Secret
+      type: string
+    - jsonPath: .spec.issuerRef.name
+      name: Issuer
+      priority: 1
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].message
+      name: Status
+      priority: 1
+      type: string
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC.
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: "A Certificate resource should be created to ensure an up to
+          date and signed x509 certificate is stored in the Kubernetes Secret resource
+          named in `spec.secretName`. \n The stored certificate will be renewed before
+          it expires (as configured by `spec.renewBefore`)."
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Desired state of the Certificate resource.
+            properties:
+              commonName:
+                description: 'CommonName is a common name to be used on the Certificate.
+                  The CommonName should have a length of 64 characters or fewer to
+                  avoid generating invalid CSRs. This value is ignored by TLS clients
+                  when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
+                type: string
+              dnsNames:
+                description: DNSNames is a list of DNS subjectAltNames to be set on
+                  the Certificate.
+                items:
+                  type: string
+                type: array
+              duration:
+                description: The requested 'duration' (i.e. lifetime) of the Certificate.
+                  This option may be ignored/overridden by some issuer types. If overridden
+                  and `renewBefore` is greater than the actual certificate duration,
+                  the certificate will be automatically renewed 2/3rds of the way
+                  through the certificate's duration.
+                type: string
+              emailSANs:
+                description: EmailSANs is a list of email subjectAltNames to be set
+                  on the Certificate.
+                items:
+                  type: string
+                type: array
+              ipAddresses:
+                description: IPAddresses is a list of IP address subjectAltNames to
+                  be set on the Certificate.
+                items:
+                  type: string
+                type: array
+              isCA:
+                description: IsCA will mark this Certificate as valid for certificate
+                  signing. This will automatically add the `cert sign` usage to the
+                  list of `usages`.
+                type: boolean
+              issuerRef:
+                description: IssuerRef is a reference to the issuer for this certificate.
+                  If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
+                  with the given name in the same namespace as the Certificate will
+                  be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
+                  with the provided name will be used. The 'name' field in this stanza
+                  is required at all times.
+                properties:
+                  group:
+                    description: Group of the resource being referred to.
+                    type: string
+                  kind:
+                    description: Kind of the resource being referred to.
+                    type: string
+                  name:
+                    description: Name of the resource being referred to.
+                    type: string
+                required:
+                - name
+                type: object
+              keyAlgorithm:
+                description: KeyAlgorithm is the private key algorithm of the corresponding
+                  private key for this certificate. If provided, allowed values are
+                  either "rsa" or "ecdsa" If `keyAlgorithm` is specified and `keySize`
+                  is not provided, key size of 256 will be used for "ecdsa" key algorithm
+                  and key size of 2048 will be used for "rsa" key algorithm.
+                enum:
+                - rsa
+                - ecdsa
+                type: string
+              keyEncoding:
+                description: KeyEncoding is the private key cryptography standards
+                  (PKCS) for this certificate's private key to be encoded in. If provided,
+                  allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8,
+                  respectively. If KeyEncoding is not specified, then PKCS#1 will
+                  be used by default.
+                enum:
+                - pkcs1
+                - pkcs8
+                type: string
+              keySize:
+                description: KeySize is the key bit size of the corresponding private
+                  key for this certificate. If `keyAlgorithm` is set to `RSA`, valid
+                  values are `2048`, `4096` or `8192`, and will default to `2048`
+                  if not specified. If `keyAlgorithm` is set to `ECDSA`, valid values
+                  are `256`, `384` or `521`, and will default to `256` if not specified.
+                  No other values are allowed.
+                maximum: 8192
+                minimum: 0
+                type: integer
+              keystores:
+                description: Keystores configures additional keystore output formats
+                  stored in the `secretName` Secret resource.
+                properties:
+                  jks:
+                    description: JKS configures options for storing a JKS keystore
+                      in the `spec.secretName` Secret resource.
+                    properties:
+                      create:
+                        description: Create enables JKS keystore creation for the
+                          Certificate. If true, a file named `keystore.jks` will be
+                          created in the target Secret resource, encrypted using the
+                          password stored in `passwordSecretRef`. The keystore file
+                          will only be updated upon re-issuance.
+                        type: boolean
+                      passwordSecretRef:
+                        description: PasswordSecretRef is a reference to a key in
+                          a Secret resource containing the password used to encrypt
+                          the JKS keystore.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                    required:
+                    - create
+                    - passwordSecretRef
+                    type: object
+                  pkcs12:
+                    description: PKCS12 configures options for storing a PKCS12 keystore
+                      in the `spec.secretName` Secret resource.
+                    properties:
+                      create:
+                        description: Create enables PKCS12 keystore creation for the
+                          Certificate. If true, a file named `keystore.p12` will be
+                          created in the target Secret resource, encrypted using the
+                          password stored in `passwordSecretRef`. The keystore file
+                          will only be updated upon re-issuance.
+                        type: boolean
+                      passwordSecretRef:
+                        description: PasswordSecretRef is a reference to a key in
+                          a Secret resource containing the password used to encrypt
+                          the PKCS12 keystore.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                    required:
+                    - create
+                    - passwordSecretRef
+                    type: object
+                type: object
+              organization:
+                description: Organization is a list of organizations to be used on
+                  the Certificate.
+                items:
+                  type: string
+                type: array
+              privateKey:
+                description: Options to control private keys used for the Certificate.
+                properties:
+                  rotationPolicy:
+                    description: RotationPolicy controls how private keys should be
+                      regenerated when a re-issuance is being processed. If set to
+                      Never, a private key will only be generated if one does not
+                      already exist in the target `spec.secretName`. If one does exists
+                      but it does not have the correct algorithm or size, a warning
+                      will be raised to await user intervention. If set to Always,
+                      a private key matching the specified requirements will be generated
+                      whenever a re-issuance occurs. Default is 'Never' for backward
+                      compatibility.
+                    type: string
+                type: object
+              renewBefore:
+                description: The amount of time before the currently issued certificate's
+                  `notAfter` time that cert-manager will begin to attempt to renew
+                  the certificate. If this value is greater than the total duration
+                  of the certificate (i.e. notAfter - notBefore), it will be automatically
+                  renewed 2/3rds of the way through the certificate's duration.
+                type: string
+              secretName:
+                description: SecretName is the name of the secret resource that will
+                  be automatically created and managed by this Certificate resource.
+                  It will be populated with a private key and certificate, signed
+                  by the denoted issuer.
+                type: string
+              subject:
+                description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
+                properties:
+                  countries:
+                    description: Countries to be used on the Certificate.
+                    items:
+                      type: string
+                    type: array
+                  localities:
+                    description: Cities to be used on the Certificate.
+                    items:
+                      type: string
+                    type: array
+                  organizationalUnits:
+                    description: Organizational Units to be used on the Certificate.
+                    items:
+                      type: string
+                    type: array
+                  postalCodes:
+                    description: Postal codes to be used on the Certificate.
+                    items:
+                      type: string
+                    type: array
+                  provinces:
+                    description: State/Provinces to be used on the Certificate.
+                    items:
+                      type: string
+                    type: array
+                  serialNumber:
+                    description: Serial number to be used on the Certificate.
+                    type: string
+                  streetAddresses:
+                    description: Street addresses to be used on the Certificate.
+                    items:
+                      type: string
+                    type: array
+                type: object
+              uriSANs:
+                description: URISANs is a list of URI subjectAltNames to be set on
+                  the Certificate.
+                items:
+                  type: string
+                type: array
+              usages:
+                description: Usages is the set of x509 usages that are requested for
+                  the certificate. Defaults to `digital signature` and `key encipherment`
+                  if not specified.
+                items:
+                  description: 'KeyUsage specifies valid usage contexts for keys.
+                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+                    Valid KeyUsage values are as follows: "signing", "digital signature",
+                    "content commitment", "key encipherment", "key agreement", "data
+                    encipherment", "cert sign", "crl sign", "encipher only", "decipher
+                    only", "any", "server auth", "client auth", "code signing", "email
+                    protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
+                    user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
+                    sgc"'
+                  enum:
+                  - signing
+                  - digital signature
+                  - content commitment
+                  - key encipherment
+                  - key agreement
+                  - data encipherment
+                  - cert sign
+                  - crl sign
+                  - encipher only
+                  - decipher only
+                  - any
+                  - server auth
+                  - client auth
+                  - code signing
+                  - email protection
+                  - s/mime
+                  - ipsec end system
+                  - ipsec tunnel
+                  - ipsec user
+                  - timestamping
+                  - ocsp signing
+                  - microsoft sgc
+                  - netscape sgc
+                  type: string
+                type: array
+            required:
+            - issuerRef
+            - secretName
+            type: object
+          status:
+            description: Status of the Certificate. This is set and managed automatically.
+            properties:
+              conditions:
+                description: List of status conditions to indicate the status of certificates.
+                  Known condition types are `Ready` and `Issuing`.
+                items:
+                  description: CertificateCondition contains condition information
+                    for an Certificate.
+                  properties:
+                    lastTransitionTime:
+                      description: LastTransitionTime is the timestamp corresponding
+                        to the last status change of this condition.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Message is a human readable description of the
+                        details of the last transition, complementing reason.
+                      type: string
+                    reason:
+                      description: Reason is a brief machine readable explanation
+                        for the condition's last transition.
+                      type: string
+                    status:
+                      description: Status of the condition, one of ('True', 'False',
+                        'Unknown').
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: Type of the condition, known values are ('Ready',
+                        `Issuing`).
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              lastFailureTime:
+                description: LastFailureTime is the time as recorded by the Certificate
+                  controller of the most recent failure to complete a CertificateRequest
+                  for this Certificate resource. If set, cert-manager will not re-request
+                  another Certificate until 1 hour has elapsed from this time.
+                format: date-time
+                type: string
+              nextPrivateKeySecretName:
+                description: The name of the Secret resource containing the private
+                  key to be used for the next certificate iteration. The keymanager
+                  controller will automatically set this field if the `Issuing` condition
+                  is set to `True`. It will automatically unset this field when the
+                  Issuing condition is not set or False.
+                type: string
+              notAfter:
+                description: The expiration time of the certificate stored in the
+                  secret named by this resource in `spec.secretName`.
+                format: date-time
+                type: string
+              notBefore:
+                description: The time after which the certificate stored in the secret
+                  named by this resource in spec.secretName is valid.
+                format: date-time
+                type: string
+              renewalTime:
+                description: RenewalTime is the time at which the certificate will
+                  be next renewed. If not set, no upcoming renewal is scheduled.
+                format: date-time
+                type: string
+              revision:
+                description: "The current 'revision' of the certificate as issued.
+                  \n When a CertificateRequest resource is created, it will have the
+                  `cert-manager.io/certificate-revision` set to one greater than the
+                  current value of this field. \n Upon issuance, this field will be
+                  set to the value of the annotation on the CertificateRequest resource
+                  used to issue the certificate. \n Persisting the value on the CertificateRequest
+                  resource allows the certificates controller to know whether a request
+                  is part of an old issuance or if it is part of the ongoing revision's
+                  issuance by checking if the revision value in the annotation is
+                  greater than this field."
+                type: integer
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: .spec.secretName
+      name: Secret
+      type: string
+    - jsonPath: .spec.issuerRef.name
+      name: Issuer
+      priority: 1
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].message
+      name: Status
+      priority: 1
+      type: string
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC.
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        description: "A Certificate resource should be created to ensure an up to
+          date and signed x509 certificate is stored in the Kubernetes Secret resource
+          named in `spec.secretName`. \n The stored certificate will be renewed before
+          it expires (as configured by `spec.renewBefore`)."
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Desired state of the Certificate resource.
+            properties:
+              commonName:
+                description: 'CommonName is a common name to be used on the Certificate.
+                  The CommonName should have a length of 64 characters or fewer to
+                  avoid generating invalid CSRs. This value is ignored by TLS clients
+                  when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
+                type: string
+              dnsNames:
+                description: DNSNames is a list of DNS subjectAltNames to be set on
+                  the Certificate.
+                items:
+                  type: string
+                type: array
+              duration:
+                description: The requested 'duration' (i.e. lifetime) of the Certificate.
+                  This option may be ignored/overridden by some issuer types. If overridden
+                  and `renewBefore` is greater than the actual certificate duration,
+                  the certificate will be automatically renewed 2/3rds of the way
+                  through the certificate's duration.
+                type: string
+              emailSANs:
+                description: EmailSANs is a list of email subjectAltNames to be set
+                  on the Certificate.
+                items:
+                  type: string
+                type: array
+              ipAddresses:
+                description: IPAddresses is a list of IP address subjectAltNames to
+                  be set on the Certificate.
+                items:
+                  type: string
+                type: array
+              isCA:
+                description: IsCA will mark this Certificate as valid for certificate
+                  signing. This will automatically add the `cert sign` usage to the
+                  list of `usages`.
+                type: boolean
+              issuerRef:
+                description: IssuerRef is a reference to the issuer for this certificate.
+                  If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
+                  with the given name in the same namespace as the Certificate will
+                  be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
+                  with the provided name will be used. The 'name' field in this stanza
+                  is required at all times.
+                properties:
+                  group:
+                    description: Group of the resource being referred to.
+                    type: string
+                  kind:
+                    description: Kind of the resource being referred to.
+                    type: string
+                  name:
+                    description: Name of the resource being referred to.
+                    type: string
+                required:
+                - name
+                type: object
+              keyAlgorithm:
+                description: KeyAlgorithm is the private key algorithm of the corresponding
+                  private key for this certificate. If provided, allowed values are
+                  either "rsa" or "ecdsa" If `keyAlgorithm` is specified and `keySize`
+                  is not provided, key size of 256 will be used for "ecdsa" key algorithm
+                  and key size of 2048 will be used for "rsa" key algorithm.
+                enum:
+                - rsa
+                - ecdsa
+                type: string
+              keyEncoding:
+                description: KeyEncoding is the private key cryptography standards
+                  (PKCS) for this certificate's private key to be encoded in. If provided,
+                  allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8,
+                  respectively. If KeyEncoding is not specified, then PKCS#1 will
+                  be used by default.
+                enum:
+                - pkcs1
+                - pkcs8
+                type: string
+              keySize:
+                description: KeySize is the key bit size of the corresponding private
+                  key for this certificate. If `keyAlgorithm` is set to `RSA`, valid
+                  values are `2048`, `4096` or `8192`, and will default to `2048`
+                  if not specified. If `keyAlgorithm` is set to `ECDSA`, valid values
+                  are `256`, `384` or `521`, and will default to `256` if not specified.
+                  No other values are allowed.
+                maximum: 8192
+                minimum: 0
+                type: integer
+              keystores:
+                description: Keystores configures additional keystore output formats
+                  stored in the `secretName` Secret resource.
+                properties:
+                  jks:
+                    description: JKS configures options for storing a JKS keystore
+                      in the `spec.secretName` Secret resource.
+                    properties:
+                      create:
+                        description: Create enables JKS keystore creation for the
+                          Certificate. If true, a file named `keystore.jks` will be
+                          created in the target Secret resource, encrypted using the
+                          password stored in `passwordSecretRef`. The keystore file
+                          will only be updated upon re-issuance.
+                        type: boolean
+                      passwordSecretRef:
+                        description: PasswordSecretRef is a reference to a key in
+                          a Secret resource containing the password used to encrypt
+                          the JKS keystore.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                    required:
+                    - create
+                    - passwordSecretRef
+                    type: object
+                  pkcs12:
+                    description: PKCS12 configures options for storing a PKCS12 keystore
+                      in the `spec.secretName` Secret resource.
+                    properties:
+                      create:
+                        description: Create enables PKCS12 keystore creation for the
+                          Certificate. If true, a file named `keystore.p12` will be
+                          created in the target Secret resource, encrypted using the
+                          password stored in `passwordSecretRef`. The keystore file
+                          will only be updated upon re-issuance.
+                        type: boolean
+                      passwordSecretRef:
+                        description: PasswordSecretRef is a reference to a key in
+                          a Secret resource containing the password used to encrypt
+                          the PKCS12 keystore.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                    required:
+                    - create
+                    - passwordSecretRef
+                    type: object
+                type: object
+              privateKey:
+                description: Options to control private keys used for the Certificate.
+                properties:
+                  rotationPolicy:
+                    description: RotationPolicy controls how private keys should be
+                      regenerated when a re-issuance is being processed. If set to
+                      Never, a private key will only be generated if one does not
+                      already exist in the target `spec.secretName`. If one does exists
+                      but it does not have the correct algorithm or size, a warning
+                      will be raised to await user intervention. If set to Always,
+                      a private key matching the specified requirements will be generated
+                      whenever a re-issuance occurs. Default is 'Never' for backward
+                      compatibility.
+                    type: string
+                type: object
+              renewBefore:
+                description: The amount of time before the currently issued certificate's
+                  `notAfter` time that cert-manager will begin to attempt to renew
+                  the certificate. If this value is greater than the total duration
+                  of the certificate (i.e. notAfter - notBefore), it will be automatically
+                  renewed 2/3rds of the way through the certificate's duration.
+                type: string
+              secretName:
+                description: SecretName is the name of the secret resource that will
+                  be automatically created and managed by this Certificate resource.
+                  It will be populated with a private key and certificate, signed
+                  by the denoted issuer.
+                type: string
+              subject:
+                description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
+                properties:
+                  countries:
+                    description: Countries to be used on the Certificate.
+                    items:
+                      type: string
+                    type: array
+                  localities:
+                    description: Cities to be used on the Certificate.
+                    items:
+                      type: string
+                    type: array
+                  organizationalUnits:
+                    description: Organizational Units to be used on the Certificate.
+                    items:
+                      type: string
+                    type: array
+                  organizations:
+                    description: Organizations to be used on the Certificate.
+                    items:
+                      type: string
+                    type: array
+                  postalCodes:
+                    description: Postal codes to be used on the Certificate.
+                    items:
+                      type: string
+                    type: array
+                  provinces:
+                    description: State/Provinces to be used on the Certificate.
+                    items:
+                      type: string
+                    type: array
+                  serialNumber:
+                    description: Serial number to be used on the Certificate.
+                    type: string
+                  streetAddresses:
+                    description: Street addresses to be used on the Certificate.
+                    items:
+                      type: string
+                    type: array
+                type: object
+              uriSANs:
+                description: URISANs is a list of URI subjectAltNames to be set on
+                  the Certificate.
+                items:
+                  type: string
+                type: array
+              usages:
+                description: Usages is the set of x509 usages that are requested for
+                  the certificate. Defaults to `digital signature` and `key encipherment`
+                  if not specified.
+                items:
+                  description: 'KeyUsage specifies valid usage contexts for keys.
+                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+                    Valid KeyUsage values are as follows: "signing", "digital signature",
+                    "content commitment", "key encipherment", "key agreement", "data
+                    encipherment", "cert sign", "crl sign", "encipher only", "decipher
+                    only", "any", "server auth", "client auth", "code signing", "email
+                    protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
+                    user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
+                    sgc"'
+                  enum:
+                  - signing
+                  - digital signature
+                  - content commitment
+                  - key encipherment
+                  - key agreement
+                  - data encipherment
+                  - cert sign
+                  - crl sign
+                  - encipher only
+                  - decipher only
+                  - any
+                  - server auth
+                  - client auth
+                  - code signing
+                  - email protection
+                  - s/mime
+                  - ipsec end system
+                  - ipsec tunnel
+                  - ipsec user
+                  - timestamping
+                  - ocsp signing
+                  - microsoft sgc
+                  - netscape sgc
+                  type: string
+                type: array
+            required:
+            - issuerRef
+            - secretName
+            type: object
+          status:
+            description: Status of the Certificate. This is set and managed automatically.
+            properties:
+              conditions:
+                description: List of status conditions to indicate the status of certificates.
+                  Known condition types are `Ready` and `Issuing`.
+                items:
+                  description: CertificateCondition contains condition information
+                    for an Certificate.
+                  properties:
+                    lastTransitionTime:
+                      description: LastTransitionTime is the timestamp corresponding
+                        to the last status change of this condition.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Message is a human readable description of the
+                        details of the last transition, complementing reason.
+                      type: string
+                    reason:
+                      description: Reason is a brief machine readable explanation
+                        for the condition's last transition.
+                      type: string
+                    status:
+                      description: Status of the condition, one of ('True', 'False',
+                        'Unknown').
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: Type of the condition, known values are ('Ready',
+                        `Issuing`).
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              lastFailureTime:
+                description: LastFailureTime is the time as recorded by the Certificate
+                  controller of the most recent failure to complete a CertificateRequest
+                  for this Certificate resource. If set, cert-manager will not re-request
+                  another Certificate until 1 hour has elapsed from this time.
+                format: date-time
+                type: string
+              nextPrivateKeySecretName:
+                description: The name of the Secret resource containing the private
+                  key to be used for the next certificate iteration. The keymanager
+                  controller will automatically set this field if the `Issuing` condition
+                  is set to `True`. It will automatically unset this field when the
+                  Issuing condition is not set or False.
+                type: string
+              notAfter:
+                description: The expiration time of the certificate stored in the
+                  secret named by this resource in `spec.secretName`.
+                format: date-time
+                type: string
+              notBefore:
+                description: The time after which the certificate stored in the secret
+                  named by this resource in spec.secretName is valid.
+                format: date-time
+                type: string
+              renewalTime:
+                description: RenewalTime is the time at which the certificate will
+                  be next renewed. If not set, no upcoming renewal is scheduled.
+                format: date-time
+                type: string
+              revision:
+                description: "The current 'revision' of the certificate as issued.
+                  \n When a CertificateRequest resource is created, it will have the
+                  `cert-manager.io/certificate-revision` set to one greater than the
+                  current value of this field. \n Upon issuance, this field will be
+                  set to the value of the annotation on the CertificateRequest resource
+                  used to issue the certificate. \n Persisting the value on the CertificateRequest
+                  resource allows the certificates controller to know whether a request
+                  is part of an old issuance or if it is part of the ongoing revision's
+                  issuance by checking if the revision value in the annotation is
+                  greater than this field."
+                type: integer
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: .spec.secretName
+      name: Secret
+      type: string
+    - jsonPath: .spec.issuerRef.name
+      name: Issuer
+      priority: 1
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].message
+      name: Status
+      priority: 1
+      type: string
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC.
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: "A Certificate resource should be created to ensure an up to
+          date and signed x509 certificate is stored in the Kubernetes Secret resource
+          named in `spec.secretName`. \n The stored certificate will be renewed before
+          it expires (as configured by `spec.renewBefore`)."
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Desired state of the Certificate resource.
+            properties:
+              commonName:
+                description: 'CommonName is a common name to be used on the Certificate.
+                  The CommonName should have a length of 64 characters or fewer to
+                  avoid generating invalid CSRs. This value is ignored by TLS clients
+                  when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
+                type: string
+              dnsNames:
+                description: DNSNames is a list of DNS subjectAltNames to be set on
+                  the Certificate.
+                items:
+                  type: string
+                type: array
+              duration:
+                description: The requested 'duration' (i.e. lifetime) of the Certificate.
+                  This option may be ignored/overridden by some issuer types. If overridden
+                  and `renewBefore` is greater than the actual certificate duration,
+                  the certificate will be automatically renewed 2/3rds of the way
+                  through the certificate's duration.
+                type: string
+              emailSANs:
+                description: EmailSANs is a list of email subjectAltNames to be set
+                  on the Certificate.
+                items:
+                  type: string
+                type: array
+              ipAddresses:
+                description: IPAddresses is a list of IP address subjectAltNames to
+                  be set on the Certificate.
+                items:
+                  type: string
+                type: array
+              isCA:
+                description: IsCA will mark this Certificate as valid for certificate
+                  signing. This will automatically add the `cert sign` usage to the
+                  list of `usages`.
+                type: boolean
+              issuerRef:
+                description: IssuerRef is a reference to the issuer for this certificate.
+                  If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
+                  with the given name in the same namespace as the Certificate will
+                  be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
+                  with the provided name will be used. The 'name' field in this stanza
+                  is required at all times.
+                properties:
+                  group:
+                    description: Group of the resource being referred to.
+                    type: string
+                  kind:
+                    description: Kind of the resource being referred to.
+                    type: string
+                  name:
+                    description: Name of the resource being referred to.
+                    type: string
+                required:
+                - name
+                type: object
+              keystores:
+                description: Keystores configures additional keystore output formats
+                  stored in the `secretName` Secret resource.
+                properties:
+                  jks:
+                    description: JKS configures options for storing a JKS keystore
+                      in the `spec.secretName` Secret resource.
+                    properties:
+                      create:
+                        description: Create enables JKS keystore creation for the
+                          Certificate. If true, a file named `keystore.jks` will be
+                          created in the target Secret resource, encrypted using the
+                          password stored in `passwordSecretRef`. The keystore file
+                          will only be updated upon re-issuance.
+                        type: boolean
+                      passwordSecretRef:
+                        description: PasswordSecretRef is a reference to a key in
+                          a Secret resource containing the password used to encrypt
+                          the JKS keystore.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                    required:
+                    - create
+                    - passwordSecretRef
+                    type: object
+                  pkcs12:
+                    description: PKCS12 configures options for storing a PKCS12 keystore
+                      in the `spec.secretName` Secret resource.
+                    properties:
+                      create:
+                        description: Create enables PKCS12 keystore creation for the
+                          Certificate. If true, a file named `keystore.p12` will be
+                          created in the target Secret resource, encrypted using the
+                          password stored in `passwordSecretRef`. The keystore file
+                          will only be updated upon re-issuance.
+                        type: boolean
+                      passwordSecretRef:
+                        description: PasswordSecretRef is a reference to a key in
+                          a Secret resource containing the password used to encrypt
+                          the PKCS12 keystore.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                    required:
+                    - create
+                    - passwordSecretRef
+                    type: object
+                type: object
+              privateKey:
+                description: Options to control private keys used for the Certificate.
+                properties:
+                  algorithm:
+                    description: Algorithm is the private key algorithm of the corresponding
+                      private key for this certificate. If provided, allowed values
+                      are either "rsa" or "ecdsa" If `algorithm` is specified and
+                      `size` is not provided, key size of 256 will be used for "ecdsa"
+                      key algorithm and key size of 2048 will be used for "rsa" key
+                      algorithm.
+                    enum:
+                    - RSA
+                    - ECDSA
+                    type: string
+                  encoding:
+                    description: The private key cryptography standards (PKCS) encoding
+                      for this certificate's private key to be encoded in. If provided,
+                      allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and
+                      PKCS#8, respectively. Defaults to PKCS#1 if not specified.
+                    enum:
+                    - PKCS1
+                    - PKCS8
+                    type: string
+                  rotationPolicy:
+                    description: RotationPolicy controls how private keys should be
+                      regenerated when a re-issuance is being processed. If set to
+                      Never, a private key will only be generated if one does not
+                      already exist in the target `spec.secretName`. If one does exists
+                      but it does not have the correct algorithm or size, a warning
+                      will be raised to await user intervention. If set to Always,
+                      a private key matching the specified requirements will be generated
+                      whenever a re-issuance occurs. Default is 'Never' for backward
+                      compatibility.
+                    type: string
+                  size:
+                    description: Size is the key bit size of the corresponding private
+                      key for this certificate. If `algorithm` is set to `RSA`, valid
+                      values are `2048`, `4096` or `8192`, and will default to `2048`
+                      if not specified. If `algorithm` is set to `ECDSA`, valid values
+                      are `256`, `384` or `521`, and will default to `256` if not
+                      specified. No other values are allowed.
+                    maximum: 8192
+                    minimum: 0
+                    type: integer
+                type: object
+              renewBefore:
+                description: The amount of time before the currently issued certificate's
+                  `notAfter` time that cert-manager will begin to attempt to renew
+                  the certificate. If this value is greater than the total duration
+                  of the certificate (i.e. notAfter - notBefore), it will be automatically
+                  renewed 2/3rds of the way through the certificate's duration.
+                type: string
+              secretName:
+                description: SecretName is the name of the secret resource that will
+                  be automatically created and managed by this Certificate resource.
+                  It will be populated with a private key and certificate, signed
+                  by the denoted issuer.
+                type: string
+              subject:
+                description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
+                properties:
+                  countries:
+                    description: Countries to be used on the Certificate.
+                    items:
+                      type: string
+                    type: array
+                  localities:
+                    description: Cities to be used on the Certificate.
+                    items:
+                      type: string
+                    type: array
+                  organizationalUnits:
+                    description: Organizational Units to be used on the Certificate.
+                    items:
+                      type: string
+                    type: array
+                  organizations:
+                    description: Organizations to be used on the Certificate.
+                    items:
+                      type: string
+                    type: array
+                  postalCodes:
+                    description: Postal codes to be used on the Certificate.
+                    items:
+                      type: string
+                    type: array
+                  provinces:
+                    description: State/Provinces to be used on the Certificate.
+                    items:
+                      type: string
+                    type: array
+                  serialNumber:
+                    description: Serial number to be used on the Certificate.
+                    type: string
+                  streetAddresses:
+                    description: Street addresses to be used on the Certificate.
+                    items:
+                      type: string
+                    type: array
+                type: object
+              uriSANs:
+                description: URISANs is a list of URI subjectAltNames to be set on
+                  the Certificate.
+                items:
+                  type: string
+                type: array
+              usages:
+                description: Usages is the set of x509 usages that are requested for
+                  the certificate. Defaults to `digital signature` and `key encipherment`
+                  if not specified.
+                items:
+                  description: 'KeyUsage specifies valid usage contexts for keys.
+                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+                    Valid KeyUsage values are as follows: "signing", "digital signature",
+                    "content commitment", "key encipherment", "key agreement", "data
+                    encipherment", "cert sign", "crl sign", "encipher only", "decipher
+                    only", "any", "server auth", "client auth", "code signing", "email
+                    protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
+                    user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
+                    sgc"'
+                  enum:
+                  - signing
+                  - digital signature
+                  - content commitment
+                  - key encipherment
+                  - key agreement
+                  - data encipherment
+                  - cert sign
+                  - crl sign
+                  - encipher only
+                  - decipher only
+                  - any
+                  - server auth
+                  - client auth
+                  - code signing
+                  - email protection
+                  - s/mime
+                  - ipsec end system
+                  - ipsec tunnel
+                  - ipsec user
+                  - timestamping
+                  - ocsp signing
+                  - microsoft sgc
+                  - netscape sgc
+                  type: string
+                type: array
+            required:
+            - issuerRef
+            - secretName
+            type: object
+          status:
+            description: Status of the Certificate. This is set and managed automatically.
+            properties:
+              conditions:
+                description: List of status conditions to indicate the status of certificates.
+                  Known condition types are `Ready` and `Issuing`.
+                items:
+                  description: CertificateCondition contains condition information
+                    for an Certificate.
+                  properties:
+                    lastTransitionTime:
+                      description: LastTransitionTime is the timestamp corresponding
+                        to the last status change of this condition.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Message is a human readable description of the
+                        details of the last transition, complementing reason.
+                      type: string
+                    reason:
+                      description: Reason is a brief machine readable explanation
+                        for the condition's last transition.
+                      type: string
+                    status:
+                      description: Status of the condition, one of ('True', 'False',
+                        'Unknown').
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: Type of the condition, known values are ('Ready',
+                        `Issuing`).
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              lastFailureTime:
+                description: LastFailureTime is the time as recorded by the Certificate
+                  controller of the most recent failure to complete a CertificateRequest
+                  for this Certificate resource. If set, cert-manager will not re-request
+                  another Certificate until 1 hour has elapsed from this time.
+                format: date-time
+                type: string
+              nextPrivateKeySecretName:
+                description: The name of the Secret resource containing the private
+                  key to be used for the next certificate iteration. The keymanager
+                  controller will automatically set this field if the `Issuing` condition
+                  is set to `True`. It will automatically unset this field when the
+                  Issuing condition is not set or False.
+                type: string
+              notAfter:
+                description: The expiration time of the certificate stored in the
+                  secret named by this resource in `spec.secretName`.
+                format: date-time
+                type: string
+              notBefore:
+                description: The time after which the certificate stored in the secret
+                  named by this resource in spec.secretName is valid.
+                format: date-time
+                type: string
+              renewalTime:
+                description: RenewalTime is the time at which the certificate will
+                  be next renewed. If not set, no upcoming renewal is scheduled.
+                format: date-time
+                type: string
+              revision:
+                description: "The current 'revision' of the certificate as issued.
+                  \n When a CertificateRequest resource is created, it will have the
+                  `cert-manager.io/certificate-revision` set to one greater than the
+                  current value of this field. \n Upon issuance, this field will be
+                  set to the value of the annotation on the CertificateRequest resource
+                  used to issue the certificate. \n Persisting the value on the CertificateRequest
+                  resource allows the certificates controller to know whether a request
+                  is part of an old issuance or if it is part of the ongoing revision's
+                  issuance by checking if the revision value in the annotation is
+                  greater than this field."
+                type: integer
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: .spec.secretName
+      name: Secret
+      type: string
+    - jsonPath: .spec.issuerRef.name
+      name: Issuer
+      priority: 1
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].message
+      name: Status
+      priority: 1
+      type: string
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC.
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
+    schema:
+      openAPIV3Schema:
+        description: "A Certificate resource should be created to ensure an up to
+          date and signed x509 certificate is stored in the Kubernetes Secret resource
+          named in `spec.secretName`. \n The stored certificate will be renewed before
+          it expires (as configured by `spec.renewBefore`)."
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Desired state of the Certificate resource.
+            properties:
+              commonName:
+                description: 'CommonName is a common name to be used on the Certificate.
+                  The CommonName should have a length of 64 characters or fewer to
+                  avoid generating invalid CSRs. This value is ignored by TLS clients
+                  when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
+                type: string
+              dnsNames:
+                description: DNSNames is a list of DNS subjectAltNames to be set on
+                  the Certificate.
+                items:
+                  type: string
+                type: array
+              duration:
+                description: The requested 'duration' (i.e. lifetime) of the Certificate.
+                  This option may be ignored/overridden by some issuer types. If overridden
+                  and `renewBefore` is greater than the actual certificate duration,
+                  the certificate will be automatically renewed 2/3rds of the way
+                  through the certificate's duration.
+                type: string
+              emailAddresses:
+                description: EmailAddresses is a list of email subjectAltNames to
+                  be set on the Certificate.
+                items:
+                  type: string
+                type: array
+              ipAddresses:
+                description: IPAddresses is a list of IP address subjectAltNames to
+                  be set on the Certificate.
+                items:
+                  type: string
+                type: array
+              isCA:
+                description: IsCA will mark this Certificate as valid for certificate
+                  signing. This will automatically add the `cert sign` usage to the
+                  list of `usages`.
+                type: boolean
+              issuerRef:
+                description: IssuerRef is a reference to the issuer for this certificate.
+                  If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
+                  with the given name in the same namespace as the Certificate will
+                  be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
+                  with the provided name will be used. The 'name' field in this stanza
+                  is required at all times.
+                properties:
+                  group:
+                    description: Group of the resource being referred to.
+                    type: string
+                  kind:
+                    description: Kind of the resource being referred to.
+                    type: string
+                  name:
+                    description: Name of the resource being referred to.
+                    type: string
+                required:
+                - name
+                type: object
+              keystores:
+                description: Keystores configures additional keystore output formats
+                  stored in the `secretName` Secret resource.
+                properties:
+                  jks:
+                    description: JKS configures options for storing a JKS keystore
+                      in the `spec.secretName` Secret resource.
+                    properties:
+                      create:
+                        description: Create enables JKS keystore creation for the
+                          Certificate. If true, a file named `keystore.jks` will be
+                          created in the target Secret resource, encrypted using the
+                          password stored in `passwordSecretRef`. The keystore file
+                          will only be updated upon re-issuance.
+                        type: boolean
+                      passwordSecretRef:
+                        description: PasswordSecretRef is a reference to a key in
+                          a Secret resource containing the password used to encrypt
+                          the JKS keystore.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                    required:
+                    - create
+                    - passwordSecretRef
+                    type: object
+                  pkcs12:
+                    description: PKCS12 configures options for storing a PKCS12 keystore
+                      in the `spec.secretName` Secret resource.
+                    properties:
+                      create:
+                        description: Create enables PKCS12 keystore creation for the
+                          Certificate. If true, a file named `keystore.p12` will be
+                          created in the target Secret resource, encrypted using the
+                          password stored in `passwordSecretRef`. The keystore file
+                          will only be updated upon re-issuance.
+                        type: boolean
+                      passwordSecretRef:
+                        description: PasswordSecretRef is a reference to a key in
+                          a Secret resource containing the password used to encrypt
+                          the PKCS12 keystore.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                    required:
+                    - create
+                    - passwordSecretRef
+                    type: object
+                type: object
+              privateKey:
+                description: Options to control private keys used for the Certificate.
+                properties:
+                  algorithm:
+                    description: Algorithm is the private key algorithm of the corresponding
+                      private key for this certificate. If provided, allowed values
+                      are either "rsa" or "ecdsa" If `algorithm` is specified and
+                      `size` is not provided, key size of 256 will be used for "ecdsa"
+                      key algorithm and key size of 2048 will be used for "rsa" key
+                      algorithm.
+                    enum:
+                    - RSA
+                    - ECDSA
+                    type: string
+                  encoding:
+                    description: The private key cryptography standards (PKCS) encoding
+                      for this certificate's private key to be encoded in. If provided,
+                      allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and
+                      PKCS#8, respectively. Defaults to PKCS#1 if not specified.
+                    enum:
+                    - PKCS1
+                    - PKCS8
+                    type: string
+                  rotationPolicy:
+                    description: RotationPolicy controls how private keys should be
+                      regenerated when a re-issuance is being processed. If set to
+                      Never, a private key will only be generated if one does not
+                      already exist in the target `spec.secretName`. If one does exists
+                      but it does not have the correct algorithm or size, a warning
+                      will be raised to await user intervention. If set to Always,
+                      a private key matching the specified requirements will be generated
+                      whenever a re-issuance occurs. Default is 'Never' for backward
+                      compatibility.
+                    type: string
+                  size:
+                    description: Size is the key bit size of the corresponding private
+                      key for this certificate. If `algorithm` is set to `RSA`, valid
+                      values are `2048`, `4096` or `8192`, and will default to `2048`
+                      if not specified. If `algorithm` is set to `ECDSA`, valid values
+                      are `256`, `384` or `521`, and will default to `256` if not
+                      specified. No other values are allowed.
+                    maximum: 8192
+                    minimum: 0
+                    type: integer
+                type: object
+              renewBefore:
+                description: The amount of time before the currently issued certificate's
+                  `notAfter` time that cert-manager will begin to attempt to renew
+                  the certificate. If this value is greater than the total duration
+                  of the certificate (i.e. notAfter - notBefore), it will be automatically
+                  renewed 2/3rds of the way through the certificate's duration.
+                type: string
+              secretName:
+                description: SecretName is the name of the secret resource that will
+                  be automatically created and managed by this Certificate resource.
+                  It will be populated with a private key and certificate, signed
+                  by the denoted issuer.
+                type: string
+              subject:
+                description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
+                properties:
+                  countries:
+                    description: Countries to be used on the Certificate.
+                    items:
+                      type: string
+                    type: array
+                  localities:
+                    description: Cities to be used on the Certificate.
+                    items:
+                      type: string
+                    type: array
+                  organizationalUnits:
+                    description: Organizational Units to be used on the Certificate.
+                    items:
+                      type: string
+                    type: array
+                  organizations:
+                    description: Organizations to be used on the Certificate.
+                    items:
+                      type: string
+                    type: array
+                  postalCodes:
+                    description: Postal codes to be used on the Certificate.
+                    items:
+                      type: string
+                    type: array
+                  provinces:
+                    description: State/Provinces to be used on the Certificate.
+                    items:
+                      type: string
+                    type: array
+                  serialNumber:
+                    description: Serial number to be used on the Certificate.
+                    type: string
+                  streetAddresses:
+                    description: Street addresses to be used on the Certificate.
+                    items:
+                      type: string
+                    type: array
+                type: object
+              uris:
+                description: URIs is a list of URI subjectAltNames to be set on the
+                  Certificate.
+                items:
+                  type: string
+                type: array
+              usages:
+                description: Usages is the set of x509 usages that are requested for
+                  the certificate. Defaults to `digital signature` and `key encipherment`
+                  if not specified.
+                items:
+                  description: 'KeyUsage specifies valid usage contexts for keys.
+                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+                    Valid KeyUsage values are as follows: "signing", "digital signature",
+                    "content commitment", "key encipherment", "key agreement", "data
+                    encipherment", "cert sign", "crl sign", "encipher only", "decipher
+                    only", "any", "server auth", "client auth", "code signing", "email
+                    protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
+                    user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
+                    sgc"'
+                  enum:
+                  - signing
+                  - digital signature
+                  - content commitment
+                  - key encipherment
+                  - key agreement
+                  - data encipherment
+                  - cert sign
+                  - crl sign
+                  - encipher only
+                  - decipher only
+                  - any
+                  - server auth
+                  - client auth
+                  - code signing
+                  - email protection
+                  - s/mime
+                  - ipsec end system
+                  - ipsec tunnel
+                  - ipsec user
+                  - timestamping
+                  - ocsp signing
+                  - microsoft sgc
+                  - netscape sgc
+                  type: string
+                type: array
+            required:
+            - issuerRef
+            - secretName
+            type: object
+          status:
+            description: Status of the Certificate. This is set and managed automatically.
+            properties:
+              conditions:
+                description: List of status conditions to indicate the status of certificates.
+                  Known condition types are `Ready` and `Issuing`.
+                items:
+                  description: CertificateCondition contains condition information
+                    for an Certificate.
+                  properties:
+                    lastTransitionTime:
+                      description: LastTransitionTime is the timestamp corresponding
+                        to the last status change of this condition.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Message is a human readable description of the
+                        details of the last transition, complementing reason.
+                      type: string
+                    reason:
+                      description: Reason is a brief machine readable explanation
+                        for the condition's last transition.
+                      type: string
+                    status:
+                      description: Status of the condition, one of ('True', 'False',
+                        'Unknown').
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: Type of the condition, known values are ('Ready',
+                        `Issuing`).
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              lastFailureTime:
+                description: LastFailureTime is the time as recorded by the Certificate
+                  controller of the most recent failure to complete a CertificateRequest
+                  for this Certificate resource. If set, cert-manager will not re-request
+                  another Certificate until 1 hour has elapsed from this time.
+                format: date-time
+                type: string
+              nextPrivateKeySecretName:
+                description: The name of the Secret resource containing the private
+                  key to be used for the next certificate iteration. The keymanager
+                  controller will automatically set this field if the `Issuing` condition
+                  is set to `True`. It will automatically unset this field when the
+                  Issuing condition is not set or False.
+                type: string
+              notAfter:
+                description: The expiration time of the certificate stored in the
+                  secret named by this resource in `spec.secretName`.
+                format: date-time
+                type: string
+              notBefore:
+                description: The time after which the certificate stored in the secret
+                  named by this resource in spec.secretName is valid.
+                format: date-time
+                type: string
+              renewalTime:
+                description: RenewalTime is the time at which the certificate will
+                  be next renewed. If not set, no upcoming renewal is scheduled.
+                format: date-time
+                type: string
+              revision:
+                description: "The current 'revision' of the certificate as issued.
+                  \n When a CertificateRequest resource is created, it will have the
+                  `cert-manager.io/certificate-revision` set to one greater than the
+                  current value of this field. \n Upon issuance, this field will be
+                  set to the value of the annotation on the CertificateRequest resource
+                  used to issue the certificate. \n Persisting the value on the CertificateRequest
+                  resource allows the certificates controller to know whether a request
+                  is part of an old issuance or if it is part of the ongoing revision's
+                  issuance by checking if the revision value in the annotation is
+                  greater than this field."
+                type: integer
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
+  labels:
+    app: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: challenges.acme.cert-manager.io
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          name: cert-manager-webhook
+          namespace: cert-manager
+          path: /convert
+      conversionReviewVersions:
+      - v1
+      - v1beta1
+  group: acme.cert-manager.io
+  names:
+    kind: Challenge
+    listKind: ChallengeList
+    plural: challenges
+    singular: challenge
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .status.state
+      name: State
+      type: string
+    - jsonPath: .spec.dnsName
+      name: Domain
+      type: string
+    - jsonPath: .status.reason
+      name: Reason
+      priority: 1
+      type: string
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC.
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: Challenge is a type to represent a Challenge request with an
+          ACME server
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              authzURL:
+                description: AuthzURL is the URL to the ACME Authorization resource
+                  that this challenge is a part of.
+                type: string
+              dnsName:
+                description: DNSName is the identifier that this challenge is for,
+                  e.g. example.com. If the requested DNSName is a 'wildcard', this
+                  field MUST be set to the non-wildcard domain, e.g. for `*.example.com`,
+                  it must be `example.com`.
+                type: string
+              issuerRef:
+                description: IssuerRef references a properly configured ACME-type
+                  Issuer which should be used to create this Challenge. If the Issuer
+                  does not exist, processing will be retried. If the Issuer is not
+                  an 'ACME' Issuer, an error will be returned and the Challenge will
+                  be marked as failed.
+                properties:
+                  group:
+                    description: Group of the resource being referred to.
+                    type: string
+                  kind:
+                    description: Kind of the resource being referred to.
+                    type: string
+                  name:
+                    description: Name of the resource being referred to.
+                    type: string
+                required:
+                - name
+                type: object
+              key:
+                description: 'Key is the ACME challenge key for this challenge For
+                  HTTP01 challenges, this is the value that must be responded with
+                  to complete the HTTP01 challenge in the format: `<private key JWK
+                  thumbprint>.<key from acme server for challenge>`. For DNS01 challenges,
+                  this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key
+                  from acme server for challenge>` text that must be set as the TXT
+                  record content.'
+                type: string
+              solver:
+                description: Solver contains the domain solving configuration that
+                  should be used to solve this challenge resource.
+                properties:
+                  dns01:
+                    description: Configures cert-manager to attempt to complete authorizations
+                      by performing the DNS01 challenge flow.
+                    properties:
+                      acmedns:
+                        description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
+                          API to manage DNS01 challenge records.
+                        properties:
+                          accountSecretRef:
+                            description: A reference to a specific 'key' within a
+                              Secret resource. In some instances, `key` is a required
+                              field.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          host:
+                            type: string
+                        required:
+                        - accountSecretRef
+                        - host
+                        type: object
+                      akamai:
+                        description: Use the Akamai DNS zone management API to manage
+                          DNS01 challenge records.
+                        properties:
+                          accessTokenSecretRef:
+                            description: A reference to a specific 'key' within a
+                              Secret resource. In some instances, `key` is a required
+                              field.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          clientSecretSecretRef:
+                            description: A reference to a specific 'key' within a
+                              Secret resource. In some instances, `key` is a required
+                              field.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          clientTokenSecretRef:
+                            description: A reference to a specific 'key' within a
+                              Secret resource. In some instances, `key` is a required
+                              field.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          serviceConsumerDomain:
+                            type: string
+                        required:
+                        - accessTokenSecretRef
+                        - clientSecretSecretRef
+                        - clientTokenSecretRef
+                        - serviceConsumerDomain
+                        type: object
+                      azuredns:
+                        description: Use the Microsoft Azure DNS API to manage DNS01
+                          challenge records.
+                        properties:
+                          clientID:
+                            description: if both this and ClientSecret are left unset
+                              MSI will be used
+                            type: string
+                          clientSecretSecretRef:
+                            description: if both this and ClientID are left unset
+                              MSI will be used
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          environment:
+                            enum:
+                            - AzurePublicCloud
+                            - AzureChinaCloud
+                            - AzureGermanCloud
+                            - AzureUSGovernmentCloud
+                            type: string
+                          hostedZoneName:
+                            type: string
+                          resourceGroupName:
+                            type: string
+                          subscriptionID:
+                            type: string
+                          tenantID:
+                            description: when specifying ClientID and ClientSecret
+                              then this field is also needed
+                            type: string
+                        required:
+                        - resourceGroupName
+                        - subscriptionID
+                        type: object
+                      clouddns:
+                        description: Use the Google Cloud DNS API to manage DNS01
+                          challenge records.
+                        properties:
+                          hostedZoneName:
+                            description: HostedZoneName is an optional field that
+                              tells cert-manager in which Cloud DNS zone the challenge
+                              record has to be created. If left empty cert-manager
+                              will automatically choose a zone.
+                            type: string
+                          project:
+                            type: string
+                          serviceAccountSecretRef:
+                            description: A reference to a specific 'key' within a
+                              Secret resource. In some instances, `key` is a required
+                              field.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - project
+                        type: object
+                      cloudflare:
+                        description: Use the Cloudflare API to manage DNS01 challenge
+                          records.
+                        properties:
+                          apiKeySecretRef:
+                            description: 'API key to use to authenticate with Cloudflare.
+                              Note: using an API token to authenticate is now the
+                              recommended method as it allows greater control of permissions.'
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          apiTokenSecretRef:
+                            description: API token used to authenticate with Cloudflare.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          email:
+                            description: Email of the account, only required when
+                              using API key based authentication.
+                            type: string
+                        type: object
+                      cnameStrategy:
+                        description: CNAMEStrategy configures how the DNS01 provider
+                          should handle CNAME records when found in DNS zones.
+                        enum:
+                        - None
+                        - Follow
+                        type: string
+                      digitalocean:
+                        description: Use the DigitalOcean DNS API to manage DNS01
+                          challenge records.
+                        properties:
+                          tokenSecretRef:
+                            description: A reference to a specific 'key' within a
+                              Secret resource. In some instances, `key` is a required
+                              field.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - tokenSecretRef
+                        type: object
+                      rfc2136:
+                        description: Use RFC2136 ("Dynamic Updates in the Domain Name
+                          System") (https://datatracker.ietf.org/doc/rfc2136/) to
+                          manage DNS01 challenge records.
+                        properties:
+                          nameserver:
+                            description: The IP address or hostname of an authoritative
+                              DNS server supporting RFC2136 in the form host:port.
+                              If the host is an IPv6 address it must be enclosed in
+                              square brackets (e.g [2001:db8::1]) ; port is optional.
+                              This field is required.
+                            type: string
+                          tsigAlgorithm:
+                            description: 'The TSIG Algorithm configured in the DNS
+                              supporting RFC2136. Used only when ``tsigSecretSecretRef``
+                              and ``tsigKeyName`` are defined. Supported values are
+                              (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``,
+                              ``HMACSHA256`` or ``HMACSHA512``.'
+                            type: string
+                          tsigKeyName:
+                            description: The TSIG Key name configured in the DNS.
+                              If ``tsigSecretSecretRef`` is defined, this field is
+                              required.
+                            type: string
+                          tsigSecretSecretRef:
+                            description: The name of the secret containing the TSIG
+                              value. If ``tsigKeyName`` is defined, this field is
+                              required.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - nameserver
+                        type: object
+                      route53:
+                        description: Use the AWS Route53 API to manage DNS01 challenge
+                          records.
+                        properties:
+                          accessKeyID:
+                            description: 'The AccessKeyID is used for authentication.
+                              If not set we fall-back to using env vars, shared credentials
+                              file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                            type: string
+                          hostedZoneID:
+                            description: If set, the provider will manage only this
+                              zone in Route53 and will not do an lookup using the
+                              route53:ListHostedZonesByName api call.
+                            type: string
+                          region:
+                            description: Always set the region when using AccessKeyID
+                              and SecretAccessKey
+                            type: string
+                          role:
+                            description: Role is a Role ARN which the Route53 provider
+                              will assume using either the explicit credentials AccessKeyID/SecretAccessKey
+                              or the inferred credentials from environment variables,
+                              shared credentials file or AWS Instance metadata
+                            type: string
+                          secretAccessKeySecretRef:
+                            description: The SecretAccessKey is used for authentication.
+                              If not set we fall-back to using env vars, shared credentials
+                              file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - region
+                        type: object
+                      webhook:
+                        description: Configure an external webhook based DNS01 challenge
+                          solver to manage DNS01 challenge records.
+                        properties:
+                          config:
+                            description: Additional configuration that should be passed
+                              to the webhook apiserver when challenges are processed.
+                              This can contain arbitrary JSON data. Secret values
+                              should not be specified in this stanza. If secret values
+                              are needed (e.g. credentials for a DNS service), you
+                              should use a SecretKeySelector to reference a Secret
+                              resource. For details on the schema of this field, consult
+                              the webhook provider implementation's documentation.
+                            x-kubernetes-preserve-unknown-fields: true
+                          groupName:
+                            description: The API group name that should be used when
+                              POSTing ChallengePayload resources to the webhook apiserver.
+                              This should be the same as the GroupName specified in
+                              the webhook provider implementation.
+                            type: string
+                          solverName:
+                            description: The name of the solver to use, as defined
+                              in the webhook provider implementation. This will typically
+                              be the name of the provider, e.g. 'cloudflare'.
+                            type: string
+                        required:
+                        - groupName
+                        - solverName
+                        type: object
+                    type: object
+                  http01:
+                    description: Configures cert-manager to attempt to complete authorizations
+                      by performing the HTTP01 challenge flow. It is not possible
+                      to obtain certificates for wildcard domain names (e.g. `*.example.com`)
+                      using the HTTP01 challenge mechanism.
+                    properties:
+                      ingress:
+                        description: The ingress based HTTP01 challenge solver will
+                          solve challenges by creating or modifying Ingress resources
+                          in order to route requests for '/.well-known/acme-challenge/XYZ'
+                          to 'challenge solver' pods that are provisioned by cert-manager
+                          for each Challenge to be completed.
+                        properties:
+                          class:
+                            description: The ingress class to use when creating Ingress
+                              resources to solve ACME challenges that use this challenge
+                              solver. Only one of 'class' or 'name' may be specified.
+                            type: string
+                          ingressTemplate:
+                            description: Optional ingress template used to configure
+                              the ACME challenge solver ingress used for HTTP01 challenges
+                            properties:
+                              metadata:
+                                description: ObjectMeta overrides for the ingress
+                                  used to solve HTTP01 challenges. Only the 'labels'
+                                  and 'annotations' fields may be set. If labels or
+                                  annotations overlap with in-built values, the values
+                                  here will override the in-built values.
+                                properties:
+                                  annotations:
+                                    additionalProperties:
+                                      type: string
+                                    description: Annotations that should be added
+                                      to the created ACME HTTP01 solver ingress.
+                                    type: object
+                                  labels:
+                                    additionalProperties:
+                                      type: string
+                                    description: Labels that should be added to the
+                                      created ACME HTTP01 solver ingress.
+                                    type: object
+                                type: object
+                            type: object
+                          name:
+                            description: The name of the ingress resource that should
+                              have ACME challenge solving routes inserted into it
+                              in order to solve HTTP01 challenges. This is typically
+                              used in conjunction with ingress controllers like ingress-gce,
+                              which maintains a 1:1 mapping between external IPs and
+                              ingress resources.
+                            type: string
+                          podTemplate:
+                            description: Optional pod template used to configure the
+                              ACME challenge solver pods used for HTTP01 challenges
+                            properties:
+                              metadata:
+                                description: ObjectMeta overrides for the pod used
+                                  to solve HTTP01 challenges. Only the 'labels' and
+                                  'annotations' fields may be set. If labels or annotations
+                                  overlap with in-built values, the values here will
+                                  override the in-built values.
+                                properties:
+                                  annotations:
+                                    additionalProperties:
+                                      type: string
+                                    description: Annotations that should be added
+                                      to the create ACME HTTP01 solver pods.
+                                    type: object
+                                  labels:
+                                    additionalProperties:
+                                      type: string
+                                    description: Labels that should be added to the
+                                      created ACME HTTP01 solver pods.
+                                    type: object
+                                type: object
+                              spec:
+                                description: PodSpec defines overrides for the HTTP01
+                                  challenge solver pod. Only the 'priorityClassName',
+                                  'nodeSelector', 'affinity', 'serviceAccountName'
+                                  and 'tolerations' fields are supported currently.
+                                  All other fields will be ignored.
+                                properties:
+                                  affinity:
+                                    description: If specified, the pod's scheduling
+                                      constraints
+                                    properties:
+                                      nodeAffinity:
+                                        description: Describes node affinity scheduling
+                                          rules for the pod.
+                                        properties:
+                                          preferredDuringSchedulingIgnoredDuringExecution:
+                                            description: The scheduler will prefer
+                                              to schedule pods to nodes that satisfy
+                                              the affinity expressions specified by
+                                              this field, but it may choose a node
+                                              that violates one or more of the expressions.
+                                              The node that is most preferred is the
+                                              one with the greatest sum of weights,
+                                              i.e. for each node that meets all of
+                                              the scheduling requirements (resource
+                                              request, requiredDuringScheduling affinity
+                                              expressions, etc.), compute a sum by
+                                              iterating through the elements of this
+                                              field and adding "weight" to the sum
+                                              if the node matches the corresponding
+                                              matchExpressions; the node(s) with the
+                                              highest sum are the most preferred.
+                                            items:
+                                              description: An empty preferred scheduling
+                                                term matches all objects with implicit
+                                                weight 0 (i.e. it's a no-op). A null
+                                                preferred scheduling term matches
+                                                no objects (i.e. is also a no-op).
+                                              properties:
+                                                preference:
+                                                  description: A node selector term,
+                                                    associated with the corresponding
+                                                    weight.
+                                                  properties:
+                                                    matchExpressions:
+                                                      description: A list of node
+                                                        selector requirements by node's
+                                                        labels.
+                                                      items:
+                                                        description: A node selector
+                                                          requirement is a selector
+                                                          that contains values, a
+                                                          key, and an operator that
+                                                          relates the key and values.
+                                                        properties:
+                                                          key:
+                                                            description: The label
+                                                              key that the selector
+                                                              applies to.
+                                                            type: string
+                                                          operator:
+                                                            description: Represents
+                                                              a key's relationship
+                                                              to a set of values.
+                                                              Valid operators are
+                                                              In, NotIn, Exists, DoesNotExist.
+                                                              Gt, and Lt.
+                                                            type: string
+                                                          values:
+                                                            description: An array
+                                                              of string values. If
+                                                              the operator is In or
+                                                              NotIn, the values array
+                                                              must be non-empty. If
+                                                              the operator is Exists
+                                                              or DoesNotExist, the
+                                                              values array must be
+                                                              empty. If the operator
+                                                              is Gt or Lt, the values
+                                                              array must have a single
+                                                              element, which will
+                                                              be interpreted as an
+                                                              integer. This array
+                                                              is replaced during a
+                                                              strategic merge patch.
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                        required:
+                                                        - key
+                                                        - operator
+                                                        type: object
+                                                      type: array
+                                                    matchFields:
+                                                      description: A list of node
+                                                        selector requirements by node's
+                                                        fields.
+                                                      items:
+                                                        description: A node selector
+                                                          requirement is a selector
+                                                          that contains values, a
+                                                          key, and an operator that
+                                                          relates the key and values.
+                                                        properties:
+                                                          key:
+                                                            description: The label
+                                                              key that the selector
+                                                              applies to.
+                                                            type: string
+                                                          operator:
+                                                            description: Represents
+                                                              a key's relationship
+                                                              to a set of values.
+                                                              Valid operators are
+                                                              In, NotIn, Exists, DoesNotExist.
+                                                              Gt, and Lt.
+                                                            type: string
+                                                          values:
+                                                            description: An array
+                                                              of string values. If
+                                                              the operator is In or
+                                                              NotIn, the values array
+                                                              must be non-empty. If
+                                                              the operator is Exists
+                                                              or DoesNotExist, the
+                                                              values array must be
+                                                              empty. If the operator
+                                                              is Gt or Lt, the values
+                                                              array must have a single
+                                                              element, which will
+                                                              be interpreted as an
+                                                              integer. This array
+                                                              is replaced during a
+                                                              strategic merge patch.
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                        required:
+                                                        - key
+                                                        - operator
+                                                        type: object
+                                                      type: array
+                                                  type: object
+                                                weight:
+                                                  description: Weight associated with
+                                                    matching the corresponding nodeSelectorTerm,
+                                                    in the range 1-100.
+                                                  format: int32
+                                                  type: integer
+                                              required:
+                                              - preference
+                                              - weight
+                                              type: object
+                                            type: array
+                                          requiredDuringSchedulingIgnoredDuringExecution:
+                                            description: If the affinity requirements
+                                              specified by this field are not met
+                                              at scheduling time, the pod will not
+                                              be scheduled onto the node. If the affinity
+                                              requirements specified by this field
+                                              cease to be met at some point during
+                                              pod execution (e.g. due to an update),
+                                              the system may or may not try to eventually
+                                              evict the pod from its node.
+                                            properties:
+                                              nodeSelectorTerms:
+                                                description: Required. A list of node
+                                                  selector terms. The terms are ORed.
+                                                items:
+                                                  description: A null or empty node
+                                                    selector term matches no objects.
+                                                    The requirements of them are ANDed.
+                                                    The TopologySelectorTerm type
+                                                    implements a subset of the NodeSelectorTerm.
+                                                  properties:
+                                                    matchExpressions:
+                                                      description: A list of node
+                                                        selector requirements by node's
+                                                        labels.
+                                                      items:
+                                                        description: A node selector
+                                                          requirement is a selector
+                                                          that contains values, a
+                                                          key, and an operator that
+                                                          relates the key and values.
+                                                        properties:
+                                                          key:
+                                                            description: The label
+                                                              key that the selector
+                                                              applies to.
+                                                            type: string
+                                                          operator:
+                                                            description: Represents
+                                                              a key's relationship
+                                                              to a set of values.
+                                                              Valid operators are
+                                                              In, NotIn, Exists, DoesNotExist.
+                                                              Gt, and Lt.
+                                                            type: string
+                                                          values:
+                                                            description: An array
+                                                              of string values. If
+                                                              the operator is In or
+                                                              NotIn, the values array
+                                                              must be non-empty. If
+                                                              the operator is Exists
+                                                              or DoesNotExist, the
+                                                              values array must be
+                                                              empty. If the operator
+                                                              is Gt or Lt, the values
+                                                              array must have a single
+                                                              element, which will
+                                                              be interpreted as an
+                                                              integer. This array
+                                                              is replaced during a
+                                                              strategic merge patch.
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                        required:
+                                                        - key
+                                                        - operator
+                                                        type: object
+                                                      type: array
+                                                    matchFields:
+                                                      description: A list of node
+                                                        selector requirements by node's
+                                                        fields.
+                                                      items:
+                                                        description: A node selector
+                                                          requirement is a selector
+                                                          that contains values, a
+                                                          key, and an operator that
+                                                          relates the key and values.
+                                                        properties:
+                                                          key:
+                                                            description: The label
+                                                              key that the selector
+                                                              applies to.
+                                                            type: string
+                                                          operator:
+                                                            description: Represents
+                                                              a key's relationship
+                                                              to a set of values.
+                                                              Valid operators are
+                                                              In, NotIn, Exists, DoesNotExist.
+                                                              Gt, and Lt.
+                                                            type: string
+                                                          values:
+                                                            description: An array
+                                                              of string values. If
+                                                              the operator is In or
+                                                              NotIn, the values array
+                                                              must be non-empty. If
+                                                              the operator is Exists
+                                                              or DoesNotExist, the
+                                                              values array must be
+                                                              empty. If the operator
+                                                              is Gt or Lt, the values
+                                                              array must have a single
+                                                              element, which will
+                                                              be interpreted as an
+                                                              integer. This array
+                                                              is replaced during a
+                                                              strategic merge patch.
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                        required:
+                                                        - key
+                                                        - operator
+                                                        type: object
+                                                      type: array
+                                                  type: object
+                                                type: array
+                                            required:
+                                            - nodeSelectorTerms
+                                            type: object
+                                        type: object
+                                      podAffinity:
+                                        description: Describes pod affinity scheduling
+                                          rules (e.g. co-locate this pod in the same
+                                          node, zone, etc. as some other pod(s)).
+                                        properties:
+                                          preferredDuringSchedulingIgnoredDuringExecution:
+                                            description: The scheduler will prefer
+                                              to schedule pods to nodes that satisfy
+                                              the affinity expressions specified by
+                                              this field, but it may choose a node
+                                              that violates one or more of the expressions.
+                                              The node that is most preferred is the
+                                              one with the greatest sum of weights,
+                                              i.e. for each node that meets all of
+                                              the scheduling requirements (resource
+                                              request, requiredDuringScheduling affinity
+                                              expressions, etc.), compute a sum by
+                                              iterating through the elements of this
+                                              field and adding "weight" to the sum
+                                              if the node has pods which matches the
+                                              corresponding podAffinityTerm; the node(s)
+                                              with the highest sum are the most preferred.
+                                            items:
+                                              description: The weights of all of the
+                                                matched WeightedPodAffinityTerm fields
+                                                are added per-node to find the most
+                                                preferred node(s)
+                                              properties:
+                                                podAffinityTerm:
+                                                  description: Required. A pod affinity
+                                                    term, associated with the corresponding
+                                                    weight.
+                                                  properties:
+                                                    labelSelector:
+                                                      description: A label query over
+                                                        a set of resources, in this
+                                                        case pods.
+                                                      properties:
+                                                        matchExpressions:
+                                                          description: matchExpressions
+                                                            is a list of label selector
+                                                            requirements. The requirements
+                                                            are ANDed.
+                                                          items:
+                                                            description: A label selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            properties:
+                                                              key:
+                                                                description: key is
+                                                                  the label key that
+                                                                  the selector applies
+                                                                  to.
+                                                                type: string
+                                                              operator:
+                                                                description: operator
+                                                                  represents a key's
+                                                                  relationship to
+                                                                  a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists
+                                                                  and DoesNotExist.
+                                                                type: string
+                                                              values:
+                                                                description: values
+                                                                  is an array of string
+                                                                  values. If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                items:
+                                                                  type: string
+                                                                type: array
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            type: object
+                                                          type: array
+                                                        matchLabels:
+                                                          additionalProperties:
+                                                            type: string
+                                                          description: matchLabels
+                                                            is a map of {key,value}
+                                                            pairs. A single {key,value}
+                                                            in the matchLabels map
+                                                            is equivalent to an element
+                                                            of matchExpressions, whose
+                                                            key field is "key", the
+                                                            operator is "In", and
+                                                            the values array contains
+                                                            only "value". The requirements
+                                                            are ANDed.
+                                                          type: object
+                                                      type: object
+                                                    namespaces:
+                                                      description: namespaces specifies
+                                                        which namespaces the labelSelector
+                                                        applies to (matches against);
+                                                        null or empty list means "this
+                                                        pod's namespace"
+                                                      items:
+                                                        type: string
+                                                      type: array
+                                                    topologyKey:
+                                                      description: This pod should
+                                                        be co-located (affinity) or
+                                                        not co-located (anti-affinity)
+                                                        with the pods matching the
+                                                        labelSelector in the specified
+                                                        namespaces, where co-located
+                                                        is defined as running on a
+                                                        node whose value of the label
+                                                        with key topologyKey matches
+                                                        that of any node on which
+                                                        any of the selected pods is
+                                                        running. Empty topologyKey
+                                                        is not allowed.
+                                                      type: string
+                                                  required:
+                                                  - topologyKey
+                                                  type: object
+                                                weight:
+                                                  description: weight associated with
+                                                    matching the corresponding podAffinityTerm,
+                                                    in the range 1-100.
+                                                  format: int32
+                                                  type: integer
+                                              required:
+                                              - podAffinityTerm
+                                              - weight
+                                              type: object
+                                            type: array
+                                          requiredDuringSchedulingIgnoredDuringExecution:
+                                            description: If the affinity requirements
+                                              specified by this field are not met
+                                              at scheduling time, the pod will not
+                                              be scheduled onto the node. If the affinity
+                                              requirements specified by this field
+                                              cease to be met at some point during
+                                              pod execution (e.g. due to a pod label
+                                              update), the system may or may not try
+                                              to eventually evict the pod from its
+                                              node. When there are multiple elements,
+                                              the lists of nodes corresponding to
+                                              each podAffinityTerm are intersected,
+                                              i.e. all terms must be satisfied.
+                                            items:
+                                              description: Defines a set of pods (namely
+                                                those matching the labelSelector relative
+                                                to the given namespace(s)) that this
+                                                pod should be co-located (affinity)
+                                                or not co-located (anti-affinity)
+                                                with, where co-located is defined
+                                                as running on a node whose value of
+                                                the label with key <topologyKey> matches
+                                                that of any node on which a pod of
+                                                the set of pods is running
+                                              properties:
+                                                labelSelector:
+                                                  description: A label query over
+                                                    a set of resources, in this case
+                                                    pods.
+                                                  properties:
+                                                    matchExpressions:
+                                                      description: matchExpressions
+                                                        is a list of label selector
+                                                        requirements. The requirements
+                                                        are ANDed.
+                                                      items:
+                                                        description: A label selector
+                                                          requirement is a selector
+                                                          that contains values, a
+                                                          key, and an operator that
+                                                          relates the key and values.
+                                                        properties:
+                                                          key:
+                                                            description: key is the
+                                                              label key that the selector
+                                                              applies to.
+                                                            type: string
+                                                          operator:
+                                                            description: operator
+                                                              represents a key's relationship
+                                                              to a set of values.
+                                                              Valid operators are
+                                                              In, NotIn, Exists and
+                                                              DoesNotExist.
+                                                            type: string
+                                                          values:
+                                                            description: values is
+                                                              an array of string values.
+                                                              If the operator is In
+                                                              or NotIn, the values
+                                                              array must be non-empty.
+                                                              If the operator is Exists
+                                                              or DoesNotExist, the
+                                                              values array must be
+                                                              empty. This array is
+                                                              replaced during a strategic
+                                                              merge patch.
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                        required:
+                                                        - key
+                                                        - operator
+                                                        type: object
+                                                      type: array
+                                                    matchLabels:
+                                                      additionalProperties:
+                                                        type: string
+                                                      description: matchLabels is
+                                                        a map of {key,value} pairs.
+                                                        A single {key,value} in the
+                                                        matchLabels map is equivalent
+                                                        to an element of matchExpressions,
+                                                        whose key field is "key",
+                                                        the operator is "In", and
+                                                        the values array contains
+                                                        only "value". The requirements
+                                                        are ANDed.
+                                                      type: object
+                                                  type: object
+                                                namespaces:
+                                                  description: namespaces specifies
+                                                    which namespaces the labelSelector
+                                                    applies to (matches against);
+                                                    null or empty list means "this
+                                                    pod's namespace"
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                                topologyKey:
+                                                  description: This pod should be
+                                                    co-located (affinity) or not co-located
+                                                    (anti-affinity) with the pods
+                                                    matching the labelSelector in
+                                                    the specified namespaces, where
+                                                    co-located is defined as running
+                                                    on a node whose value of the label
+                                                    with key topologyKey matches that
+                                                    of any node on which any of the
+                                                    selected pods is running. Empty
+                                                    topologyKey is not allowed.
+                                                  type: string
+                                              required:
+                                              - topologyKey
+                                              type: object
+                                            type: array
+                                        type: object
+                                      podAntiAffinity:
+                                        description: Describes pod anti-affinity scheduling
+                                          rules (e.g. avoid putting this pod in the
+                                          same node, zone, etc. as some other pod(s)).
+                                        properties:
+                                          preferredDuringSchedulingIgnoredDuringExecution:
+                                            description: The scheduler will prefer
+                                              to schedule pods to nodes that satisfy
+                                              the anti-affinity expressions specified
+                                              by this field, but it may choose a node
+                                              that violates one or more of the expressions.
+                                              The node that is most preferred is the
+                                              one with the greatest sum of weights,
+                                              i.e. for each node that meets all of
+                                              the scheduling requirements (resource
+                                              request, requiredDuringScheduling anti-affinity
+                                              expressions, etc.), compute a sum by
+                                              iterating through the elements of this
+                                              field and adding "weight" to the sum
+                                              if the node has pods which matches the
+                                              corresponding podAffinityTerm; the node(s)
+                                              with the highest sum are the most preferred.
+                                            items:
+                                              description: The weights of all of the
+                                                matched WeightedPodAffinityTerm fields
+                                                are added per-node to find the most
+                                                preferred node(s)
+                                              properties:
+                                                podAffinityTerm:
+                                                  description: Required. A pod affinity
+                                                    term, associated with the corresponding
+                                                    weight.
+                                                  properties:
+                                                    labelSelector:
+                                                      description: A label query over
+                                                        a set of resources, in this
+                                                        case pods.
+                                                      properties:
+                                                        matchExpressions:
+                                                          description: matchExpressions
+                                                            is a list of label selector
+                                                            requirements. The requirements
+                                                            are ANDed.
+                                                          items:
+                                                            description: A label selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            properties:
+                                                              key:
+                                                                description: key is
+                                                                  the label key that
+                                                                  the selector applies
+                                                                  to.
+                                                                type: string
+                                                              operator:
+                                                                description: operator
+                                                                  represents a key's
+                                                                  relationship to
+                                                                  a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists
+                                                                  and DoesNotExist.
+                                                                type: string
+                                                              values:
+                                                                description: values
+                                                                  is an array of string
+                                                                  values. If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                items:
+                                                                  type: string
+                                                                type: array
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            type: object
+                                                          type: array
+                                                        matchLabels:
+                                                          additionalProperties:
+                                                            type: string
+                                                          description: matchLabels
+                                                            is a map of {key,value}
+                                                            pairs. A single {key,value}
+                                                            in the matchLabels map
+                                                            is equivalent to an element
+                                                            of matchExpressions, whose
+                                                            key field is "key", the
+                                                            operator is "In", and
+                                                            the values array contains
+                                                            only "value". The requirements
+                                                            are ANDed.
+                                                          type: object
+                                                      type: object
+                                                    namespaces:
+                                                      description: namespaces specifies
+                                                        which namespaces the labelSelector
+                                                        applies to (matches against);
+                                                        null or empty list means "this
+                                                        pod's namespace"
+                                                      items:
+                                                        type: string
+                                                      type: array
+                                                    topologyKey:
+                                                      description: This pod should
+                                                        be co-located (affinity) or
+                                                        not co-located (anti-affinity)
+                                                        with the pods matching the
+                                                        labelSelector in the specified
+                                                        namespaces, where co-located
+                                                        is defined as running on a
+                                                        node whose value of the label
+                                                        with key topologyKey matches
+                                                        that of any node on which
+                                                        any of the selected pods is
+                                                        running. Empty topologyKey
+                                                        is not allowed.
+                                                      type: string
+                                                  required:
+                                                  - topologyKey
+                                                  type: object
+                                                weight:
+                                                  description: weight associated with
+                                                    matching the corresponding podAffinityTerm,
+                                                    in the range 1-100.
+                                                  format: int32
+                                                  type: integer
+                                              required:
+                                              - podAffinityTerm
+                                              - weight
+                                              type: object
+                                            type: array
+                                          requiredDuringSchedulingIgnoredDuringExecution:
+                                            description: If the anti-affinity requirements
+                                              specified by this field are not met
+                                              at scheduling time, the pod will not
+                                              be scheduled onto the node. If the anti-affinity
+                                              requirements specified by this field
+                                              cease to be met at some point during
+                                              pod execution (e.g. due to a pod label
+                                              update), the system may or may not try
+                                              to eventually evict the pod from its
+                                              node. When there are multiple elements,
+                                              the lists of nodes corresponding to
+                                              each podAffinityTerm are intersected,
+                                              i.e. all terms must be satisfied.
+                                            items:
+                                              description: Defines a set of pods (namely
+                                                those matching the labelSelector relative
+                                                to the given namespace(s)) that this
+                                                pod should be co-located (affinity)
+                                                or not co-located (anti-affinity)
+                                                with, where co-located is defined
+                                                as running on a node whose value of
+                                                the label with key <topologyKey> matches
+                                                that of any node on which a pod of
+                                                the set of pods is running
+                                              properties:
+                                                labelSelector:
+                                                  description: A label query over
+                                                    a set of resources, in this case
+                                                    pods.
+                                                  properties:
+                                                    matchExpressions:
+                                                      description: matchExpressions
+                                                        is a list of label selector
+                                                        requirements. The requirements
+                                                        are ANDed.
+                                                      items:
+                                                        description: A label selector
+                                                          requirement is a selector
+                                                          that contains values, a
+                                                          key, and an operator that
+                                                          relates the key and values.
+                                                        properties:
+                                                          key:
+                                                            description: key is the
+                                                              label key that the selector
+                                                              applies to.
+                                                            type: string
+                                                          operator:
+                                                            description: operator
+                                                              represents a key's relationship
+                                                              to a set of values.
+                                                              Valid operators are
+                                                              In, NotIn, Exists and
+                                                              DoesNotExist.
+                                                            type: string
+                                                          values:
+                                                            description: values is
+                                                              an array of string values.
+                                                              If the operator is In
+                                                              or NotIn, the values
+                                                              array must be non-empty.
+                                                              If the operator is Exists
+                                                              or DoesNotExist, the
+                                                              values array must be
+                                                              empty. This array is
+                                                              replaced during a strategic
+                                                              merge patch.
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                        required:
+                                                        - key
+                                                        - operator
+                                                        type: object
+                                                      type: array
+                                                    matchLabels:
+                                                      additionalProperties:
+                                                        type: string
+                                                      description: matchLabels is
+                                                        a map of {key,value} pairs.
+                                                        A single {key,value} in the
+                                                        matchLabels map is equivalent
+                                                        to an element of matchExpressions,
+                                                        whose key field is "key",
+                                                        the operator is "In", and
+                                                        the values array contains
+                                                        only "value". The requirements
+                                                        are ANDed.
+                                                      type: object
+                                                  type: object
+                                                namespaces:
+                                                  description: namespaces specifies
+                                                    which namespaces the labelSelector
+                                                    applies to (matches against);
+                                                    null or empty list means "this
+                                                    pod's namespace"
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                                topologyKey:
+                                                  description: This pod should be
+                                                    co-located (affinity) or not co-located
+                                                    (anti-affinity) with the pods
+                                                    matching the labelSelector in
+                                                    the specified namespaces, where
+                                                    co-located is defined as running
+                                                    on a node whose value of the label
+                                                    with key topologyKey matches that
+                                                    of any node on which any of the
+                                                    selected pods is running. Empty
+                                                    topologyKey is not allowed.
+                                                  type: string
+                                              required:
+                                              - topologyKey
+                                              type: object
+                                            type: array
+                                        type: object
+                                    type: object
+                                  nodeSelector:
+                                    additionalProperties:
+                                      type: string
+                                    description: 'NodeSelector is a selector which
+                                      must be true for the pod to fit on a node. Selector
+                                      which must match a node''s labels for the pod
+                                      to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
+                                    type: object
+                                  priorityClassName:
+                                    description: If specified, the pod's priorityClassName.
+                                    type: string
+                                  serviceAccountName:
+                                    description: If specified, the pod's service account
+                                    type: string
+                                  tolerations:
+                                    description: If specified, the pod's tolerations.
+                                    items:
+                                      description: The pod this Toleration is attached
+                                        to tolerates any taint that matches the triple
+                                        <key,value,effect> using the matching operator
+                                        <operator>.
+                                      properties:
+                                        effect:
+                                          description: Effect indicates the taint
+                                            effect to match. Empty means match all
+                                            taint effects. When specified, allowed
+                                            values are NoSchedule, PreferNoSchedule
+                                            and NoExecute.
+                                          type: string
+                                        key:
+                                          description: Key is the taint key that the
+                                            toleration applies to. Empty means match
+                                            all taint keys. If the key is empty, operator
+                                            must be Exists; this combination means
+                                            to match all values and all keys.
+                                          type: string
+                                        operator:
+                                          description: Operator represents a key's
+                                            relationship to the value. Valid operators
+                                            are Exists and Equal. Defaults to Equal.
+                                            Exists is equivalent to wildcard for value,
+                                            so that a pod can tolerate all taints
+                                            of a particular category.
+                                          type: string
+                                        tolerationSeconds:
+                                          description: TolerationSeconds represents
+                                            the period of time the toleration (which
+                                            must be of effect NoExecute, otherwise
+                                            this field is ignored) tolerates the taint.
+                                            By default, it is not set, which means
+                                            tolerate the taint forever (do not evict).
+                                            Zero and negative values will be treated
+                                            as 0 (evict immediately) by the system.
+                                          format: int64
+                                          type: integer
+                                        value:
+                                          description: Value is the taint value the
+                                            toleration matches to. If the operator
+                                            is Exists, the value should be empty,
+                                            otherwise just a regular string.
+                                          type: string
+                                      type: object
+                                    type: array
+                                type: object
+                            type: object
+                          serviceType:
+                            description: Optional service type for Kubernetes solver
+                              service
+                            type: string
+                        type: object
+                    type: object
+                  selector:
+                    description: Selector selects a set of DNSNames on the Certificate
+                      resource that should be solved using this challenge solver.
+                      If not specified, the solver will be treated as the 'default'
+                      solver with the lowest priority, i.e. if any other solver has
+                      a more specific match, it will be used instead.
+                    properties:
+                      dnsNames:
+                        description: List of DNSNames that this solver will be used
+                          to solve. If specified and a match is found, a dnsNames
+                          selector will take precedence over a dnsZones selector.
+                          If multiple solvers match with the same dnsNames value,
+                          the solver with the most matching labels in matchLabels
+                          will be selected. If neither has more matches, the solver
+                          defined earlier in the list will be selected.
+                        items:
+                          type: string
+                        type: array
+                      dnsZones:
+                        description: List of DNSZones that this solver will be used
+                          to solve. The most specific DNS zone match specified here
+                          will take precedence over other DNS zone matches, so a solver
+                          specifying sys.example.com will be selected over one specifying
+                          example.com for the domain www.sys.example.com. If multiple
+                          solvers match with the same dnsZones value, the solver with
+                          the most matching labels in matchLabels will be selected.
+                          If neither has more matches, the solver defined earlier
+                          in the list will be selected.
+                        items:
+                          type: string
+                        type: array
+                      matchLabels:
+                        additionalProperties:
+                          type: string
+                        description: A label selector that is used to refine the set
+                          of certificate's that this challenge solver will apply to.
+                        type: object
+                    type: object
+                type: object
+              token:
+                description: Token is the ACME challenge token for this challenge.
+                  This is the raw value returned from the ACME server.
+                type: string
+              type:
+                description: Type is the type of ACME challenge this resource represents.
+                  One of "http-01" or "dns-01".
+                enum:
+                - http-01
+                - dns-01
+                type: string
+              url:
+                description: URL is the URL of the ACME Challenge resource for this
+                  challenge. This can be used to lookup details about the status of
+                  this challenge.
+                type: string
+              wildcard:
+                description: Wildcard will be true if this challenge is for a wildcard
+                  identifier, for example '*.example.com'.
+                type: boolean
+            required:
+            - authzURL
+            - dnsName
+            - issuerRef
+            - key
+            - solver
+            - token
+            - type
+            - url
+            type: object
+          status:
+            properties:
+              presented:
+                description: Presented will be set to true if the challenge values
+                  for this challenge are currently 'presented'. This *does not* imply
+                  the self check is passing. Only that the values have been 'submitted'
+                  for the appropriate challenge mechanism (i.e. the DNS01 TXT record
+                  has been presented, or the HTTP01 configuration has been configured).
+                type: boolean
+              processing:
+                description: Processing is used to denote whether this challenge should
+                  be processed or not. This field will only be set to true by the
+                  'scheduling' component. It will only be set to false by the 'challenges'
+                  controller, after the challenge has reached a final state or timed
+                  out. If this field is set to false, the challenge controller will
+                  not take any more action.
+                type: boolean
+              reason:
+                description: Reason contains human readable information on why the
+                  Challenge is in the current state.
+                type: string
+              state:
+                description: State contains the current 'state' of the challenge.
+                  If not set, the state of the challenge is unknown.
+                enum:
+                - valid
+                - ready
+                - pending
+                - processing
+                - invalid
+                - expired
+                - errored
+                type: string
+            type: object
+        required:
+        - metadata
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .status.state
+      name: State
+      type: string
+    - jsonPath: .spec.dnsName
+      name: Domain
+      type: string
+    - jsonPath: .status.reason
+      name: Reason
+      priority: 1
+      type: string
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC.
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        description: Challenge is a type to represent a Challenge request with an
+          ACME server
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              authzURL:
+                description: AuthzURL is the URL to the ACME Authorization resource
+                  that this challenge is a part of.
+                type: string
+              dnsName:
+                description: DNSName is the identifier that this challenge is for,
+                  e.g. example.com. If the requested DNSName is a 'wildcard', this
+                  field MUST be set to the non-wildcard domain, e.g. for `*.example.com`,
+                  it must be `example.com`.
+                type: string
+              issuerRef:
+                description: IssuerRef references a properly configured ACME-type
+                  Issuer which should be used to create this Challenge. If the Issuer
+                  does not exist, processing will be retried. If the Issuer is not
+                  an 'ACME' Issuer, an error will be returned and the Challenge will
+                  be marked as failed.
+                properties:
+                  group:
+                    description: Group of the resource being referred to.
+                    type: string
+                  kind:
+                    description: Kind of the resource being referred to.
+                    type: string
+                  name:
+                    description: Name of the resource being referred to.
+                    type: string
+                required:
+                - name
+                type: object
+              key:
+                description: 'Key is the ACME challenge key for this challenge For
+                  HTTP01 challenges, this is the value that must be responded with
+                  to complete the HTTP01 challenge in the format: `<private key JWK
+                  thumbprint>.<key from acme server for challenge>`. For DNS01 challenges,
+                  this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key
+                  from acme server for challenge>` text that must be set as the TXT
+                  record content.'
+                type: string
+              solver:
+                description: Solver contains the domain solving configuration that
+                  should be used to solve this challenge resource.
+                properties:
+                  dns01:
+                    description: Configures cert-manager to attempt to complete authorizations
+                      by performing the DNS01 challenge flow.
+                    properties:
+                      acmedns:
+                        description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
+                          API to manage DNS01 challenge records.
+                        properties:
+                          accountSecretRef:
+                            description: A reference to a specific 'key' within a
+                              Secret resource. In some instances, `key` is a required
+                              field.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          host:
+                            type: string
+                        required:
+                        - accountSecretRef
+                        - host
+                        type: object
+                      akamai:
+                        description: Use the Akamai DNS zone management API to manage
+                          DNS01 challenge records.
+                        properties:
+                          accessTokenSecretRef:
+                            description: A reference to a specific 'key' within a
+                              Secret resource. In some instances, `key` is a required
+                              field.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          clientSecretSecretRef:
+                            description: A reference to a specific 'key' within a
+                              Secret resource. In some instances, `key` is a required
+                              field.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          clientTokenSecretRef:
+                            description: A reference to a specific 'key' within a
+                              Secret resource. In some instances, `key` is a required
+                              field.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          serviceConsumerDomain:
+                            type: string
+                        required:
+                        - accessTokenSecretRef
+                        - clientSecretSecretRef
+                        - clientTokenSecretRef
+                        - serviceConsumerDomain
+                        type: object
+                      azuredns:
+                        description: Use the Microsoft Azure DNS API to manage DNS01
+                          challenge records.
+                        properties:
+                          clientID:
+                            description: if both this and ClientSecret are left unset
+                              MSI will be used
+                            type: string
+                          clientSecretSecretRef:
+                            description: if both this and ClientID are left unset
+                              MSI will be used
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          environment:
+                            enum:
+                            - AzurePublicCloud
+                            - AzureChinaCloud
+                            - AzureGermanCloud
+                            - AzureUSGovernmentCloud
+                            type: string
+                          hostedZoneName:
+                            type: string
+                          resourceGroupName:
+                            type: string
+                          subscriptionID:
+                            type: string
+                          tenantID:
+                            description: when specifying ClientID and ClientSecret
+                              then this field is also needed
+                            type: string
+                        required:
+                        - resourceGroupName
+                        - subscriptionID
+                        type: object
+                      clouddns:
+                        description: Use the Google Cloud DNS API to manage DNS01
+                          challenge records.
+                        properties:
+                          hostedZoneName:
+                            description: HostedZoneName is an optional field that
+                              tells cert-manager in which Cloud DNS zone the challenge
+                              record has to be created. If left empty cert-manager
+                              will automatically choose a zone.
+                            type: string
+                          project:
+                            type: string
+                          serviceAccountSecretRef:
+                            description: A reference to a specific 'key' within a
+                              Secret resource. In some instances, `key` is a required
+                              field.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - project
+                        type: object
+                      cloudflare:
+                        description: Use the Cloudflare API to manage DNS01 challenge
+                          records.
+                        properties:
+                          apiKeySecretRef:
+                            description: 'API key to use to authenticate with Cloudflare.
+                              Note: using an API token to authenticate is now the
+                              recommended method as it allows greater control of permissions.'
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          apiTokenSecretRef:
+                            description: API token used to authenticate with Cloudflare.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          email:
+                            description: Email of the account, only required when
+                              using API key based authentication.
+                            type: string
+                        type: object
+                      cnameStrategy:
+                        description: CNAMEStrategy configures how the DNS01 provider
+                          should handle CNAME records when found in DNS zones.
+                        enum:
+                        - None
+                        - Follow
+                        type: string
+                      digitalocean:
+                        description: Use the DigitalOcean DNS API to manage DNS01
+                          challenge records.
+                        properties:
+                          tokenSecretRef:
+                            description: A reference to a specific 'key' within a
+                              Secret resource. In some instances, `key` is a required
+                              field.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - tokenSecretRef
+                        type: object
+                      rfc2136:
+                        description: Use RFC2136 ("Dynamic Updates in the Domain Name
+                          System") (https://datatracker.ietf.org/doc/rfc2136/) to
+                          manage DNS01 challenge records.
+                        properties:
+                          nameserver:
+                            description: The IP address or hostname of an authoritative
+                              DNS server supporting RFC2136 in the form host:port.
+                              If the host is an IPv6 address it must be enclosed in
+                              square brackets (e.g [2001:db8::1]) ; port is optional.
+                              This field is required.
+                            type: string
+                          tsigAlgorithm:
+                            description: 'The TSIG Algorithm configured in the DNS
+                              supporting RFC2136. Used only when ``tsigSecretSecretRef``
+                              and ``tsigKeyName`` are defined. Supported values are
+                              (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``,
+                              ``HMACSHA256`` or ``HMACSHA512``.'
+                            type: string
+                          tsigKeyName:
+                            description: The TSIG Key name configured in the DNS.
+                              If ``tsigSecretSecretRef`` is defined, this field is
+                              required.
+                            type: string
+                          tsigSecretSecretRef:
+                            description: The name of the secret containing the TSIG
+                              value. If ``tsigKeyName`` is defined, this field is
+                              required.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - nameserver
+                        type: object
+                      route53:
+                        description: Use the AWS Route53 API to manage DNS01 challenge
+                          records.
+                        properties:
+                          accessKeyID:
+                            description: 'The AccessKeyID is used for authentication.
+                              If not set we fall-back to using env vars, shared credentials
+                              file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                            type: string
+                          hostedZoneID:
+                            description: If set, the provider will manage only this
+                              zone in Route53 and will not do an lookup using the
+                              route53:ListHostedZonesByName api call.
+                            type: string
+                          region:
+                            description: Always set the region when using AccessKeyID
+                              and SecretAccessKey
+                            type: string
+                          role:
+                            description: Role is a Role ARN which the Route53 provider
+                              will assume using either the explicit credentials AccessKeyID/SecretAccessKey
+                              or the inferred credentials from environment variables,
+                              shared credentials file or AWS Instance metadata
+                            type: string
+                          secretAccessKeySecretRef:
+                            description: The SecretAccessKey is used for authentication.
+                              If not set we fall-back to using env vars, shared credentials
+                              file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - region
+                        type: object
+                      webhook:
+                        description: Configure an external webhook based DNS01 challenge
+                          solver to manage DNS01 challenge records.
+                        properties:
+                          config:
+                            description: Additional configuration that should be passed
+                              to the webhook apiserver when challenges are processed.
+                              This can contain arbitrary JSON data. Secret values
+                              should not be specified in this stanza. If secret values
+                              are needed (e.g. credentials for a DNS service), you
+                              should use a SecretKeySelector to reference a Secret
+                              resource. For details on the schema of this field, consult
+                              the webhook provider implementation's documentation.
+                            x-kubernetes-preserve-unknown-fields: true
+                          groupName:
+                            description: The API group name that should be used when
+                              POSTing ChallengePayload resources to the webhook apiserver.
+                              This should be the same as the GroupName specified in
+                              the webhook provider implementation.
+                            type: string
+                          solverName:
+                            description: The name of the solver to use, as defined
+                              in the webhook provider implementation. This will typically
+                              be the name of the provider, e.g. 'cloudflare'.
+                            type: string
+                        required:
+                        - groupName
+                        - solverName
+                        type: object
+                    type: object
+                  http01:
+                    description: Configures cert-manager to attempt to complete authorizations
+                      by performing the HTTP01 challenge flow. It is not possible
+                      to obtain certificates for wildcard domain names (e.g. `*.example.com`)
+                      using the HTTP01 challenge mechanism.
+                    properties:
+                      ingress:
+                        description: The ingress based HTTP01 challenge solver will
+                          solve challenges by creating or modifying Ingress resources
+                          in order to route requests for '/.well-known/acme-challenge/XYZ'
+                          to 'challenge solver' pods that are provisioned by cert-manager
+                          for each Challenge to be completed.
+                        properties:
+                          class:
+                            description: The ingress class to use when creating Ingress
+                              resources to solve ACME challenges that use this challenge
+                              solver. Only one of 'class' or 'name' may be specified.
+                            type: string
+                          ingressTemplate:
+                            description: Optional ingress template used to configure
+                              the ACME challenge solver ingress used for HTTP01 challenges
+                            properties:
+                              metadata:
+                                description: ObjectMeta overrides for the ingress
+                                  used to solve HTTP01 challenges. Only the 'labels'
+                                  and 'annotations' fields may be set. If labels or
+                                  annotations overlap with in-built values, the values
+                                  here will override the in-built values.
+                                properties:
+                                  annotations:
+                                    additionalProperties:
+                                      type: string
+                                    description: Annotations that should be added
+                                      to the created ACME HTTP01 solver ingress.
+                                    type: object
+                                  labels:
+                                    additionalProperties:
+                                      type: string
+                                    description: Labels that should be added to the
+                                      created ACME HTTP01 solver ingress.
+                                    type: object
+                                type: object
+                            type: object
+                          name:
+                            description: The name of the ingress resource that should
+                              have ACME challenge solving routes inserted into it
+                              in order to solve HTTP01 challenges. This is typically
+                              used in conjunction with ingress controllers like ingress-gce,
+                              which maintains a 1:1 mapping between external IPs and
+                              ingress resources.
+                            type: string
+                          podTemplate:
+                            description: Optional pod template used to configure the
+                              ACME challenge solver pods used for HTTP01 challenges
+                            properties:
+                              metadata:
+                                description: ObjectMeta overrides for the pod used
+                                  to solve HTTP01 challenges. Only the 'labels' and
+                                  'annotations' fields may be set. If labels or annotations
+                                  overlap with in-built values, the values here will
+                                  override the in-built values.
+                                properties:
+                                  annotations:
+                                    additionalProperties:
+                                      type: string
+                                    description: Annotations that should be added
+                                      to the create ACME HTTP01 solver pods.
+                                    type: object
+                                  labels:
+                                    additionalProperties:
+                                      type: string
+                                    description: Labels that should be added to the
+                                      created ACME HTTP01 solver pods.
+                                    type: object
+                                type: object
+                              spec:
+                                description: PodSpec defines overrides for the HTTP01
+                                  challenge solver pod. Only the 'priorityClassName',
+                                  'nodeSelector', 'affinity', 'serviceAccountName'
+                                  and 'tolerations' fields are supported currently.
+                                  All other fields will be ignored.
+                                properties:
+                                  affinity:
+                                    description: If specified, the pod's scheduling
+                                      constraints
+                                    properties:
+                                      nodeAffinity:
+                                        description: Describes node affinity scheduling
+                                          rules for the pod.
+                                        properties:
+                                          preferredDuringSchedulingIgnoredDuringExecution:
+                                            description: The scheduler will prefer
+                                              to schedule pods to nodes that satisfy
+                                              the affinity expressions specified by
+                                              this field, but it may choose a node
+                                              that violates one or more of the expressions.
+                                              The node that is most preferred is the
+                                              one with the greatest sum of weights,
+                                              i.e. for each node that meets all of
+                                              the scheduling requirements (resource
+                                              request, requiredDuringScheduling affinity
+                                              expressions, etc.), compute a sum by
+                                              iterating through the elements of this
+                                              field and adding "weight" to the sum
+                                              if the node matches the corresponding
+                                              matchExpressions; the node(s) with the
+                                              highest sum are the most preferred.
+                                            items:
+                                              description: An empty preferred scheduling
+                                                term matches all objects with implicit
+                                                weight 0 (i.e. it's a no-op). A null
+                                                preferred scheduling term matches
+                                                no objects (i.e. is also a no-op).
+                                              properties:
+                                                preference:
+                                                  description: A node selector term,
+                                                    associated with the corresponding
+                                                    weight.
+                                                  properties:
+                                                    matchExpressions:
+                                                      description: A list of node
+                                                        selector requirements by node's
+                                                        labels.
+                                                      items:
+                                                        description: A node selector
+                                                          requirement is a selector
+                                                          that contains values, a
+                                                          key, and an operator that
+                                                          relates the key and values.
+                                                        properties:
+                                                          key:
+                                                            description: The label
+                                                              key that the selector
+                                                              applies to.
+                                                            type: string
+                                                          operator:
+                                                            description: Represents
+                                                              a key's relationship
+                                                              to a set of values.
+                                                              Valid operators are
+                                                              In, NotIn, Exists, DoesNotExist.
+                                                              Gt, and Lt.
+                                                            type: string
+                                                          values:
+                                                            description: An array
+                                                              of string values. If
+                                                              the operator is In or
+                                                              NotIn, the values array
+                                                              must be non-empty. If
+                                                              the operator is Exists
+                                                              or DoesNotExist, the
+                                                              values array must be
+                                                              empty. If the operator
+                                                              is Gt or Lt, the values
+                                                              array must have a single
+                                                              element, which will
+                                                              be interpreted as an
+                                                              integer. This array
+                                                              is replaced during a
+                                                              strategic merge patch.
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                        required:
+                                                        - key
+                                                        - operator
+                                                        type: object
+                                                      type: array
+                                                    matchFields:
+                                                      description: A list of node
+                                                        selector requirements by node's
+                                                        fields.
+                                                      items:
+                                                        description: A node selector
+                                                          requirement is a selector
+                                                          that contains values, a
+                                                          key, and an operator that
+                                                          relates the key and values.
+                                                        properties:
+                                                          key:
+                                                            description: The label
+                                                              key that the selector
+                                                              applies to.
+                                                            type: string
+                                                          operator:
+                                                            description: Represents
+                                                              a key's relationship
+                                                              to a set of values.
+                                                              Valid operators are
+                                                              In, NotIn, Exists, DoesNotExist.
+                                                              Gt, and Lt.
+                                                            type: string
+                                                          values:
+                                                            description: An array
+                                                              of string values. If
+                                                              the operator is In or
+                                                              NotIn, the values array
+                                                              must be non-empty. If
+                                                              the operator is Exists
+                                                              or DoesNotExist, the
+                                                              values array must be
+                                                              empty. If the operator
+                                                              is Gt or Lt, the values
+                                                              array must have a single
+                                                              element, which will
+                                                              be interpreted as an
+                                                              integer. This array
+                                                              is replaced during a
+                                                              strategic merge patch.
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                        required:
+                                                        - key
+                                                        - operator
+                                                        type: object
+                                                      type: array
+                                                  type: object
+                                                weight:
+                                                  description: Weight associated with
+                                                    matching the corresponding nodeSelectorTerm,
+                                                    in the range 1-100.
+                                                  format: int32
+                                                  type: integer
+                                              required:
+                                              - preference
+                                              - weight
+                                              type: object
+                                            type: array
+                                          requiredDuringSchedulingIgnoredDuringExecution:
+                                            description: If the affinity requirements
+                                              specified by this field are not met
+                                              at scheduling time, the pod will not
+                                              be scheduled onto the node. If the affinity
+                                              requirements specified by this field
+                                              cease to be met at some point during
+                                              pod execution (e.g. due to an update),
+                                              the system may or may not try to eventually
+                                              evict the pod from its node.
+                                            properties:
+                                              nodeSelectorTerms:
+                                                description: Required. A list of node
+                                                  selector terms. The terms are ORed.
+                                                items:
+                                                  description: A null or empty node
+                                                    selector term matches no objects.
+                                                    The requirements of them are ANDed.
+                                                    The TopologySelectorTerm type
+                                                    implements a subset of the NodeSelectorTerm.
+                                                  properties:
+                                                    matchExpressions:
+                                                      description: A list of node
+                                                        selector requirements by node's
+                                                        labels.
+                                                      items:
+                                                        description: A node selector
+                                                          requirement is a selector
+                                                          that contains values, a
+                                                          key, and an operator that
+                                                          relates the key and values.
+                                                        properties:
+                                                          key:
+                                                            description: The label
+                                                              key that the selector
+                                                              applies to.
+                                                            type: string
+                                                          operator:
+                                                            description: Represents
+                                                              a key's relationship
+                                                              to a set of values.
+                                                              Valid operators are
+                                                              In, NotIn, Exists, DoesNotExist.
+                                                              Gt, and Lt.
+                                                            type: string
+                                                          values:
+                                                            description: An array
+                                                              of string values. If
+                                                              the operator is In or
+                                                              NotIn, the values array
+                                                              must be non-empty. If
+                                                              the operator is Exists
+                                                              or DoesNotExist, the
+                                                              values array must be
+                                                              empty. If the operator
+                                                              is Gt or Lt, the values
+                                                              array must have a single
+                                                              element, which will
+                                                              be interpreted as an
+                                                              integer. This array
+                                                              is replaced during a
+                                                              strategic merge patch.
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                        required:
+                                                        - key
+                                                        - operator
+                                                        type: object
+                                                      type: array
+                                                    matchFields:
+                                                      description: A list of node
+                                                        selector requirements by node's
+                                                        fields.
+                                                      items:
+                                                        description: A node selector
+                                                          requirement is a selector
+                                                          that contains values, a
+                                                          key, and an operator that
+                                                          relates the key and values.
+                                                        properties:
+                                                          key:
+                                                            description: The label
+                                                              key that the selector
+                                                              applies to.
+                                                            type: string
+                                                          operator:
+                                                            description: Represents
+                                                              a key's relationship
+                                                              to a set of values.
+                                                              Valid operators are
+                                                              In, NotIn, Exists, DoesNotExist.
+                                                              Gt, and Lt.
+                                                            type: string
+                                                          values:
+                                                            description: An array
+                                                              of string values. If
+                                                              the operator is In or
+                                                              NotIn, the values array
+                                                              must be non-empty. If
+                                                              the operator is Exists
+                                                              or DoesNotExist, the
+                                                              values array must be
+                                                              empty. If the operator
+                                                              is Gt or Lt, the values
+                                                              array must have a single
+                                                              element, which will
+                                                              be interpreted as an
+                                                              integer. This array
+                                                              is replaced during a
+                                                              strategic merge patch.
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                        required:
+                                                        - key
+                                                        - operator
+                                                        type: object
+                                                      type: array
+                                                  type: object
+                                                type: array
+                                            required:
+                                            - nodeSelectorTerms
+                                            type: object
+                                        type: object
+                                      podAffinity:
+                                        description: Describes pod affinity scheduling
+                                          rules (e.g. co-locate this pod in the same
+                                          node, zone, etc. as some other pod(s)).
+                                        properties:
+                                          preferredDuringSchedulingIgnoredDuringExecution:
+                                            description: The scheduler will prefer
+                                              to schedule pods to nodes that satisfy
+                                              the affinity expressions specified by
+                                              this field, but it may choose a node
+                                              that violates one or more of the expressions.
+                                              The node that is most preferred is the
+                                              one with the greatest sum of weights,
+                                              i.e. for each node that meets all of
+                                              the scheduling requirements (resource
+                                              request, requiredDuringScheduling affinity
+                                              expressions, etc.), compute a sum by
+                                              iterating through the elements of this
+                                              field and adding "weight" to the sum
+                                              if the node has pods which matches the
+                                              corresponding podAffinityTerm; the node(s)
+                                              with the highest sum are the most preferred.
+                                            items:
+                                              description: The weights of all of the
+                                                matched WeightedPodAffinityTerm fields
+                                                are added per-node to find the most
+                                                preferred node(s)
+                                              properties:
+                                                podAffinityTerm:
+                                                  description: Required. A pod affinity
+                                                    term, associated with the corresponding
+                                                    weight.
+                                                  properties:
+                                                    labelSelector:
+                                                      description: A label query over
+                                                        a set of resources, in this
+                                                        case pods.
+                                                      properties:
+                                                        matchExpressions:
+                                                          description: matchExpressions
+                                                            is a list of label selector
+                                                            requirements. The requirements
+                                                            are ANDed.
+                                                          items:
+                                                            description: A label selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            properties:
+                                                              key:
+                                                                description: key is
+                                                                  the label key that
+                                                                  the selector applies
+                                                                  to.
+                                                                type: string
+                                                              operator:
+                                                                description: operator
+                                                                  represents a key's
+                                                                  relationship to
+                                                                  a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists
+                                                                  and DoesNotExist.
+                                                                type: string
+                                                              values:
+                                                                description: values
+                                                                  is an array of string
+                                                                  values. If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                items:
+                                                                  type: string
+                                                                type: array
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            type: object
+                                                          type: array
+                                                        matchLabels:
+                                                          additionalProperties:
+                                                            type: string
+                                                          description: matchLabels
+                                                            is a map of {key,value}
+                                                            pairs. A single {key,value}
+                                                            in the matchLabels map
+                                                            is equivalent to an element
+                                                            of matchExpressions, whose
+                                                            key field is "key", the
+                                                            operator is "In", and
+                                                            the values array contains
+                                                            only "value". The requirements
+                                                            are ANDed.
+                                                          type: object
+                                                      type: object
+                                                    namespaces:
+                                                      description: namespaces specifies
+                                                        which namespaces the labelSelector
+                                                        applies to (matches against);
+                                                        null or empty list means "this
+                                                        pod's namespace"
+                                                      items:
+                                                        type: string
+                                                      type: array
+                                                    topologyKey:
+                                                      description: This pod should
+                                                        be co-located (affinity) or
+                                                        not co-located (anti-affinity)
+                                                        with the pods matching the
+                                                        labelSelector in the specified
+                                                        namespaces, where co-located
+                                                        is defined as running on a
+                                                        node whose value of the label
+                                                        with key topologyKey matches
+                                                        that of any node on which
+                                                        any of the selected pods is
+                                                        running. Empty topologyKey
+                                                        is not allowed.
+                                                      type: string
+                                                  required:
+                                                  - topologyKey
+                                                  type: object
+                                                weight:
+                                                  description: weight associated with
+                                                    matching the corresponding podAffinityTerm,
+                                                    in the range 1-100.
+                                                  format: int32
+                                                  type: integer
+                                              required:
+                                              - podAffinityTerm
+                                              - weight
+                                              type: object
+                                            type: array
+                                          requiredDuringSchedulingIgnoredDuringExecution:
+                                            description: If the affinity requirements
+                                              specified by this field are not met
+                                              at scheduling time, the pod will not
+                                              be scheduled onto the node. If the affinity
+                                              requirements specified by this field
+                                              cease to be met at some point during
+                                              pod execution (e.g. due to a pod label
+                                              update), the system may or may not try
+                                              to eventually evict the pod from its
+                                              node. When there are multiple elements,
+                                              the lists of nodes corresponding to
+                                              each podAffinityTerm are intersected,
+                                              i.e. all terms must be satisfied.
+                                            items:
+                                              description: Defines a set of pods (namely
+                                                those matching the labelSelector relative
+                                                to the given namespace(s)) that this
+                                                pod should be co-located (affinity)
+                                                or not co-located (anti-affinity)
+                                                with, where co-located is defined
+                                                as running on a node whose value of
+                                                the label with key <topologyKey> matches
+                                                that of any node on which a pod of
+                                                the set of pods is running
+                                              properties:
+                                                labelSelector:
+                                                  description: A label query over
+                                                    a set of resources, in this case
+                                                    pods.
+                                                  properties:
+                                                    matchExpressions:
+                                                      description: matchExpressions
+                                                        is a list of label selector
+                                                        requirements. The requirements
+                                                        are ANDed.
+                                                      items:
+                                                        description: A label selector
+                                                          requirement is a selector
+                                                          that contains values, a
+                                                          key, and an operator that
+                                                          relates the key and values.
+                                                        properties:
+                                                          key:
+                                                            description: key is the
+                                                              label key that the selector
+                                                              applies to.
+                                                            type: string
+                                                          operator:
+                                                            description: operator
+                                                              represents a key's relationship
+                                                              to a set of values.
+                                                              Valid operators are
+                                                              In, NotIn, Exists and
+                                                              DoesNotExist.
+                                                            type: string
+                                                          values:
+                                                            description: values is
+                                                              an array of string values.
+                                                              If the operator is In
+                                                              or NotIn, the values
+                                                              array must be non-empty.
+                                                              If the operator is Exists
+                                                              or DoesNotExist, the
+                                                              values array must be
+                                                              empty. This array is
+                                                              replaced during a strategic
+                                                              merge patch.
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                        required:
+                                                        - key
+                                                        - operator
+                                                        type: object
+                                                      type: array
+                                                    matchLabels:
+                                                      additionalProperties:
+                                                        type: string
+                                                      description: matchLabels is
+                                                        a map of {key,value} pairs.
+                                                        A single {key,value} in the
+                                                        matchLabels map is equivalent
+                                                        to an element of matchExpressions,
+                                                        whose key field is "key",
+                                                        the operator is "In", and
+                                                        the values array contains
+                                                        only "value". The requirements
+                                                        are ANDed.
+                                                      type: object
+                                                  type: object
+                                                namespaces:
+                                                  description: namespaces specifies
+                                                    which namespaces the labelSelector
+                                                    applies to (matches against);
+                                                    null or empty list means "this
+                                                    pod's namespace"
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                                topologyKey:
+                                                  description: This pod should be
+                                                    co-located (affinity) or not co-located
+                                                    (anti-affinity) with the pods
+                                                    matching the labelSelector in
+                                                    the specified namespaces, where
+                                                    co-located is defined as running
+                                                    on a node whose value of the label
+                                                    with key topologyKey matches that
+                                                    of any node on which any of the
+                                                    selected pods is running. Empty
+                                                    topologyKey is not allowed.
+                                                  type: string
+                                              required:
+                                              - topologyKey
+                                              type: object
+                                            type: array
+                                        type: object
+                                      podAntiAffinity:
+                                        description: Describes pod anti-affinity scheduling
+                                          rules (e.g. avoid putting this pod in the
+                                          same node, zone, etc. as some other pod(s)).
+                                        properties:
+                                          preferredDuringSchedulingIgnoredDuringExecution:
+                                            description: The scheduler will prefer
+                                              to schedule pods to nodes that satisfy
+                                              the anti-affinity expressions specified
+                                              by this field, but it may choose a node
+                                              that violates one or more of the expressions.
+                                              The node that is most preferred is the
+                                              one with the greatest sum of weights,
+                                              i.e. for each node that meets all of
+                                              the scheduling requirements (resource
+                                              request, requiredDuringScheduling anti-affinity
+                                              expressions, etc.), compute a sum by
+                                              iterating through the elements of this
+                                              field and adding "weight" to the sum
+                                              if the node has pods which matches the
+                                              corresponding podAffinityTerm; the node(s)
+                                              with the highest sum are the most preferred.
+                                            items:
+                                              description: The weights of all of the
+                                                matched WeightedPodAffinityTerm fields
+                                                are added per-node to find the most
+                                                preferred node(s)
+                                              properties:
+                                                podAffinityTerm:
+                                                  description: Required. A pod affinity
+                                                    term, associated with the corresponding
+                                                    weight.
+                                                  properties:
+                                                    labelSelector:
+                                                      description: A label query over
+                                                        a set of resources, in this
+                                                        case pods.
+                                                      properties:
+                                                        matchExpressions:
+                                                          description: matchExpressions
+                                                            is a list of label selector
+                                                            requirements. The requirements
+                                                            are ANDed.
+                                                          items:
+                                                            description: A label selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            properties:
+                                                              key:
+                                                                description: key is
+                                                                  the label key that
+                                                                  the selector applies
+                                                                  to.
+                                                                type: string
+                                                              operator:
+                                                                description: operator
+                                                                  represents a key's
+                                                                  relationship to
+                                                                  a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists
+                                                                  and DoesNotExist.
+                                                                type: string
+                                                              values:
+                                                                description: values
+                                                                  is an array of string
+                                                                  values. If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                items:
+                                                                  type: string
+                                                                type: array
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            type: object
+                                                          type: array
+                                                        matchLabels:
+                                                          additionalProperties:
+                                                            type: string
+                                                          description: matchLabels
+                                                            is a map of {key,value}
+                                                            pairs. A single {key,value}
+                                                            in the matchLabels map
+                                                            is equivalent to an element
+                                                            of matchExpressions, whose
+                                                            key field is "key", the
+                                                            operator is "In", and
+                                                            the values array contains
+                                                            only "value". The requirements
+                                                            are ANDed.
+                                                          type: object
+                                                      type: object
+                                                    namespaces:
+                                                      description: namespaces specifies
+                                                        which namespaces the labelSelector
+                                                        applies to (matches against);
+                                                        null or empty list means "this
+                                                        pod's namespace"
+                                                      items:
+                                                        type: string
+                                                      type: array
+                                                    topologyKey:
+                                                      description: This pod should
+                                                        be co-located (affinity) or
+                                                        not co-located (anti-affinity)
+                                                        with the pods matching the
+                                                        labelSelector in the specified
+                                                        namespaces, where co-located
+                                                        is defined as running on a
+                                                        node whose value of the label
+                                                        with key topologyKey matches
+                                                        that of any node on which
+                                                        any of the selected pods is
+                                                        running. Empty topologyKey
+                                                        is not allowed.
+                                                      type: string
+                                                  required:
+                                                  - topologyKey
+                                                  type: object
+                                                weight:
+                                                  description: weight associated with
+                                                    matching the corresponding podAffinityTerm,
+                                                    in the range 1-100.
+                                                  format: int32
+                                                  type: integer
+                                              required:
+                                              - podAffinityTerm
+                                              - weight
+                                              type: object
+                                            type: array
+                                          requiredDuringSchedulingIgnoredDuringExecution:
+                                            description: If the anti-affinity requirements
+                                              specified by this field are not met
+                                              at scheduling time, the pod will not
+                                              be scheduled onto the node. If the anti-affinity
+                                              requirements specified by this field
+                                              cease to be met at some point during
+                                              pod execution (e.g. due to a pod label
+                                              update), the system may or may not try
+                                              to eventually evict the pod from its
+                                              node. When there are multiple elements,
+                                              the lists of nodes corresponding to
+                                              each podAffinityTerm are intersected,
+                                              i.e. all terms must be satisfied.
+                                            items:
+                                              description: Defines a set of pods (namely
+                                                those matching the labelSelector relative
+                                                to the given namespace(s)) that this
+                                                pod should be co-located (affinity)
+                                                or not co-located (anti-affinity)
+                                                with, where co-located is defined
+                                                as running on a node whose value of
+                                                the label with key <topologyKey> matches
+                                                that of any node on which a pod of
+                                                the set of pods is running
+                                              properties:
+                                                labelSelector:
+                                                  description: A label query over
+                                                    a set of resources, in this case
+                                                    pods.
+                                                  properties:
+                                                    matchExpressions:
+                                                      description: matchExpressions
+                                                        is a list of label selector
+                                                        requirements. The requirements
+                                                        are ANDed.
+                                                      items:
+                                                        description: A label selector
+                                                          requirement is a selector
+                                                          that contains values, a
+                                                          key, and an operator that
+                                                          relates the key and values.
+                                                        properties:
+                                                          key:
+                                                            description: key is the
+                                                              label key that the selector
+                                                              applies to.
+                                                            type: string
+                                                          operator:
+                                                            description: operator
+                                                              represents a key's relationship
+                                                              to a set of values.
+                                                              Valid operators are
+                                                              In, NotIn, Exists and
+                                                              DoesNotExist.
+                                                            type: string
+                                                          values:
+                                                            description: values is
+                                                              an array of string values.
+                                                              If the operator is In
+                                                              or NotIn, the values
+                                                              array must be non-empty.
+                                                              If the operator is Exists
+                                                              or DoesNotExist, the
+                                                              values array must be
+                                                              empty. This array is
+                                                              replaced during a strategic
+                                                              merge patch.
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                        required:
+                                                        - key
+                                                        - operator
+                                                        type: object
+                                                      type: array
+                                                    matchLabels:
+                                                      additionalProperties:
+                                                        type: string
+                                                      description: matchLabels is
+                                                        a map of {key,value} pairs.
+                                                        A single {key,value} in the
+                                                        matchLabels map is equivalent
+                                                        to an element of matchExpressions,
+                                                        whose key field is "key",
+                                                        the operator is "In", and
+                                                        the values array contains
+                                                        only "value". The requirements
+                                                        are ANDed.
+                                                      type: object
+                                                  type: object
+                                                namespaces:
+                                                  description: namespaces specifies
+                                                    which namespaces the labelSelector
+                                                    applies to (matches against);
+                                                    null or empty list means "this
+                                                    pod's namespace"
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                                topologyKey:
+                                                  description: This pod should be
+                                                    co-located (affinity) or not co-located
+                                                    (anti-affinity) with the pods
+                                                    matching the labelSelector in
+                                                    the specified namespaces, where
+                                                    co-located is defined as running
+                                                    on a node whose value of the label
+                                                    with key topologyKey matches that
+                                                    of any node on which any of the
+                                                    selected pods is running. Empty
+                                                    topologyKey is not allowed.
+                                                  type: string
+                                              required:
+                                              - topologyKey
+                                              type: object
+                                            type: array
+                                        type: object
+                                    type: object
+                                  nodeSelector:
+                                    additionalProperties:
+                                      type: string
+                                    description: 'NodeSelector is a selector which
+                                      must be true for the pod to fit on a node. Selector
+                                      which must match a node''s labels for the pod
+                                      to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
+                                    type: object
+                                  priorityClassName:
+                                    description: If specified, the pod's priorityClassName.
+                                    type: string
+                                  serviceAccountName:
+                                    description: If specified, the pod's service account
+                                    type: string
+                                  tolerations:
+                                    description: If specified, the pod's tolerations.
+                                    items:
+                                      description: The pod this Toleration is attached
+                                        to tolerates any taint that matches the triple
+                                        <key,value,effect> using the matching operator
+                                        <operator>.
+                                      properties:
+                                        effect:
+                                          description: Effect indicates the taint
+                                            effect to match. Empty means match all
+                                            taint effects. When specified, allowed
+                                            values are NoSchedule, PreferNoSchedule
+                                            and NoExecute.
+                                          type: string
+                                        key:
+                                          description: Key is the taint key that the
+                                            toleration applies to. Empty means match
+                                            all taint keys. If the key is empty, operator
+                                            must be Exists; this combination means
+                                            to match all values and all keys.
+                                          type: string
+                                        operator:
+                                          description: Operator represents a key's
+                                            relationship to the value. Valid operators
+                                            are Exists and Equal. Defaults to Equal.
+                                            Exists is equivalent to wildcard for value,
+                                            so that a pod can tolerate all taints
+                                            of a particular category.
+                                          type: string
+                                        tolerationSeconds:
+                                          description: TolerationSeconds represents
+                                            the period of time the toleration (which
+                                            must be of effect NoExecute, otherwise
+                                            this field is ignored) tolerates the taint.
+                                            By default, it is not set, which means
+                                            tolerate the taint forever (do not evict).
+                                            Zero and negative values will be treated
+                                            as 0 (evict immediately) by the system.
+                                          format: int64
+                                          type: integer
+                                        value:
+                                          description: Value is the taint value the
+                                            toleration matches to. If the operator
+                                            is Exists, the value should be empty,
+                                            otherwise just a regular string.
+                                          type: string
+                                      type: object
+                                    type: array
+                                type: object
+                            type: object
+                          serviceType:
+                            description: Optional service type for Kubernetes solver
+                              service
+                            type: string
+                        type: object
+                    type: object
+                  selector:
+                    description: Selector selects a set of DNSNames on the Certificate
+                      resource that should be solved using this challenge solver.
+                      If not specified, the solver will be treated as the 'default'
+                      solver with the lowest priority, i.e. if any other solver has
+                      a more specific match, it will be used instead.
+                    properties:
+                      dnsNames:
+                        description: List of DNSNames that this solver will be used
+                          to solve. If specified and a match is found, a dnsNames
+                          selector will take precedence over a dnsZones selector.
+                          If multiple solvers match with the same dnsNames value,
+                          the solver with the most matching labels in matchLabels
+                          will be selected. If neither has more matches, the solver
+                          defined earlier in the list will be selected.
+                        items:
+                          type: string
+                        type: array
+                      dnsZones:
+                        description: List of DNSZones that this solver will be used
+                          to solve. The most specific DNS zone match specified here
+                          will take precedence over other DNS zone matches, so a solver
+                          specifying sys.example.com will be selected over one specifying
+                          example.com for the domain www.sys.example.com. If multiple
+                          solvers match with the same dnsZones value, the solver with
+                          the most matching labels in matchLabels will be selected.
+                          If neither has more matches, the solver defined earlier
+                          in the list will be selected.
+                        items:
+                          type: string
+                        type: array
+                      matchLabels:
+                        additionalProperties:
+                          type: string
+                        description: A label selector that is used to refine the set
+                          of certificate's that this challenge solver will apply to.
+                        type: object
+                    type: object
+                type: object
+              token:
+                description: Token is the ACME challenge token for this challenge.
+                  This is the raw value returned from the ACME server.
+                type: string
+              type:
+                description: Type is the type of ACME challenge this resource represents.
+                  One of "http-01" or "dns-01".
+                enum:
+                - http-01
+                - dns-01
+                type: string
+              url:
+                description: URL is the URL of the ACME Challenge resource for this
+                  challenge. This can be used to lookup details about the status of
+                  this challenge.
+                type: string
+              wildcard:
+                description: Wildcard will be true if this challenge is for a wildcard
+                  identifier, for example '*.example.com'.
+                type: boolean
+            required:
+            - authzURL
+            - dnsName
+            - issuerRef
+            - key
+            - solver
+            - token
+            - type
+            - url
+            type: object
+          status:
+            properties:
+              presented:
+                description: Presented will be set to true if the challenge values
+                  for this challenge are currently 'presented'. This *does not* imply
+                  the self check is passing. Only that the values have been 'submitted'
+                  for the appropriate challenge mechanism (i.e. the DNS01 TXT record
+                  has been presented, or the HTTP01 configuration has been configured).
+                type: boolean
+              processing:
+                description: Processing is used to denote whether this challenge should
+                  be processed or not. This field will only be set to true by the
+                  'scheduling' component. It will only be set to false by the 'challenges'
+                  controller, after the challenge has reached a final state or timed
+                  out. If this field is set to false, the challenge controller will
+                  not take any more action.
+                type: boolean
+              reason:
+                description: Reason contains human readable information on why the
+                  Challenge is in the current state.
+                type: string
+              state:
+                description: State contains the current 'state' of the challenge.
+                  If not set, the state of the challenge is unknown.
+                enum:
+                - valid
+                - ready
+                - pending
+                - processing
+                - invalid
+                - expired
+                - errored
+                type: string
+            type: object
+        required:
+        - metadata
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .status.state
+      name: State
+      type: string
+    - jsonPath: .spec.dnsName
+      name: Domain
+      type: string
+    - jsonPath: .status.reason
+      name: Reason
+      priority: 1
+      type: string
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC.
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: Challenge is a type to represent a Challenge request with an
+          ACME server
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              authorizationURL:
+                description: The URL to the ACME Authorization resource that this
+                  challenge is a part of.
+                type: string
+              dnsName:
+                description: dnsName is the identifier that this challenge is for,
+                  e.g. example.com. If the requested DNSName is a 'wildcard', this
+                  field MUST be set to the non-wildcard domain, e.g. for `*.example.com`,
+                  it must be `example.com`.
+                type: string
+              issuerRef:
+                description: References a properly configured ACME-type Issuer which
+                  should be used to create this Challenge. If the Issuer does not
+                  exist, processing will be retried. If the Issuer is not an 'ACME'
+                  Issuer, an error will be returned and the Challenge will be marked
+                  as failed.
+                properties:
+                  group:
+                    description: Group of the resource being referred to.
+                    type: string
+                  kind:
+                    description: Kind of the resource being referred to.
+                    type: string
+                  name:
+                    description: Name of the resource being referred to.
+                    type: string
+                required:
+                - name
+                type: object
+              key:
+                description: 'The ACME challenge key for this challenge For HTTP01
+                  challenges, this is the value that must be responded with to complete
+                  the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key
+                  from acme server for challenge>`. For DNS01 challenges, this is
+                  the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key
+                  from acme server for challenge>` text that must be set as the TXT
+                  record content.'
+                type: string
+              solver:
+                description: Contains the domain solving configuration that should
+                  be used to solve this challenge resource.
+                properties:
+                  dns01:
+                    description: Configures cert-manager to attempt to complete authorizations
+                      by performing the DNS01 challenge flow.
+                    properties:
+                      acmeDNS:
+                        description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
+                          API to manage DNS01 challenge records.
+                        properties:
+                          accountSecretRef:
+                            description: A reference to a specific 'key' within a
+                              Secret resource. In some instances, `key` is a required
+                              field.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          host:
+                            type: string
+                        required:
+                        - accountSecretRef
+                        - host
+                        type: object
+                      akamai:
+                        description: Use the Akamai DNS zone management API to manage
+                          DNS01 challenge records.
+                        properties:
+                          accessTokenSecretRef:
+                            description: A reference to a specific 'key' within a
+                              Secret resource. In some instances, `key` is a required
+                              field.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          clientSecretSecretRef:
+                            description: A reference to a specific 'key' within a
+                              Secret resource. In some instances, `key` is a required
+                              field.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          clientTokenSecretRef:
+                            description: A reference to a specific 'key' within a
+                              Secret resource. In some instances, `key` is a required
+                              field.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          serviceConsumerDomain:
+                            type: string
+                        required:
+                        - accessTokenSecretRef
+                        - clientSecretSecretRef
+                        - clientTokenSecretRef
+                        - serviceConsumerDomain
+                        type: object
+                      azureDNS:
+                        description: Use the Microsoft Azure DNS API to manage DNS01
+                          challenge records.
+                        properties:
+                          clientID:
+                            description: if both this and ClientSecret are left unset
+                              MSI will be used
+                            type: string
+                          clientSecretSecretRef:
+                            description: if both this and ClientID are left unset
+                              MSI will be used
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          environment:
+                            enum:
+                            - AzurePublicCloud
+                            - AzureChinaCloud
+                            - AzureGermanCloud
+                            - AzureUSGovernmentCloud
+                            type: string
+                          hostedZoneName:
+                            type: string
+                          resourceGroupName:
+                            type: string
+                          subscriptionID:
+                            type: string
+                          tenantID:
+                            description: when specifying ClientID and ClientSecret
+                              then this field is also needed
+                            type: string
+                        required:
+                        - resourceGroupName
+                        - subscriptionID
+                        type: object
+                      cloudDNS:
+                        description: Use the Google Cloud DNS API to manage DNS01
+                          challenge records.
+                        properties:
+                          hostedZoneName:
+                            description: HostedZoneName is an optional field that
+                              tells cert-manager in which Cloud DNS zone the challenge
+                              record has to be created. If left empty cert-manager
+                              will automatically choose a zone.
+                            type: string
+                          project:
+                            type: string
+                          serviceAccountSecretRef:
+                            description: A reference to a specific 'key' within a
+                              Secret resource. In some instances, `key` is a required
+                              field.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - project
+                        type: object
+                      cloudflare:
+                        description: Use the Cloudflare API to manage DNS01 challenge
+                          records.
+                        properties:
+                          apiKeySecretRef:
+                            description: 'API key to use to authenticate with Cloudflare.
+                              Note: using an API token to authenticate is now the
+                              recommended method as it allows greater control of permissions.'
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          apiTokenSecretRef:
+                            description: API token used to authenticate with Cloudflare.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          email:
+                            description: Email of the account, only required when
+                              using API key based authentication.
+                            type: string
+                        type: object
+                      cnameStrategy:
+                        description: CNAMEStrategy configures how the DNS01 provider
+                          should handle CNAME records when found in DNS zones.
+                        enum:
+                        - None
+                        - Follow
+                        type: string
+                      digitalocean:
+                        description: Use the DigitalOcean DNS API to manage DNS01
+                          challenge records.
+                        properties:
+                          tokenSecretRef:
+                            description: A reference to a specific 'key' within a
+                              Secret resource. In some instances, `key` is a required
+                              field.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - tokenSecretRef
+                        type: object
+                      rfc2136:
+                        description: Use RFC2136 ("Dynamic Updates in the Domain Name
+                          System") (https://datatracker.ietf.org/doc/rfc2136/) to
+                          manage DNS01 challenge records.
+                        properties:
+                          nameserver:
+                            description: The IP address or hostname of an authoritative
+                              DNS server supporting RFC2136 in the form host:port.
+                              If the host is an IPv6 address it must be enclosed in
+                              square brackets (e.g [2001:db8::1]) ; port is optional.
+                              This field is required.
+                            type: string
+                          tsigAlgorithm:
+                            description: 'The TSIG Algorithm configured in the DNS
+                              supporting RFC2136. Used only when ``tsigSecretSecretRef``
+                              and ``tsigKeyName`` are defined. Supported values are
+                              (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``,
+                              ``HMACSHA256`` or ``HMACSHA512``.'
+                            type: string
+                          tsigKeyName:
+                            description: The TSIG Key name configured in the DNS.
+                              If ``tsigSecretSecretRef`` is defined, this field is
+                              required.
+                            type: string
+                          tsigSecretSecretRef:
+                            description: The name of the secret containing the TSIG
+                              value. If ``tsigKeyName`` is defined, this field is
+                              required.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - nameserver
+                        type: object
+                      route53:
+                        description: Use the AWS Route53 API to manage DNS01 challenge
+                          records.
+                        properties:
+                          accessKeyID:
+                            description: 'The AccessKeyID is used for authentication.
+                              If not set we fall-back to using env vars, shared credentials
+                              file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                            type: string
+                          hostedZoneID:
+                            description: If set, the provider will manage only this
+                              zone in Route53 and will not do an lookup using the
+                              route53:ListHostedZonesByName api call.
+                            type: string
+                          region:
+                            description: Always set the region when using AccessKeyID
+                              and SecretAccessKey
+                            type: string
+                          role:
+                            description: Role is a Role ARN which the Route53 provider
+                              will assume using either the explicit credentials AccessKeyID/SecretAccessKey
+                              or the inferred credentials from environment variables,
+                              shared credentials file or AWS Instance metadata
+                            type: string
+                          secretAccessKeySecretRef:
+                            description: The SecretAccessKey is used for authentication.
+                              If not set we fall-back to using env vars, shared credentials
+                              file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - region
+                        type: object
+                      webhook:
+                        description: Configure an external webhook based DNS01 challenge
+                          solver to manage DNS01 challenge records.
+                        properties:
+                          config:
+                            description: Additional configuration that should be passed
+                              to the webhook apiserver when challenges are processed.
+                              This can contain arbitrary JSON data. Secret values
+                              should not be specified in this stanza. If secret values
+                              are needed (e.g. credentials for a DNS service), you
+                              should use a SecretKeySelector to reference a Secret
+                              resource. For details on the schema of this field, consult
+                              the webhook provider implementation's documentation.
+                            x-kubernetes-preserve-unknown-fields: true
+                          groupName:
+                            description: The API group name that should be used when
+                              POSTing ChallengePayload resources to the webhook apiserver.
+                              This should be the same as the GroupName specified in
+                              the webhook provider implementation.
+                            type: string
+                          solverName:
+                            description: The name of the solver to use, as defined
+                              in the webhook provider implementation. This will typically
+                              be the name of the provider, e.g. 'cloudflare'.
+                            type: string
+                        required:
+                        - groupName
+                        - solverName
+                        type: object
+                    type: object
+                  http01:
+                    description: Configures cert-manager to attempt to complete authorizations
+                      by performing the HTTP01 challenge flow. It is not possible
+                      to obtain certificates for wildcard domain names (e.g. `*.example.com`)
+                      using the HTTP01 challenge mechanism.
+                    properties:
+                      ingress:
+                        description: The ingress based HTTP01 challenge solver will
+                          solve challenges by creating or modifying Ingress resources
+                          in order to route requests for '/.well-known/acme-challenge/XYZ'
+                          to 'challenge solver' pods that are provisioned by cert-manager
+                          for each Challenge to be completed.
+                        properties:
+                          class:
+                            description: The ingress class to use when creating Ingress
+                              resources to solve ACME challenges that use this challenge
+                              solver. Only one of 'class' or 'name' may be specified.
+                            type: string
+                          ingressTemplate:
+                            description: Optional ingress template used to configure
+                              the ACME challenge solver ingress used for HTTP01 challenges
+                            properties:
+                              metadata:
+                                description: ObjectMeta overrides for the ingress
+                                  used to solve HTTP01 challenges. Only the 'labels'
+                                  and 'annotations' fields may be set. If labels or
+                                  annotations overlap with in-built values, the values
+                                  here will override the in-built values.
+                                properties:
+                                  annotations:
+                                    additionalProperties:
+                                      type: string
+                                    description: Annotations that should be added
+                                      to the created ACME HTTP01 solver ingress.
+                                    type: object
+                                  labels:
+                                    additionalProperties:
+                                      type: string
+                                    description: Labels that should be added to the
+                                      created ACME HTTP01 solver ingress.
+                                    type: object
+                                type: object
+                            type: object
+                          name:
+                            description: The name of the ingress resource that should
+                              have ACME challenge solving routes inserted into it
+                              in order to solve HTTP01 challenges. This is typically
+                              used in conjunction with ingress controllers like ingress-gce,
+                              which maintains a 1:1 mapping between external IPs and
+                              ingress resources.
+                            type: string
+                          podTemplate:
+                            description: Optional pod template used to configure the
+                              ACME challenge solver pods used for HTTP01 challenges
+                            properties:
+                              metadata:
+                                description: ObjectMeta overrides for the pod used
+                                  to solve HTTP01 challenges. Only the 'labels' and
+                                  'annotations' fields may be set. If labels or annotations
+                                  overlap with in-built values, the values here will
+                                  override the in-built values.
+                                properties:
+                                  annotations:
+                                    additionalProperties:
+                                      type: string
+                                    description: Annotations that should be added
+                                      to the create ACME HTTP01 solver pods.
+                                    type: object
+                                  labels:
+                                    additionalProperties:
+                                      type: string
+                                    description: Labels that should be added to the
+                                      created ACME HTTP01 solver pods.
+                                    type: object
+                                type: object
+                              spec:
+                                description: PodSpec defines overrides for the HTTP01
+                                  challenge solver pod. Only the 'priorityClassName',
+                                  'nodeSelector', 'affinity', 'serviceAccountName'
+                                  and 'tolerations' fields are supported currently.
+                                  All other fields will be ignored.
+                                properties:
+                                  affinity:
+                                    description: If specified, the pod's scheduling
+                                      constraints
+                                    properties:
+                                      nodeAffinity:
+                                        description: Describes node affinity scheduling
+                                          rules for the pod.
+                                        properties:
+                                          preferredDuringSchedulingIgnoredDuringExecution:
+                                            description: The scheduler will prefer
+                                              to schedule pods to nodes that satisfy
+                                              the affinity expressions specified by
+                                              this field, but it may choose a node
+                                              that violates one or more of the expressions.
+                                              The node that is most preferred is the
+                                              one with the greatest sum of weights,
+                                              i.e. for each node that meets all of
+                                              the scheduling requirements (resource
+                                              request, requiredDuringScheduling affinity
+                                              expressions, etc.), compute a sum by
+                                              iterating through the elements of this
+                                              field and adding "weight" to the sum
+                                              if the node matches the corresponding
+                                              matchExpressions; the node(s) with the
+                                              highest sum are the most preferred.
+                                            items:
+                                              description: An empty preferred scheduling
+                                                term matches all objects with implicit
+                                                weight 0 (i.e. it's a no-op). A null
+                                                preferred scheduling term matches
+                                                no objects (i.e. is also a no-op).
+                                              properties:
+                                                preference:
+                                                  description: A node selector term,
+                                                    associated with the corresponding
+                                                    weight.
+                                                  properties:
+                                                    matchExpressions:
+                                                      description: A list of node
+                                                        selector requirements by node's
+                                                        labels.
+                                                      items:
+                                                        description: A node selector
+                                                          requirement is a selector
+                                                          that contains values, a
+                                                          key, and an operator that
+                                                          relates the key and values.
+                                                        properties:
+                                                          key:
+                                                            description: The label
+                                                              key that the selector
+                                                              applies to.
+                                                            type: string
+                                                          operator:
+                                                            description: Represents
+                                                              a key's relationship
+                                                              to a set of values.
+                                                              Valid operators are
+                                                              In, NotIn, Exists, DoesNotExist.
+                                                              Gt, and Lt.
+                                                            type: string
+                                                          values:
+                                                            description: An array
+                                                              of string values. If
+                                                              the operator is In or
+                                                              NotIn, the values array
+                                                              must be non-empty. If
+                                                              the operator is Exists
+                                                              or DoesNotExist, the
+                                                              values array must be
+                                                              empty. If the operator
+                                                              is Gt or Lt, the values
+                                                              array must have a single
+                                                              element, which will
+                                                              be interpreted as an
+                                                              integer. This array
+                                                              is replaced during a
+                                                              strategic merge patch.
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                        required:
+                                                        - key
+                                                        - operator
+                                                        type: object
+                                                      type: array
+                                                    matchFields:
+                                                      description: A list of node
+                                                        selector requirements by node's
+                                                        fields.
+                                                      items:
+                                                        description: A node selector
+                                                          requirement is a selector
+                                                          that contains values, a
+                                                          key, and an operator that
+                                                          relates the key and values.
+                                                        properties:
+                                                          key:
+                                                            description: The label
+                                                              key that the selector
+                                                              applies to.
+                                                            type: string
+                                                          operator:
+                                                            description: Represents
+                                                              a key's relationship
+                                                              to a set of values.
+                                                              Valid operators are
+                                                              In, NotIn, Exists, DoesNotExist.
+                                                              Gt, and Lt.
+                                                            type: string
+                                                          values:
+                                                            description: An array
+                                                              of string values. If
+                                                              the operator is In or
+                                                              NotIn, the values array
+                                                              must be non-empty. If
+                                                              the operator is Exists
+                                                              or DoesNotExist, the
+                                                              values array must be
+                                                              empty. If the operator
+                                                              is Gt or Lt, the values
+                                                              array must have a single
+                                                              element, which will
+                                                              be interpreted as an
+                                                              integer. This array
+                                                              is replaced during a
+                                                              strategic merge patch.
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                        required:
+                                                        - key
+                                                        - operator
+                                                        type: object
+                                                      type: array
+                                                  type: object
+                                                weight:
+                                                  description: Weight associated with
+                                                    matching the corresponding nodeSelectorTerm,
+                                                    in the range 1-100.
+                                                  format: int32
+                                                  type: integer
+                                              required:
+                                              - preference
+                                              - weight
+                                              type: object
+                                            type: array
+                                          requiredDuringSchedulingIgnoredDuringExecution:
+                                            description: If the affinity requirements
+                                              specified by this field are not met
+                                              at scheduling time, the pod will not
+                                              be scheduled onto the node. If the affinity
+                                              requirements specified by this field
+                                              cease to be met at some point during
+                                              pod execution (e.g. due to an update),
+                                              the system may or may not try to eventually
+                                              evict the pod from its node.
+                                            properties:
+                                              nodeSelectorTerms:
+                                                description: Required. A list of node
+                                                  selector terms. The terms are ORed.
+                                                items:
+                                                  description: A null or empty node
+                                                    selector term matches no objects.
+                                                    The requirements of them are ANDed.
+                                                    The TopologySelectorTerm type
+                                                    implements a subset of the NodeSelectorTerm.
+                                                  properties:
+                                                    matchExpressions:
+                                                      description: A list of node
+                                                        selector requirements by node's
+                                                        labels.
+                                                      items:
+                                                        description: A node selector
+                                                          requirement is a selector
+                                                          that contains values, a
+                                                          key, and an operator that
+                                                          relates the key and values.
+                                                        properties:
+                                                          key:
+                                                            description: The label
+                                                              key that the selector
+                                                              applies to.
+                                                            type: string
+                                                          operator:
+                                                            description: Represents
+                                                              a key's relationship
+                                                              to a set of values.
+                                                              Valid operators are
+                                                              In, NotIn, Exists, DoesNotExist.
+                                                              Gt, and Lt.
+                                                            type: string
+                                                          values:
+                                                            description: An array
+                                                              of string values. If
+                                                              the operator is In or
+                                                              NotIn, the values array
+                                                              must be non-empty. If
+                                                              the operator is Exists
+                                                              or DoesNotExist, the
+                                                              values array must be
+                                                              empty. If the operator
+                                                              is Gt or Lt, the values
+                                                              array must have a single
+                                                              element, which will
+                                                              be interpreted as an
+                                                              integer. This array
+                                                              is replaced during a
+                                                              strategic merge patch.
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                        required:
+                                                        - key
+                                                        - operator
+                                                        type: object
+                                                      type: array
+                                                    matchFields:
+                                                      description: A list of node
+                                                        selector requirements by node's
+                                                        fields.
+                                                      items:
+                                                        description: A node selector
+                                                          requirement is a selector
+                                                          that contains values, a
+                                                          key, and an operator that
+                                                          relates the key and values.
+                                                        properties:
+                                                          key:
+                                                            description: The label
+                                                              key that the selector
+                                                              applies to.
+                                                            type: string
+                                                          operator:
+                                                            description: Represents
+                                                              a key's relationship
+                                                              to a set of values.
+                                                              Valid operators are
+                                                              In, NotIn, Exists, DoesNotExist.
+                                                              Gt, and Lt.
+                                                            type: string
+                                                          values:
+                                                            description: An array
+                                                              of string values. If
+                                                              the operator is In or
+                                                              NotIn, the values array
+                                                              must be non-empty. If
+                                                              the operator is Exists
+                                                              or DoesNotExist, the
+                                                              values array must be
+                                                              empty. If the operator
+                                                              is Gt or Lt, the values
+                                                              array must have a single
+                                                              element, which will
+                                                              be interpreted as an
+                                                              integer. This array
+                                                              is replaced during a
+                                                              strategic merge patch.
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                        required:
+                                                        - key
+                                                        - operator
+                                                        type: object
+                                                      type: array
+                                                  type: object
+                                                type: array
+                                            required:
+                                            - nodeSelectorTerms
+                                            type: object
+                                        type: object
+                                      podAffinity:
+                                        description: Describes pod affinity scheduling
+                                          rules (e.g. co-locate this pod in the same
+                                          node, zone, etc. as some other pod(s)).
+                                        properties:
+                                          preferredDuringSchedulingIgnoredDuringExecution:
+                                            description: The scheduler will prefer
+                                              to schedule pods to nodes that satisfy
+                                              the affinity expressions specified by
+                                              this field, but it may choose a node
+                                              that violates one or more of the expressions.
+                                              The node that is most preferred is the
+                                              one with the greatest sum of weights,
+                                              i.e. for each node that meets all of
+                                              the scheduling requirements (resource
+                                              request, requiredDuringScheduling affinity
+                                              expressions, etc.), compute a sum by
+                                              iterating through the elements of this
+                                              field and adding "weight" to the sum
+                                              if the node has pods which matches the
+                                              corresponding podAffinityTerm; the node(s)
+                                              with the highest sum are the most preferred.
+                                            items:
+                                              description: The weights of all of the
+                                                matched WeightedPodAffinityTerm fields
+                                                are added per-node to find the most
+                                                preferred node(s)
+                                              properties:
+                                                podAffinityTerm:
+                                                  description: Required. A pod affinity
+                                                    term, associated with the corresponding
+                                                    weight.
+                                                  properties:
+                                                    labelSelector:
+                                                      description: A label query over
+                                                        a set of resources, in this
+                                                        case pods.
+                                                      properties:
+                                                        matchExpressions:
+                                                          description: matchExpressions
+                                                            is a list of label selector
+                                                            requirements. The requirements
+                                                            are ANDed.
+                                                          items:
+                                                            description: A label selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            properties:
+                                                              key:
+                                                                description: key is
+                                                                  the label key that
+                                                                  the selector applies
+                                                                  to.
+                                                                type: string
+                                                              operator:
+                                                                description: operator
+                                                                  represents a key's
+                                                                  relationship to
+                                                                  a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists
+                                                                  and DoesNotExist.
+                                                                type: string
+                                                              values:
+                                                                description: values
+                                                                  is an array of string
+                                                                  values. If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                items:
+                                                                  type: string
+                                                                type: array
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            type: object
+                                                          type: array
+                                                        matchLabels:
+                                                          additionalProperties:
+                                                            type: string
+                                                          description: matchLabels
+                                                            is a map of {key,value}
+                                                            pairs. A single {key,value}
+                                                            in the matchLabels map
+                                                            is equivalent to an element
+                                                            of matchExpressions, whose
+                                                            key field is "key", the
+                                                            operator is "In", and
+                                                            the values array contains
+                                                            only "value". The requirements
+                                                            are ANDed.
+                                                          type: object
+                                                      type: object
+                                                    namespaces:
+                                                      description: namespaces specifies
+                                                        which namespaces the labelSelector
+                                                        applies to (matches against);
+                                                        null or empty list means "this
+                                                        pod's namespace"
+                                                      items:
+                                                        type: string
+                                                      type: array
+                                                    topologyKey:
+                                                      description: This pod should
+                                                        be co-located (affinity) or
+                                                        not co-located (anti-affinity)
+                                                        with the pods matching the
+                                                        labelSelector in the specified
+                                                        namespaces, where co-located
+                                                        is defined as running on a
+                                                        node whose value of the label
+                                                        with key topologyKey matches
+                                                        that of any node on which
+                                                        any of the selected pods is
+                                                        running. Empty topologyKey
+                                                        is not allowed.
+                                                      type: string
+                                                  required:
+                                                  - topologyKey
+                                                  type: object
+                                                weight:
+                                                  description: weight associated with
+                                                    matching the corresponding podAffinityTerm,
+                                                    in the range 1-100.
+                                                  format: int32
+                                                  type: integer
+                                              required:
+                                              - podAffinityTerm
+                                              - weight
+                                              type: object
+                                            type: array
+                                          requiredDuringSchedulingIgnoredDuringExecution:
+                                            description: If the affinity requirements
+                                              specified by this field are not met
+                                              at scheduling time, the pod will not
+                                              be scheduled onto the node. If the affinity
+                                              requirements specified by this field
+                                              cease to be met at some point during
+                                              pod execution (e.g. due to a pod label
+                                              update), the system may or may not try
+                                              to eventually evict the pod from its
+                                              node. When there are multiple elements,
+                                              the lists of nodes corresponding to
+                                              each podAffinityTerm are intersected,
+                                              i.e. all terms must be satisfied.
+                                            items:
+                                              description: Defines a set of pods (namely
+                                                those matching the labelSelector relative
+                                                to the given namespace(s)) that this
+                                                pod should be co-located (affinity)
+                                                or not co-located (anti-affinity)
+                                                with, where co-located is defined
+                                                as running on a node whose value of
+                                                the label with key <topologyKey> matches
+                                                that of any node on which a pod of
+                                                the set of pods is running
+                                              properties:
+                                                labelSelector:
+                                                  description: A label query over
+                                                    a set of resources, in this case
+                                                    pods.
+                                                  properties:
+                                                    matchExpressions:
+                                                      description: matchExpressions
+                                                        is a list of label selector
+                                                        requirements. The requirements
+                                                        are ANDed.
+                                                      items:
+                                                        description: A label selector
+                                                          requirement is a selector
+                                                          that contains values, a
+                                                          key, and an operator that
+                                                          relates the key and values.
+                                                        properties:
+                                                          key:
+                                                            description: key is the
+                                                              label key that the selector
+                                                              applies to.
+                                                            type: string
+                                                          operator:
+                                                            description: operator
+                                                              represents a key's relationship
+                                                              to a set of values.
+                                                              Valid operators are
+                                                              In, NotIn, Exists and
+                                                              DoesNotExist.
+                                                            type: string
+                                                          values:
+                                                            description: values is
+                                                              an array of string values.
+                                                              If the operator is In
+                                                              or NotIn, the values
+                                                              array must be non-empty.
+                                                              If the operator is Exists
+                                                              or DoesNotExist, the
+                                                              values array must be
+                                                              empty. This array is
+                                                              replaced during a strategic
+                                                              merge patch.
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                        required:
+                                                        - key
+                                                        - operator
+                                                        type: object
+                                                      type: array
+                                                    matchLabels:
+                                                      additionalProperties:
+                                                        type: string
+                                                      description: matchLabels is
+                                                        a map of {key,value} pairs.
+                                                        A single {key,value} in the
+                                                        matchLabels map is equivalent
+                                                        to an element of matchExpressions,
+                                                        whose key field is "key",
+                                                        the operator is "In", and
+                                                        the values array contains
+                                                        only "value". The requirements
+                                                        are ANDed.
+                                                      type: object
+                                                  type: object
+                                                namespaces:
+                                                  description: namespaces specifies
+                                                    which namespaces the labelSelector
+                                                    applies to (matches against);
+                                                    null or empty list means "this
+                                                    pod's namespace"
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                                topologyKey:
+                                                  description: This pod should be
+                                                    co-located (affinity) or not co-located
+                                                    (anti-affinity) with the pods
+                                                    matching the labelSelector in
+                                                    the specified namespaces, where
+                                                    co-located is defined as running
+                                                    on a node whose value of the label
+                                                    with key topologyKey matches that
+                                                    of any node on which any of the
+                                                    selected pods is running. Empty
+                                                    topologyKey is not allowed.
+                                                  type: string
+                                              required:
+                                              - topologyKey
+                                              type: object
+                                            type: array
+                                        type: object
+                                      podAntiAffinity:
+                                        description: Describes pod anti-affinity scheduling
+                                          rules (e.g. avoid putting this pod in the
+                                          same node, zone, etc. as some other pod(s)).
+                                        properties:
+                                          preferredDuringSchedulingIgnoredDuringExecution:
+                                            description: The scheduler will prefer
+                                              to schedule pods to nodes that satisfy
+                                              the anti-affinity expressions specified
+                                              by this field, but it may choose a node
+                                              that violates one or more of the expressions.
+                                              The node that is most preferred is the
+                                              one with the greatest sum of weights,
+                                              i.e. for each node that meets all of
+                                              the scheduling requirements (resource
+                                              request, requiredDuringScheduling anti-affinity
+                                              expressions, etc.), compute a sum by
+                                              iterating through the elements of this
+                                              field and adding "weight" to the sum
+                                              if the node has pods which matches the
+                                              corresponding podAffinityTerm; the node(s)
+                                              with the highest sum are the most preferred.
+                                            items:
+                                              description: The weights of all of the
+                                                matched WeightedPodAffinityTerm fields
+                                                are added per-node to find the most
+                                                preferred node(s)
+                                              properties:
+                                                podAffinityTerm:
+                                                  description: Required. A pod affinity
+                                                    term, associated with the corresponding
+                                                    weight.
+                                                  properties:
+                                                    labelSelector:
+                                                      description: A label query over
+                                                        a set of resources, in this
+                                                        case pods.
+                                                      properties:
+                                                        matchExpressions:
+                                                          description: matchExpressions
+                                                            is a list of label selector
+                                                            requirements. The requirements
+                                                            are ANDed.
+                                                          items:
+                                                            description: A label selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            properties:
+                                                              key:
+                                                                description: key is
+                                                                  the label key that
+                                                                  the selector applies
+                                                                  to.
+                                                                type: string
+                                                              operator:
+                                                                description: operator
+                                                                  represents a key's
+                                                                  relationship to
+                                                                  a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists
+                                                                  and DoesNotExist.
+                                                                type: string
+                                                              values:
+                                                                description: values
+                                                                  is an array of string
+                                                                  values. If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                items:
+                                                                  type: string
+                                                                type: array
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            type: object
+                                                          type: array
+                                                        matchLabels:
+                                                          additionalProperties:
+                                                            type: string
+                                                          description: matchLabels
+                                                            is a map of {key,value}
+                                                            pairs. A single {key,value}
+                                                            in the matchLabels map
+                                                            is equivalent to an element
+                                                            of matchExpressions, whose
+                                                            key field is "key", the
+                                                            operator is "In", and
+                                                            the values array contains
+                                                            only "value". The requirements
+                                                            are ANDed.
+                                                          type: object
+                                                      type: object
+                                                    namespaces:
+                                                      description: namespaces specifies
+                                                        which namespaces the labelSelector
+                                                        applies to (matches against);
+                                                        null or empty list means "this
+                                                        pod's namespace"
+                                                      items:
+                                                        type: string
+                                                      type: array
+                                                    topologyKey:
+                                                      description: This pod should
+                                                        be co-located (affinity) or
+                                                        not co-located (anti-affinity)
+                                                        with the pods matching the
+                                                        labelSelector in the specified
+                                                        namespaces, where co-located
+                                                        is defined as running on a
+                                                        node whose value of the label
+                                                        with key topologyKey matches
+                                                        that of any node on which
+                                                        any of the selected pods is
+                                                        running. Empty topologyKey
+                                                        is not allowed.
+                                                      type: string
+                                                  required:
+                                                  - topologyKey
+                                                  type: object
+                                                weight:
+                                                  description: weight associated with
+                                                    matching the corresponding podAffinityTerm,
+                                                    in the range 1-100.
+                                                  format: int32
+                                                  type: integer
+                                              required:
+                                              - podAffinityTerm
+                                              - weight
+                                              type: object
+                                            type: array
+                                          requiredDuringSchedulingIgnoredDuringExecution:
+                                            description: If the anti-affinity requirements
+                                              specified by this field are not met
+                                              at scheduling time, the pod will not
+                                              be scheduled onto the node. If the anti-affinity
+                                              requirements specified by this field
+                                              cease to be met at some point during
+                                              pod execution (e.g. due to a pod label
+                                              update), the system may or may not try
+                                              to eventually evict the pod from its
+                                              node. When there are multiple elements,
+                                              the lists of nodes corresponding to
+                                              each podAffinityTerm are intersected,
+                                              i.e. all terms must be satisfied.
+                                            items:
+                                              description: Defines a set of pods (namely
+                                                those matching the labelSelector relative
+                                                to the given namespace(s)) that this
+                                                pod should be co-located (affinity)
+                                                or not co-located (anti-affinity)
+                                                with, where co-located is defined
+                                                as running on a node whose value of
+                                                the label with key <topologyKey> matches
+                                                that of any node on which a pod of
+                                                the set of pods is running
+                                              properties:
+                                                labelSelector:
+                                                  description: A label query over
+                                                    a set of resources, in this case
+                                                    pods.
+                                                  properties:
+                                                    matchExpressions:
+                                                      description: matchExpressions
+                                                        is a list of label selector
+                                                        requirements. The requirements
+                                                        are ANDed.
+                                                      items:
+                                                        description: A label selector
+                                                          requirement is a selector
+                                                          that contains values, a
+                                                          key, and an operator that
+                                                          relates the key and values.
+                                                        properties:
+                                                          key:
+                                                            description: key is the
+                                                              label key that the selector
+                                                              applies to.
+                                                            type: string
+                                                          operator:
+                                                            description: operator
+                                                              represents a key's relationship
+                                                              to a set of values.
+                                                              Valid operators are
+                                                              In, NotIn, Exists and
+                                                              DoesNotExist.
+                                                            type: string
+                                                          values:
+                                                            description: values is
+                                                              an array of string values.
+                                                              If the operator is In
+                                                              or NotIn, the values
+                                                              array must be non-empty.
+                                                              If the operator is Exists
+                                                              or DoesNotExist, the
+                                                              values array must be
+                                                              empty. This array is
+                                                              replaced during a strategic
+                                                              merge patch.
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                        required:
+                                                        - key
+                                                        - operator
+                                                        type: object
+                                                      type: array
+                                                    matchLabels:
+                                                      additionalProperties:
+                                                        type: string
+                                                      description: matchLabels is
+                                                        a map of {key,value} pairs.
+                                                        A single {key,value} in the
+                                                        matchLabels map is equivalent
+                                                        to an element of matchExpressions,
+                                                        whose key field is "key",
+                                                        the operator is "In", and
+                                                        the values array contains
+                                                        only "value". The requirements
+                                                        are ANDed.
+                                                      type: object
+                                                  type: object
+                                                namespaces:
+                                                  description: namespaces specifies
+                                                    which namespaces the labelSelector
+                                                    applies to (matches against);
+                                                    null or empty list means "this
+                                                    pod's namespace"
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                                topologyKey:
+                                                  description: This pod should be
+                                                    co-located (affinity) or not co-located
+                                                    (anti-affinity) with the pods
+                                                    matching the labelSelector in
+                                                    the specified namespaces, where
+                                                    co-located is defined as running
+                                                    on a node whose value of the label
+                                                    with key topologyKey matches that
+                                                    of any node on which any of the
+                                                    selected pods is running. Empty
+                                                    topologyKey is not allowed.
+                                                  type: string
+                                              required:
+                                              - topologyKey
+                                              type: object
+                                            type: array
+                                        type: object
+                                    type: object
+                                  nodeSelector:
+                                    additionalProperties:
+                                      type: string
+                                    description: 'NodeSelector is a selector which
+                                      must be true for the pod to fit on a node. Selector
+                                      which must match a node''s labels for the pod
+                                      to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
+                                    type: object
+                                  priorityClassName:
+                                    description: If specified, the pod's priorityClassName.
+                                    type: string
+                                  serviceAccountName:
+                                    description: If specified, the pod's service account
+                                    type: string
+                                  tolerations:
+                                    description: If specified, the pod's tolerations.
+                                    items:
+                                      description: The pod this Toleration is attached
+                                        to tolerates any taint that matches the triple
+                                        <key,value,effect> using the matching operator
+                                        <operator>.
+                                      properties:
+                                        effect:
+                                          description: Effect indicates the taint
+                                            effect to match. Empty means match all
+                                            taint effects. When specified, allowed
+                                            values are NoSchedule, PreferNoSchedule
+                                            and NoExecute.
+                                          type: string
+                                        key:
+                                          description: Key is the taint key that the
+                                            toleration applies to. Empty means match
+                                            all taint keys. If the key is empty, operator
+                                            must be Exists; this combination means
+                                            to match all values and all keys.
+                                          type: string
+                                        operator:
+                                          description: Operator represents a key's
+                                            relationship to the value. Valid operators
+                                            are Exists and Equal. Defaults to Equal.
+                                            Exists is equivalent to wildcard for value,
+                                            so that a pod can tolerate all taints
+                                            of a particular category.
+                                          type: string
+                                        tolerationSeconds:
+                                          description: TolerationSeconds represents
+                                            the period of time the toleration (which
+                                            must be of effect NoExecute, otherwise
+                                            this field is ignored) tolerates the taint.
+                                            By default, it is not set, which means
+                                            tolerate the taint forever (do not evict).
+                                            Zero and negative values will be treated
+                                            as 0 (evict immediately) by the system.
+                                          format: int64
+                                          type: integer
+                                        value:
+                                          description: Value is the taint value the
+                                            toleration matches to. If the operator
+                                            is Exists, the value should be empty,
+                                            otherwise just a regular string.
+                                          type: string
+                                      type: object
+                                    type: array
+                                type: object
+                            type: object
+                          serviceType:
+                            description: Optional service type for Kubernetes solver
+                              service
+                            type: string
+                        type: object
+                    type: object
+                  selector:
+                    description: Selector selects a set of DNSNames on the Certificate
+                      resource that should be solved using this challenge solver.
+                      If not specified, the solver will be treated as the 'default'
+                      solver with the lowest priority, i.e. if any other solver has
+                      a more specific match, it will be used instead.
+                    properties:
+                      dnsNames:
+                        description: List of DNSNames that this solver will be used
+                          to solve. If specified and a match is found, a dnsNames
+                          selector will take precedence over a dnsZones selector.
+                          If multiple solvers match with the same dnsNames value,
+                          the solver with the most matching labels in matchLabels
+                          will be selected. If neither has more matches, the solver
+                          defined earlier in the list will be selected.
+                        items:
+                          type: string
+                        type: array
+                      dnsZones:
+                        description: List of DNSZones that this solver will be used
+                          to solve. The most specific DNS zone match specified here
+                          will take precedence over other DNS zone matches, so a solver
+                          specifying sys.example.com will be selected over one specifying
+                          example.com for the domain www.sys.example.com. If multiple
+                          solvers match with the same dnsZones value, the solver with
+                          the most matching labels in matchLabels will be selected.
+                          If neither has more matches, the solver defined earlier
+                          in the list will be selected.
+                        items:
+                          type: string
+                        type: array
+                      matchLabels:
+                        additionalProperties:
+                          type: string
+                        description: A label selector that is used to refine the set
+                          of certificate's that this challenge solver will apply to.
+                        type: object
+                    type: object
+                type: object
+              token:
+                description: The ACME challenge token for this challenge. This is
+                  the raw value returned from the ACME server.
+                type: string
+              type:
+                description: The type of ACME challenge this resource represents.
+                  One of "HTTP-01" or "DNS-01".
+                enum:
+                - HTTP-01
+                - DNS-01
+                type: string
+              url:
+                description: The URL of the ACME Challenge resource for this challenge.
+                  This can be used to lookup details about the status of this challenge.
+                type: string
+              wildcard:
+                description: wildcard will be true if this challenge is for a wildcard
+                  identifier, for example '*.example.com'.
+                type: boolean
+            required:
+            - authorizationURL
+            - dnsName
+            - issuerRef
+            - key
+            - solver
+            - token
+            - type
+            - url
+            type: object
+          status:
+            properties:
+              presented:
+                description: presented will be set to true if the challenge values
+                  for this challenge are currently 'presented'. This *does not* imply
+                  the self check is passing. Only that the values have been 'submitted'
+                  for the appropriate challenge mechanism (i.e. the DNS01 TXT record
+                  has been presented, or the HTTP01 configuration has been configured).
+                type: boolean
+              processing:
+                description: Used to denote whether this challenge should be processed
+                  or not. This field will only be set to true by the 'scheduling'
+                  component. It will only be set to false by the 'challenges' controller,
+                  after the challenge has reached a final state or timed out. If this
+                  field is set to false, the challenge controller will not take any
+                  more action.
+                type: boolean
+              reason:
+                description: Contains human readable information on why the Challenge
+                  is in the current state.
+                type: string
+              state:
+                description: Contains the current 'state' of the challenge. If not
+                  set, the state of the challenge is unknown.
+                enum:
+                - valid
+                - ready
+                - pending
+                - processing
+                - invalid
+                - expired
+                - errored
+                type: string
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .status.state
+      name: State
+      type: string
+    - jsonPath: .spec.dnsName
+      name: Domain
+      type: string
+    - jsonPath: .status.reason
+      name: Reason
+      priority: 1
+      type: string
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC.
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
+    schema:
+      openAPIV3Schema:
+        description: Challenge is a type to represent a Challenge request with an
+          ACME server
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              authorizationURL:
+                description: The URL to the ACME Authorization resource that this
+                  challenge is a part of.
+                type: string
+              dnsName:
+                description: dnsName is the identifier that this challenge is for,
+                  e.g. example.com. If the requested DNSName is a 'wildcard', this
+                  field MUST be set to the non-wildcard domain, e.g. for `*.example.com`,
+                  it must be `example.com`.
+                type: string
+              issuerRef:
+                description: References a properly configured ACME-type Issuer which
+                  should be used to create this Challenge. If the Issuer does not
+                  exist, processing will be retried. If the Issuer is not an 'ACME'
+                  Issuer, an error will be returned and the Challenge will be marked
+                  as failed.
+                properties:
+                  group:
+                    description: Group of the resource being referred to.
+                    type: string
+                  kind:
+                    description: Kind of the resource being referred to.
+                    type: string
+                  name:
+                    description: Name of the resource being referred to.
+                    type: string
+                required:
+                - name
+                type: object
+              key:
+                description: 'The ACME challenge key for this challenge For HTTP01
+                  challenges, this is the value that must be responded with to complete
+                  the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key
+                  from acme server for challenge>`. For DNS01 challenges, this is
+                  the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key
+                  from acme server for challenge>` text that must be set as the TXT
+                  record content.'
+                type: string
+              solver:
+                description: Contains the domain solving configuration that should
+                  be used to solve this challenge resource.
+                properties:
+                  dns01:
+                    description: Configures cert-manager to attempt to complete authorizations
+                      by performing the DNS01 challenge flow.
+                    properties:
+                      acmeDNS:
+                        description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
+                          API to manage DNS01 challenge records.
+                        properties:
+                          accountSecretRef:
+                            description: A reference to a specific 'key' within a
+                              Secret resource. In some instances, `key` is a required
+                              field.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          host:
+                            type: string
+                        required:
+                        - accountSecretRef
+                        - host
+                        type: object
+                      akamai:
+                        description: Use the Akamai DNS zone management API to manage
+                          DNS01 challenge records.
+                        properties:
+                          accessTokenSecretRef:
+                            description: A reference to a specific 'key' within a
+                              Secret resource. In some instances, `key` is a required
+                              field.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          clientSecretSecretRef:
+                            description: A reference to a specific 'key' within a
+                              Secret resource. In some instances, `key` is a required
+                              field.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          clientTokenSecretRef:
+                            description: A reference to a specific 'key' within a
+                              Secret resource. In some instances, `key` is a required
+                              field.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          serviceConsumerDomain:
+                            type: string
+                        required:
+                        - accessTokenSecretRef
+                        - clientSecretSecretRef
+                        - clientTokenSecretRef
+                        - serviceConsumerDomain
+                        type: object
+                      azureDNS:
+                        description: Use the Microsoft Azure DNS API to manage DNS01
+                          challenge records.
+                        properties:
+                          clientID:
+                            description: if both this and ClientSecret are left unset
+                              MSI will be used
+                            type: string
+                          clientSecretSecretRef:
+                            description: if both this and ClientID are left unset
+                              MSI will be used
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          environment:
+                            enum:
+                            - AzurePublicCloud
+                            - AzureChinaCloud
+                            - AzureGermanCloud
+                            - AzureUSGovernmentCloud
+                            type: string
+                          hostedZoneName:
+                            type: string
+                          resourceGroupName:
+                            type: string
+                          subscriptionID:
+                            type: string
+                          tenantID:
+                            description: when specifying ClientID and ClientSecret
+                              then this field is also needed
+                            type: string
+                        required:
+                        - resourceGroupName
+                        - subscriptionID
+                        type: object
+                      cloudDNS:
+                        description: Use the Google Cloud DNS API to manage DNS01
+                          challenge records.
+                        properties:
+                          hostedZoneName:
+                            description: HostedZoneName is an optional field that
+                              tells cert-manager in which Cloud DNS zone the challenge
+                              record has to be created. If left empty cert-manager
+                              will automatically choose a zone.
+                            type: string
+                          project:
+                            type: string
+                          serviceAccountSecretRef:
+                            description: A reference to a specific 'key' within a
+                              Secret resource. In some instances, `key` is a required
+                              field.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - project
+                        type: object
+                      cloudflare:
+                        description: Use the Cloudflare API to manage DNS01 challenge
+                          records.
+                        properties:
+                          apiKeySecretRef:
+                            description: 'API key to use to authenticate with Cloudflare.
+                              Note: using an API token to authenticate is now the
+                              recommended method as it allows greater control of permissions.'
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          apiTokenSecretRef:
+                            description: API token used to authenticate with Cloudflare.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          email:
+                            description: Email of the account, only required when
+                              using API key based authentication.
+                            type: string
+                        type: object
+                      cnameStrategy:
+                        description: CNAMEStrategy configures how the DNS01 provider
+                          should handle CNAME records when found in DNS zones.
+                        enum:
+                        - None
+                        - Follow
+                        type: string
+                      digitalocean:
+                        description: Use the DigitalOcean DNS API to manage DNS01
+                          challenge records.
+                        properties:
+                          tokenSecretRef:
+                            description: A reference to a specific 'key' within a
+                              Secret resource. In some instances, `key` is a required
+                              field.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - tokenSecretRef
+                        type: object
+                      rfc2136:
+                        description: Use RFC2136 ("Dynamic Updates in the Domain Name
+                          System") (https://datatracker.ietf.org/doc/rfc2136/) to
+                          manage DNS01 challenge records.
+                        properties:
+                          nameserver:
+                            description: The IP address or hostname of an authoritative
+                              DNS server supporting RFC2136 in the form host:port.
+                              If the host is an IPv6 address it must be enclosed in
+                              square brackets (e.g [2001:db8::1]) ; port is optional.
+                              This field is required.
+                            type: string
+                          tsigAlgorithm:
+                            description: 'The TSIG Algorithm configured in the DNS
+                              supporting RFC2136. Used only when ``tsigSecretSecretRef``
+                              and ``tsigKeyName`` are defined. Supported values are
+                              (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``,
+                              ``HMACSHA256`` or ``HMACSHA512``.'
+                            type: string
+                          tsigKeyName:
+                            description: The TSIG Key name configured in the DNS.
+                              If ``tsigSecretSecretRef`` is defined, this field is
+                              required.
+                            type: string
+                          tsigSecretSecretRef:
+                            description: The name of the secret containing the TSIG
+                              value. If ``tsigKeyName`` is defined, this field is
+                              required.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - nameserver
+                        type: object
+                      route53:
+                        description: Use the AWS Route53 API to manage DNS01 challenge
+                          records.
+                        properties:
+                          accessKeyID:
+                            description: 'The AccessKeyID is used for authentication.
+                              If not set we fall-back to using env vars, shared credentials
+                              file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                            type: string
+                          hostedZoneID:
+                            description: If set, the provider will manage only this
+                              zone in Route53 and will not do an lookup using the
+                              route53:ListHostedZonesByName api call.
+                            type: string
+                          region:
+                            description: Always set the region when using AccessKeyID
+                              and SecretAccessKey
+                            type: string
+                          role:
+                            description: Role is a Role ARN which the Route53 provider
+                              will assume using either the explicit credentials AccessKeyID/SecretAccessKey
+                              or the inferred credentials from environment variables,
+                              shared credentials file or AWS Instance metadata
+                            type: string
+                          secretAccessKeySecretRef:
+                            description: The SecretAccessKey is used for authentication.
+                              If not set we fall-back to using env vars, shared credentials
+                              file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - region
+                        type: object
+                      webhook:
+                        description: Configure an external webhook based DNS01 challenge
+                          solver to manage DNS01 challenge records.
+                        properties:
+                          config:
+                            description: Additional configuration that should be passed
+                              to the webhook apiserver when challenges are processed.
+                              This can contain arbitrary JSON data. Secret values
+                              should not be specified in this stanza. If secret values
+                              are needed (e.g. credentials for a DNS service), you
+                              should use a SecretKeySelector to reference a Secret
+                              resource. For details on the schema of this field, consult
+                              the webhook provider implementation's documentation.
+                            x-kubernetes-preserve-unknown-fields: true
+                          groupName:
+                            description: The API group name that should be used when
+                              POSTing ChallengePayload resources to the webhook apiserver.
+                              This should be the same as the GroupName specified in
+                              the webhook provider implementation.
+                            type: string
+                          solverName:
+                            description: The name of the solver to use, as defined
+                              in the webhook provider implementation. This will typically
+                              be the name of the provider, e.g. 'cloudflare'.
+                            type: string
+                        required:
+                        - groupName
+                        - solverName
+                        type: object
+                    type: object
+                  http01:
+                    description: Configures cert-manager to attempt to complete authorizations
+                      by performing the HTTP01 challenge flow. It is not possible
+                      to obtain certificates for wildcard domain names (e.g. `*.example.com`)
+                      using the HTTP01 challenge mechanism.
+                    properties:
+                      ingress:
+                        description: The ingress based HTTP01 challenge solver will
+                          solve challenges by creating or modifying Ingress resources
+                          in order to route requests for '/.well-known/acme-challenge/XYZ'
+                          to 'challenge solver' pods that are provisioned by cert-manager
+                          for each Challenge to be completed.
+                        properties:
+                          class:
+                            description: The ingress class to use when creating Ingress
+                              resources to solve ACME challenges that use this challenge
+                              solver. Only one of 'class' or 'name' may be specified.
+                            type: string
+                          ingressTemplate:
+                            description: Optional ingress template used to configure
+                              the ACME challenge solver ingress used for HTTP01 challenges
+                            properties:
+                              metadata:
+                                description: ObjectMeta overrides for the ingress
+                                  used to solve HTTP01 challenges. Only the 'labels'
+                                  and 'annotations' fields may be set. If labels or
+                                  annotations overlap with in-built values, the values
+                                  here will override the in-built values.
+                                properties:
+                                  annotations:
+                                    additionalProperties:
+                                      type: string
+                                    description: Annotations that should be added
+                                      to the created ACME HTTP01 solver ingress.
+                                    type: object
+                                  labels:
+                                    additionalProperties:
+                                      type: string
+                                    description: Labels that should be added to the
+                                      created ACME HTTP01 solver ingress.
+                                    type: object
+                                type: object
+                            type: object
+                          name:
+                            description: The name of the ingress resource that should
+                              have ACME challenge solving routes inserted into it
+                              in order to solve HTTP01 challenges. This is typically
+                              used in conjunction with ingress controllers like ingress-gce,
+                              which maintains a 1:1 mapping between external IPs and
+                              ingress resources.
+                            type: string
+                          podTemplate:
+                            description: Optional pod template used to configure the
+                              ACME challenge solver pods used for HTTP01 challenges
+                            properties:
+                              metadata:
+                                description: ObjectMeta overrides for the pod used
+                                  to solve HTTP01 challenges. Only the 'labels' and
+                                  'annotations' fields may be set. If labels or annotations
+                                  overlap with in-built values, the values here will
+                                  override the in-built values.
+                                properties:
+                                  annotations:
+                                    additionalProperties:
+                                      type: string
+                                    description: Annotations that should be added
+                                      to the create ACME HTTP01 solver pods.
+                                    type: object
+                                  labels:
+                                    additionalProperties:
+                                      type: string
+                                    description: Labels that should be added to the
+                                      created ACME HTTP01 solver pods.
+                                    type: object
+                                type: object
+                              spec:
+                                description: PodSpec defines overrides for the HTTP01
+                                  challenge solver pod. Only the 'priorityClassName',
+                                  'nodeSelector', 'affinity', 'serviceAccountName'
+                                  and 'tolerations' fields are supported currently.
+                                  All other fields will be ignored.
+                                properties:
+                                  affinity:
+                                    description: If specified, the pod's scheduling
+                                      constraints
+                                    properties:
+                                      nodeAffinity:
+                                        description: Describes node affinity scheduling
+                                          rules for the pod.
+                                        properties:
+                                          preferredDuringSchedulingIgnoredDuringExecution:
+                                            description: The scheduler will prefer
+                                              to schedule pods to nodes that satisfy
+                                              the affinity expressions specified by
+                                              this field, but it may choose a node
+                                              that violates one or more of the expressions.
+                                              The node that is most preferred is the
+                                              one with the greatest sum of weights,
+                                              i.e. for each node that meets all of
+                                              the scheduling requirements (resource
+                                              request, requiredDuringScheduling affinity
+                                              expressions, etc.), compute a sum by
+                                              iterating through the elements of this
+                                              field and adding "weight" to the sum
+                                              if the node matches the corresponding
+                                              matchExpressions; the node(s) with the
+                                              highest sum are the most preferred.
+                                            items:
+                                              description: An empty preferred scheduling
+                                                term matches all objects with implicit
+                                                weight 0 (i.e. it's a no-op). A null
+                                                preferred scheduling term matches
+                                                no objects (i.e. is also a no-op).
+                                              properties:
+                                                preference:
+                                                  description: A node selector term,
+                                                    associated with the corresponding
+                                                    weight.
+                                                  properties:
+                                                    matchExpressions:
+                                                      description: A list of node
+                                                        selector requirements by node's
+                                                        labels.
+                                                      items:
+                                                        description: A node selector
+                                                          requirement is a selector
+                                                          that contains values, a
+                                                          key, and an operator that
+                                                          relates the key and values.
+                                                        properties:
+                                                          key:
+                                                            description: The label
+                                                              key that the selector
+                                                              applies to.
+                                                            type: string
+                                                          operator:
+                                                            description: Represents
+                                                              a key's relationship
+                                                              to a set of values.
+                                                              Valid operators are
+                                                              In, NotIn, Exists, DoesNotExist.
+                                                              Gt, and Lt.
+                                                            type: string
+                                                          values:
+                                                            description: An array
+                                                              of string values. If
+                                                              the operator is In or
+                                                              NotIn, the values array
+                                                              must be non-empty. If
+                                                              the operator is Exists
+                                                              or DoesNotExist, the
+                                                              values array must be
+                                                              empty. If the operator
+                                                              is Gt or Lt, the values
+                                                              array must have a single
+                                                              element, which will
+                                                              be interpreted as an
+                                                              integer. This array
+                                                              is replaced during a
+                                                              strategic merge patch.
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                        required:
+                                                        - key
+                                                        - operator
+                                                        type: object
+                                                      type: array
+                                                    matchFields:
+                                                      description: A list of node
+                                                        selector requirements by node's
+                                                        fields.
+                                                      items:
+                                                        description: A node selector
+                                                          requirement is a selector
+                                                          that contains values, a
+                                                          key, and an operator that
+                                                          relates the key and values.
+                                                        properties:
+                                                          key:
+                                                            description: The label
+                                                              key that the selector
+                                                              applies to.
+                                                            type: string
+                                                          operator:
+                                                            description: Represents
+                                                              a key's relationship
+                                                              to a set of values.
+                                                              Valid operators are
+                                                              In, NotIn, Exists, DoesNotExist.
+                                                              Gt, and Lt.
+                                                            type: string
+                                                          values:
+                                                            description: An array
+                                                              of string values. If
+                                                              the operator is In or
+                                                              NotIn, the values array
+                                                              must be non-empty. If
+                                                              the operator is Exists
+                                                              or DoesNotExist, the
+                                                              values array must be
+                                                              empty. If the operator
+                                                              is Gt or Lt, the values
+                                                              array must have a single
+                                                              element, which will
+                                                              be interpreted as an
+                                                              integer. This array
+                                                              is replaced during a
+                                                              strategic merge patch.
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                        required:
+                                                        - key
+                                                        - operator
+                                                        type: object
+                                                      type: array
+                                                  type: object
+                                                weight:
+                                                  description: Weight associated with
+                                                    matching the corresponding nodeSelectorTerm,
+                                                    in the range 1-100.
+                                                  format: int32
+                                                  type: integer
+                                              required:
+                                              - preference
+                                              - weight
+                                              type: object
+                                            type: array
+                                          requiredDuringSchedulingIgnoredDuringExecution:
+                                            description: If the affinity requirements
+                                              specified by this field are not met
+                                              at scheduling time, the pod will not
+                                              be scheduled onto the node. If the affinity
+                                              requirements specified by this field
+                                              cease to be met at some point during
+                                              pod execution (e.g. due to an update),
+                                              the system may or may not try to eventually
+                                              evict the pod from its node.
+                                            properties:
+                                              nodeSelectorTerms:
+                                                description: Required. A list of node
+                                                  selector terms. The terms are ORed.
+                                                items:
+                                                  description: A null or empty node
+                                                    selector term matches no objects.
+                                                    The requirements of them are ANDed.
+                                                    The TopologySelectorTerm type
+                                                    implements a subset of the NodeSelectorTerm.
+                                                  properties:
+                                                    matchExpressions:
+                                                      description: A list of node
+                                                        selector requirements by node's
+                                                        labels.
+                                                      items:
+                                                        description: A node selector
+                                                          requirement is a selector
+                                                          that contains values, a
+                                                          key, and an operator that
+                                                          relates the key and values.
+                                                        properties:
+                                                          key:
+                                                            description: The label
+                                                              key that the selector
+                                                              applies to.
+                                                            type: string
+                                                          operator:
+                                                            description: Represents
+                                                              a key's relationship
+                                                              to a set of values.
+                                                              Valid operators are
+                                                              In, NotIn, Exists, DoesNotExist.
+                                                              Gt, and Lt.
+                                                            type: string
+                                                          values:
+                                                            description: An array
+                                                              of string values. If
+                                                              the operator is In or
+                                                              NotIn, the values array
+                                                              must be non-empty. If
+                                                              the operator is Exists
+                                                              or DoesNotExist, the
+                                                              values array must be
+                                                              empty. If the operator
+                                                              is Gt or Lt, the values
+                                                              array must have a single
+                                                              element, which will
+                                                              be interpreted as an
+                                                              integer. This array
+                                                              is replaced during a
+                                                              strategic merge patch.
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                        required:
+                                                        - key
+                                                        - operator
+                                                        type: object
+                                                      type: array
+                                                    matchFields:
+                                                      description: A list of node
+                                                        selector requirements by node's
+                                                        fields.
+                                                      items:
+                                                        description: A node selector
+                                                          requirement is a selector
+                                                          that contains values, a
+                                                          key, and an operator that
+                                                          relates the key and values.
+                                                        properties:
+                                                          key:
+                                                            description: The label
+                                                              key that the selector
+                                                              applies to.
+                                                            type: string
+                                                          operator:
+                                                            description: Represents
+                                                              a key's relationship
+                                                              to a set of values.
+                                                              Valid operators are
+                                                              In, NotIn, Exists, DoesNotExist.
+                                                              Gt, and Lt.
+                                                            type: string
+                                                          values:
+                                                            description: An array
+                                                              of string values. If
+                                                              the operator is In or
+                                                              NotIn, the values array
+                                                              must be non-empty. If
+                                                              the operator is Exists
+                                                              or DoesNotExist, the
+                                                              values array must be
+                                                              empty. If the operator
+                                                              is Gt or Lt, the values
+                                                              array must have a single
+                                                              element, which will
+                                                              be interpreted as an
+                                                              integer. This array
+                                                              is replaced during a
+                                                              strategic merge patch.
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                        required:
+                                                        - key
+                                                        - operator
+                                                        type: object
+                                                      type: array
+                                                  type: object
+                                                type: array
+                                            required:
+                                            - nodeSelectorTerms
+                                            type: object
+                                        type: object
+                                      podAffinity:
+                                        description: Describes pod affinity scheduling
+                                          rules (e.g. co-locate this pod in the same
+                                          node, zone, etc. as some other pod(s)).
+                                        properties:
+                                          preferredDuringSchedulingIgnoredDuringExecution:
+                                            description: The scheduler will prefer
+                                              to schedule pods to nodes that satisfy
+                                              the affinity expressions specified by
+                                              this field, but it may choose a node
+                                              that violates one or more of the expressions.
+                                              The node that is most preferred is the
+                                              one with the greatest sum of weights,
+                                              i.e. for each node that meets all of
+                                              the scheduling requirements (resource
+                                              request, requiredDuringScheduling affinity
+                                              expressions, etc.), compute a sum by
+                                              iterating through the elements of this
+                                              field and adding "weight" to the sum
+                                              if the node has pods which matches the
+                                              corresponding podAffinityTerm; the node(s)
+                                              with the highest sum are the most preferred.
+                                            items:
+                                              description: The weights of all of the
+                                                matched WeightedPodAffinityTerm fields
+                                                are added per-node to find the most
+                                                preferred node(s)
+                                              properties:
+                                                podAffinityTerm:
+                                                  description: Required. A pod affinity
+                                                    term, associated with the corresponding
+                                                    weight.
+                                                  properties:
+                                                    labelSelector:
+                                                      description: A label query over
+                                                        a set of resources, in this
+                                                        case pods.
+                                                      properties:
+                                                        matchExpressions:
+                                                          description: matchExpressions
+                                                            is a list of label selector
+                                                            requirements. The requirements
+                                                            are ANDed.
+                                                          items:
+                                                            description: A label selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            properties:
+                                                              key:
+                                                                description: key is
+                                                                  the label key that
+                                                                  the selector applies
+                                                                  to.
+                                                                type: string
+                                                              operator:
+                                                                description: operator
+                                                                  represents a key's
+                                                                  relationship to
+                                                                  a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists
+                                                                  and DoesNotExist.
+                                                                type: string
+                                                              values:
+                                                                description: values
+                                                                  is an array of string
+                                                                  values. If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                items:
+                                                                  type: string
+                                                                type: array
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            type: object
+                                                          type: array
+                                                        matchLabels:
+                                                          additionalProperties:
+                                                            type: string
+                                                          description: matchLabels
+                                                            is a map of {key,value}
+                                                            pairs. A single {key,value}
+                                                            in the matchLabels map
+                                                            is equivalent to an element
+                                                            of matchExpressions, whose
+                                                            key field is "key", the
+                                                            operator is "In", and
+                                                            the values array contains
+                                                            only "value". The requirements
+                                                            are ANDed.
+                                                          type: object
+                                                      type: object
+                                                    namespaces:
+                                                      description: namespaces specifies
+                                                        which namespaces the labelSelector
+                                                        applies to (matches against);
+                                                        null or empty list means "this
+                                                        pod's namespace"
+                                                      items:
+                                                        type: string
+                                                      type: array
+                                                    topologyKey:
+                                                      description: This pod should
+                                                        be co-located (affinity) or
+                                                        not co-located (anti-affinity)
+                                                        with the pods matching the
+                                                        labelSelector in the specified
+                                                        namespaces, where co-located
+                                                        is defined as running on a
+                                                        node whose value of the label
+                                                        with key topologyKey matches
+                                                        that of any node on which
+                                                        any of the selected pods is
+                                                        running. Empty topologyKey
+                                                        is not allowed.
+                                                      type: string
+                                                  required:
+                                                  - topologyKey
+                                                  type: object
+                                                weight:
+                                                  description: weight associated with
+                                                    matching the corresponding podAffinityTerm,
+                                                    in the range 1-100.
+                                                  format: int32
+                                                  type: integer
+                                              required:
+                                              - podAffinityTerm
+                                              - weight
+                                              type: object
+                                            type: array
+                                          requiredDuringSchedulingIgnoredDuringExecution:
+                                            description: If the affinity requirements
+                                              specified by this field are not met
+                                              at scheduling time, the pod will not
+                                              be scheduled onto the node. If the affinity
+                                              requirements specified by this field
+                                              cease to be met at some point during
+                                              pod execution (e.g. due to a pod label
+                                              update), the system may or may not try
+                                              to eventually evict the pod from its
+                                              node. When there are multiple elements,
+                                              the lists of nodes corresponding to
+                                              each podAffinityTerm are intersected,
+                                              i.e. all terms must be satisfied.
+                                            items:
+                                              description: Defines a set of pods (namely
+                                                those matching the labelSelector relative
+                                                to the given namespace(s)) that this
+                                                pod should be co-located (affinity)
+                                                or not co-located (anti-affinity)
+                                                with, where co-located is defined
+                                                as running on a node whose value of
+                                                the label with key <topologyKey> matches
+                                                that of any node on which a pod of
+                                                the set of pods is running
+                                              properties:
+                                                labelSelector:
+                                                  description: A label query over
+                                                    a set of resources, in this case
+                                                    pods.
+                                                  properties:
+                                                    matchExpressions:
+                                                      description: matchExpressions
+                                                        is a list of label selector
+                                                        requirements. The requirements
+                                                        are ANDed.
+                                                      items:
+                                                        description: A label selector
+                                                          requirement is a selector
+                                                          that contains values, a
+                                                          key, and an operator that
+                                                          relates the key and values.
+                                                        properties:
+                                                          key:
+                                                            description: key is the
+                                                              label key that the selector
+                                                              applies to.
+                                                            type: string
+                                                          operator:
+                                                            description: operator
+                                                              represents a key's relationship
+                                                              to a set of values.
+                                                              Valid operators are
+                                                              In, NotIn, Exists and
+                                                              DoesNotExist.
+                                                            type: string
+                                                          values:
+                                                            description: values is
+                                                              an array of string values.
+                                                              If the operator is In
+                                                              or NotIn, the values
+                                                              array must be non-empty.
+                                                              If the operator is Exists
+                                                              or DoesNotExist, the
+                                                              values array must be
+                                                              empty. This array is
+                                                              replaced during a strategic
+                                                              merge patch.
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                        required:
+                                                        - key
+                                                        - operator
+                                                        type: object
+                                                      type: array
+                                                    matchLabels:
+                                                      additionalProperties:
+                                                        type: string
+                                                      description: matchLabels is
+                                                        a map of {key,value} pairs.
+                                                        A single {key,value} in the
+                                                        matchLabels map is equivalent
+                                                        to an element of matchExpressions,
+                                                        whose key field is "key",
+                                                        the operator is "In", and
+                                                        the values array contains
+                                                        only "value". The requirements
+                                                        are ANDed.
+                                                      type: object
+                                                  type: object
+                                                namespaces:
+                                                  description: namespaces specifies
+                                                    which namespaces the labelSelector
+                                                    applies to (matches against);
+                                                    null or empty list means "this
+                                                    pod's namespace"
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                                topologyKey:
+                                                  description: This pod should be
+                                                    co-located (affinity) or not co-located
+                                                    (anti-affinity) with the pods
+                                                    matching the labelSelector in
+                                                    the specified namespaces, where
+                                                    co-located is defined as running
+                                                    on a node whose value of the label
+                                                    with key topologyKey matches that
+                                                    of any node on which any of the
+                                                    selected pods is running. Empty
+                                                    topologyKey is not allowed.
+                                                  type: string
+                                              required:
+                                              - topologyKey
+                                              type: object
+                                            type: array
+                                        type: object
+                                      podAntiAffinity:
+                                        description: Describes pod anti-affinity scheduling
+                                          rules (e.g. avoid putting this pod in the
+                                          same node, zone, etc. as some other pod(s)).
+                                        properties:
+                                          preferredDuringSchedulingIgnoredDuringExecution:
+                                            description: The scheduler will prefer
+                                              to schedule pods to nodes that satisfy
+                                              the anti-affinity expressions specified
+                                              by this field, but it may choose a node
+                                              that violates one or more of the expressions.
+                                              The node that is most preferred is the
+                                              one with the greatest sum of weights,
+                                              i.e. for each node that meets all of
+                                              the scheduling requirements (resource
+                                              request, requiredDuringScheduling anti-affinity
+                                              expressions, etc.), compute a sum by
+                                              iterating through the elements of this
+                                              field and adding "weight" to the sum
+                                              if the node has pods which matches the
+                                              corresponding podAffinityTerm; the node(s)
+                                              with the highest sum are the most preferred.
+                                            items:
+                                              description: The weights of all of the
+                                                matched WeightedPodAffinityTerm fields
+                                                are added per-node to find the most
+                                                preferred node(s)
+                                              properties:
+                                                podAffinityTerm:
+                                                  description: Required. A pod affinity
+                                                    term, associated with the corresponding
+                                                    weight.
+                                                  properties:
+                                                    labelSelector:
+                                                      description: A label query over
+                                                        a set of resources, in this
+                                                        case pods.
+                                                      properties:
+                                                        matchExpressions:
+                                                          description: matchExpressions
+                                                            is a list of label selector
+                                                            requirements. The requirements
+                                                            are ANDed.
+                                                          items:
+                                                            description: A label selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            properties:
+                                                              key:
+                                                                description: key is
+                                                                  the label key that
+                                                                  the selector applies
+                                                                  to.
+                                                                type: string
+                                                              operator:
+                                                                description: operator
+                                                                  represents a key's
+                                                                  relationship to
+                                                                  a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists
+                                                                  and DoesNotExist.
+                                                                type: string
+                                                              values:
+                                                                description: values
+                                                                  is an array of string
+                                                                  values. If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                items:
+                                                                  type: string
+                                                                type: array
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            type: object
+                                                          type: array
+                                                        matchLabels:
+                                                          additionalProperties:
+                                                            type: string
+                                                          description: matchLabels
+                                                            is a map of {key,value}
+                                                            pairs. A single {key,value}
+                                                            in the matchLabels map
+                                                            is equivalent to an element
+                                                            of matchExpressions, whose
+                                                            key field is "key", the
+                                                            operator is "In", and
+                                                            the values array contains
+                                                            only "value". The requirements
+                                                            are ANDed.
+                                                          type: object
+                                                      type: object
+                                                    namespaces:
+                                                      description: namespaces specifies
+                                                        which namespaces the labelSelector
+                                                        applies to (matches against);
+                                                        null or empty list means "this
+                                                        pod's namespace"
+                                                      items:
+                                                        type: string
+                                                      type: array
+                                                    topologyKey:
+                                                      description: This pod should
+                                                        be co-located (affinity) or
+                                                        not co-located (anti-affinity)
+                                                        with the pods matching the
+                                                        labelSelector in the specified
+                                                        namespaces, where co-located
+                                                        is defined as running on a
+                                                        node whose value of the label
+                                                        with key topologyKey matches
+                                                        that of any node on which
+                                                        any of the selected pods is
+                                                        running. Empty topologyKey
+                                                        is not allowed.
+                                                      type: string
+                                                  required:
+                                                  - topologyKey
+                                                  type: object
+                                                weight:
+                                                  description: weight associated with
+                                                    matching the corresponding podAffinityTerm,
+                                                    in the range 1-100.
+                                                  format: int32
+                                                  type: integer
+                                              required:
+                                              - podAffinityTerm
+                                              - weight
+                                              type: object
+                                            type: array
+                                          requiredDuringSchedulingIgnoredDuringExecution:
+                                            description: If the anti-affinity requirements
+                                              specified by this field are not met
+                                              at scheduling time, the pod will not
+                                              be scheduled onto the node. If the anti-affinity
+                                              requirements specified by this field
+                                              cease to be met at some point during
+                                              pod execution (e.g. due to a pod label
+                                              update), the system may or may not try
+                                              to eventually evict the pod from its
+                                              node. When there are multiple elements,
+                                              the lists of nodes corresponding to
+                                              each podAffinityTerm are intersected,
+                                              i.e. all terms must be satisfied.
+                                            items:
+                                              description: Defines a set of pods (namely
+                                                those matching the labelSelector relative
+                                                to the given namespace(s)) that this
+                                                pod should be co-located (affinity)
+                                                or not co-located (anti-affinity)
+                                                with, where co-located is defined
+                                                as running on a node whose value of
+                                                the label with key <topologyKey> matches
+                                                that of any node on which a pod of
+                                                the set of pods is running
+                                              properties:
+                                                labelSelector:
+                                                  description: A label query over
+                                                    a set of resources, in this case
+                                                    pods.
+                                                  properties:
+                                                    matchExpressions:
+                                                      description: matchExpressions
+                                                        is a list of label selector
+                                                        requirements. The requirements
+                                                        are ANDed.
+                                                      items:
+                                                        description: A label selector
+                                                          requirement is a selector
+                                                          that contains values, a
+                                                          key, and an operator that
+                                                          relates the key and values.
+                                                        properties:
+                                                          key:
+                                                            description: key is the
+                                                              label key that the selector
+                                                              applies to.
+                                                            type: string
+                                                          operator:
+                                                            description: operator
+                                                              represents a key's relationship
+                                                              to a set of values.
+                                                              Valid operators are
+                                                              In, NotIn, Exists and
+                                                              DoesNotExist.
+                                                            type: string
+                                                          values:
+                                                            description: values is
+                                                              an array of string values.
+                                                              If the operator is In
+                                                              or NotIn, the values
+                                                              array must be non-empty.
+                                                              If the operator is Exists
+                                                              or DoesNotExist, the
+                                                              values array must be
+                                                              empty. This array is
+                                                              replaced during a strategic
+                                                              merge patch.
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                        required:
+                                                        - key
+                                                        - operator
+                                                        type: object
+                                                      type: array
+                                                    matchLabels:
+                                                      additionalProperties:
+                                                        type: string
+                                                      description: matchLabels is
+                                                        a map of {key,value} pairs.
+                                                        A single {key,value} in the
+                                                        matchLabels map is equivalent
+                                                        to an element of matchExpressions,
+                                                        whose key field is "key",
+                                                        the operator is "In", and
+                                                        the values array contains
+                                                        only "value". The requirements
+                                                        are ANDed.
+                                                      type: object
+                                                  type: object
+                                                namespaces:
+                                                  description: namespaces specifies
+                                                    which namespaces the labelSelector
+                                                    applies to (matches against);
+                                                    null or empty list means "this
+                                                    pod's namespace"
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                                topologyKey:
+                                                  description: This pod should be
+                                                    co-located (affinity) or not co-located
+                                                    (anti-affinity) with the pods
+                                                    matching the labelSelector in
+                                                    the specified namespaces, where
+                                                    co-located is defined as running
+                                                    on a node whose value of the label
+                                                    with key topologyKey matches that
+                                                    of any node on which any of the
+                                                    selected pods is running. Empty
+                                                    topologyKey is not allowed.
+                                                  type: string
+                                              required:
+                                              - topologyKey
+                                              type: object
+                                            type: array
+                                        type: object
+                                    type: object
+                                  nodeSelector:
+                                    additionalProperties:
+                                      type: string
+                                    description: 'NodeSelector is a selector which
+                                      must be true for the pod to fit on a node. Selector
+                                      which must match a node''s labels for the pod
+                                      to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
+                                    type: object
+                                  priorityClassName:
+                                    description: If specified, the pod's priorityClassName.
+                                    type: string
+                                  serviceAccountName:
+                                    description: If specified, the pod's service account
+                                    type: string
+                                  tolerations:
+                                    description: If specified, the pod's tolerations.
+                                    items:
+                                      description: The pod this Toleration is attached
+                                        to tolerates any taint that matches the triple
+                                        <key,value,effect> using the matching operator
+                                        <operator>.
+                                      properties:
+                                        effect:
+                                          description: Effect indicates the taint
+                                            effect to match. Empty means match all
+                                            taint effects. When specified, allowed
+                                            values are NoSchedule, PreferNoSchedule
+                                            and NoExecute.
+                                          type: string
+                                        key:
+                                          description: Key is the taint key that the
+                                            toleration applies to. Empty means match
+                                            all taint keys. If the key is empty, operator
+                                            must be Exists; this combination means
+                                            to match all values and all keys.
+                                          type: string
+                                        operator:
+                                          description: Operator represents a key's
+                                            relationship to the value. Valid operators
+                                            are Exists and Equal. Defaults to Equal.
+                                            Exists is equivalent to wildcard for value,
+                                            so that a pod can tolerate all taints
+                                            of a particular category.
+                                          type: string
+                                        tolerationSeconds:
+                                          description: TolerationSeconds represents
+                                            the period of time the toleration (which
+                                            must be of effect NoExecute, otherwise
+                                            this field is ignored) tolerates the taint.
+                                            By default, it is not set, which means
+                                            tolerate the taint forever (do not evict).
+                                            Zero and negative values will be treated
+                                            as 0 (evict immediately) by the system.
+                                          format: int64
+                                          type: integer
+                                        value:
+                                          description: Value is the taint value the
+                                            toleration matches to. If the operator
+                                            is Exists, the value should be empty,
+                                            otherwise just a regular string.
+                                          type: string
+                                      type: object
+                                    type: array
+                                type: object
+                            type: object
+                          serviceType:
+                            description: Optional service type for Kubernetes solver
+                              service
+                            type: string
+                        type: object
+                    type: object
+                  selector:
+                    description: Selector selects a set of DNSNames on the Certificate
+                      resource that should be solved using this challenge solver.
+                      If not specified, the solver will be treated as the 'default'
+                      solver with the lowest priority, i.e. if any other solver has
+                      a more specific match, it will be used instead.
+                    properties:
+                      dnsNames:
+                        description: List of DNSNames that this solver will be used
+                          to solve. If specified and a match is found, a dnsNames
+                          selector will take precedence over a dnsZones selector.
+                          If multiple solvers match with the same dnsNames value,
+                          the solver with the most matching labels in matchLabels
+                          will be selected. If neither has more matches, the solver
+                          defined earlier in the list will be selected.
+                        items:
+                          type: string
+                        type: array
+                      dnsZones:
+                        description: List of DNSZones that this solver will be used
+                          to solve. The most specific DNS zone match specified here
+                          will take precedence over other DNS zone matches, so a solver
+                          specifying sys.example.com will be selected over one specifying
+                          example.com for the domain www.sys.example.com. If multiple
+                          solvers match with the same dnsZones value, the solver with
+                          the most matching labels in matchLabels will be selected.
+                          If neither has more matches, the solver defined earlier
+                          in the list will be selected.
+                        items:
+                          type: string
+                        type: array
+                      matchLabels:
+                        additionalProperties:
+                          type: string
+                        description: A label selector that is used to refine the set
+                          of certificate's that this challenge solver will apply to.
+                        type: object
+                    type: object
+                type: object
+              token:
+                description: The ACME challenge token for this challenge. This is
+                  the raw value returned from the ACME server.
+                type: string
+              type:
+                description: The type of ACME challenge this resource represents.
+                  One of "HTTP-01" or "DNS-01".
+                enum:
+                - HTTP-01
+                - DNS-01
+                type: string
+              url:
+                description: The URL of the ACME Challenge resource for this challenge.
+                  This can be used to lookup details about the status of this challenge.
+                type: string
+              wildcard:
+                description: wildcard will be true if this challenge is for a wildcard
+                  identifier, for example '*.example.com'.
+                type: boolean
+            required:
+            - authorizationURL
+            - dnsName
+            - issuerRef
+            - key
+            - solver
+            - token
+            - type
+            - url
+            type: object
+          status:
+            properties:
+              presented:
+                description: presented will be set to true if the challenge values
+                  for this challenge are currently 'presented'. This *does not* imply
+                  the self check is passing. Only that the values have been 'submitted'
+                  for the appropriate challenge mechanism (i.e. the DNS01 TXT record
+                  has been presented, or the HTTP01 configuration has been configured).
+                type: boolean
+              processing:
+                description: Used to denote whether this challenge should be processed
+                  or not. This field will only be set to true by the 'scheduling'
+                  component. It will only be set to false by the 'challenges' controller,
+                  after the challenge has reached a final state or timed out. If this
+                  field is set to false, the challenge controller will not take any
+                  more action.
+                type: boolean
+              reason:
+                description: Contains human readable information on why the Challenge
+                  is in the current state.
+                type: string
+              state:
+                description: Contains the current 'state' of the challenge. If not
+                  set, the state of the challenge is unknown.
+                enum:
+                - valid
+                - ready
+                - pending
+                - processing
+                - invalid
+                - expired
+                - errored
+                type: string
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
+  labels:
+    app: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: clusterissuers.cert-manager.io
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          name: cert-manager-webhook
+          namespace: cert-manager
+          path: /convert
+      conversionReviewVersions:
+      - v1
+      - v1beta1
+  group: cert-manager.io
+  names:
+    kind: ClusterIssuer
+    listKind: ClusterIssuerList
+    plural: clusterissuers
+    singular: clusterissuer
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].message
+      name: Status
+      priority: 1
+      type: string
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC.
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: A ClusterIssuer represents a certificate issuing authority which
+          can be referenced as part of `issuerRef` fields. It is similar to an Issuer,
+          however it is cluster-scoped and therefore can be referenced by resources
+          that exist in *any* namespace, not just the same namespace as the referent.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Desired state of the ClusterIssuer resource.
+            properties:
+              acme:
+                description: ACME configures this issuer to communicate with a RFC8555
+                  (ACME) server to obtain signed x509 certificates.
+                properties:
+                  disableAccountKeyGeneration:
+                    description: Enables or disables generating a new ACME account
+                      key. If true, the Issuer resource will *not* request a new account
+                      but will expect the account key to be supplied via an existing
+                      secret. If false, the cert-manager system will generate a new
+                      ACME account key for the Issuer. Defaults to false.
+                    type: boolean
+                  email:
+                    description: Email is the email address to be associated with
+                      the ACME account. This field is optional, but it is strongly
+                      recommended to be set. It will be used to contact you in case
+                      of issues with your account or certificates, including expiry
+                      notification emails. This field may be updated after the account
+                      is initially registered.
+                    type: string
+                  externalAccountBinding:
+                    description: ExternalAccountBinding is a reference to a CA external
+                      account of the ACME server. If set, upon registration cert-manager
+                      will attempt to associate the given external account credentials
+                      with the registered ACME account.
+                    properties:
+                      keyAlgorithm:
+                        description: keyAlgorithm is the MAC key algorithm that the
+                          key is used for. Valid values are "HS256", "HS384" and "HS512".
+                        enum:
+                        - HS256
+                        - HS384
+                        - HS512
+                        type: string
+                      keyID:
+                        description: keyID is the ID of the CA key that the External
+                          Account is bound to.
+                        type: string
+                      keySecretRef:
+                        description: keySecretRef is a Secret Key Selector referencing
+                          a data item in a Kubernetes Secret which holds the symmetric
+                          MAC key of the External Account Binding. The `key` is the
+                          index string that is paired with the key data in the Secret
+                          and should not be confused with the key data itself, or
+                          indeed with the External Account Binding keyID above. The
+                          secret key stored in the Secret **must** be un-padded, base64
+                          URL encoded data.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                    required:
+                    - keyAlgorithm
+                    - keyID
+                    - keySecretRef
+                    type: object
+                  preferredChain:
+                    description: 'PreferredChain is the chain to use if the ACME server
+                      outputs multiple. PreferredChain is no guarantee that this one
+                      gets delivered by the ACME endpoint. For example, for Let''s
+                      Encrypt''s DST crosssign you would use: "DST Root CA X3" or
+                      "ISRG Root X1" for the newer Let''s Encrypt root CA. This value
+                      picks the first certificate bundle in the ACME alternative chains
+                      that has a certificate with this value as its issuer''s CN'
+                    maxLength: 64
+                    type: string
+                  privateKeySecretRef:
+                    description: PrivateKey is the name of a Kubernetes Secret resource
+                      that will be used to store the automatically generated ACME
+                      account private key. Optionally, a `key` may be specified to
+                      select a specific entry within the named Secret resource. If
+                      `key` is not specified, a default of `tls.key` will be used.
+                    properties:
+                      key:
+                        description: The key of the entry in the Secret resource's
+                          `data` field to be used. Some instances of this field may
+                          be defaulted, in others it may be required.
+                        type: string
+                      name:
+                        description: 'Name of the resource being referred to. More
+                          info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                        type: string
+                    required:
+                    - name
+                    type: object
+                  server:
+                    description: 'Server is the URL used to access the ACME server''s
+                      ''directory'' endpoint. For example, for Let''s Encrypt''s staging
+                      endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory".
+                      Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
+                    type: string
+                  skipTLSVerify:
+                    description: Enables or disables validation of the ACME server
+                      TLS certificate. If true, requests to the ACME server will not
+                      have their TLS certificate validated (i.e. insecure connections
+                      will be allowed). Only enable this option in development environments.
+                      The cert-manager system installed roots will be used to verify
+                      connections to the ACME server if this is false. Defaults to
+                      false.
+                    type: boolean
+                  solvers:
+                    description: 'Solvers is a list of challenge solvers that will
+                      be used to solve ACME challenges for the matching domains. Solver
+                      configurations must be provided in order to obtain certificates
+                      from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
+                    items:
+                      description: Configures an issuer to solve challenges using
+                        the specified options. Only one of HTTP01 or DNS01 may be
+                        provided.
+                      properties:
+                        dns01:
+                          description: Configures cert-manager to attempt to complete
+                            authorizations by performing the DNS01 challenge flow.
+                          properties:
+                            acmedns:
+                              description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
+                                API to manage DNS01 challenge records.
+                              properties:
+                                accountSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                host:
+                                  type: string
+                              required:
+                              - accountSecretRef
+                              - host
+                              type: object
+                            akamai:
+                              description: Use the Akamai DNS zone management API
+                                to manage DNS01 challenge records.
+                              properties:
+                                accessTokenSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                clientSecretSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                clientTokenSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                serviceConsumerDomain:
+                                  type: string
+                              required:
+                              - accessTokenSecretRef
+                              - clientSecretSecretRef
+                              - clientTokenSecretRef
+                              - serviceConsumerDomain
+                              type: object
+                            azuredns:
+                              description: Use the Microsoft Azure DNS API to manage
+                                DNS01 challenge records.
+                              properties:
+                                clientID:
+                                  description: if both this and ClientSecret are left
+                                    unset MSI will be used
+                                  type: string
+                                clientSecretSecretRef:
+                                  description: if both this and ClientID are left
+                                    unset MSI will be used
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                environment:
+                                  enum:
+                                  - AzurePublicCloud
+                                  - AzureChinaCloud
+                                  - AzureGermanCloud
+                                  - AzureUSGovernmentCloud
+                                  type: string
+                                hostedZoneName:
+                                  type: string
+                                resourceGroupName:
+                                  type: string
+                                subscriptionID:
+                                  type: string
+                                tenantID:
+                                  description: when specifying ClientID and ClientSecret
+                                    then this field is also needed
+                                  type: string
+                              required:
+                              - resourceGroupName
+                              - subscriptionID
+                              type: object
+                            clouddns:
+                              description: Use the Google Cloud DNS API to manage
+                                DNS01 challenge records.
+                              properties:
+                                hostedZoneName:
+                                  description: HostedZoneName is an optional field
+                                    that tells cert-manager in which Cloud DNS zone
+                                    the challenge record has to be created. If left
+                                    empty cert-manager will automatically choose a
+                                    zone.
+                                  type: string
+                                project:
+                                  type: string
+                                serviceAccountSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - project
+                              type: object
+                            cloudflare:
+                              description: Use the Cloudflare API to manage DNS01
+                                challenge records.
+                              properties:
+                                apiKeySecretRef:
+                                  description: 'API key to use to authenticate with
+                                    Cloudflare. Note: using an API token to authenticate
+                                    is now the recommended method as it allows greater
+                                    control of permissions.'
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                apiTokenSecretRef:
+                                  description: API token used to authenticate with
+                                    Cloudflare.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                email:
+                                  description: Email of the account, only required
+                                    when using API key based authentication.
+                                  type: string
+                              type: object
+                            cnameStrategy:
+                              description: CNAMEStrategy configures how the DNS01
+                                provider should handle CNAME records when found in
+                                DNS zones.
+                              enum:
+                              - None
+                              - Follow
+                              type: string
+                            digitalocean:
+                              description: Use the DigitalOcean DNS API to manage
+                                DNS01 challenge records.
+                              properties:
+                                tokenSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - tokenSecretRef
+                              type: object
+                            rfc2136:
+                              description: Use RFC2136 ("Dynamic Updates in the Domain
+                                Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+                                to manage DNS01 challenge records.
+                              properties:
+                                nameserver:
+                                  description: The IP address or hostname of an authoritative
+                                    DNS server supporting RFC2136 in the form host:port.
+                                    If the host is an IPv6 address it must be enclosed
+                                    in square brackets (e.g [2001:db8::1]) ; port
+                                    is optional. This field is required.
+                                  type: string
+                                tsigAlgorithm:
+                                  description: 'The TSIG Algorithm configured in the
+                                    DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
+                                    and ``tsigKeyName`` are defined. Supported values
+                                    are (case-insensitive): ``HMACMD5`` (default),
+                                    ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
+                                  type: string
+                                tsigKeyName:
+                                  description: The TSIG Key name configured in the
+                                    DNS. If ``tsigSecretSecretRef`` is defined, this
+                                    field is required.
+                                  type: string
+                                tsigSecretSecretRef:
+                                  description: The name of the secret containing the
+                                    TSIG value. If ``tsigKeyName`` is defined, this
+                                    field is required.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - nameserver
+                              type: object
+                            route53:
+                              description: Use the AWS Route53 API to manage DNS01
+                                challenge records.
+                              properties:
+                                accessKeyID:
+                                  description: 'The AccessKeyID is used for authentication.
+                                    If not set we fall-back to using env vars, shared
+                                    credentials file or AWS Instance metadata see:
+                                    https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                  type: string
+                                hostedZoneID:
+                                  description: If set, the provider will manage only
+                                    this zone in Route53 and will not do an lookup
+                                    using the route53:ListHostedZonesByName api call.
+                                  type: string
+                                region:
+                                  description: Always set the region when using AccessKeyID
+                                    and SecretAccessKey
+                                  type: string
+                                role:
+                                  description: Role is a Role ARN which the Route53
+                                    provider will assume using either the explicit
+                                    credentials AccessKeyID/SecretAccessKey or the
+                                    inferred credentials from environment variables,
+                                    shared credentials file or AWS Instance metadata
+                                  type: string
+                                secretAccessKeySecretRef:
+                                  description: The SecretAccessKey is used for authentication.
+                                    If not set we fall-back to using env vars, shared
+                                    credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - region
+                              type: object
+                            webhook:
+                              description: Configure an external webhook based DNS01
+                                challenge solver to manage DNS01 challenge records.
+                              properties:
+                                config:
+                                  description: Additional configuration that should
+                                    be passed to the webhook apiserver when challenges
+                                    are processed. This can contain arbitrary JSON
+                                    data. Secret values should not be specified in
+                                    this stanza. If secret values are needed (e.g.
+                                    credentials for a DNS service), you should use
+                                    a SecretKeySelector to reference a Secret resource.
+                                    For details on the schema of this field, consult
+                                    the webhook provider implementation's documentation.
+                                  x-kubernetes-preserve-unknown-fields: true
+                                groupName:
+                                  description: The API group name that should be used
+                                    when POSTing ChallengePayload resources to the
+                                    webhook apiserver. This should be the same as
+                                    the GroupName specified in the webhook provider
+                                    implementation.
+                                  type: string
+                                solverName:
+                                  description: The name of the solver to use, as defined
+                                    in the webhook provider implementation. This will
+                                    typically be the name of the provider, e.g. 'cloudflare'.
+                                  type: string
+                              required:
+                              - groupName
+                              - solverName
+                              type: object
+                          type: object
+                        http01:
+                          description: Configures cert-manager to attempt to complete
+                            authorizations by performing the HTTP01 challenge flow.
+                            It is not possible to obtain certificates for wildcard
+                            domain names (e.g. `*.example.com`) using the HTTP01 challenge
+                            mechanism.
+                          properties:
+                            ingress:
+                              description: The ingress based HTTP01 challenge solver
+                                will solve challenges by creating or modifying Ingress
+                                resources in order to route requests for '/.well-known/acme-challenge/XYZ'
+                                to 'challenge solver' pods that are provisioned by
+                                cert-manager for each Challenge to be completed.
+                              properties:
+                                class:
+                                  description: The ingress class to use when creating
+                                    Ingress resources to solve ACME challenges that
+                                    use this challenge solver. Only one of 'class'
+                                    or 'name' may be specified.
+                                  type: string
+                                ingressTemplate:
+                                  description: Optional ingress template used to configure
+                                    the ACME challenge solver ingress used for HTTP01
+                                    challenges
+                                  properties:
+                                    metadata:
+                                      description: ObjectMeta overrides for the ingress
+                                        used to solve HTTP01 challenges. Only the
+                                        'labels' and 'annotations' fields may be set.
+                                        If labels or annotations overlap with in-built
+                                        values, the values here will override the
+                                        in-built values.
+                                      properties:
+                                        annotations:
+                                          additionalProperties:
+                                            type: string
+                                          description: Annotations that should be
+                                            added to the created ACME HTTP01 solver
+                                            ingress.
+                                          type: object
+                                        labels:
+                                          additionalProperties:
+                                            type: string
+                                          description: Labels that should be added
+                                            to the created ACME HTTP01 solver ingress.
+                                          type: object
+                                      type: object
+                                  type: object
+                                name:
+                                  description: The name of the ingress resource that
+                                    should have ACME challenge solving routes inserted
+                                    into it in order to solve HTTP01 challenges. This
+                                    is typically used in conjunction with ingress
+                                    controllers like ingress-gce, which maintains
+                                    a 1:1 mapping between external IPs and ingress
+                                    resources.
+                                  type: string
+                                podTemplate:
+                                  description: Optional pod template used to configure
+                                    the ACME challenge solver pods used for HTTP01
+                                    challenges
+                                  properties:
+                                    metadata:
+                                      description: ObjectMeta overrides for the pod
+                                        used to solve HTTP01 challenges. Only the
+                                        'labels' and 'annotations' fields may be set.
+                                        If labels or annotations overlap with in-built
+                                        values, the values here will override the
+                                        in-built values.
+                                      properties:
+                                        annotations:
+                                          additionalProperties:
+                                            type: string
+                                          description: Annotations that should be
+                                            added to the create ACME HTTP01 solver
+                                            pods.
+                                          type: object
+                                        labels:
+                                          additionalProperties:
+                                            type: string
+                                          description: Labels that should be added
+                                            to the created ACME HTTP01 solver pods.
+                                          type: object
+                                      type: object
+                                    spec:
+                                      description: PodSpec defines overrides for the
+                                        HTTP01 challenge solver pod. Only the 'priorityClassName',
+                                        'nodeSelector', 'affinity', 'serviceAccountName'
+                                        and 'tolerations' fields are supported currently.
+                                        All other fields will be ignored.
+                                      properties:
+                                        affinity:
+                                          description: If specified, the pod's scheduling
+                                            constraints
+                                          properties:
+                                            nodeAffinity:
+                                              description: Describes node affinity
+                                                scheduling rules for the pod.
+                                              properties:
+                                                preferredDuringSchedulingIgnoredDuringExecution:
+                                                  description: The scheduler will
+                                                    prefer to schedule pods to nodes
+                                                    that satisfy the affinity expressions
+                                                    specified by this field, but it
+                                                    may choose a node that violates
+                                                    one or more of the expressions.
+                                                    The node that is most preferred
+                                                    is the one with the greatest sum
+                                                    of weights, i.e. for each node
+                                                    that meets all of the scheduling
+                                                    requirements (resource request,
+                                                    requiredDuringScheduling affinity
+                                                    expressions, etc.), compute a
+                                                    sum by iterating through the elements
+                                                    of this field and adding "weight"
+                                                    to the sum if the node matches
+                                                    the corresponding matchExpressions;
+                                                    the node(s) with the highest sum
+                                                    are the most preferred.
+                                                  items:
+                                                    description: An empty preferred
+                                                      scheduling term matches all
+                                                      objects with implicit weight
+                                                      0 (i.e. it's a no-op). A null
+                                                      preferred scheduling term matches
+                                                      no objects (i.e. is also a no-op).
+                                                    properties:
+                                                      preference:
+                                                        description: A node selector
+                                                          term, associated with the
+                                                          corresponding weight.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's labels.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchFields:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's fields.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                        type: object
+                                                      weight:
+                                                        description: Weight associated
+                                                          with matching the corresponding
+                                                          nodeSelectorTerm, in the
+                                                          range 1-100.
+                                                        format: int32
+                                                        type: integer
+                                                    required:
+                                                    - preference
+                                                    - weight
+                                                    type: object
+                                                  type: array
+                                                requiredDuringSchedulingIgnoredDuringExecution:
+                                                  description: If the affinity requirements
+                                                    specified by this field are not
+                                                    met at scheduling time, the pod
+                                                    will not be scheduled onto the
+                                                    node. If the affinity requirements
+                                                    specified by this field cease
+                                                    to be met at some point during
+                                                    pod execution (e.g. due to an
+                                                    update), the system may or may
+                                                    not try to eventually evict the
+                                                    pod from its node.
+                                                  properties:
+                                                    nodeSelectorTerms:
+                                                      description: Required. A list
+                                                        of node selector terms. The
+                                                        terms are ORed.
+                                                      items:
+                                                        description: A null or empty
+                                                          node selector term matches
+                                                          no objects. The requirements
+                                                          of them are ANDed. The TopologySelectorTerm
+                                                          type implements a subset
+                                                          of the NodeSelectorTerm.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's labels.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchFields:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's fields.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                        type: object
+                                                      type: array
+                                                  required:
+                                                  - nodeSelectorTerms
+                                                  type: object
+                                              type: object
+                                            podAffinity:
+                                              description: Describes pod affinity
+                                                scheduling rules (e.g. co-locate this
+                                                pod in the same node, zone, etc. as
+                                                some other pod(s)).
+                                              properties:
+                                                preferredDuringSchedulingIgnoredDuringExecution:
+                                                  description: The scheduler will
+                                                    prefer to schedule pods to nodes
+                                                    that satisfy the affinity expressions
+                                                    specified by this field, but it
+                                                    may choose a node that violates
+                                                    one or more of the expressions.
+                                                    The node that is most preferred
+                                                    is the one with the greatest sum
+                                                    of weights, i.e. for each node
+                                                    that meets all of the scheduling
+                                                    requirements (resource request,
+                                                    requiredDuringScheduling affinity
+                                                    expressions, etc.), compute a
+                                                    sum by iterating through the elements
+                                                    of this field and adding "weight"
+                                                    to the sum if the node has pods
+                                                    which matches the corresponding
+                                                    podAffinityTerm; the node(s) with
+                                                    the highest sum are the most preferred.
+                                                  items:
+                                                    description: The weights of all
+                                                      of the matched WeightedPodAffinityTerm
+                                                      fields are added per-node to
+                                                      find the most preferred node(s)
+                                                    properties:
+                                                      podAffinityTerm:
+                                                        description: Required. A pod
+                                                          affinity term, associated
+                                                          with the corresponding weight.
+                                                        properties:
+                                                          labelSelector:
+                                                            description: A label query
+                                                              over a set of resources,
+                                                              in this case pods.
+                                                            properties:
+                                                              matchExpressions:
+                                                                description: matchExpressions
+                                                                  is a list of label
+                                                                  selector requirements.
+                                                                  The requirements
+                                                                  are ANDed.
+                                                                items:
+                                                                  description: A label
+                                                                    selector requirement
+                                                                    is a selector
+                                                                    that contains
+                                                                    values, a key,
+                                                                    and an operator
+                                                                    that relates the
+                                                                    key and values.
+                                                                  properties:
+                                                                    key:
+                                                                      description: key
+                                                                        is the label
+                                                                        key that the
+                                                                        selector applies
+                                                                        to.
+                                                                      type: string
+                                                                    operator:
+                                                                      description: operator
+                                                                        represents
+                                                                        a key's relationship
+                                                                        to a set of
+                                                                        values. Valid
+                                                                        operators
+                                                                        are In, NotIn,
+                                                                        Exists and
+                                                                        DoesNotExist.
+                                                                      type: string
+                                                                    values:
+                                                                      description: values
+                                                                        is an array
+                                                                        of string
+                                                                        values. If
+                                                                        the operator
+                                                                        is In or NotIn,
+                                                                        the values
+                                                                        array must
+                                                                        be non-empty.
+                                                                        If the operator
+                                                                        is Exists
+                                                                        or DoesNotExist,
+                                                                        the values
+                                                                        array must
+                                                                        be empty.
+                                                                        This array
+                                                                        is replaced
+                                                                        during a strategic
+                                                                        merge patch.
+                                                                      items:
+                                                                        type: string
+                                                                      type: array
+                                                                  required:
+                                                                  - key
+                                                                  - operator
+                                                                  type: object
+                                                                type: array
+                                                              matchLabels:
+                                                                additionalProperties:
+                                                                  type: string
+                                                                description: matchLabels
+                                                                  is a map of {key,value}
+                                                                  pairs. A single
+                                                                  {key,value} in the
+                                                                  matchLabels map
+                                                                  is equivalent to
+                                                                  an element of matchExpressions,
+                                                                  whose key field
+                                                                  is "key", the operator
+                                                                  is "In", and the
+                                                                  values array contains
+                                                                  only "value". The
+                                                                  requirements are
+                                                                  ANDed.
+                                                                type: object
+                                                            type: object
+                                                          namespaces:
+                                                            description: namespaces
+                                                              specifies which namespaces
+                                                              the labelSelector applies
+                                                              to (matches against);
+                                                              null or empty list means
+                                                              "this pod's namespace"
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                          topologyKey:
+                                                            description: This pod
+                                                              should be co-located
+                                                              (affinity) or not co-located
+                                                              (anti-affinity) with
+                                                              the pods matching the
+                                                              labelSelector in the
+                                                              specified namespaces,
+                                                              where co-located is
+                                                              defined as running on
+                                                              a node whose value of
+                                                              the label with key topologyKey
+                                                              matches that of any
+                                                              node on which any of
+                                                              the selected pods is
+                                                              running. Empty topologyKey
+                                                              is not allowed.
+                                                            type: string
+                                                        required:
+                                                        - topologyKey
+                                                        type: object
+                                                      weight:
+                                                        description: weight associated
+                                                          with matching the corresponding
+                                                          podAffinityTerm, in the
+                                                          range 1-100.
+                                                        format: int32
+                                                        type: integer
+                                                    required:
+                                                    - podAffinityTerm
+                                                    - weight
+                                                    type: object
+                                                  type: array
+                                                requiredDuringSchedulingIgnoredDuringExecution:
+                                                  description: If the affinity requirements
+                                                    specified by this field are not
+                                                    met at scheduling time, the pod
+                                                    will not be scheduled onto the
+                                                    node. If the affinity requirements
+                                                    specified by this field cease
+                                                    to be met at some point during
+                                                    pod execution (e.g. due to a pod
+                                                    label update), the system may
+                                                    or may not try to eventually evict
+                                                    the pod from its node. When there
+                                                    are multiple elements, the lists
+                                                    of nodes corresponding to each
+                                                    podAffinityTerm are intersected,
+                                                    i.e. all terms must be satisfied.
+                                                  items:
+                                                    description: Defines a set of
+                                                      pods (namely those matching
+                                                      the labelSelector relative to
+                                                      the given namespace(s)) that
+                                                      this pod should be co-located
+                                                      (affinity) or not co-located
+                                                      (anti-affinity) with, where
+                                                      co-located is defined as running
+                                                      on a node whose value of the
+                                                      label with key <topologyKey>
+                                                      matches that of any node on
+                                                      which a pod of the set of pods
+                                                      is running
+                                                    properties:
+                                                      labelSelector:
+                                                        description: A label query
+                                                          over a set of resources,
+                                                          in this case pods.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: matchExpressions
+                                                              is a list of label selector
+                                                              requirements. The requirements
+                                                              are ANDed.
+                                                            items:
+                                                              description: A label
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: key
+                                                                    is the label key
+                                                                    that the selector
+                                                                    applies to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: operator
+                                                                    represents a key's
+                                                                    relationship to
+                                                                    a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists and DoesNotExist.
+                                                                  type: string
+                                                                values:
+                                                                  description: values
+                                                                    is an array of
+                                                                    string values.
+                                                                    If the operator
+                                                                    is In or NotIn,
+                                                                    the values array
+                                                                    must be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchLabels:
+                                                            additionalProperties:
+                                                              type: string
+                                                            description: matchLabels
+                                                              is a map of {key,value}
+                                                              pairs. A single {key,value}
+                                                              in the matchLabels map
+                                                              is equivalent to an
+                                                              element of matchExpressions,
+                                                              whose key field is "key",
+                                                              the operator is "In",
+                                                              and the values array
+                                                              contains only "value".
+                                                              The requirements are
+                                                              ANDed.
+                                                            type: object
+                                                        type: object
+                                                      namespaces:
+                                                        description: namespaces specifies
+                                                          which namespaces the labelSelector
+                                                          applies to (matches against);
+                                                          null or empty list means
+                                                          "this pod's namespace"
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                      topologyKey:
+                                                        description: This pod should
+                                                          be co-located (affinity)
+                                                          or not co-located (anti-affinity)
+                                                          with the pods matching the
+                                                          labelSelector in the specified
+                                                          namespaces, where co-located
+                                                          is defined as running on
+                                                          a node whose value of the
+                                                          label with key topologyKey
+                                                          matches that of any node
+                                                          on which any of the selected
+                                                          pods is running. Empty topologyKey
+                                                          is not allowed.
+                                                        type: string
+                                                    required:
+                                                    - topologyKey
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                            podAntiAffinity:
+                                              description: Describes pod anti-affinity
+                                                scheduling rules (e.g. avoid putting
+                                                this pod in the same node, zone, etc.
+                                                as some other pod(s)).
+                                              properties:
+                                                preferredDuringSchedulingIgnoredDuringExecution:
+                                                  description: The scheduler will
+                                                    prefer to schedule pods to nodes
+                                                    that satisfy the anti-affinity
+                                                    expressions specified by this
+                                                    field, but it may choose a node
+                                                    that violates one or more of the
+                                                    expressions. The node that is
+                                                    most preferred is the one with
+                                                    the greatest sum of weights, i.e.
+                                                    for each node that meets all of
+                                                    the scheduling requirements (resource
+                                                    request, requiredDuringScheduling
+                                                    anti-affinity expressions, etc.),
+                                                    compute a sum by iterating through
+                                                    the elements of this field and
+                                                    adding "weight" to the sum if
+                                                    the node has pods which matches
+                                                    the corresponding podAffinityTerm;
+                                                    the node(s) with the highest sum
+                                                    are the most preferred.
+                                                  items:
+                                                    description: The weights of all
+                                                      of the matched WeightedPodAffinityTerm
+                                                      fields are added per-node to
+                                                      find the most preferred node(s)
+                                                    properties:
+                                                      podAffinityTerm:
+                                                        description: Required. A pod
+                                                          affinity term, associated
+                                                          with the corresponding weight.
+                                                        properties:
+                                                          labelSelector:
+                                                            description: A label query
+                                                              over a set of resources,
+                                                              in this case pods.
+                                                            properties:
+                                                              matchExpressions:
+                                                                description: matchExpressions
+                                                                  is a list of label
+                                                                  selector requirements.
+                                                                  The requirements
+                                                                  are ANDed.
+                                                                items:
+                                                                  description: A label
+                                                                    selector requirement
+                                                                    is a selector
+                                                                    that contains
+                                                                    values, a key,
+                                                                    and an operator
+                                                                    that relates the
+                                                                    key and values.
+                                                                  properties:
+                                                                    key:
+                                                                      description: key
+                                                                        is the label
+                                                                        key that the
+                                                                        selector applies
+                                                                        to.
+                                                                      type: string
+                                                                    operator:
+                                                                      description: operator
+                                                                        represents
+                                                                        a key's relationship
+                                                                        to a set of
+                                                                        values. Valid
+                                                                        operators
+                                                                        are In, NotIn,
+                                                                        Exists and
+                                                                        DoesNotExist.
+                                                                      type: string
+                                                                    values:
+                                                                      description: values
+                                                                        is an array
+                                                                        of string
+                                                                        values. If
+                                                                        the operator
+                                                                        is In or NotIn,
+                                                                        the values
+                                                                        array must
+                                                                        be non-empty.
+                                                                        If the operator
+                                                                        is Exists
+                                                                        or DoesNotExist,
+                                                                        the values
+                                                                        array must
+                                                                        be empty.
+                                                                        This array
+                                                                        is replaced
+                                                                        during a strategic
+                                                                        merge patch.
+                                                                      items:
+                                                                        type: string
+                                                                      type: array
+                                                                  required:
+                                                                  - key
+                                                                  - operator
+                                                                  type: object
+                                                                type: array
+                                                              matchLabels:
+                                                                additionalProperties:
+                                                                  type: string
+                                                                description: matchLabels
+                                                                  is a map of {key,value}
+                                                                  pairs. A single
+                                                                  {key,value} in the
+                                                                  matchLabels map
+                                                                  is equivalent to
+                                                                  an element of matchExpressions,
+                                                                  whose key field
+                                                                  is "key", the operator
+                                                                  is "In", and the
+                                                                  values array contains
+                                                                  only "value". The
+                                                                  requirements are
+                                                                  ANDed.
+                                                                type: object
+                                                            type: object
+                                                          namespaces:
+                                                            description: namespaces
+                                                              specifies which namespaces
+                                                              the labelSelector applies
+                                                              to (matches against);
+                                                              null or empty list means
+                                                              "this pod's namespace"
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                          topologyKey:
+                                                            description: This pod
+                                                              should be co-located
+                                                              (affinity) or not co-located
+                                                              (anti-affinity) with
+                                                              the pods matching the
+                                                              labelSelector in the
+                                                              specified namespaces,
+                                                              where co-located is
+                                                              defined as running on
+                                                              a node whose value of
+                                                              the label with key topologyKey
+                                                              matches that of any
+                                                              node on which any of
+                                                              the selected pods is
+                                                              running. Empty topologyKey
+                                                              is not allowed.
+                                                            type: string
+                                                        required:
+                                                        - topologyKey
+                                                        type: object
+                                                      weight:
+                                                        description: weight associated
+                                                          with matching the corresponding
+                                                          podAffinityTerm, in the
+                                                          range 1-100.
+                                                        format: int32
+                                                        type: integer
+                                                    required:
+                                                    - podAffinityTerm
+                                                    - weight
+                                                    type: object
+                                                  type: array
+                                                requiredDuringSchedulingIgnoredDuringExecution:
+                                                  description: If the anti-affinity
+                                                    requirements specified by this
+                                                    field are not met at scheduling
+                                                    time, the pod will not be scheduled
+                                                    onto the node. If the anti-affinity
+                                                    requirements specified by this
+                                                    field cease to be met at some
+                                                    point during pod execution (e.g.
+                                                    due to a pod label update), the
+                                                    system may or may not try to eventually
+                                                    evict the pod from its node. When
+                                                    there are multiple elements, the
+                                                    lists of nodes corresponding to
+                                                    each podAffinityTerm are intersected,
+                                                    i.e. all terms must be satisfied.
+                                                  items:
+                                                    description: Defines a set of
+                                                      pods (namely those matching
+                                                      the labelSelector relative to
+                                                      the given namespace(s)) that
+                                                      this pod should be co-located
+                                                      (affinity) or not co-located
+                                                      (anti-affinity) with, where
+                                                      co-located is defined as running
+                                                      on a node whose value of the
+                                                      label with key <topologyKey>
+                                                      matches that of any node on
+                                                      which a pod of the set of pods
+                                                      is running
+                                                    properties:
+                                                      labelSelector:
+                                                        description: A label query
+                                                          over a set of resources,
+                                                          in this case pods.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: matchExpressions
+                                                              is a list of label selector
+                                                              requirements. The requirements
+                                                              are ANDed.
+                                                            items:
+                                                              description: A label
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: key
+                                                                    is the label key
+                                                                    that the selector
+                                                                    applies to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: operator
+                                                                    represents a key's
+                                                                    relationship to
+                                                                    a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists and DoesNotExist.
+                                                                  type: string
+                                                                values:
+                                                                  description: values
+                                                                    is an array of
+                                                                    string values.
+                                                                    If the operator
+                                                                    is In or NotIn,
+                                                                    the values array
+                                                                    must be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchLabels:
+                                                            additionalProperties:
+                                                              type: string
+                                                            description: matchLabels
+                                                              is a map of {key,value}
+                                                              pairs. A single {key,value}
+                                                              in the matchLabels map
+                                                              is equivalent to an
+                                                              element of matchExpressions,
+                                                              whose key field is "key",
+                                                              the operator is "In",
+                                                              and the values array
+                                                              contains only "value".
+                                                              The requirements are
+                                                              ANDed.
+                                                            type: object
+                                                        type: object
+                                                      namespaces:
+                                                        description: namespaces specifies
+                                                          which namespaces the labelSelector
+                                                          applies to (matches against);
+                                                          null or empty list means
+                                                          "this pod's namespace"
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                      topologyKey:
+                                                        description: This pod should
+                                                          be co-located (affinity)
+                                                          or not co-located (anti-affinity)
+                                                          with the pods matching the
+                                                          labelSelector in the specified
+                                                          namespaces, where co-located
+                                                          is defined as running on
+                                                          a node whose value of the
+                                                          label with key topologyKey
+                                                          matches that of any node
+                                                          on which any of the selected
+                                                          pods is running. Empty topologyKey
+                                                          is not allowed.
+                                                        type: string
+                                                    required:
+                                                    - topologyKey
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                          type: object
+                                        nodeSelector:
+                                          additionalProperties:
+                                            type: string
+                                          description: 'NodeSelector is a selector
+                                            which must be true for the pod to fit
+                                            on a node. Selector which must match a
+                                            node''s labels for the pod to be scheduled
+                                            on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
+                                          type: object
+                                        priorityClassName:
+                                          description: If specified, the pod's priorityClassName.
+                                          type: string
+                                        serviceAccountName:
+                                          description: If specified, the pod's service
+                                            account
+                                          type: string
+                                        tolerations:
+                                          description: If specified, the pod's tolerations.
+                                          items:
+                                            description: The pod this Toleration is
+                                              attached to tolerates any taint that
+                                              matches the triple <key,value,effect>
+                                              using the matching operator <operator>.
+                                            properties:
+                                              effect:
+                                                description: Effect indicates the
+                                                  taint effect to match. Empty means
+                                                  match all taint effects. When specified,
+                                                  allowed values are NoSchedule, PreferNoSchedule
+                                                  and NoExecute.
+                                                type: string
+                                              key:
+                                                description: Key is the taint key
+                                                  that the toleration applies to.
+                                                  Empty means match all taint keys.
+                                                  If the key is empty, operator must
+                                                  be Exists; this combination means
+                                                  to match all values and all keys.
+                                                type: string
+                                              operator:
+                                                description: Operator represents a
+                                                  key's relationship to the value.
+                                                  Valid operators are Exists and Equal.
+                                                  Defaults to Equal. Exists is equivalent
+                                                  to wildcard for value, so that a
+                                                  pod can tolerate all taints of a
+                                                  particular category.
+                                                type: string
+                                              tolerationSeconds:
+                                                description: TolerationSeconds represents
+                                                  the period of time the toleration
+                                                  (which must be of effect NoExecute,
+                                                  otherwise this field is ignored)
+                                                  tolerates the taint. By default,
+                                                  it is not set, which means tolerate
+                                                  the taint forever (do not evict).
+                                                  Zero and negative values will be
+                                                  treated as 0 (evict immediately)
+                                                  by the system.
+                                                format: int64
+                                                type: integer
+                                              value:
+                                                description: Value is the taint value
+                                                  the toleration matches to. If the
+                                                  operator is Exists, the value should
+                                                  be empty, otherwise just a regular
+                                                  string.
+                                                type: string
+                                            type: object
+                                          type: array
+                                      type: object
+                                  type: object
+                                serviceType:
+                                  description: Optional service type for Kubernetes
+                                    solver service
+                                  type: string
+                              type: object
+                          type: object
+                        selector:
+                          description: Selector selects a set of DNSNames on the Certificate
+                            resource that should be solved using this challenge solver.
+                            If not specified, the solver will be treated as the 'default'
+                            solver with the lowest priority, i.e. if any other solver
+                            has a more specific match, it will be used instead.
+                          properties:
+                            dnsNames:
+                              description: List of DNSNames that this solver will
+                                be used to solve. If specified and a match is found,
+                                a dnsNames selector will take precedence over a dnsZones
+                                selector. If multiple solvers match with the same
+                                dnsNames value, the solver with the most matching
+                                labels in matchLabels will be selected. If neither
+                                has more matches, the solver defined earlier in the
+                                list will be selected.
+                              items:
+                                type: string
+                              type: array
+                            dnsZones:
+                              description: List of DNSZones that this solver will
+                                be used to solve. The most specific DNS zone match
+                                specified here will take precedence over other DNS
+                                zone matches, so a solver specifying sys.example.com
+                                will be selected over one specifying example.com for
+                                the domain www.sys.example.com. If multiple solvers
+                                match with the same dnsZones value, the solver with
+                                the most matching labels in matchLabels will be selected.
+                                If neither has more matches, the solver defined earlier
+                                in the list will be selected.
+                              items:
+                                type: string
+                              type: array
+                            matchLabels:
+                              additionalProperties:
+                                type: string
+                              description: A label selector that is used to refine
+                                the set of certificate's that this challenge solver
+                                will apply to.
+                              type: object
+                          type: object
+                      type: object
+                    type: array
+                required:
+                - privateKeySecretRef
+                - server
+                type: object
+              ca:
+                description: CA configures this issuer to sign certificates using
+                  a signing CA keypair stored in a Secret resource. This is used to
+                  build internal PKIs that are managed by cert-manager.
+                properties:
+                  crlDistributionPoints:
+                    description: The CRL distribution points is an X.509 v3 certificate
+                      extension which identifies the location of the CRL from which
+                      the revocation of this certificate can be checked. If not set,
+                      certificates will be issued without distribution points set.
+                    items:
+                      type: string
+                    type: array
+                  secretName:
+                    description: SecretName is the name of the secret used to sign
+                      Certificates issued by this Issuer.
+                    type: string
+                required:
+                - secretName
+                type: object
+              selfSigned:
+                description: SelfSigned configures this issuer to 'self sign' certificates
+                  using the private key used to create the CertificateRequest object.
+                properties:
+                  crlDistributionPoints:
+                    description: The CRL distribution points is an X.509 v3 certificate
+                      extension which identifies the location of the CRL from which
+                      the revocation of this certificate can be checked. If not set
+                      certificate will be issued without CDP. Values are strings.
+                    items:
+                      type: string
+                    type: array
+                type: object
+              vault:
+                description: Vault configures this issuer to sign certificates using
+                  a HashiCorp Vault PKI backend.
+                properties:
+                  auth:
+                    description: Auth configures how cert-manager authenticates with
+                      the Vault server.
+                    properties:
+                      appRole:
+                        description: AppRole authenticates with Vault using the App
+                          Role auth mechanism, with the role and secret stored in
+                          a Kubernetes Secret resource.
+                        properties:
+                          path:
+                            description: 'Path where the App Role authentication backend
+                              is mounted in Vault, e.g: "approle"'
+                            type: string
+                          roleId:
+                            description: RoleID configured in the App Role authentication
+                              backend when setting up the authentication backend in
+                              Vault.
+                            type: string
+                          secretRef:
+                            description: Reference to a key in a Secret that contains
+                              the App Role secret used to authenticate with Vault.
+                              The `key` field must be specified and denotes which
+                              entry within the Secret resource is used as the app
+                              role secret.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - path
+                        - roleId
+                        - secretRef
+                        type: object
+                      kubernetes:
+                        description: Kubernetes authenticates with Vault by passing
+                          the ServiceAccount token stored in the named Secret resource
+                          to the Vault server.
+                        properties:
+                          mountPath:
+                            description: The Vault mountPath here is the mount path
+                              to use when authenticating with Vault. For example,
+                              setting a value to `/v1/auth/foo`, will use the path
+                              `/v1/auth/foo/login` to authenticate with Vault. If
+                              unspecified, the default value "/v1/auth/kubernetes"
+                              will be used.
+                            type: string
+                          role:
+                            description: A required field containing the Vault Role
+                              to assume. A Role binds a Kubernetes ServiceAccount
+                              with a set of Vault policies.
+                            type: string
+                          secretRef:
+                            description: The required Secret field containing a Kubernetes
+                              ServiceAccount JWT used for authenticating with Vault.
+                              Use of 'ambient credentials' is not supported.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - role
+                        - secretRef
+                        type: object
+                      tokenSecretRef:
+                        description: TokenSecretRef authenticates with Vault by presenting
+                          a token.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                    type: object
+                  caBundle:
+                    description: PEM encoded CA bundle used to validate Vault server
+                      certificate. Only used if the Server URL is using HTTPS protocol.
+                      This parameter is ignored for plain HTTP protocol connection.
+                      If not set the system root certificates are used to validate
+                      the TLS connection.
+                    format: byte
+                    type: string
+                  namespace:
+                    description: 'Name of the vault namespace. Namespaces is a set
+                      of features within Vault Enterprise that allows Vault environments
+                      to support Secure Multi-tenancy. e.g: "ns1" More about namespaces
+                      can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
+                    type: string
+                  path:
+                    description: 'Path is the mount path of the Vault PKI backend''s
+                      `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
+                    type: string
+                  server:
+                    description: 'Server is the connection address for the Vault server,
+                      e.g: "https://vault.example.com:8200".'
+                    type: string
+                required:
+                - auth
+                - path
+                - server
+                type: object
+              venafi:
+                description: Venafi configures this issuer to sign certificates using
+                  a Venafi TPP or Venafi Cloud policy zone.
+                properties:
+                  cloud:
+                    description: Cloud specifies the Venafi cloud configuration settings.
+                      Only one of TPP or Cloud may be specified.
+                    properties:
+                      apiTokenSecretRef:
+                        description: APITokenSecretRef is a secret key selector for
+                          the Venafi Cloud API token.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      url:
+                        description: URL is the base URL for Venafi Cloud. Defaults
+                          to "https://api.venafi.cloud/v1".
+                        type: string
+                    required:
+                    - apiTokenSecretRef
+                    type: object
+                  tpp:
+                    description: TPP specifies Trust Protection Platform configuration
+                      settings. Only one of TPP or Cloud may be specified.
+                    properties:
+                      caBundle:
+                        description: CABundle is a PEM encoded TLS certificate to
+                          use to verify connections to the TPP instance. If specified,
+                          system roots will not be used and the issuing CA for the
+                          TPP instance must be verifiable using the provided root.
+                          If not specified, the connection will be verified using
+                          the cert-manager system root certificates.
+                        format: byte
+                        type: string
+                      credentialsRef:
+                        description: CredentialsRef is a reference to a Secret containing
+                          the username and password for the TPP server. The secret
+                          must contain two keys, 'username' and 'password'.
+                        properties:
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      url:
+                        description: 'URL is the base URL for the vedsdk endpoint
+                          of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
+                        type: string
+                    required:
+                    - credentialsRef
+                    - url
+                    type: object
+                  zone:
+                    description: Zone is the Venafi Policy Zone to use for this issuer.
+                      All requests made to the Venafi platform will be restricted
+                      by the named zone policy. This field is required.
+                    type: string
+                required:
+                - zone
+                type: object
+            type: object
+          status:
+            description: Status of the ClusterIssuer. This is set and managed automatically.
+            properties:
+              acme:
+                description: ACME specific status options. This field should only
+                  be set if the Issuer is configured to use an ACME server to issue
+                  certificates.
+                properties:
+                  lastRegisteredEmail:
+                    description: LastRegisteredEmail is the email associated with
+                      the latest registered ACME account, in order to track changes
+                      made to registered account associated with the  Issuer
+                    type: string
+                  uri:
+                    description: URI is the unique account identifier, which can also
+                      be used to retrieve account details from the CA
+                    type: string
+                type: object
+              conditions:
+                description: List of status conditions to indicate the status of a
+                  CertificateRequest. Known condition types are `Ready`.
+                items:
+                  description: IssuerCondition contains condition information for
+                    an Issuer.
+                  properties:
+                    lastTransitionTime:
+                      description: LastTransitionTime is the timestamp corresponding
+                        to the last status change of this condition.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Message is a human readable description of the
+                        details of the last transition, complementing reason.
+                      type: string
+                    reason:
+                      description: Reason is a brief machine readable explanation
+                        for the condition's last transition.
+                      type: string
+                    status:
+                      description: Status of the condition, one of ('True', 'False',
+                        'Unknown').
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: Type of the condition, known values are ('Ready').
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].message
+      name: Status
+      priority: 1
+      type: string
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC.
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        description: A ClusterIssuer represents a certificate issuing authority which
+          can be referenced as part of `issuerRef` fields. It is similar to an Issuer,
+          however it is cluster-scoped and therefore can be referenced by resources
+          that exist in *any* namespace, not just the same namespace as the referent.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Desired state of the ClusterIssuer resource.
+            properties:
+              acme:
+                description: ACME configures this issuer to communicate with a RFC8555
+                  (ACME) server to obtain signed x509 certificates.
+                properties:
+                  disableAccountKeyGeneration:
+                    description: Enables or disables generating a new ACME account
+                      key. If true, the Issuer resource will *not* request a new account
+                      but will expect the account key to be supplied via an existing
+                      secret. If false, the cert-manager system will generate a new
+                      ACME account key for the Issuer. Defaults to false.
+                    type: boolean
+                  email:
+                    description: Email is the email address to be associated with
+                      the ACME account. This field is optional, but it is strongly
+                      recommended to be set. It will be used to contact you in case
+                      of issues with your account or certificates, including expiry
+                      notification emails. This field may be updated after the account
+                      is initially registered.
+                    type: string
+                  externalAccountBinding:
+                    description: ExternalAccountBinding is a reference to a CA external
+                      account of the ACME server. If set, upon registration cert-manager
+                      will attempt to associate the given external account credentials
+                      with the registered ACME account.
+                    properties:
+                      keyAlgorithm:
+                        description: keyAlgorithm is the MAC key algorithm that the
+                          key is used for. Valid values are "HS256", "HS384" and "HS512".
+                        enum:
+                        - HS256
+                        - HS384
+                        - HS512
+                        type: string
+                      keyID:
+                        description: keyID is the ID of the CA key that the External
+                          Account is bound to.
+                        type: string
+                      keySecretRef:
+                        description: keySecretRef is a Secret Key Selector referencing
+                          a data item in a Kubernetes Secret which holds the symmetric
+                          MAC key of the External Account Binding. The `key` is the
+                          index string that is paired with the key data in the Secret
+                          and should not be confused with the key data itself, or
+                          indeed with the External Account Binding keyID above. The
+                          secret key stored in the Secret **must** be un-padded, base64
+                          URL encoded data.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                    required:
+                    - keyAlgorithm
+                    - keyID
+                    - keySecretRef
+                    type: object
+                  preferredChain:
+                    description: 'PreferredChain is the chain to use if the ACME server
+                      outputs multiple. PreferredChain is no guarantee that this one
+                      gets delivered by the ACME endpoint. For example, for Let''s
+                      Encrypt''s DST crosssign you would use: "DST Root CA X3" or
+                      "ISRG Root X1" for the newer Let''s Encrypt root CA. This value
+                      picks the first certificate bundle in the ACME alternative chains
+                      that has a certificate with this value as its issuer''s CN'
+                    maxLength: 64
+                    type: string
+                  privateKeySecretRef:
+                    description: PrivateKey is the name of a Kubernetes Secret resource
+                      that will be used to store the automatically generated ACME
+                      account private key. Optionally, a `key` may be specified to
+                      select a specific entry within the named Secret resource. If
+                      `key` is not specified, a default of `tls.key` will be used.
+                    properties:
+                      key:
+                        description: The key of the entry in the Secret resource's
+                          `data` field to be used. Some instances of this field may
+                          be defaulted, in others it may be required.
+                        type: string
+                      name:
+                        description: 'Name of the resource being referred to. More
+                          info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                        type: string
+                    required:
+                    - name
+                    type: object
+                  server:
+                    description: 'Server is the URL used to access the ACME server''s
+                      ''directory'' endpoint. For example, for Let''s Encrypt''s staging
+                      endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory".
+                      Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
+                    type: string
+                  skipTLSVerify:
+                    description: Enables or disables validation of the ACME server
+                      TLS certificate. If true, requests to the ACME server will not
+                      have their TLS certificate validated (i.e. insecure connections
+                      will be allowed). Only enable this option in development environments.
+                      The cert-manager system installed roots will be used to verify
+                      connections to the ACME server if this is false. Defaults to
+                      false.
+                    type: boolean
+                  solvers:
+                    description: 'Solvers is a list of challenge solvers that will
+                      be used to solve ACME challenges for the matching domains. Solver
+                      configurations must be provided in order to obtain certificates
+                      from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
+                    items:
+                      description: Configures an issuer to solve challenges using
+                        the specified options. Only one of HTTP01 or DNS01 may be
+                        provided.
+                      properties:
+                        dns01:
+                          description: Configures cert-manager to attempt to complete
+                            authorizations by performing the DNS01 challenge flow.
+                          properties:
+                            acmedns:
+                              description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
+                                API to manage DNS01 challenge records.
+                              properties:
+                                accountSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                host:
+                                  type: string
+                              required:
+                              - accountSecretRef
+                              - host
+                              type: object
+                            akamai:
+                              description: Use the Akamai DNS zone management API
+                                to manage DNS01 challenge records.
+                              properties:
+                                accessTokenSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                clientSecretSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                clientTokenSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                serviceConsumerDomain:
+                                  type: string
+                              required:
+                              - accessTokenSecretRef
+                              - clientSecretSecretRef
+                              - clientTokenSecretRef
+                              - serviceConsumerDomain
+                              type: object
+                            azuredns:
+                              description: Use the Microsoft Azure DNS API to manage
+                                DNS01 challenge records.
+                              properties:
+                                clientID:
+                                  description: if both this and ClientSecret are left
+                                    unset MSI will be used
+                                  type: string
+                                clientSecretSecretRef:
+                                  description: if both this and ClientID are left
+                                    unset MSI will be used
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                environment:
+                                  enum:
+                                  - AzurePublicCloud
+                                  - AzureChinaCloud
+                                  - AzureGermanCloud
+                                  - AzureUSGovernmentCloud
+                                  type: string
+                                hostedZoneName:
+                                  type: string
+                                resourceGroupName:
+                                  type: string
+                                subscriptionID:
+                                  type: string
+                                tenantID:
+                                  description: when specifying ClientID and ClientSecret
+                                    then this field is also needed
+                                  type: string
+                              required:
+                              - resourceGroupName
+                              - subscriptionID
+                              type: object
+                            clouddns:
+                              description: Use the Google Cloud DNS API to manage
+                                DNS01 challenge records.
+                              properties:
+                                hostedZoneName:
+                                  description: HostedZoneName is an optional field
+                                    that tells cert-manager in which Cloud DNS zone
+                                    the challenge record has to be created. If left
+                                    empty cert-manager will automatically choose a
+                                    zone.
+                                  type: string
+                                project:
+                                  type: string
+                                serviceAccountSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - project
+                              type: object
+                            cloudflare:
+                              description: Use the Cloudflare API to manage DNS01
+                                challenge records.
+                              properties:
+                                apiKeySecretRef:
+                                  description: 'API key to use to authenticate with
+                                    Cloudflare. Note: using an API token to authenticate
+                                    is now the recommended method as it allows greater
+                                    control of permissions.'
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                apiTokenSecretRef:
+                                  description: API token used to authenticate with
+                                    Cloudflare.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                email:
+                                  description: Email of the account, only required
+                                    when using API key based authentication.
+                                  type: string
+                              type: object
+                            cnameStrategy:
+                              description: CNAMEStrategy configures how the DNS01
+                                provider should handle CNAME records when found in
+                                DNS zones.
+                              enum:
+                              - None
+                              - Follow
+                              type: string
+                            digitalocean:
+                              description: Use the DigitalOcean DNS API to manage
+                                DNS01 challenge records.
+                              properties:
+                                tokenSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - tokenSecretRef
+                              type: object
+                            rfc2136:
+                              description: Use RFC2136 ("Dynamic Updates in the Domain
+                                Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+                                to manage DNS01 challenge records.
+                              properties:
+                                nameserver:
+                                  description: The IP address or hostname of an authoritative
+                                    DNS server supporting RFC2136 in the form host:port.
+                                    If the host is an IPv6 address it must be enclosed
+                                    in square brackets (e.g [2001:db8::1]) ; port
+                                    is optional. This field is required.
+                                  type: string
+                                tsigAlgorithm:
+                                  description: 'The TSIG Algorithm configured in the
+                                    DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
+                                    and ``tsigKeyName`` are defined. Supported values
+                                    are (case-insensitive): ``HMACMD5`` (default),
+                                    ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
+                                  type: string
+                                tsigKeyName:
+                                  description: The TSIG Key name configured in the
+                                    DNS. If ``tsigSecretSecretRef`` is defined, this
+                                    field is required.
+                                  type: string
+                                tsigSecretSecretRef:
+                                  description: The name of the secret containing the
+                                    TSIG value. If ``tsigKeyName`` is defined, this
+                                    field is required.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - nameserver
+                              type: object
+                            route53:
+                              description: Use the AWS Route53 API to manage DNS01
+                                challenge records.
+                              properties:
+                                accessKeyID:
+                                  description: 'The AccessKeyID is used for authentication.
+                                    If not set we fall-back to using env vars, shared
+                                    credentials file or AWS Instance metadata see:
+                                    https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                  type: string
+                                hostedZoneID:
+                                  description: If set, the provider will manage only
+                                    this zone in Route53 and will not do an lookup
+                                    using the route53:ListHostedZonesByName api call.
+                                  type: string
+                                region:
+                                  description: Always set the region when using AccessKeyID
+                                    and SecretAccessKey
+                                  type: string
+                                role:
+                                  description: Role is a Role ARN which the Route53
+                                    provider will assume using either the explicit
+                                    credentials AccessKeyID/SecretAccessKey or the
+                                    inferred credentials from environment variables,
+                                    shared credentials file or AWS Instance metadata
+                                  type: string
+                                secretAccessKeySecretRef:
+                                  description: The SecretAccessKey is used for authentication.
+                                    If not set we fall-back to using env vars, shared
+                                    credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - region
+                              type: object
+                            webhook:
+                              description: Configure an external webhook based DNS01
+                                challenge solver to manage DNS01 challenge records.
+                              properties:
+                                config:
+                                  description: Additional configuration that should
+                                    be passed to the webhook apiserver when challenges
+                                    are processed. This can contain arbitrary JSON
+                                    data. Secret values should not be specified in
+                                    this stanza. If secret values are needed (e.g.
+                                    credentials for a DNS service), you should use
+                                    a SecretKeySelector to reference a Secret resource.
+                                    For details on the schema of this field, consult
+                                    the webhook provider implementation's documentation.
+                                  x-kubernetes-preserve-unknown-fields: true
+                                groupName:
+                                  description: The API group name that should be used
+                                    when POSTing ChallengePayload resources to the
+                                    webhook apiserver. This should be the same as
+                                    the GroupName specified in the webhook provider
+                                    implementation.
+                                  type: string
+                                solverName:
+                                  description: The name of the solver to use, as defined
+                                    in the webhook provider implementation. This will
+                                    typically be the name of the provider, e.g. 'cloudflare'.
+                                  type: string
+                              required:
+                              - groupName
+                              - solverName
+                              type: object
+                          type: object
+                        http01:
+                          description: Configures cert-manager to attempt to complete
+                            authorizations by performing the HTTP01 challenge flow.
+                            It is not possible to obtain certificates for wildcard
+                            domain names (e.g. `*.example.com`) using the HTTP01 challenge
+                            mechanism.
+                          properties:
+                            ingress:
+                              description: The ingress based HTTP01 challenge solver
+                                will solve challenges by creating or modifying Ingress
+                                resources in order to route requests for '/.well-known/acme-challenge/XYZ'
+                                to 'challenge solver' pods that are provisioned by
+                                cert-manager for each Challenge to be completed.
+                              properties:
+                                class:
+                                  description: The ingress class to use when creating
+                                    Ingress resources to solve ACME challenges that
+                                    use this challenge solver. Only one of 'class'
+                                    or 'name' may be specified.
+                                  type: string
+                                ingressTemplate:
+                                  description: Optional ingress template used to configure
+                                    the ACME challenge solver ingress used for HTTP01
+                                    challenges
+                                  properties:
+                                    metadata:
+                                      description: ObjectMeta overrides for the ingress
+                                        used to solve HTTP01 challenges. Only the
+                                        'labels' and 'annotations' fields may be set.
+                                        If labels or annotations overlap with in-built
+                                        values, the values here will override the
+                                        in-built values.
+                                      properties:
+                                        annotations:
+                                          additionalProperties:
+                                            type: string
+                                          description: Annotations that should be
+                                            added to the created ACME HTTP01 solver
+                                            ingress.
+                                          type: object
+                                        labels:
+                                          additionalProperties:
+                                            type: string
+                                          description: Labels that should be added
+                                            to the created ACME HTTP01 solver ingress.
+                                          type: object
+                                      type: object
+                                  type: object
+                                name:
+                                  description: The name of the ingress resource that
+                                    should have ACME challenge solving routes inserted
+                                    into it in order to solve HTTP01 challenges. This
+                                    is typically used in conjunction with ingress
+                                    controllers like ingress-gce, which maintains
+                                    a 1:1 mapping between external IPs and ingress
+                                    resources.
+                                  type: string
+                                podTemplate:
+                                  description: Optional pod template used to configure
+                                    the ACME challenge solver pods used for HTTP01
+                                    challenges
+                                  properties:
+                                    metadata:
+                                      description: ObjectMeta overrides for the pod
+                                        used to solve HTTP01 challenges. Only the
+                                        'labels' and 'annotations' fields may be set.
+                                        If labels or annotations overlap with in-built
+                                        values, the values here will override the
+                                        in-built values.
+                                      properties:
+                                        annotations:
+                                          additionalProperties:
+                                            type: string
+                                          description: Annotations that should be
+                                            added to the create ACME HTTP01 solver
+                                            pods.
+                                          type: object
+                                        labels:
+                                          additionalProperties:
+                                            type: string
+                                          description: Labels that should be added
+                                            to the created ACME HTTP01 solver pods.
+                                          type: object
+                                      type: object
+                                    spec:
+                                      description: PodSpec defines overrides for the
+                                        HTTP01 challenge solver pod. Only the 'priorityClassName',
+                                        'nodeSelector', 'affinity', 'serviceAccountName'
+                                        and 'tolerations' fields are supported currently.
+                                        All other fields will be ignored.
+                                      properties:
+                                        affinity:
+                                          description: If specified, the pod's scheduling
+                                            constraints
+                                          properties:
+                                            nodeAffinity:
+                                              description: Describes node affinity
+                                                scheduling rules for the pod.
+                                              properties:
+                                                preferredDuringSchedulingIgnoredDuringExecution:
+                                                  description: The scheduler will
+                                                    prefer to schedule pods to nodes
+                                                    that satisfy the affinity expressions
+                                                    specified by this field, but it
+                                                    may choose a node that violates
+                                                    one or more of the expressions.
+                                                    The node that is most preferred
+                                                    is the one with the greatest sum
+                                                    of weights, i.e. for each node
+                                                    that meets all of the scheduling
+                                                    requirements (resource request,
+                                                    requiredDuringScheduling affinity
+                                                    expressions, etc.), compute a
+                                                    sum by iterating through the elements
+                                                    of this field and adding "weight"
+                                                    to the sum if the node matches
+                                                    the corresponding matchExpressions;
+                                                    the node(s) with the highest sum
+                                                    are the most preferred.
+                                                  items:
+                                                    description: An empty preferred
+                                                      scheduling term matches all
+                                                      objects with implicit weight
+                                                      0 (i.e. it's a no-op). A null
+                                                      preferred scheduling term matches
+                                                      no objects (i.e. is also a no-op).
+                                                    properties:
+                                                      preference:
+                                                        description: A node selector
+                                                          term, associated with the
+                                                          corresponding weight.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's labels.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchFields:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's fields.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                        type: object
+                                                      weight:
+                                                        description: Weight associated
+                                                          with matching the corresponding
+                                                          nodeSelectorTerm, in the
+                                                          range 1-100.
+                                                        format: int32
+                                                        type: integer
+                                                    required:
+                                                    - preference
+                                                    - weight
+                                                    type: object
+                                                  type: array
+                                                requiredDuringSchedulingIgnoredDuringExecution:
+                                                  description: If the affinity requirements
+                                                    specified by this field are not
+                                                    met at scheduling time, the pod
+                                                    will not be scheduled onto the
+                                                    node. If the affinity requirements
+                                                    specified by this field cease
+                                                    to be met at some point during
+                                                    pod execution (e.g. due to an
+                                                    update), the system may or may
+                                                    not try to eventually evict the
+                                                    pod from its node.
+                                                  properties:
+                                                    nodeSelectorTerms:
+                                                      description: Required. A list
+                                                        of node selector terms. The
+                                                        terms are ORed.
+                                                      items:
+                                                        description: A null or empty
+                                                          node selector term matches
+                                                          no objects. The requirements
+                                                          of them are ANDed. The TopologySelectorTerm
+                                                          type implements a subset
+                                                          of the NodeSelectorTerm.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's labels.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchFields:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's fields.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                        type: object
+                                                      type: array
+                                                  required:
+                                                  - nodeSelectorTerms
+                                                  type: object
+                                              type: object
+                                            podAffinity:
+                                              description: Describes pod affinity
+                                                scheduling rules (e.g. co-locate this
+                                                pod in the same node, zone, etc. as
+                                                some other pod(s)).
+                                              properties:
+                                                preferredDuringSchedulingIgnoredDuringExecution:
+                                                  description: The scheduler will
+                                                    prefer to schedule pods to nodes
+                                                    that satisfy the affinity expressions
+                                                    specified by this field, but it
+                                                    may choose a node that violates
+                                                    one or more of the expressions.
+                                                    The node that is most preferred
+                                                    is the one with the greatest sum
+                                                    of weights, i.e. for each node
+                                                    that meets all of the scheduling
+                                                    requirements (resource request,
+                                                    requiredDuringScheduling affinity
+                                                    expressions, etc.), compute a
+                                                    sum by iterating through the elements
+                                                    of this field and adding "weight"
+                                                    to the sum if the node has pods
+                                                    which matches the corresponding
+                                                    podAffinityTerm; the node(s) with
+                                                    the highest sum are the most preferred.
+                                                  items:
+                                                    description: The weights of all
+                                                      of the matched WeightedPodAffinityTerm
+                                                      fields are added per-node to
+                                                      find the most preferred node(s)
+                                                    properties:
+                                                      podAffinityTerm:
+                                                        description: Required. A pod
+                                                          affinity term, associated
+                                                          with the corresponding weight.
+                                                        properties:
+                                                          labelSelector:
+                                                            description: A label query
+                                                              over a set of resources,
+                                                              in this case pods.
+                                                            properties:
+                                                              matchExpressions:
+                                                                description: matchExpressions
+                                                                  is a list of label
+                                                                  selector requirements.
+                                                                  The requirements
+                                                                  are ANDed.
+                                                                items:
+                                                                  description: A label
+                                                                    selector requirement
+                                                                    is a selector
+                                                                    that contains
+                                                                    values, a key,
+                                                                    and an operator
+                                                                    that relates the
+                                                                    key and values.
+                                                                  properties:
+                                                                    key:
+                                                                      description: key
+                                                                        is the label
+                                                                        key that the
+                                                                        selector applies
+                                                                        to.
+                                                                      type: string
+                                                                    operator:
+                                                                      description: operator
+                                                                        represents
+                                                                        a key's relationship
+                                                                        to a set of
+                                                                        values. Valid
+                                                                        operators
+                                                                        are In, NotIn,
+                                                                        Exists and
+                                                                        DoesNotExist.
+                                                                      type: string
+                                                                    values:
+                                                                      description: values
+                                                                        is an array
+                                                                        of string
+                                                                        values. If
+                                                                        the operator
+                                                                        is In or NotIn,
+                                                                        the values
+                                                                        array must
+                                                                        be non-empty.
+                                                                        If the operator
+                                                                        is Exists
+                                                                        or DoesNotExist,
+                                                                        the values
+                                                                        array must
+                                                                        be empty.
+                                                                        This array
+                                                                        is replaced
+                                                                        during a strategic
+                                                                        merge patch.
+                                                                      items:
+                                                                        type: string
+                                                                      type: array
+                                                                  required:
+                                                                  - key
+                                                                  - operator
+                                                                  type: object
+                                                                type: array
+                                                              matchLabels:
+                                                                additionalProperties:
+                                                                  type: string
+                                                                description: matchLabels
+                                                                  is a map of {key,value}
+                                                                  pairs. A single
+                                                                  {key,value} in the
+                                                                  matchLabels map
+                                                                  is equivalent to
+                                                                  an element of matchExpressions,
+                                                                  whose key field
+                                                                  is "key", the operator
+                                                                  is "In", and the
+                                                                  values array contains
+                                                                  only "value". The
+                                                                  requirements are
+                                                                  ANDed.
+                                                                type: object
+                                                            type: object
+                                                          namespaces:
+                                                            description: namespaces
+                                                              specifies which namespaces
+                                                              the labelSelector applies
+                                                              to (matches against);
+                                                              null or empty list means
+                                                              "this pod's namespace"
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                          topologyKey:
+                                                            description: This pod
+                                                              should be co-located
+                                                              (affinity) or not co-located
+                                                              (anti-affinity) with
+                                                              the pods matching the
+                                                              labelSelector in the
+                                                              specified namespaces,
+                                                              where co-located is
+                                                              defined as running on
+                                                              a node whose value of
+                                                              the label with key topologyKey
+                                                              matches that of any
+                                                              node on which any of
+                                                              the selected pods is
+                                                              running. Empty topologyKey
+                                                              is not allowed.
+                                                            type: string
+                                                        required:
+                                                        - topologyKey
+                                                        type: object
+                                                      weight:
+                                                        description: weight associated
+                                                          with matching the corresponding
+                                                          podAffinityTerm, in the
+                                                          range 1-100.
+                                                        format: int32
+                                                        type: integer
+                                                    required:
+                                                    - podAffinityTerm
+                                                    - weight
+                                                    type: object
+                                                  type: array
+                                                requiredDuringSchedulingIgnoredDuringExecution:
+                                                  description: If the affinity requirements
+                                                    specified by this field are not
+                                                    met at scheduling time, the pod
+                                                    will not be scheduled onto the
+                                                    node. If the affinity requirements
+                                                    specified by this field cease
+                                                    to be met at some point during
+                                                    pod execution (e.g. due to a pod
+                                                    label update), the system may
+                                                    or may not try to eventually evict
+                                                    the pod from its node. When there
+                                                    are multiple elements, the lists
+                                                    of nodes corresponding to each
+                                                    podAffinityTerm are intersected,
+                                                    i.e. all terms must be satisfied.
+                                                  items:
+                                                    description: Defines a set of
+                                                      pods (namely those matching
+                                                      the labelSelector relative to
+                                                      the given namespace(s)) that
+                                                      this pod should be co-located
+                                                      (affinity) or not co-located
+                                                      (anti-affinity) with, where
+                                                      co-located is defined as running
+                                                      on a node whose value of the
+                                                      label with key <topologyKey>
+                                                      matches that of any node on
+                                                      which a pod of the set of pods
+                                                      is running
+                                                    properties:
+                                                      labelSelector:
+                                                        description: A label query
+                                                          over a set of resources,
+                                                          in this case pods.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: matchExpressions
+                                                              is a list of label selector
+                                                              requirements. The requirements
+                                                              are ANDed.
+                                                            items:
+                                                              description: A label
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: key
+                                                                    is the label key
+                                                                    that the selector
+                                                                    applies to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: operator
+                                                                    represents a key's
+                                                                    relationship to
+                                                                    a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists and DoesNotExist.
+                                                                  type: string
+                                                                values:
+                                                                  description: values
+                                                                    is an array of
+                                                                    string values.
+                                                                    If the operator
+                                                                    is In or NotIn,
+                                                                    the values array
+                                                                    must be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchLabels:
+                                                            additionalProperties:
+                                                              type: string
+                                                            description: matchLabels
+                                                              is a map of {key,value}
+                                                              pairs. A single {key,value}
+                                                              in the matchLabels map
+                                                              is equivalent to an
+                                                              element of matchExpressions,
+                                                              whose key field is "key",
+                                                              the operator is "In",
+                                                              and the values array
+                                                              contains only "value".
+                                                              The requirements are
+                                                              ANDed.
+                                                            type: object
+                                                        type: object
+                                                      namespaces:
+                                                        description: namespaces specifies
+                                                          which namespaces the labelSelector
+                                                          applies to (matches against);
+                                                          null or empty list means
+                                                          "this pod's namespace"
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                      topologyKey:
+                                                        description: This pod should
+                                                          be co-located (affinity)
+                                                          or not co-located (anti-affinity)
+                                                          with the pods matching the
+                                                          labelSelector in the specified
+                                                          namespaces, where co-located
+                                                          is defined as running on
+                                                          a node whose value of the
+                                                          label with key topologyKey
+                                                          matches that of any node
+                                                          on which any of the selected
+                                                          pods is running. Empty topologyKey
+                                                          is not allowed.
+                                                        type: string
+                                                    required:
+                                                    - topologyKey
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                            podAntiAffinity:
+                                              description: Describes pod anti-affinity
+                                                scheduling rules (e.g. avoid putting
+                                                this pod in the same node, zone, etc.
+                                                as some other pod(s)).
+                                              properties:
+                                                preferredDuringSchedulingIgnoredDuringExecution:
+                                                  description: The scheduler will
+                                                    prefer to schedule pods to nodes
+                                                    that satisfy the anti-affinity
+                                                    expressions specified by this
+                                                    field, but it may choose a node
+                                                    that violates one or more of the
+                                                    expressions. The node that is
+                                                    most preferred is the one with
+                                                    the greatest sum of weights, i.e.
+                                                    for each node that meets all of
+                                                    the scheduling requirements (resource
+                                                    request, requiredDuringScheduling
+                                                    anti-affinity expressions, etc.),
+                                                    compute a sum by iterating through
+                                                    the elements of this field and
+                                                    adding "weight" to the sum if
+                                                    the node has pods which matches
+                                                    the corresponding podAffinityTerm;
+                                                    the node(s) with the highest sum
+                                                    are the most preferred.
+                                                  items:
+                                                    description: The weights of all
+                                                      of the matched WeightedPodAffinityTerm
+                                                      fields are added per-node to
+                                                      find the most preferred node(s)
+                                                    properties:
+                                                      podAffinityTerm:
+                                                        description: Required. A pod
+                                                          affinity term, associated
+                                                          with the corresponding weight.
+                                                        properties:
+                                                          labelSelector:
+                                                            description: A label query
+                                                              over a set of resources,
+                                                              in this case pods.
+                                                            properties:
+                                                              matchExpressions:
+                                                                description: matchExpressions
+                                                                  is a list of label
+                                                                  selector requirements.
+                                                                  The requirements
+                                                                  are ANDed.
+                                                                items:
+                                                                  description: A label
+                                                                    selector requirement
+                                                                    is a selector
+                                                                    that contains
+                                                                    values, a key,
+                                                                    and an operator
+                                                                    that relates the
+                                                                    key and values.
+                                                                  properties:
+                                                                    key:
+                                                                      description: key
+                                                                        is the label
+                                                                        key that the
+                                                                        selector applies
+                                                                        to.
+                                                                      type: string
+                                                                    operator:
+                                                                      description: operator
+                                                                        represents
+                                                                        a key's relationship
+                                                                        to a set of
+                                                                        values. Valid
+                                                                        operators
+                                                                        are In, NotIn,
+                                                                        Exists and
+                                                                        DoesNotExist.
+                                                                      type: string
+                                                                    values:
+                                                                      description: values
+                                                                        is an array
+                                                                        of string
+                                                                        values. If
+                                                                        the operator
+                                                                        is In or NotIn,
+                                                                        the values
+                                                                        array must
+                                                                        be non-empty.
+                                                                        If the operator
+                                                                        is Exists
+                                                                        or DoesNotExist,
+                                                                        the values
+                                                                        array must
+                                                                        be empty.
+                                                                        This array
+                                                                        is replaced
+                                                                        during a strategic
+                                                                        merge patch.
+                                                                      items:
+                                                                        type: string
+                                                                      type: array
+                                                                  required:
+                                                                  - key
+                                                                  - operator
+                                                                  type: object
+                                                                type: array
+                                                              matchLabels:
+                                                                additionalProperties:
+                                                                  type: string
+                                                                description: matchLabels
+                                                                  is a map of {key,value}
+                                                                  pairs. A single
+                                                                  {key,value} in the
+                                                                  matchLabels map
+                                                                  is equivalent to
+                                                                  an element of matchExpressions,
+                                                                  whose key field
+                                                                  is "key", the operator
+                                                                  is "In", and the
+                                                                  values array contains
+                                                                  only "value". The
+                                                                  requirements are
+                                                                  ANDed.
+                                                                type: object
+                                                            type: object
+                                                          namespaces:
+                                                            description: namespaces
+                                                              specifies which namespaces
+                                                              the labelSelector applies
+                                                              to (matches against);
+                                                              null or empty list means
+                                                              "this pod's namespace"
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                          topologyKey:
+                                                            description: This pod
+                                                              should be co-located
+                                                              (affinity) or not co-located
+                                                              (anti-affinity) with
+                                                              the pods matching the
+                                                              labelSelector in the
+                                                              specified namespaces,
+                                                              where co-located is
+                                                              defined as running on
+                                                              a node whose value of
+                                                              the label with key topologyKey
+                                                              matches that of any
+                                                              node on which any of
+                                                              the selected pods is
+                                                              running. Empty topologyKey
+                                                              is not allowed.
+                                                            type: string
+                                                        required:
+                                                        - topologyKey
+                                                        type: object
+                                                      weight:
+                                                        description: weight associated
+                                                          with matching the corresponding
+                                                          podAffinityTerm, in the
+                                                          range 1-100.
+                                                        format: int32
+                                                        type: integer
+                                                    required:
+                                                    - podAffinityTerm
+                                                    - weight
+                                                    type: object
+                                                  type: array
+                                                requiredDuringSchedulingIgnoredDuringExecution:
+                                                  description: If the anti-affinity
+                                                    requirements specified by this
+                                                    field are not met at scheduling
+                                                    time, the pod will not be scheduled
+                                                    onto the node. If the anti-affinity
+                                                    requirements specified by this
+                                                    field cease to be met at some
+                                                    point during pod execution (e.g.
+                                                    due to a pod label update), the
+                                                    system may or may not try to eventually
+                                                    evict the pod from its node. When
+                                                    there are multiple elements, the
+                                                    lists of nodes corresponding to
+                                                    each podAffinityTerm are intersected,
+                                                    i.e. all terms must be satisfied.
+                                                  items:
+                                                    description: Defines a set of
+                                                      pods (namely those matching
+                                                      the labelSelector relative to
+                                                      the given namespace(s)) that
+                                                      this pod should be co-located
+                                                      (affinity) or not co-located
+                                                      (anti-affinity) with, where
+                                                      co-located is defined as running
+                                                      on a node whose value of the
+                                                      label with key <topologyKey>
+                                                      matches that of any node on
+                                                      which a pod of the set of pods
+                                                      is running
+                                                    properties:
+                                                      labelSelector:
+                                                        description: A label query
+                                                          over a set of resources,
+                                                          in this case pods.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: matchExpressions
+                                                              is a list of label selector
+                                                              requirements. The requirements
+                                                              are ANDed.
+                                                            items:
+                                                              description: A label
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: key
+                                                                    is the label key
+                                                                    that the selector
+                                                                    applies to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: operator
+                                                                    represents a key's
+                                                                    relationship to
+                                                                    a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists and DoesNotExist.
+                                                                  type: string
+                                                                values:
+                                                                  description: values
+                                                                    is an array of
+                                                                    string values.
+                                                                    If the operator
+                                                                    is In or NotIn,
+                                                                    the values array
+                                                                    must be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchLabels:
+                                                            additionalProperties:
+                                                              type: string
+                                                            description: matchLabels
+                                                              is a map of {key,value}
+                                                              pairs. A single {key,value}
+                                                              in the matchLabels map
+                                                              is equivalent to an
+                                                              element of matchExpressions,
+                                                              whose key field is "key",
+                                                              the operator is "In",
+                                                              and the values array
+                                                              contains only "value".
+                                                              The requirements are
+                                                              ANDed.
+                                                            type: object
+                                                        type: object
+                                                      namespaces:
+                                                        description: namespaces specifies
+                                                          which namespaces the labelSelector
+                                                          applies to (matches against);
+                                                          null or empty list means
+                                                          "this pod's namespace"
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                      topologyKey:
+                                                        description: This pod should
+                                                          be co-located (affinity)
+                                                          or not co-located (anti-affinity)
+                                                          with the pods matching the
+                                                          labelSelector in the specified
+                                                          namespaces, where co-located
+                                                          is defined as running on
+                                                          a node whose value of the
+                                                          label with key topologyKey
+                                                          matches that of any node
+                                                          on which any of the selected
+                                                          pods is running. Empty topologyKey
+                                                          is not allowed.
+                                                        type: string
+                                                    required:
+                                                    - topologyKey
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                          type: object
+                                        nodeSelector:
+                                          additionalProperties:
+                                            type: string
+                                          description: 'NodeSelector is a selector
+                                            which must be true for the pod to fit
+                                            on a node. Selector which must match a
+                                            node''s labels for the pod to be scheduled
+                                            on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
+                                          type: object
+                                        priorityClassName:
+                                          description: If specified, the pod's priorityClassName.
+                                          type: string
+                                        serviceAccountName:
+                                          description: If specified, the pod's service
+                                            account
+                                          type: string
+                                        tolerations:
+                                          description: If specified, the pod's tolerations.
+                                          items:
+                                            description: The pod this Toleration is
+                                              attached to tolerates any taint that
+                                              matches the triple <key,value,effect>
+                                              using the matching operator <operator>.
+                                            properties:
+                                              effect:
+                                                description: Effect indicates the
+                                                  taint effect to match. Empty means
+                                                  match all taint effects. When specified,
+                                                  allowed values are NoSchedule, PreferNoSchedule
+                                                  and NoExecute.
+                                                type: string
+                                              key:
+                                                description: Key is the taint key
+                                                  that the toleration applies to.
+                                                  Empty means match all taint keys.
+                                                  If the key is empty, operator must
+                                                  be Exists; this combination means
+                                                  to match all values and all keys.
+                                                type: string
+                                              operator:
+                                                description: Operator represents a
+                                                  key's relationship to the value.
+                                                  Valid operators are Exists and Equal.
+                                                  Defaults to Equal. Exists is equivalent
+                                                  to wildcard for value, so that a
+                                                  pod can tolerate all taints of a
+                                                  particular category.
+                                                type: string
+                                              tolerationSeconds:
+                                                description: TolerationSeconds represents
+                                                  the period of time the toleration
+                                                  (which must be of effect NoExecute,
+                                                  otherwise this field is ignored)
+                                                  tolerates the taint. By default,
+                                                  it is not set, which means tolerate
+                                                  the taint forever (do not evict).
+                                                  Zero and negative values will be
+                                                  treated as 0 (evict immediately)
+                                                  by the system.
+                                                format: int64
+                                                type: integer
+                                              value:
+                                                description: Value is the taint value
+                                                  the toleration matches to. If the
+                                                  operator is Exists, the value should
+                                                  be empty, otherwise just a regular
+                                                  string.
+                                                type: string
+                                            type: object
+                                          type: array
+                                      type: object
+                                  type: object
+                                serviceType:
+                                  description: Optional service type for Kubernetes
+                                    solver service
+                                  type: string
+                              type: object
+                          type: object
+                        selector:
+                          description: Selector selects a set of DNSNames on the Certificate
+                            resource that should be solved using this challenge solver.
+                            If not specified, the solver will be treated as the 'default'
+                            solver with the lowest priority, i.e. if any other solver
+                            has a more specific match, it will be used instead.
+                          properties:
+                            dnsNames:
+                              description: List of DNSNames that this solver will
+                                be used to solve. If specified and a match is found,
+                                a dnsNames selector will take precedence over a dnsZones
+                                selector. If multiple solvers match with the same
+                                dnsNames value, the solver with the most matching
+                                labels in matchLabels will be selected. If neither
+                                has more matches, the solver defined earlier in the
+                                list will be selected.
+                              items:
+                                type: string
+                              type: array
+                            dnsZones:
+                              description: List of DNSZones that this solver will
+                                be used to solve. The most specific DNS zone match
+                                specified here will take precedence over other DNS
+                                zone matches, so a solver specifying sys.example.com
+                                will be selected over one specifying example.com for
+                                the domain www.sys.example.com. If multiple solvers
+                                match with the same dnsZones value, the solver with
+                                the most matching labels in matchLabels will be selected.
+                                If neither has more matches, the solver defined earlier
+                                in the list will be selected.
+                              items:
+                                type: string
+                              type: array
+                            matchLabels:
+                              additionalProperties:
+                                type: string
+                              description: A label selector that is used to refine
+                                the set of certificate's that this challenge solver
+                                will apply to.
+                              type: object
+                          type: object
+                      type: object
+                    type: array
+                required:
+                - privateKeySecretRef
+                - server
+                type: object
+              ca:
+                description: CA configures this issuer to sign certificates using
+                  a signing CA keypair stored in a Secret resource. This is used to
+                  build internal PKIs that are managed by cert-manager.
+                properties:
+                  crlDistributionPoints:
+                    description: The CRL distribution points is an X.509 v3 certificate
+                      extension which identifies the location of the CRL from which
+                      the revocation of this certificate can be checked. If not set,
+                      certificates will be issued without distribution points set.
+                    items:
+                      type: string
+                    type: array
+                  secretName:
+                    description: SecretName is the name of the secret used to sign
+                      Certificates issued by this Issuer.
+                    type: string
+                required:
+                - secretName
+                type: object
+              selfSigned:
+                description: SelfSigned configures this issuer to 'self sign' certificates
+                  using the private key used to create the CertificateRequest object.
+                properties:
+                  crlDistributionPoints:
+                    description: The CRL distribution points is an X.509 v3 certificate
+                      extension which identifies the location of the CRL from which
+                      the revocation of this certificate can be checked. If not set
+                      certificate will be issued without CDP. Values are strings.
+                    items:
+                      type: string
+                    type: array
+                type: object
+              vault:
+                description: Vault configures this issuer to sign certificates using
+                  a HashiCorp Vault PKI backend.
+                properties:
+                  auth:
+                    description: Auth configures how cert-manager authenticates with
+                      the Vault server.
+                    properties:
+                      appRole:
+                        description: AppRole authenticates with Vault using the App
+                          Role auth mechanism, with the role and secret stored in
+                          a Kubernetes Secret resource.
+                        properties:
+                          path:
+                            description: 'Path where the App Role authentication backend
+                              is mounted in Vault, e.g: "approle"'
+                            type: string
+                          roleId:
+                            description: RoleID configured in the App Role authentication
+                              backend when setting up the authentication backend in
+                              Vault.
+                            type: string
+                          secretRef:
+                            description: Reference to a key in a Secret that contains
+                              the App Role secret used to authenticate with Vault.
+                              The `key` field must be specified and denotes which
+                              entry within the Secret resource is used as the app
+                              role secret.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - path
+                        - roleId
+                        - secretRef
+                        type: object
+                      kubernetes:
+                        description: Kubernetes authenticates with Vault by passing
+                          the ServiceAccount token stored in the named Secret resource
+                          to the Vault server.
+                        properties:
+                          mountPath:
+                            description: The Vault mountPath here is the mount path
+                              to use when authenticating with Vault. For example,
+                              setting a value to `/v1/auth/foo`, will use the path
+                              `/v1/auth/foo/login` to authenticate with Vault. If
+                              unspecified, the default value "/v1/auth/kubernetes"
+                              will be used.
+                            type: string
+                          role:
+                            description: A required field containing the Vault Role
+                              to assume. A Role binds a Kubernetes ServiceAccount
+                              with a set of Vault policies.
+                            type: string
+                          secretRef:
+                            description: The required Secret field containing a Kubernetes
+                              ServiceAccount JWT used for authenticating with Vault.
+                              Use of 'ambient credentials' is not supported.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - role
+                        - secretRef
+                        type: object
+                      tokenSecretRef:
+                        description: TokenSecretRef authenticates with Vault by presenting
+                          a token.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                    type: object
+                  caBundle:
+                    description: PEM encoded CA bundle used to validate Vault server
+                      certificate. Only used if the Server URL is using HTTPS protocol.
+                      This parameter is ignored for plain HTTP protocol connection.
+                      If not set the system root certificates are used to validate
+                      the TLS connection.
+                    format: byte
+                    type: string
+                  namespace:
+                    description: 'Name of the vault namespace. Namespaces is a set
+                      of features within Vault Enterprise that allows Vault environments
+                      to support Secure Multi-tenancy. e.g: "ns1" More about namespaces
+                      can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
+                    type: string
+                  path:
+                    description: 'Path is the mount path of the Vault PKI backend''s
+                      `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
+                    type: string
+                  server:
+                    description: 'Server is the connection address for the Vault server,
+                      e.g: "https://vault.example.com:8200".'
+                    type: string
+                required:
+                - auth
+                - path
+                - server
+                type: object
+              venafi:
+                description: Venafi configures this issuer to sign certificates using
+                  a Venafi TPP or Venafi Cloud policy zone.
+                properties:
+                  cloud:
+                    description: Cloud specifies the Venafi cloud configuration settings.
+                      Only one of TPP or Cloud may be specified.
+                    properties:
+                      apiTokenSecretRef:
+                        description: APITokenSecretRef is a secret key selector for
+                          the Venafi Cloud API token.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      url:
+                        description: URL is the base URL for Venafi Cloud. Defaults
+                          to "https://api.venafi.cloud/v1".
+                        type: string
+                    required:
+                    - apiTokenSecretRef
+                    type: object
+                  tpp:
+                    description: TPP specifies Trust Protection Platform configuration
+                      settings. Only one of TPP or Cloud may be specified.
+                    properties:
+                      caBundle:
+                        description: CABundle is a PEM encoded TLS certificate to
+                          use to verify connections to the TPP instance. If specified,
+                          system roots will not be used and the issuing CA for the
+                          TPP instance must be verifiable using the provided root.
+                          If not specified, the connection will be verified using
+                          the cert-manager system root certificates.
+                        format: byte
+                        type: string
+                      credentialsRef:
+                        description: CredentialsRef is a reference to a Secret containing
+                          the username and password for the TPP server. The secret
+                          must contain two keys, 'username' and 'password'.
+                        properties:
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      url:
+                        description: 'URL is the base URL for the vedsdk endpoint
+                          of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
+                        type: string
+                    required:
+                    - credentialsRef
+                    - url
+                    type: object
+                  zone:
+                    description: Zone is the Venafi Policy Zone to use for this issuer.
+                      All requests made to the Venafi platform will be restricted
+                      by the named zone policy. This field is required.
+                    type: string
+                required:
+                - zone
+                type: object
+            type: object
+          status:
+            description: Status of the ClusterIssuer. This is set and managed automatically.
+            properties:
+              acme:
+                description: ACME specific status options. This field should only
+                  be set if the Issuer is configured to use an ACME server to issue
+                  certificates.
+                properties:
+                  lastRegisteredEmail:
+                    description: LastRegisteredEmail is the email associated with
+                      the latest registered ACME account, in order to track changes
+                      made to registered account associated with the  Issuer
+                    type: string
+                  uri:
+                    description: URI is the unique account identifier, which can also
+                      be used to retrieve account details from the CA
+                    type: string
+                type: object
+              conditions:
+                description: List of status conditions to indicate the status of a
+                  CertificateRequest. Known condition types are `Ready`.
+                items:
+                  description: IssuerCondition contains condition information for
+                    an Issuer.
+                  properties:
+                    lastTransitionTime:
+                      description: LastTransitionTime is the timestamp corresponding
+                        to the last status change of this condition.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Message is a human readable description of the
+                        details of the last transition, complementing reason.
+                      type: string
+                    reason:
+                      description: Reason is a brief machine readable explanation
+                        for the condition's last transition.
+                      type: string
+                    status:
+                      description: Status of the condition, one of ('True', 'False',
+                        'Unknown').
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: Type of the condition, known values are ('Ready').
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].message
+      name: Status
+      priority: 1
+      type: string
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC.
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: A ClusterIssuer represents a certificate issuing authority which
+          can be referenced as part of `issuerRef` fields. It is similar to an Issuer,
+          however it is cluster-scoped and therefore can be referenced by resources
+          that exist in *any* namespace, not just the same namespace as the referent.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Desired state of the ClusterIssuer resource.
+            properties:
+              acme:
+                description: ACME configures this issuer to communicate with a RFC8555
+                  (ACME) server to obtain signed x509 certificates.
+                properties:
+                  disableAccountKeyGeneration:
+                    description: Enables or disables generating a new ACME account
+                      key. If true, the Issuer resource will *not* request a new account
+                      but will expect the account key to be supplied via an existing
+                      secret. If false, the cert-manager system will generate a new
+                      ACME account key for the Issuer. Defaults to false.
+                    type: boolean
+                  email:
+                    description: Email is the email address to be associated with
+                      the ACME account. This field is optional, but it is strongly
+                      recommended to be set. It will be used to contact you in case
+                      of issues with your account or certificates, including expiry
+                      notification emails. This field may be updated after the account
+                      is initially registered.
+                    type: string
+                  externalAccountBinding:
+                    description: ExternalAccountBinding is a reference to a CA external
+                      account of the ACME server. If set, upon registration cert-manager
+                      will attempt to associate the given external account credentials
+                      with the registered ACME account.
+                    properties:
+                      keyAlgorithm:
+                        description: keyAlgorithm is the MAC key algorithm that the
+                          key is used for. Valid values are "HS256", "HS384" and "HS512".
+                        enum:
+                        - HS256
+                        - HS384
+                        - HS512
+                        type: string
+                      keyID:
+                        description: keyID is the ID of the CA key that the External
+                          Account is bound to.
+                        type: string
+                      keySecretRef:
+                        description: keySecretRef is a Secret Key Selector referencing
+                          a data item in a Kubernetes Secret which holds the symmetric
+                          MAC key of the External Account Binding. The `key` is the
+                          index string that is paired with the key data in the Secret
+                          and should not be confused with the key data itself, or
+                          indeed with the External Account Binding keyID above. The
+                          secret key stored in the Secret **must** be un-padded, base64
+                          URL encoded data.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                    required:
+                    - keyAlgorithm
+                    - keyID
+                    - keySecretRef
+                    type: object
+                  preferredChain:
+                    description: 'PreferredChain is the chain to use if the ACME server
+                      outputs multiple. PreferredChain is no guarantee that this one
+                      gets delivered by the ACME endpoint. For example, for Let''s
+                      Encrypt''s DST crosssign you would use: "DST Root CA X3" or
+                      "ISRG Root X1" for the newer Let''s Encrypt root CA. This value
+                      picks the first certificate bundle in the ACME alternative chains
+                      that has a certificate with this value as its issuer''s CN'
+                    maxLength: 64
+                    type: string
+                  privateKeySecretRef:
+                    description: PrivateKey is the name of a Kubernetes Secret resource
+                      that will be used to store the automatically generated ACME
+                      account private key. Optionally, a `key` may be specified to
+                      select a specific entry within the named Secret resource. If
+                      `key` is not specified, a default of `tls.key` will be used.
+                    properties:
+                      key:
+                        description: The key of the entry in the Secret resource's
+                          `data` field to be used. Some instances of this field may
+                          be defaulted, in others it may be required.
+                        type: string
+                      name:
+                        description: 'Name of the resource being referred to. More
+                          info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                        type: string
+                    required:
+                    - name
+                    type: object
+                  server:
+                    description: 'Server is the URL used to access the ACME server''s
+                      ''directory'' endpoint. For example, for Let''s Encrypt''s staging
+                      endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory".
+                      Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
+                    type: string
+                  skipTLSVerify:
+                    description: Enables or disables validation of the ACME server
+                      TLS certificate. If true, requests to the ACME server will not
+                      have their TLS certificate validated (i.e. insecure connections
+                      will be allowed). Only enable this option in development environments.
+                      The cert-manager system installed roots will be used to verify
+                      connections to the ACME server if this is false. Defaults to
+                      false.
+                    type: boolean
+                  solvers:
+                    description: 'Solvers is a list of challenge solvers that will
+                      be used to solve ACME challenges for the matching domains. Solver
+                      configurations must be provided in order to obtain certificates
+                      from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
+                    items:
+                      description: Configures an issuer to solve challenges using
+                        the specified options. Only one of HTTP01 or DNS01 may be
+                        provided.
+                      properties:
+                        dns01:
+                          description: Configures cert-manager to attempt to complete
+                            authorizations by performing the DNS01 challenge flow.
+                          properties:
+                            acmeDNS:
+                              description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
+                                API to manage DNS01 challenge records.
+                              properties:
+                                accountSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                host:
+                                  type: string
+                              required:
+                              - accountSecretRef
+                              - host
+                              type: object
+                            akamai:
+                              description: Use the Akamai DNS zone management API
+                                to manage DNS01 challenge records.
+                              properties:
+                                accessTokenSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                clientSecretSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                clientTokenSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                serviceConsumerDomain:
+                                  type: string
+                              required:
+                              - accessTokenSecretRef
+                              - clientSecretSecretRef
+                              - clientTokenSecretRef
+                              - serviceConsumerDomain
+                              type: object
+                            azureDNS:
+                              description: Use the Microsoft Azure DNS API to manage
+                                DNS01 challenge records.
+                              properties:
+                                clientID:
+                                  description: if both this and ClientSecret are left
+                                    unset MSI will be used
+                                  type: string
+                                clientSecretSecretRef:
+                                  description: if both this and ClientID are left
+                                    unset MSI will be used
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                environment:
+                                  enum:
+                                  - AzurePublicCloud
+                                  - AzureChinaCloud
+                                  - AzureGermanCloud
+                                  - AzureUSGovernmentCloud
+                                  type: string
+                                hostedZoneName:
+                                  type: string
+                                resourceGroupName:
+                                  type: string
+                                subscriptionID:
+                                  type: string
+                                tenantID:
+                                  description: when specifying ClientID and ClientSecret
+                                    then this field is also needed
+                                  type: string
+                              required:
+                              - resourceGroupName
+                              - subscriptionID
+                              type: object
+                            cloudDNS:
+                              description: Use the Google Cloud DNS API to manage
+                                DNS01 challenge records.
+                              properties:
+                                hostedZoneName:
+                                  description: HostedZoneName is an optional field
+                                    that tells cert-manager in which Cloud DNS zone
+                                    the challenge record has to be created. If left
+                                    empty cert-manager will automatically choose a
+                                    zone.
+                                  type: string
+                                project:
+                                  type: string
+                                serviceAccountSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - project
+                              type: object
+                            cloudflare:
+                              description: Use the Cloudflare API to manage DNS01
+                                challenge records.
+                              properties:
+                                apiKeySecretRef:
+                                  description: 'API key to use to authenticate with
+                                    Cloudflare. Note: using an API token to authenticate
+                                    is now the recommended method as it allows greater
+                                    control of permissions.'
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                apiTokenSecretRef:
+                                  description: API token used to authenticate with
+                                    Cloudflare.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                email:
+                                  description: Email of the account, only required
+                                    when using API key based authentication.
+                                  type: string
+                              type: object
+                            cnameStrategy:
+                              description: CNAMEStrategy configures how the DNS01
+                                provider should handle CNAME records when found in
+                                DNS zones.
+                              enum:
+                              - None
+                              - Follow
+                              type: string
+                            digitalocean:
+                              description: Use the DigitalOcean DNS API to manage
+                                DNS01 challenge records.
+                              properties:
+                                tokenSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - tokenSecretRef
+                              type: object
+                            rfc2136:
+                              description: Use RFC2136 ("Dynamic Updates in the Domain
+                                Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+                                to manage DNS01 challenge records.
+                              properties:
+                                nameserver:
+                                  description: The IP address or hostname of an authoritative
+                                    DNS server supporting RFC2136 in the form host:port.
+                                    If the host is an IPv6 address it must be enclosed
+                                    in square brackets (e.g [2001:db8::1]) ; port
+                                    is optional. This field is required.
+                                  type: string
+                                tsigAlgorithm:
+                                  description: 'The TSIG Algorithm configured in the
+                                    DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
+                                    and ``tsigKeyName`` are defined. Supported values
+                                    are (case-insensitive): ``HMACMD5`` (default),
+                                    ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
+                                  type: string
+                                tsigKeyName:
+                                  description: The TSIG Key name configured in the
+                                    DNS. If ``tsigSecretSecretRef`` is defined, this
+                                    field is required.
+                                  type: string
+                                tsigSecretSecretRef:
+                                  description: The name of the secret containing the
+                                    TSIG value. If ``tsigKeyName`` is defined, this
+                                    field is required.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - nameserver
+                              type: object
+                            route53:
+                              description: Use the AWS Route53 API to manage DNS01
+                                challenge records.
+                              properties:
+                                accessKeyID:
+                                  description: 'The AccessKeyID is used for authentication.
+                                    If not set we fall-back to using env vars, shared
+                                    credentials file or AWS Instance metadata see:
+                                    https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                  type: string
+                                hostedZoneID:
+                                  description: If set, the provider will manage only
+                                    this zone in Route53 and will not do an lookup
+                                    using the route53:ListHostedZonesByName api call.
+                                  type: string
+                                region:
+                                  description: Always set the region when using AccessKeyID
+                                    and SecretAccessKey
+                                  type: string
+                                role:
+                                  description: Role is a Role ARN which the Route53
+                                    provider will assume using either the explicit
+                                    credentials AccessKeyID/SecretAccessKey or the
+                                    inferred credentials from environment variables,
+                                    shared credentials file or AWS Instance metadata
+                                  type: string
+                                secretAccessKeySecretRef:
+                                  description: The SecretAccessKey is used for authentication.
+                                    If not set we fall-back to using env vars, shared
+                                    credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - region
+                              type: object
+                            webhook:
+                              description: Configure an external webhook based DNS01
+                                challenge solver to manage DNS01 challenge records.
+                              properties:
+                                config:
+                                  description: Additional configuration that should
+                                    be passed to the webhook apiserver when challenges
+                                    are processed. This can contain arbitrary JSON
+                                    data. Secret values should not be specified in
+                                    this stanza. If secret values are needed (e.g.
+                                    credentials for a DNS service), you should use
+                                    a SecretKeySelector to reference a Secret resource.
+                                    For details on the schema of this field, consult
+                                    the webhook provider implementation's documentation.
+                                  x-kubernetes-preserve-unknown-fields: true
+                                groupName:
+                                  description: The API group name that should be used
+                                    when POSTing ChallengePayload resources to the
+                                    webhook apiserver. This should be the same as
+                                    the GroupName specified in the webhook provider
+                                    implementation.
+                                  type: string
+                                solverName:
+                                  description: The name of the solver to use, as defined
+                                    in the webhook provider implementation. This will
+                                    typically be the name of the provider, e.g. 'cloudflare'.
+                                  type: string
+                              required:
+                              - groupName
+                              - solverName
+                              type: object
+                          type: object
+                        http01:
+                          description: Configures cert-manager to attempt to complete
+                            authorizations by performing the HTTP01 challenge flow.
+                            It is not possible to obtain certificates for wildcard
+                            domain names (e.g. `*.example.com`) using the HTTP01 challenge
+                            mechanism.
+                          properties:
+                            ingress:
+                              description: The ingress based HTTP01 challenge solver
+                                will solve challenges by creating or modifying Ingress
+                                resources in order to route requests for '/.well-known/acme-challenge/XYZ'
+                                to 'challenge solver' pods that are provisioned by
+                                cert-manager for each Challenge to be completed.
+                              properties:
+                                class:
+                                  description: The ingress class to use when creating
+                                    Ingress resources to solve ACME challenges that
+                                    use this challenge solver. Only one of 'class'
+                                    or 'name' may be specified.
+                                  type: string
+                                ingressTemplate:
+                                  description: Optional ingress template used to configure
+                                    the ACME challenge solver ingress used for HTTP01
+                                    challenges
+                                  properties:
+                                    metadata:
+                                      description: ObjectMeta overrides for the ingress
+                                        used to solve HTTP01 challenges. Only the
+                                        'labels' and 'annotations' fields may be set.
+                                        If labels or annotations overlap with in-built
+                                        values, the values here will override the
+                                        in-built values.
+                                      properties:
+                                        annotations:
+                                          additionalProperties:
+                                            type: string
+                                          description: Annotations that should be
+                                            added to the created ACME HTTP01 solver
+                                            ingress.
+                                          type: object
+                                        labels:
+                                          additionalProperties:
+                                            type: string
+                                          description: Labels that should be added
+                                            to the created ACME HTTP01 solver ingress.
+                                          type: object
+                                      type: object
+                                  type: object
+                                name:
+                                  description: The name of the ingress resource that
+                                    should have ACME challenge solving routes inserted
+                                    into it in order to solve HTTP01 challenges. This
+                                    is typically used in conjunction with ingress
+                                    controllers like ingress-gce, which maintains
+                                    a 1:1 mapping between external IPs and ingress
+                                    resources.
+                                  type: string
+                                podTemplate:
+                                  description: Optional pod template used to configure
+                                    the ACME challenge solver pods used for HTTP01
+                                    challenges
+                                  properties:
+                                    metadata:
+                                      description: ObjectMeta overrides for the pod
+                                        used to solve HTTP01 challenges. Only the
+                                        'labels' and 'annotations' fields may be set.
+                                        If labels or annotations overlap with in-built
+                                        values, the values here will override the
+                                        in-built values.
+                                      properties:
+                                        annotations:
+                                          additionalProperties:
+                                            type: string
+                                          description: Annotations that should be
+                                            added to the create ACME HTTP01 solver
+                                            pods.
+                                          type: object
+                                        labels:
+                                          additionalProperties:
+                                            type: string
+                                          description: Labels that should be added
+                                            to the created ACME HTTP01 solver pods.
+                                          type: object
+                                      type: object
+                                    spec:
+                                      description: PodSpec defines overrides for the
+                                        HTTP01 challenge solver pod. Only the 'priorityClassName',
+                                        'nodeSelector', 'affinity', 'serviceAccountName'
+                                        and 'tolerations' fields are supported currently.
+                                        All other fields will be ignored.
+                                      properties:
+                                        affinity:
+                                          description: If specified, the pod's scheduling
+                                            constraints
+                                          properties:
+                                            nodeAffinity:
+                                              description: Describes node affinity
+                                                scheduling rules for the pod.
+                                              properties:
+                                                preferredDuringSchedulingIgnoredDuringExecution:
+                                                  description: The scheduler will
+                                                    prefer to schedule pods to nodes
+                                                    that satisfy the affinity expressions
+                                                    specified by this field, but it
+                                                    may choose a node that violates
+                                                    one or more of the expressions.
+                                                    The node that is most preferred
+                                                    is the one with the greatest sum
+                                                    of weights, i.e. for each node
+                                                    that meets all of the scheduling
+                                                    requirements (resource request,
+                                                    requiredDuringScheduling affinity
+                                                    expressions, etc.), compute a
+                                                    sum by iterating through the elements
+                                                    of this field and adding "weight"
+                                                    to the sum if the node matches
+                                                    the corresponding matchExpressions;
+                                                    the node(s) with the highest sum
+                                                    are the most preferred.
+                                                  items:
+                                                    description: An empty preferred
+                                                      scheduling term matches all
+                                                      objects with implicit weight
+                                                      0 (i.e. it's a no-op). A null
+                                                      preferred scheduling term matches
+                                                      no objects (i.e. is also a no-op).
+                                                    properties:
+                                                      preference:
+                                                        description: A node selector
+                                                          term, associated with the
+                                                          corresponding weight.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's labels.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchFields:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's fields.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                        type: object
+                                                      weight:
+                                                        description: Weight associated
+                                                          with matching the corresponding
+                                                          nodeSelectorTerm, in the
+                                                          range 1-100.
+                                                        format: int32
+                                                        type: integer
+                                                    required:
+                                                    - preference
+                                                    - weight
+                                                    type: object
+                                                  type: array
+                                                requiredDuringSchedulingIgnoredDuringExecution:
+                                                  description: If the affinity requirements
+                                                    specified by this field are not
+                                                    met at scheduling time, the pod
+                                                    will not be scheduled onto the
+                                                    node. If the affinity requirements
+                                                    specified by this field cease
+                                                    to be met at some point during
+                                                    pod execution (e.g. due to an
+                                                    update), the system may or may
+                                                    not try to eventually evict the
+                                                    pod from its node.
+                                                  properties:
+                                                    nodeSelectorTerms:
+                                                      description: Required. A list
+                                                        of node selector terms. The
+                                                        terms are ORed.
+                                                      items:
+                                                        description: A null or empty
+                                                          node selector term matches
+                                                          no objects. The requirements
+                                                          of them are ANDed. The TopologySelectorTerm
+                                                          type implements a subset
+                                                          of the NodeSelectorTerm.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's labels.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchFields:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's fields.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                        type: object
+                                                      type: array
+                                                  required:
+                                                  - nodeSelectorTerms
+                                                  type: object
+                                              type: object
+                                            podAffinity:
+                                              description: Describes pod affinity
+                                                scheduling rules (e.g. co-locate this
+                                                pod in the same node, zone, etc. as
+                                                some other pod(s)).
+                                              properties:
+                                                preferredDuringSchedulingIgnoredDuringExecution:
+                                                  description: The scheduler will
+                                                    prefer to schedule pods to nodes
+                                                    that satisfy the affinity expressions
+                                                    specified by this field, but it
+                                                    may choose a node that violates
+                                                    one or more of the expressions.
+                                                    The node that is most preferred
+                                                    is the one with the greatest sum
+                                                    of weights, i.e. for each node
+                                                    that meets all of the scheduling
+                                                    requirements (resource request,
+                                                    requiredDuringScheduling affinity
+                                                    expressions, etc.), compute a
+                                                    sum by iterating through the elements
+                                                    of this field and adding "weight"
+                                                    to the sum if the node has pods
+                                                    which matches the corresponding
+                                                    podAffinityTerm; the node(s) with
+                                                    the highest sum are the most preferred.
+                                                  items:
+                                                    description: The weights of all
+                                                      of the matched WeightedPodAffinityTerm
+                                                      fields are added per-node to
+                                                      find the most preferred node(s)
+                                                    properties:
+                                                      podAffinityTerm:
+                                                        description: Required. A pod
+                                                          affinity term, associated
+                                                          with the corresponding weight.
+                                                        properties:
+                                                          labelSelector:
+                                                            description: A label query
+                                                              over a set of resources,
+                                                              in this case pods.
+                                                            properties:
+                                                              matchExpressions:
+                                                                description: matchExpressions
+                                                                  is a list of label
+                                                                  selector requirements.
+                                                                  The requirements
+                                                                  are ANDed.
+                                                                items:
+                                                                  description: A label
+                                                                    selector requirement
+                                                                    is a selector
+                                                                    that contains
+                                                                    values, a key,
+                                                                    and an operator
+                                                                    that relates the
+                                                                    key and values.
+                                                                  properties:
+                                                                    key:
+                                                                      description: key
+                                                                        is the label
+                                                                        key that the
+                                                                        selector applies
+                                                                        to.
+                                                                      type: string
+                                                                    operator:
+                                                                      description: operator
+                                                                        represents
+                                                                        a key's relationship
+                                                                        to a set of
+                                                                        values. Valid
+                                                                        operators
+                                                                        are In, NotIn,
+                                                                        Exists and
+                                                                        DoesNotExist.
+                                                                      type: string
+                                                                    values:
+                                                                      description: values
+                                                                        is an array
+                                                                        of string
+                                                                        values. If
+                                                                        the operator
+                                                                        is In or NotIn,
+                                                                        the values
+                                                                        array must
+                                                                        be non-empty.
+                                                                        If the operator
+                                                                        is Exists
+                                                                        or DoesNotExist,
+                                                                        the values
+                                                                        array must
+                                                                        be empty.
+                                                                        This array
+                                                                        is replaced
+                                                                        during a strategic
+                                                                        merge patch.
+                                                                      items:
+                                                                        type: string
+                                                                      type: array
+                                                                  required:
+                                                                  - key
+                                                                  - operator
+                                                                  type: object
+                                                                type: array
+                                                              matchLabels:
+                                                                additionalProperties:
+                                                                  type: string
+                                                                description: matchLabels
+                                                                  is a map of {key,value}
+                                                                  pairs. A single
+                                                                  {key,value} in the
+                                                                  matchLabels map
+                                                                  is equivalent to
+                                                                  an element of matchExpressions,
+                                                                  whose key field
+                                                                  is "key", the operator
+                                                                  is "In", and the
+                                                                  values array contains
+                                                                  only "value". The
+                                                                  requirements are
+                                                                  ANDed.
+                                                                type: object
+                                                            type: object
+                                                          namespaces:
+                                                            description: namespaces
+                                                              specifies which namespaces
+                                                              the labelSelector applies
+                                                              to (matches against);
+                                                              null or empty list means
+                                                              "this pod's namespace"
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                          topologyKey:
+                                                            description: This pod
+                                                              should be co-located
+                                                              (affinity) or not co-located
+                                                              (anti-affinity) with
+                                                              the pods matching the
+                                                              labelSelector in the
+                                                              specified namespaces,
+                                                              where co-located is
+                                                              defined as running on
+                                                              a node whose value of
+                                                              the label with key topologyKey
+                                                              matches that of any
+                                                              node on which any of
+                                                              the selected pods is
+                                                              running. Empty topologyKey
+                                                              is not allowed.
+                                                            type: string
+                                                        required:
+                                                        - topologyKey
+                                                        type: object
+                                                      weight:
+                                                        description: weight associated
+                                                          with matching the corresponding
+                                                          podAffinityTerm, in the
+                                                          range 1-100.
+                                                        format: int32
+                                                        type: integer
+                                                    required:
+                                                    - podAffinityTerm
+                                                    - weight
+                                                    type: object
+                                                  type: array
+                                                requiredDuringSchedulingIgnoredDuringExecution:
+                                                  description: If the affinity requirements
+                                                    specified by this field are not
+                                                    met at scheduling time, the pod
+                                                    will not be scheduled onto the
+                                                    node. If the affinity requirements
+                                                    specified by this field cease
+                                                    to be met at some point during
+                                                    pod execution (e.g. due to a pod
+                                                    label update), the system may
+                                                    or may not try to eventually evict
+                                                    the pod from its node. When there
+                                                    are multiple elements, the lists
+                                                    of nodes corresponding to each
+                                                    podAffinityTerm are intersected,
+                                                    i.e. all terms must be satisfied.
+                                                  items:
+                                                    description: Defines a set of
+                                                      pods (namely those matching
+                                                      the labelSelector relative to
+                                                      the given namespace(s)) that
+                                                      this pod should be co-located
+                                                      (affinity) or not co-located
+                                                      (anti-affinity) with, where
+                                                      co-located is defined as running
+                                                      on a node whose value of the
+                                                      label with key <topologyKey>
+                                                      matches that of any node on
+                                                      which a pod of the set of pods
+                                                      is running
+                                                    properties:
+                                                      labelSelector:
+                                                        description: A label query
+                                                          over a set of resources,
+                                                          in this case pods.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: matchExpressions
+                                                              is a list of label selector
+                                                              requirements. The requirements
+                                                              are ANDed.
+                                                            items:
+                                                              description: A label
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: key
+                                                                    is the label key
+                                                                    that the selector
+                                                                    applies to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: operator
+                                                                    represents a key's
+                                                                    relationship to
+                                                                    a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists and DoesNotExist.
+                                                                  type: string
+                                                                values:
+                                                                  description: values
+                                                                    is an array of
+                                                                    string values.
+                                                                    If the operator
+                                                                    is In or NotIn,
+                                                                    the values array
+                                                                    must be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchLabels:
+                                                            additionalProperties:
+                                                              type: string
+                                                            description: matchLabels
+                                                              is a map of {key,value}
+                                                              pairs. A single {key,value}
+                                                              in the matchLabels map
+                                                              is equivalent to an
+                                                              element of matchExpressions,
+                                                              whose key field is "key",
+                                                              the operator is "In",
+                                                              and the values array
+                                                              contains only "value".
+                                                              The requirements are
+                                                              ANDed.
+                                                            type: object
+                                                        type: object
+                                                      namespaces:
+                                                        description: namespaces specifies
+                                                          which namespaces the labelSelector
+                                                          applies to (matches against);
+                                                          null or empty list means
+                                                          "this pod's namespace"
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                      topologyKey:
+                                                        description: This pod should
+                                                          be co-located (affinity)
+                                                          or not co-located (anti-affinity)
+                                                          with the pods matching the
+                                                          labelSelector in the specified
+                                                          namespaces, where co-located
+                                                          is defined as running on
+                                                          a node whose value of the
+                                                          label with key topologyKey
+                                                          matches that of any node
+                                                          on which any of the selected
+                                                          pods is running. Empty topologyKey
+                                                          is not allowed.
+                                                        type: string
+                                                    required:
+                                                    - topologyKey
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                            podAntiAffinity:
+                                              description: Describes pod anti-affinity
+                                                scheduling rules (e.g. avoid putting
+                                                this pod in the same node, zone, etc.
+                                                as some other pod(s)).
+                                              properties:
+                                                preferredDuringSchedulingIgnoredDuringExecution:
+                                                  description: The scheduler will
+                                                    prefer to schedule pods to nodes
+                                                    that satisfy the anti-affinity
+                                                    expressions specified by this
+                                                    field, but it may choose a node
+                                                    that violates one or more of the
+                                                    expressions. The node that is
+                                                    most preferred is the one with
+                                                    the greatest sum of weights, i.e.
+                                                    for each node that meets all of
+                                                    the scheduling requirements (resource
+                                                    request, requiredDuringScheduling
+                                                    anti-affinity expressions, etc.),
+                                                    compute a sum by iterating through
+                                                    the elements of this field and
+                                                    adding "weight" to the sum if
+                                                    the node has pods which matches
+                                                    the corresponding podAffinityTerm;
+                                                    the node(s) with the highest sum
+                                                    are the most preferred.
+                                                  items:
+                                                    description: The weights of all
+                                                      of the matched WeightedPodAffinityTerm
+                                                      fields are added per-node to
+                                                      find the most preferred node(s)
+                                                    properties:
+                                                      podAffinityTerm:
+                                                        description: Required. A pod
+                                                          affinity term, associated
+                                                          with the corresponding weight.
+                                                        properties:
+                                                          labelSelector:
+                                                            description: A label query
+                                                              over a set of resources,
+                                                              in this case pods.
+                                                            properties:
+                                                              matchExpressions:
+                                                                description: matchExpressions
+                                                                  is a list of label
+                                                                  selector requirements.
+                                                                  The requirements
+                                                                  are ANDed.
+                                                                items:
+                                                                  description: A label
+                                                                    selector requirement
+                                                                    is a selector
+                                                                    that contains
+                                                                    values, a key,
+                                                                    and an operator
+                                                                    that relates the
+                                                                    key and values.
+                                                                  properties:
+                                                                    key:
+                                                                      description: key
+                                                                        is the label
+                                                                        key that the
+                                                                        selector applies
+                                                                        to.
+                                                                      type: string
+                                                                    operator:
+                                                                      description: operator
+                                                                        represents
+                                                                        a key's relationship
+                                                                        to a set of
+                                                                        values. Valid
+                                                                        operators
+                                                                        are In, NotIn,
+                                                                        Exists and
+                                                                        DoesNotExist.
+                                                                      type: string
+                                                                    values:
+                                                                      description: values
+                                                                        is an array
+                                                                        of string
+                                                                        values. If
+                                                                        the operator
+                                                                        is In or NotIn,
+                                                                        the values
+                                                                        array must
+                                                                        be non-empty.
+                                                                        If the operator
+                                                                        is Exists
+                                                                        or DoesNotExist,
+                                                                        the values
+                                                                        array must
+                                                                        be empty.
+                                                                        This array
+                                                                        is replaced
+                                                                        during a strategic
+                                                                        merge patch.
+                                                                      items:
+                                                                        type: string
+                                                                      type: array
+                                                                  required:
+                                                                  - key
+                                                                  - operator
+                                                                  type: object
+                                                                type: array
+                                                              matchLabels:
+                                                                additionalProperties:
+                                                                  type: string
+                                                                description: matchLabels
+                                                                  is a map of {key,value}
+                                                                  pairs. A single
+                                                                  {key,value} in the
+                                                                  matchLabels map
+                                                                  is equivalent to
+                                                                  an element of matchExpressions,
+                                                                  whose key field
+                                                                  is "key", the operator
+                                                                  is "In", and the
+                                                                  values array contains
+                                                                  only "value". The
+                                                                  requirements are
+                                                                  ANDed.
+                                                                type: object
+                                                            type: object
+                                                          namespaces:
+                                                            description: namespaces
+                                                              specifies which namespaces
+                                                              the labelSelector applies
+                                                              to (matches against);
+                                                              null or empty list means
+                                                              "this pod's namespace"
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                          topologyKey:
+                                                            description: This pod
+                                                              should be co-located
+                                                              (affinity) or not co-located
+                                                              (anti-affinity) with
+                                                              the pods matching the
+                                                              labelSelector in the
+                                                              specified namespaces,
+                                                              where co-located is
+                                                              defined as running on
+                                                              a node whose value of
+                                                              the label with key topologyKey
+                                                              matches that of any
+                                                              node on which any of
+                                                              the selected pods is
+                                                              running. Empty topologyKey
+                                                              is not allowed.
+                                                            type: string
+                                                        required:
+                                                        - topologyKey
+                                                        type: object
+                                                      weight:
+                                                        description: weight associated
+                                                          with matching the corresponding
+                                                          podAffinityTerm, in the
+                                                          range 1-100.
+                                                        format: int32
+                                                        type: integer
+                                                    required:
+                                                    - podAffinityTerm
+                                                    - weight
+                                                    type: object
+                                                  type: array
+                                                requiredDuringSchedulingIgnoredDuringExecution:
+                                                  description: If the anti-affinity
+                                                    requirements specified by this
+                                                    field are not met at scheduling
+                                                    time, the pod will not be scheduled
+                                                    onto the node. If the anti-affinity
+                                                    requirements specified by this
+                                                    field cease to be met at some
+                                                    point during pod execution (e.g.
+                                                    due to a pod label update), the
+                                                    system may or may not try to eventually
+                                                    evict the pod from its node. When
+                                                    there are multiple elements, the
+                                                    lists of nodes corresponding to
+                                                    each podAffinityTerm are intersected,
+                                                    i.e. all terms must be satisfied.
+                                                  items:
+                                                    description: Defines a set of
+                                                      pods (namely those matching
+                                                      the labelSelector relative to
+                                                      the given namespace(s)) that
+                                                      this pod should be co-located
+                                                      (affinity) or not co-located
+                                                      (anti-affinity) with, where
+                                                      co-located is defined as running
+                                                      on a node whose value of the
+                                                      label with key <topologyKey>
+                                                      matches that of any node on
+                                                      which a pod of the set of pods
+                                                      is running
+                                                    properties:
+                                                      labelSelector:
+                                                        description: A label query
+                                                          over a set of resources,
+                                                          in this case pods.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: matchExpressions
+                                                              is a list of label selector
+                                                              requirements. The requirements
+                                                              are ANDed.
+                                                            items:
+                                                              description: A label
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: key
+                                                                    is the label key
+                                                                    that the selector
+                                                                    applies to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: operator
+                                                                    represents a key's
+                                                                    relationship to
+                                                                    a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists and DoesNotExist.
+                                                                  type: string
+                                                                values:
+                                                                  description: values
+                                                                    is an array of
+                                                                    string values.
+                                                                    If the operator
+                                                                    is In or NotIn,
+                                                                    the values array
+                                                                    must be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchLabels:
+                                                            additionalProperties:
+                                                              type: string
+                                                            description: matchLabels
+                                                              is a map of {key,value}
+                                                              pairs. A single {key,value}
+                                                              in the matchLabels map
+                                                              is equivalent to an
+                                                              element of matchExpressions,
+                                                              whose key field is "key",
+                                                              the operator is "In",
+                                                              and the values array
+                                                              contains only "value".
+                                                              The requirements are
+                                                              ANDed.
+                                                            type: object
+                                                        type: object
+                                                      namespaces:
+                                                        description: namespaces specifies
+                                                          which namespaces the labelSelector
+                                                          applies to (matches against);
+                                                          null or empty list means
+                                                          "this pod's namespace"
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                      topologyKey:
+                                                        description: This pod should
+                                                          be co-located (affinity)
+                                                          or not co-located (anti-affinity)
+                                                          with the pods matching the
+                                                          labelSelector in the specified
+                                                          namespaces, where co-located
+                                                          is defined as running on
+                                                          a node whose value of the
+                                                          label with key topologyKey
+                                                          matches that of any node
+                                                          on which any of the selected
+                                                          pods is running. Empty topologyKey
+                                                          is not allowed.
+                                                        type: string
+                                                    required:
+                                                    - topologyKey
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                          type: object
+                                        nodeSelector:
+                                          additionalProperties:
+                                            type: string
+                                          description: 'NodeSelector is a selector
+                                            which must be true for the pod to fit
+                                            on a node. Selector which must match a
+                                            node''s labels for the pod to be scheduled
+                                            on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
+                                          type: object
+                                        priorityClassName:
+                                          description: If specified, the pod's priorityClassName.
+                                          type: string
+                                        serviceAccountName:
+                                          description: If specified, the pod's service
+                                            account
+                                          type: string
+                                        tolerations:
+                                          description: If specified, the pod's tolerations.
+                                          items:
+                                            description: The pod this Toleration is
+                                              attached to tolerates any taint that
+                                              matches the triple <key,value,effect>
+                                              using the matching operator <operator>.
+                                            properties:
+                                              effect:
+                                                description: Effect indicates the
+                                                  taint effect to match. Empty means
+                                                  match all taint effects. When specified,
+                                                  allowed values are NoSchedule, PreferNoSchedule
+                                                  and NoExecute.
+                                                type: string
+                                              key:
+                                                description: Key is the taint key
+                                                  that the toleration applies to.
+                                                  Empty means match all taint keys.
+                                                  If the key is empty, operator must
+                                                  be Exists; this combination means
+                                                  to match all values and all keys.
+                                                type: string
+                                              operator:
+                                                description: Operator represents a
+                                                  key's relationship to the value.
+                                                  Valid operators are Exists and Equal.
+                                                  Defaults to Equal. Exists is equivalent
+                                                  to wildcard for value, so that a
+                                                  pod can tolerate all taints of a
+                                                  particular category.
+                                                type: string
+                                              tolerationSeconds:
+                                                description: TolerationSeconds represents
+                                                  the period of time the toleration
+                                                  (which must be of effect NoExecute,
+                                                  otherwise this field is ignored)
+                                                  tolerates the taint. By default,
+                                                  it is not set, which means tolerate
+                                                  the taint forever (do not evict).
+                                                  Zero and negative values will be
+                                                  treated as 0 (evict immediately)
+                                                  by the system.
+                                                format: int64
+                                                type: integer
+                                              value:
+                                                description: Value is the taint value
+                                                  the toleration matches to. If the
+                                                  operator is Exists, the value should
+                                                  be empty, otherwise just a regular
+                                                  string.
+                                                type: string
+                                            type: object
+                                          type: array
+                                      type: object
+                                  type: object
+                                serviceType:
+                                  description: Optional service type for Kubernetes
+                                    solver service
+                                  type: string
+                              type: object
+                          type: object
+                        selector:
+                          description: Selector selects a set of DNSNames on the Certificate
+                            resource that should be solved using this challenge solver.
+                            If not specified, the solver will be treated as the 'default'
+                            solver with the lowest priority, i.e. if any other solver
+                            has a more specific match, it will be used instead.
+                          properties:
+                            dnsNames:
+                              description: List of DNSNames that this solver will
+                                be used to solve. If specified and a match is found,
+                                a dnsNames selector will take precedence over a dnsZones
+                                selector. If multiple solvers match with the same
+                                dnsNames value, the solver with the most matching
+                                labels in matchLabels will be selected. If neither
+                                has more matches, the solver defined earlier in the
+                                list will be selected.
+                              items:
+                                type: string
+                              type: array
+                            dnsZones:
+                              description: List of DNSZones that this solver will
+                                be used to solve. The most specific DNS zone match
+                                specified here will take precedence over other DNS
+                                zone matches, so a solver specifying sys.example.com
+                                will be selected over one specifying example.com for
+                                the domain www.sys.example.com. If multiple solvers
+                                match with the same dnsZones value, the solver with
+                                the most matching labels in matchLabels will be selected.
+                                If neither has more matches, the solver defined earlier
+                                in the list will be selected.
+                              items:
+                                type: string
+                              type: array
+                            matchLabels:
+                              additionalProperties:
+                                type: string
+                              description: A label selector that is used to refine
+                                the set of certificate's that this challenge solver
+                                will apply to.
+                              type: object
+                          type: object
+                      type: object
+                    type: array
+                required:
+                - privateKeySecretRef
+                - server
+                type: object
+              ca:
+                description: CA configures this issuer to sign certificates using
+                  a signing CA keypair stored in a Secret resource. This is used to
+                  build internal PKIs that are managed by cert-manager.
+                properties:
+                  crlDistributionPoints:
+                    description: The CRL distribution points is an X.509 v3 certificate
+                      extension which identifies the location of the CRL from which
+                      the revocation of this certificate can be checked. If not set,
+                      certificates will be issued without distribution points set.
+                    items:
+                      type: string
+                    type: array
+                  secretName:
+                    description: SecretName is the name of the secret used to sign
+                      Certificates issued by this Issuer.
+                    type: string
+                required:
+                - secretName
+                type: object
+              selfSigned:
+                description: SelfSigned configures this issuer to 'self sign' certificates
+                  using the private key used to create the CertificateRequest object.
+                properties:
+                  crlDistributionPoints:
+                    description: The CRL distribution points is an X.509 v3 certificate
+                      extension which identifies the location of the CRL from which
+                      the revocation of this certificate can be checked. If not set
+                      certificate will be issued without CDP. Values are strings.
+                    items:
+                      type: string
+                    type: array
+                type: object
+              vault:
+                description: Vault configures this issuer to sign certificates using
+                  a HashiCorp Vault PKI backend.
+                properties:
+                  auth:
+                    description: Auth configures how cert-manager authenticates with
+                      the Vault server.
+                    properties:
+                      appRole:
+                        description: AppRole authenticates with Vault using the App
+                          Role auth mechanism, with the role and secret stored in
+                          a Kubernetes Secret resource.
+                        properties:
+                          path:
+                            description: 'Path where the App Role authentication backend
+                              is mounted in Vault, e.g: "approle"'
+                            type: string
+                          roleId:
+                            description: RoleID configured in the App Role authentication
+                              backend when setting up the authentication backend in
+                              Vault.
+                            type: string
+                          secretRef:
+                            description: Reference to a key in a Secret that contains
+                              the App Role secret used to authenticate with Vault.
+                              The `key` field must be specified and denotes which
+                              entry within the Secret resource is used as the app
+                              role secret.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - path
+                        - roleId
+                        - secretRef
+                        type: object
+                      kubernetes:
+                        description: Kubernetes authenticates with Vault by passing
+                          the ServiceAccount token stored in the named Secret resource
+                          to the Vault server.
+                        properties:
+                          mountPath:
+                            description: The Vault mountPath here is the mount path
+                              to use when authenticating with Vault. For example,
+                              setting a value to `/v1/auth/foo`, will use the path
+                              `/v1/auth/foo/login` to authenticate with Vault. If
+                              unspecified, the default value "/v1/auth/kubernetes"
+                              will be used.
+                            type: string
+                          role:
+                            description: A required field containing the Vault Role
+                              to assume. A Role binds a Kubernetes ServiceAccount
+                              with a set of Vault policies.
+                            type: string
+                          secretRef:
+                            description: The required Secret field containing a Kubernetes
+                              ServiceAccount JWT used for authenticating with Vault.
+                              Use of 'ambient credentials' is not supported.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - role
+                        - secretRef
+                        type: object
+                      tokenSecretRef:
+                        description: TokenSecretRef authenticates with Vault by presenting
+                          a token.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                    type: object
+                  caBundle:
+                    description: PEM encoded CA bundle used to validate Vault server
+                      certificate. Only used if the Server URL is using HTTPS protocol.
+                      This parameter is ignored for plain HTTP protocol connection.
+                      If not set the system root certificates are used to validate
+                      the TLS connection.
+                    format: byte
+                    type: string
+                  namespace:
+                    description: 'Name of the vault namespace. Namespaces is a set
+                      of features within Vault Enterprise that allows Vault environments
+                      to support Secure Multi-tenancy. e.g: "ns1" More about namespaces
+                      can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
+                    type: string
+                  path:
+                    description: 'Path is the mount path of the Vault PKI backend''s
+                      `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
+                    type: string
+                  server:
+                    description: 'Server is the connection address for the Vault server,
+                      e.g: "https://vault.example.com:8200".'
+                    type: string
+                required:
+                - auth
+                - path
+                - server
+                type: object
+              venafi:
+                description: Venafi configures this issuer to sign certificates using
+                  a Venafi TPP or Venafi Cloud policy zone.
+                properties:
+                  cloud:
+                    description: Cloud specifies the Venafi cloud configuration settings.
+                      Only one of TPP or Cloud may be specified.
+                    properties:
+                      apiTokenSecretRef:
+                        description: APITokenSecretRef is a secret key selector for
+                          the Venafi Cloud API token.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      url:
+                        description: URL is the base URL for Venafi Cloud. Defaults
+                          to "https://api.venafi.cloud/v1".
+                        type: string
+                    required:
+                    - apiTokenSecretRef
+                    type: object
+                  tpp:
+                    description: TPP specifies Trust Protection Platform configuration
+                      settings. Only one of TPP or Cloud may be specified.
+                    properties:
+                      caBundle:
+                        description: CABundle is a PEM encoded TLS certificate to
+                          use to verify connections to the TPP instance. If specified,
+                          system roots will not be used and the issuing CA for the
+                          TPP instance must be verifiable using the provided root.
+                          If not specified, the connection will be verified using
+                          the cert-manager system root certificates.
+                        format: byte
+                        type: string
+                      credentialsRef:
+                        description: CredentialsRef is a reference to a Secret containing
+                          the username and password for the TPP server. The secret
+                          must contain two keys, 'username' and 'password'.
+                        properties:
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      url:
+                        description: 'URL is the base URL for the vedsdk endpoint
+                          of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
+                        type: string
+                    required:
+                    - credentialsRef
+                    - url
+                    type: object
+                  zone:
+                    description: Zone is the Venafi Policy Zone to use for this issuer.
+                      All requests made to the Venafi platform will be restricted
+                      by the named zone policy. This field is required.
+                    type: string
+                required:
+                - zone
+                type: object
+            type: object
+          status:
+            description: Status of the ClusterIssuer. This is set and managed automatically.
+            properties:
+              acme:
+                description: ACME specific status options. This field should only
+                  be set if the Issuer is configured to use an ACME server to issue
+                  certificates.
+                properties:
+                  lastRegisteredEmail:
+                    description: LastRegisteredEmail is the email associated with
+                      the latest registered ACME account, in order to track changes
+                      made to registered account associated with the  Issuer
+                    type: string
+                  uri:
+                    description: URI is the unique account identifier, which can also
+                      be used to retrieve account details from the CA
+                    type: string
+                type: object
+              conditions:
+                description: List of status conditions to indicate the status of a
+                  CertificateRequest. Known condition types are `Ready`.
+                items:
+                  description: IssuerCondition contains condition information for
+                    an Issuer.
+                  properties:
+                    lastTransitionTime:
+                      description: LastTransitionTime is the timestamp corresponding
+                        to the last status change of this condition.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Message is a human readable description of the
+                        details of the last transition, complementing reason.
+                      type: string
+                    reason:
+                      description: Reason is a brief machine readable explanation
+                        for the condition's last transition.
+                      type: string
+                    status:
+                      description: Status of the condition, one of ('True', 'False',
+                        'Unknown').
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: Type of the condition, known values are ('Ready').
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].message
+      name: Status
+      priority: 1
+      type: string
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC.
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
+    schema:
+      openAPIV3Schema:
+        description: A ClusterIssuer represents a certificate issuing authority which
+          can be referenced as part of `issuerRef` fields. It is similar to an Issuer,
+          however it is cluster-scoped and therefore can be referenced by resources
+          that exist in *any* namespace, not just the same namespace as the referent.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Desired state of the ClusterIssuer resource.
+            properties:
+              acme:
+                description: ACME configures this issuer to communicate with a RFC8555
+                  (ACME) server to obtain signed x509 certificates.
+                properties:
+                  disableAccountKeyGeneration:
+                    description: Enables or disables generating a new ACME account
+                      key. If true, the Issuer resource will *not* request a new account
+                      but will expect the account key to be supplied via an existing
+                      secret. If false, the cert-manager system will generate a new
+                      ACME account key for the Issuer. Defaults to false.
+                    type: boolean
+                  email:
+                    description: Email is the email address to be associated with
+                      the ACME account. This field is optional, but it is strongly
+                      recommended to be set. It will be used to contact you in case
+                      of issues with your account or certificates, including expiry
+                      notification emails. This field may be updated after the account
+                      is initially registered.
+                    type: string
+                  externalAccountBinding:
+                    description: ExternalAccountBinding is a reference to a CA external
+                      account of the ACME server. If set, upon registration cert-manager
+                      will attempt to associate the given external account credentials
+                      with the registered ACME account.
+                    properties:
+                      keyAlgorithm:
+                        description: keyAlgorithm is the MAC key algorithm that the
+                          key is used for. Valid values are "HS256", "HS384" and "HS512".
+                        enum:
+                        - HS256
+                        - HS384
+                        - HS512
+                        type: string
+                      keyID:
+                        description: keyID is the ID of the CA key that the External
+                          Account is bound to.
+                        type: string
+                      keySecretRef:
+                        description: keySecretRef is a Secret Key Selector referencing
+                          a data item in a Kubernetes Secret which holds the symmetric
+                          MAC key of the External Account Binding. The `key` is the
+                          index string that is paired with the key data in the Secret
+                          and should not be confused with the key data itself, or
+                          indeed with the External Account Binding keyID above. The
+                          secret key stored in the Secret **must** be un-padded, base64
+                          URL encoded data.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                    required:
+                    - keyAlgorithm
+                    - keyID
+                    - keySecretRef
+                    type: object
+                  preferredChain:
+                    description: 'PreferredChain is the chain to use if the ACME server
+                      outputs multiple. PreferredChain is no guarantee that this one
+                      gets delivered by the ACME endpoint. For example, for Let''s
+                      Encrypt''s DST crosssign you would use: "DST Root CA X3" or
+                      "ISRG Root X1" for the newer Let''s Encrypt root CA. This value
+                      picks the first certificate bundle in the ACME alternative chains
+                      that has a certificate with this value as its issuer''s CN'
+                    maxLength: 64
+                    type: string
+                  privateKeySecretRef:
+                    description: PrivateKey is the name of a Kubernetes Secret resource
+                      that will be used to store the automatically generated ACME
+                      account private key. Optionally, a `key` may be specified to
+                      select a specific entry within the named Secret resource. If
+                      `key` is not specified, a default of `tls.key` will be used.
+                    properties:
+                      key:
+                        description: The key of the entry in the Secret resource's
+                          `data` field to be used. Some instances of this field may
+                          be defaulted, in others it may be required.
+                        type: string
+                      name:
+                        description: 'Name of the resource being referred to. More
+                          info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                        type: string
+                    required:
+                    - name
+                    type: object
+                  server:
+                    description: 'Server is the URL used to access the ACME server''s
+                      ''directory'' endpoint. For example, for Let''s Encrypt''s staging
+                      endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory".
+                      Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
+                    type: string
+                  skipTLSVerify:
+                    description: Enables or disables validation of the ACME server
+                      TLS certificate. If true, requests to the ACME server will not
+                      have their TLS certificate validated (i.e. insecure connections
+                      will be allowed). Only enable this option in development environments.
+                      The cert-manager system installed roots will be used to verify
+                      connections to the ACME server if this is false. Defaults to
+                      false.
+                    type: boolean
+                  solvers:
+                    description: 'Solvers is a list of challenge solvers that will
+                      be used to solve ACME challenges for the matching domains. Solver
+                      configurations must be provided in order to obtain certificates
+                      from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
+                    items:
+                      description: Configures an issuer to solve challenges using
+                        the specified options. Only one of HTTP01 or DNS01 may be
+                        provided.
+                      properties:
+                        dns01:
+                          description: Configures cert-manager to attempt to complete
+                            authorizations by performing the DNS01 challenge flow.
+                          properties:
+                            acmeDNS:
+                              description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
+                                API to manage DNS01 challenge records.
+                              properties:
+                                accountSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                host:
+                                  type: string
+                              required:
+                              - accountSecretRef
+                              - host
+                              type: object
+                            akamai:
+                              description: Use the Akamai DNS zone management API
+                                to manage DNS01 challenge records.
+                              properties:
+                                accessTokenSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                clientSecretSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                clientTokenSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                serviceConsumerDomain:
+                                  type: string
+                              required:
+                              - accessTokenSecretRef
+                              - clientSecretSecretRef
+                              - clientTokenSecretRef
+                              - serviceConsumerDomain
+                              type: object
+                            azureDNS:
+                              description: Use the Microsoft Azure DNS API to manage
+                                DNS01 challenge records.
+                              properties:
+                                clientID:
+                                  description: if both this and ClientSecret are left
+                                    unset MSI will be used
+                                  type: string
+                                clientSecretSecretRef:
+                                  description: if both this and ClientID are left
+                                    unset MSI will be used
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                environment:
+                                  enum:
+                                  - AzurePublicCloud
+                                  - AzureChinaCloud
+                                  - AzureGermanCloud
+                                  - AzureUSGovernmentCloud
+                                  type: string
+                                hostedZoneName:
+                                  type: string
+                                resourceGroupName:
+                                  type: string
+                                subscriptionID:
+                                  type: string
+                                tenantID:
+                                  description: when specifying ClientID and ClientSecret
+                                    then this field is also needed
+                                  type: string
+                              required:
+                              - resourceGroupName
+                              - subscriptionID
+                              type: object
+                            cloudDNS:
+                              description: Use the Google Cloud DNS API to manage
+                                DNS01 challenge records.
+                              properties:
+                                hostedZoneName:
+                                  description: HostedZoneName is an optional field
+                                    that tells cert-manager in which Cloud DNS zone
+                                    the challenge record has to be created. If left
+                                    empty cert-manager will automatically choose a
+                                    zone.
+                                  type: string
+                                project:
+                                  type: string
+                                serviceAccountSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - project
+                              type: object
+                            cloudflare:
+                              description: Use the Cloudflare API to manage DNS01
+                                challenge records.
+                              properties:
+                                apiKeySecretRef:
+                                  description: 'API key to use to authenticate with
+                                    Cloudflare. Note: using an API token to authenticate
+                                    is now the recommended method as it allows greater
+                                    control of permissions.'
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                apiTokenSecretRef:
+                                  description: API token used to authenticate with
+                                    Cloudflare.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                email:
+                                  description: Email of the account, only required
+                                    when using API key based authentication.
+                                  type: string
+                              type: object
+                            cnameStrategy:
+                              description: CNAMEStrategy configures how the DNS01
+                                provider should handle CNAME records when found in
+                                DNS zones.
+                              enum:
+                              - None
+                              - Follow
+                              type: string
+                            digitalocean:
+                              description: Use the DigitalOcean DNS API to manage
+                                DNS01 challenge records.
+                              properties:
+                                tokenSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - tokenSecretRef
+                              type: object
+                            rfc2136:
+                              description: Use RFC2136 ("Dynamic Updates in the Domain
+                                Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+                                to manage DNS01 challenge records.
+                              properties:
+                                nameserver:
+                                  description: The IP address or hostname of an authoritative
+                                    DNS server supporting RFC2136 in the form host:port.
+                                    If the host is an IPv6 address it must be enclosed
+                                    in square brackets (e.g [2001:db8::1]) ; port
+                                    is optional. This field is required.
+                                  type: string
+                                tsigAlgorithm:
+                                  description: 'The TSIG Algorithm configured in the
+                                    DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
+                                    and ``tsigKeyName`` are defined. Supported values
+                                    are (case-insensitive): ``HMACMD5`` (default),
+                                    ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
+                                  type: string
+                                tsigKeyName:
+                                  description: The TSIG Key name configured in the
+                                    DNS. If ``tsigSecretSecretRef`` is defined, this
+                                    field is required.
+                                  type: string
+                                tsigSecretSecretRef:
+                                  description: The name of the secret containing the
+                                    TSIG value. If ``tsigKeyName`` is defined, this
+                                    field is required.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - nameserver
+                              type: object
+                            route53:
+                              description: Use the AWS Route53 API to manage DNS01
+                                challenge records.
+                              properties:
+                                accessKeyID:
+                                  description: 'The AccessKeyID is used for authentication.
+                                    If not set we fall-back to using env vars, shared
+                                    credentials file or AWS Instance metadata see:
+                                    https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                  type: string
+                                hostedZoneID:
+                                  description: If set, the provider will manage only
+                                    this zone in Route53 and will not do an lookup
+                                    using the route53:ListHostedZonesByName api call.
+                                  type: string
+                                region:
+                                  description: Always set the region when using AccessKeyID
+                                    and SecretAccessKey
+                                  type: string
+                                role:
+                                  description: Role is a Role ARN which the Route53
+                                    provider will assume using either the explicit
+                                    credentials AccessKeyID/SecretAccessKey or the
+                                    inferred credentials from environment variables,
+                                    shared credentials file or AWS Instance metadata
+                                  type: string
+                                secretAccessKeySecretRef:
+                                  description: The SecretAccessKey is used for authentication.
+                                    If not set we fall-back to using env vars, shared
+                                    credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - region
+                              type: object
+                            webhook:
+                              description: Configure an external webhook based DNS01
+                                challenge solver to manage DNS01 challenge records.
+                              properties:
+                                config:
+                                  description: Additional configuration that should
+                                    be passed to the webhook apiserver when challenges
+                                    are processed. This can contain arbitrary JSON
+                                    data. Secret values should not be specified in
+                                    this stanza. If secret values are needed (e.g.
+                                    credentials for a DNS service), you should use
+                                    a SecretKeySelector to reference a Secret resource.
+                                    For details on the schema of this field, consult
+                                    the webhook provider implementation's documentation.
+                                  x-kubernetes-preserve-unknown-fields: true
+                                groupName:
+                                  description: The API group name that should be used
+                                    when POSTing ChallengePayload resources to the
+                                    webhook apiserver. This should be the same as
+                                    the GroupName specified in the webhook provider
+                                    implementation.
+                                  type: string
+                                solverName:
+                                  description: The name of the solver to use, as defined
+                                    in the webhook provider implementation. This will
+                                    typically be the name of the provider, e.g. 'cloudflare'.
+                                  type: string
+                              required:
+                              - groupName
+                              - solverName
+                              type: object
+                          type: object
+                        http01:
+                          description: Configures cert-manager to attempt to complete
+                            authorizations by performing the HTTP01 challenge flow.
+                            It is not possible to obtain certificates for wildcard
+                            domain names (e.g. `*.example.com`) using the HTTP01 challenge
+                            mechanism.
+                          properties:
+                            ingress:
+                              description: The ingress based HTTP01 challenge solver
+                                will solve challenges by creating or modifying Ingress
+                                resources in order to route requests for '/.well-known/acme-challenge/XYZ'
+                                to 'challenge solver' pods that are provisioned by
+                                cert-manager for each Challenge to be completed.
+                              properties:
+                                class:
+                                  description: The ingress class to use when creating
+                                    Ingress resources to solve ACME challenges that
+                                    use this challenge solver. Only one of 'class'
+                                    or 'name' may be specified.
+                                  type: string
+                                ingressTemplate:
+                                  description: Optional ingress template used to configure
+                                    the ACME challenge solver ingress used for HTTP01
+                                    challenges
+                                  properties:
+                                    metadata:
+                                      description: ObjectMeta overrides for the ingress
+                                        used to solve HTTP01 challenges. Only the
+                                        'labels' and 'annotations' fields may be set.
+                                        If labels or annotations overlap with in-built
+                                        values, the values here will override the
+                                        in-built values.
+                                      properties:
+                                        annotations:
+                                          additionalProperties:
+                                            type: string
+                                          description: Annotations that should be
+                                            added to the created ACME HTTP01 solver
+                                            ingress.
+                                          type: object
+                                        labels:
+                                          additionalProperties:
+                                            type: string
+                                          description: Labels that should be added
+                                            to the created ACME HTTP01 solver ingress.
+                                          type: object
+                                      type: object
+                                  type: object
+                                name:
+                                  description: The name of the ingress resource that
+                                    should have ACME challenge solving routes inserted
+                                    into it in order to solve HTTP01 challenges. This
+                                    is typically used in conjunction with ingress
+                                    controllers like ingress-gce, which maintains
+                                    a 1:1 mapping between external IPs and ingress
+                                    resources.
+                                  type: string
+                                podTemplate:
+                                  description: Optional pod template used to configure
+                                    the ACME challenge solver pods used for HTTP01
+                                    challenges
+                                  properties:
+                                    metadata:
+                                      description: ObjectMeta overrides for the pod
+                                        used to solve HTTP01 challenges. Only the
+                                        'labels' and 'annotations' fields may be set.
+                                        If labels or annotations overlap with in-built
+                                        values, the values here will override the
+                                        in-built values.
+                                      properties:
+                                        annotations:
+                                          additionalProperties:
+                                            type: string
+                                          description: Annotations that should be
+                                            added to the create ACME HTTP01 solver
+                                            pods.
+                                          type: object
+                                        labels:
+                                          additionalProperties:
+                                            type: string
+                                          description: Labels that should be added
+                                            to the created ACME HTTP01 solver pods.
+                                          type: object
+                                      type: object
+                                    spec:
+                                      description: PodSpec defines overrides for the
+                                        HTTP01 challenge solver pod. Only the 'priorityClassName',
+                                        'nodeSelector', 'affinity', 'serviceAccountName'
+                                        and 'tolerations' fields are supported currently.
+                                        All other fields will be ignored.
+                                      properties:
+                                        affinity:
+                                          description: If specified, the pod's scheduling
+                                            constraints
+                                          properties:
+                                            nodeAffinity:
+                                              description: Describes node affinity
+                                                scheduling rules for the pod.
+                                              properties:
+                                                preferredDuringSchedulingIgnoredDuringExecution:
+                                                  description: The scheduler will
+                                                    prefer to schedule pods to nodes
+                                                    that satisfy the affinity expressions
+                                                    specified by this field, but it
+                                                    may choose a node that violates
+                                                    one or more of the expressions.
+                                                    The node that is most preferred
+                                                    is the one with the greatest sum
+                                                    of weights, i.e. for each node
+                                                    that meets all of the scheduling
+                                                    requirements (resource request,
+                                                    requiredDuringScheduling affinity
+                                                    expressions, etc.), compute a
+                                                    sum by iterating through the elements
+                                                    of this field and adding "weight"
+                                                    to the sum if the node matches
+                                                    the corresponding matchExpressions;
+                                                    the node(s) with the highest sum
+                                                    are the most preferred.
+                                                  items:
+                                                    description: An empty preferred
+                                                      scheduling term matches all
+                                                      objects with implicit weight
+                                                      0 (i.e. it's a no-op). A null
+                                                      preferred scheduling term matches
+                                                      no objects (i.e. is also a no-op).
+                                                    properties:
+                                                      preference:
+                                                        description: A node selector
+                                                          term, associated with the
+                                                          corresponding weight.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's labels.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchFields:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's fields.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                        type: object
+                                                      weight:
+                                                        description: Weight associated
+                                                          with matching the corresponding
+                                                          nodeSelectorTerm, in the
+                                                          range 1-100.
+                                                        format: int32
+                                                        type: integer
+                                                    required:
+                                                    - preference
+                                                    - weight
+                                                    type: object
+                                                  type: array
+                                                requiredDuringSchedulingIgnoredDuringExecution:
+                                                  description: If the affinity requirements
+                                                    specified by this field are not
+                                                    met at scheduling time, the pod
+                                                    will not be scheduled onto the
+                                                    node. If the affinity requirements
+                                                    specified by this field cease
+                                                    to be met at some point during
+                                                    pod execution (e.g. due to an
+                                                    update), the system may or may
+                                                    not try to eventually evict the
+                                                    pod from its node.
+                                                  properties:
+                                                    nodeSelectorTerms:
+                                                      description: Required. A list
+                                                        of node selector terms. The
+                                                        terms are ORed.
+                                                      items:
+                                                        description: A null or empty
+                                                          node selector term matches
+                                                          no objects. The requirements
+                                                          of them are ANDed. The TopologySelectorTerm
+                                                          type implements a subset
+                                                          of the NodeSelectorTerm.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's labels.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchFields:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's fields.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                        type: object
+                                                      type: array
+                                                  required:
+                                                  - nodeSelectorTerms
+                                                  type: object
+                                              type: object
+                                            podAffinity:
+                                              description: Describes pod affinity
+                                                scheduling rules (e.g. co-locate this
+                                                pod in the same node, zone, etc. as
+                                                some other pod(s)).
+                                              properties:
+                                                preferredDuringSchedulingIgnoredDuringExecution:
+                                                  description: The scheduler will
+                                                    prefer to schedule pods to nodes
+                                                    that satisfy the affinity expressions
+                                                    specified by this field, but it
+                                                    may choose a node that violates
+                                                    one or more of the expressions.
+                                                    The node that is most preferred
+                                                    is the one with the greatest sum
+                                                    of weights, i.e. for each node
+                                                    that meets all of the scheduling
+                                                    requirements (resource request,
+                                                    requiredDuringScheduling affinity
+                                                    expressions, etc.), compute a
+                                                    sum by iterating through the elements
+                                                    of this field and adding "weight"
+                                                    to the sum if the node has pods
+                                                    which matches the corresponding
+                                                    podAffinityTerm; the node(s) with
+                                                    the highest sum are the most preferred.
+                                                  items:
+                                                    description: The weights of all
+                                                      of the matched WeightedPodAffinityTerm
+                                                      fields are added per-node to
+                                                      find the most preferred node(s)
+                                                    properties:
+                                                      podAffinityTerm:
+                                                        description: Required. A pod
+                                                          affinity term, associated
+                                                          with the corresponding weight.
+                                                        properties:
+                                                          labelSelector:
+                                                            description: A label query
+                                                              over a set of resources,
+                                                              in this case pods.
+                                                            properties:
+                                                              matchExpressions:
+                                                                description: matchExpressions
+                                                                  is a list of label
+                                                                  selector requirements.
+                                                                  The requirements
+                                                                  are ANDed.
+                                                                items:
+                                                                  description: A label
+                                                                    selector requirement
+                                                                    is a selector
+                                                                    that contains
+                                                                    values, a key,
+                                                                    and an operator
+                                                                    that relates the
+                                                                    key and values.
+                                                                  properties:
+                                                                    key:
+                                                                      description: key
+                                                                        is the label
+                                                                        key that the
+                                                                        selector applies
+                                                                        to.
+                                                                      type: string
+                                                                    operator:
+                                                                      description: operator
+                                                                        represents
+                                                                        a key's relationship
+                                                                        to a set of
+                                                                        values. Valid
+                                                                        operators
+                                                                        are In, NotIn,
+                                                                        Exists and
+                                                                        DoesNotExist.
+                                                                      type: string
+                                                                    values:
+                                                                      description: values
+                                                                        is an array
+                                                                        of string
+                                                                        values. If
+                                                                        the operator
+                                                                        is In or NotIn,
+                                                                        the values
+                                                                        array must
+                                                                        be non-empty.
+                                                                        If the operator
+                                                                        is Exists
+                                                                        or DoesNotExist,
+                                                                        the values
+                                                                        array must
+                                                                        be empty.
+                                                                        This array
+                                                                        is replaced
+                                                                        during a strategic
+                                                                        merge patch.
+                                                                      items:
+                                                                        type: string
+                                                                      type: array
+                                                                  required:
+                                                                  - key
+                                                                  - operator
+                                                                  type: object
+                                                                type: array
+                                                              matchLabels:
+                                                                additionalProperties:
+                                                                  type: string
+                                                                description: matchLabels
+                                                                  is a map of {key,value}
+                                                                  pairs. A single
+                                                                  {key,value} in the
+                                                                  matchLabels map
+                                                                  is equivalent to
+                                                                  an element of matchExpressions,
+                                                                  whose key field
+                                                                  is "key", the operator
+                                                                  is "In", and the
+                                                                  values array contains
+                                                                  only "value". The
+                                                                  requirements are
+                                                                  ANDed.
+                                                                type: object
+                                                            type: object
+                                                          namespaces:
+                                                            description: namespaces
+                                                              specifies which namespaces
+                                                              the labelSelector applies
+                                                              to (matches against);
+                                                              null or empty list means
+                                                              "this pod's namespace"
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                          topologyKey:
+                                                            description: This pod
+                                                              should be co-located
+                                                              (affinity) or not co-located
+                                                              (anti-affinity) with
+                                                              the pods matching the
+                                                              labelSelector in the
+                                                              specified namespaces,
+                                                              where co-located is
+                                                              defined as running on
+                                                              a node whose value of
+                                                              the label with key topologyKey
+                                                              matches that of any
+                                                              node on which any of
+                                                              the selected pods is
+                                                              running. Empty topologyKey
+                                                              is not allowed.
+                                                            type: string
+                                                        required:
+                                                        - topologyKey
+                                                        type: object
+                                                      weight:
+                                                        description: weight associated
+                                                          with matching the corresponding
+                                                          podAffinityTerm, in the
+                                                          range 1-100.
+                                                        format: int32
+                                                        type: integer
+                                                    required:
+                                                    - podAffinityTerm
+                                                    - weight
+                                                    type: object
+                                                  type: array
+                                                requiredDuringSchedulingIgnoredDuringExecution:
+                                                  description: If the affinity requirements
+                                                    specified by this field are not
+                                                    met at scheduling time, the pod
+                                                    will not be scheduled onto the
+                                                    node. If the affinity requirements
+                                                    specified by this field cease
+                                                    to be met at some point during
+                                                    pod execution (e.g. due to a pod
+                                                    label update), the system may
+                                                    or may not try to eventually evict
+                                                    the pod from its node. When there
+                                                    are multiple elements, the lists
+                                                    of nodes corresponding to each
+                                                    podAffinityTerm are intersected,
+                                                    i.e. all terms must be satisfied.
+                                                  items:
+                                                    description: Defines a set of
+                                                      pods (namely those matching
+                                                      the labelSelector relative to
+                                                      the given namespace(s)) that
+                                                      this pod should be co-located
+                                                      (affinity) or not co-located
+                                                      (anti-affinity) with, where
+                                                      co-located is defined as running
+                                                      on a node whose value of the
+                                                      label with key <topologyKey>
+                                                      matches that of any node on
+                                                      which a pod of the set of pods
+                                                      is running
+                                                    properties:
+                                                      labelSelector:
+                                                        description: A label query
+                                                          over a set of resources,
+                                                          in this case pods.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: matchExpressions
+                                                              is a list of label selector
+                                                              requirements. The requirements
+                                                              are ANDed.
+                                                            items:
+                                                              description: A label
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: key
+                                                                    is the label key
+                                                                    that the selector
+                                                                    applies to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: operator
+                                                                    represents a key's
+                                                                    relationship to
+                                                                    a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists and DoesNotExist.
+                                                                  type: string
+                                                                values:
+                                                                  description: values
+                                                                    is an array of
+                                                                    string values.
+                                                                    If the operator
+                                                                    is In or NotIn,
+                                                                    the values array
+                                                                    must be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchLabels:
+                                                            additionalProperties:
+                                                              type: string
+                                                            description: matchLabels
+                                                              is a map of {key,value}
+                                                              pairs. A single {key,value}
+                                                              in the matchLabels map
+                                                              is equivalent to an
+                                                              element of matchExpressions,
+                                                              whose key field is "key",
+                                                              the operator is "In",
+                                                              and the values array
+                                                              contains only "value".
+                                                              The requirements are
+                                                              ANDed.
+                                                            type: object
+                                                        type: object
+                                                      namespaces:
+                                                        description: namespaces specifies
+                                                          which namespaces the labelSelector
+                                                          applies to (matches against);
+                                                          null or empty list means
+                                                          "this pod's namespace"
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                      topologyKey:
+                                                        description: This pod should
+                                                          be co-located (affinity)
+                                                          or not co-located (anti-affinity)
+                                                          with the pods matching the
+                                                          labelSelector in the specified
+                                                          namespaces, where co-located
+                                                          is defined as running on
+                                                          a node whose value of the
+                                                          label with key topologyKey
+                                                          matches that of any node
+                                                          on which any of the selected
+                                                          pods is running. Empty topologyKey
+                                                          is not allowed.
+                                                        type: string
+                                                    required:
+                                                    - topologyKey
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                            podAntiAffinity:
+                                              description: Describes pod anti-affinity
+                                                scheduling rules (e.g. avoid putting
+                                                this pod in the same node, zone, etc.
+                                                as some other pod(s)).
+                                              properties:
+                                                preferredDuringSchedulingIgnoredDuringExecution:
+                                                  description: The scheduler will
+                                                    prefer to schedule pods to nodes
+                                                    that satisfy the anti-affinity
+                                                    expressions specified by this
+                                                    field, but it may choose a node
+                                                    that violates one or more of the
+                                                    expressions. The node that is
+                                                    most preferred is the one with
+                                                    the greatest sum of weights, i.e.
+                                                    for each node that meets all of
+                                                    the scheduling requirements (resource
+                                                    request, requiredDuringScheduling
+                                                    anti-affinity expressions, etc.),
+                                                    compute a sum by iterating through
+                                                    the elements of this field and
+                                                    adding "weight" to the sum if
+                                                    the node has pods which matches
+                                                    the corresponding podAffinityTerm;
+                                                    the node(s) with the highest sum
+                                                    are the most preferred.
+                                                  items:
+                                                    description: The weights of all
+                                                      of the matched WeightedPodAffinityTerm
+                                                      fields are added per-node to
+                                                      find the most preferred node(s)
+                                                    properties:
+                                                      podAffinityTerm:
+                                                        description: Required. A pod
+                                                          affinity term, associated
+                                                          with the corresponding weight.
+                                                        properties:
+                                                          labelSelector:
+                                                            description: A label query
+                                                              over a set of resources,
+                                                              in this case pods.
+                                                            properties:
+                                                              matchExpressions:
+                                                                description: matchExpressions
+                                                                  is a list of label
+                                                                  selector requirements.
+                                                                  The requirements
+                                                                  are ANDed.
+                                                                items:
+                                                                  description: A label
+                                                                    selector requirement
+                                                                    is a selector
+                                                                    that contains
+                                                                    values, a key,
+                                                                    and an operator
+                                                                    that relates the
+                                                                    key and values.
+                                                                  properties:
+                                                                    key:
+                                                                      description: key
+                                                                        is the label
+                                                                        key that the
+                                                                        selector applies
+                                                                        to.
+                                                                      type: string
+                                                                    operator:
+                                                                      description: operator
+                                                                        represents
+                                                                        a key's relationship
+                                                                        to a set of
+                                                                        values. Valid
+                                                                        operators
+                                                                        are In, NotIn,
+                                                                        Exists and
+                                                                        DoesNotExist.
+                                                                      type: string
+                                                                    values:
+                                                                      description: values
+                                                                        is an array
+                                                                        of string
+                                                                        values. If
+                                                                        the operator
+                                                                        is In or NotIn,
+                                                                        the values
+                                                                        array must
+                                                                        be non-empty.
+                                                                        If the operator
+                                                                        is Exists
+                                                                        or DoesNotExist,
+                                                                        the values
+                                                                        array must
+                                                                        be empty.
+                                                                        This array
+                                                                        is replaced
+                                                                        during a strategic
+                                                                        merge patch.
+                                                                      items:
+                                                                        type: string
+                                                                      type: array
+                                                                  required:
+                                                                  - key
+                                                                  - operator
+                                                                  type: object
+                                                                type: array
+                                                              matchLabels:
+                                                                additionalProperties:
+                                                                  type: string
+                                                                description: matchLabels
+                                                                  is a map of {key,value}
+                                                                  pairs. A single
+                                                                  {key,value} in the
+                                                                  matchLabels map
+                                                                  is equivalent to
+                                                                  an element of matchExpressions,
+                                                                  whose key field
+                                                                  is "key", the operator
+                                                                  is "In", and the
+                                                                  values array contains
+                                                                  only "value". The
+                                                                  requirements are
+                                                                  ANDed.
+                                                                type: object
+                                                            type: object
+                                                          namespaces:
+                                                            description: namespaces
+                                                              specifies which namespaces
+                                                              the labelSelector applies
+                                                              to (matches against);
+                                                              null or empty list means
+                                                              "this pod's namespace"
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                          topologyKey:
+                                                            description: This pod
+                                                              should be co-located
+                                                              (affinity) or not co-located
+                                                              (anti-affinity) with
+                                                              the pods matching the
+                                                              labelSelector in the
+                                                              specified namespaces,
+                                                              where co-located is
+                                                              defined as running on
+                                                              a node whose value of
+                                                              the label with key topologyKey
+                                                              matches that of any
+                                                              node on which any of
+                                                              the selected pods is
+                                                              running. Empty topologyKey
+                                                              is not allowed.
+                                                            type: string
+                                                        required:
+                                                        - topologyKey
+                                                        type: object
+                                                      weight:
+                                                        description: weight associated
+                                                          with matching the corresponding
+                                                          podAffinityTerm, in the
+                                                          range 1-100.
+                                                        format: int32
+                                                        type: integer
+                                                    required:
+                                                    - podAffinityTerm
+                                                    - weight
+                                                    type: object
+                                                  type: array
+                                                requiredDuringSchedulingIgnoredDuringExecution:
+                                                  description: If the anti-affinity
+                                                    requirements specified by this
+                                                    field are not met at scheduling
+                                                    time, the pod will not be scheduled
+                                                    onto the node. If the anti-affinity
+                                                    requirements specified by this
+                                                    field cease to be met at some
+                                                    point during pod execution (e.g.
+                                                    due to a pod label update), the
+                                                    system may or may not try to eventually
+                                                    evict the pod from its node. When
+                                                    there are multiple elements, the
+                                                    lists of nodes corresponding to
+                                                    each podAffinityTerm are intersected,
+                                                    i.e. all terms must be satisfied.
+                                                  items:
+                                                    description: Defines a set of
+                                                      pods (namely those matching
+                                                      the labelSelector relative to
+                                                      the given namespace(s)) that
+                                                      this pod should be co-located
+                                                      (affinity) or not co-located
+                                                      (anti-affinity) with, where
+                                                      co-located is defined as running
+                                                      on a node whose value of the
+                                                      label with key <topologyKey>
+                                                      matches that of any node on
+                                                      which a pod of the set of pods
+                                                      is running
+                                                    properties:
+                                                      labelSelector:
+                                                        description: A label query
+                                                          over a set of resources,
+                                                          in this case pods.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: matchExpressions
+                                                              is a list of label selector
+                                                              requirements. The requirements
+                                                              are ANDed.
+                                                            items:
+                                                              description: A label
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: key
+                                                                    is the label key
+                                                                    that the selector
+                                                                    applies to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: operator
+                                                                    represents a key's
+                                                                    relationship to
+                                                                    a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists and DoesNotExist.
+                                                                  type: string
+                                                                values:
+                                                                  description: values
+                                                                    is an array of
+                                                                    string values.
+                                                                    If the operator
+                                                                    is In or NotIn,
+                                                                    the values array
+                                                                    must be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchLabels:
+                                                            additionalProperties:
+                                                              type: string
+                                                            description: matchLabels
+                                                              is a map of {key,value}
+                                                              pairs. A single {key,value}
+                                                              in the matchLabels map
+                                                              is equivalent to an
+                                                              element of matchExpressions,
+                                                              whose key field is "key",
+                                                              the operator is "In",
+                                                              and the values array
+                                                              contains only "value".
+                                                              The requirements are
+                                                              ANDed.
+                                                            type: object
+                                                        type: object
+                                                      namespaces:
+                                                        description: namespaces specifies
+                                                          which namespaces the labelSelector
+                                                          applies to (matches against);
+                                                          null or empty list means
+                                                          "this pod's namespace"
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                      topologyKey:
+                                                        description: This pod should
+                                                          be co-located (affinity)
+                                                          or not co-located (anti-affinity)
+                                                          with the pods matching the
+                                                          labelSelector in the specified
+                                                          namespaces, where co-located
+                                                          is defined as running on
+                                                          a node whose value of the
+                                                          label with key topologyKey
+                                                          matches that of any node
+                                                          on which any of the selected
+                                                          pods is running. Empty topologyKey
+                                                          is not allowed.
+                                                        type: string
+                                                    required:
+                                                    - topologyKey
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                          type: object
+                                        nodeSelector:
+                                          additionalProperties:
+                                            type: string
+                                          description: 'NodeSelector is a selector
+                                            which must be true for the pod to fit
+                                            on a node. Selector which must match a
+                                            node''s labels for the pod to be scheduled
+                                            on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
+                                          type: object
+                                        priorityClassName:
+                                          description: If specified, the pod's priorityClassName.
+                                          type: string
+                                        serviceAccountName:
+                                          description: If specified, the pod's service
+                                            account
+                                          type: string
+                                        tolerations:
+                                          description: If specified, the pod's tolerations.
+                                          items:
+                                            description: The pod this Toleration is
+                                              attached to tolerates any taint that
+                                              matches the triple <key,value,effect>
+                                              using the matching operator <operator>.
+                                            properties:
+                                              effect:
+                                                description: Effect indicates the
+                                                  taint effect to match. Empty means
+                                                  match all taint effects. When specified,
+                                                  allowed values are NoSchedule, PreferNoSchedule
+                                                  and NoExecute.
+                                                type: string
+                                              key:
+                                                description: Key is the taint key
+                                                  that the toleration applies to.
+                                                  Empty means match all taint keys.
+                                                  If the key is empty, operator must
+                                                  be Exists; this combination means
+                                                  to match all values and all keys.
+                                                type: string
+                                              operator:
+                                                description: Operator represents a
+                                                  key's relationship to the value.
+                                                  Valid operators are Exists and Equal.
+                                                  Defaults to Equal. Exists is equivalent
+                                                  to wildcard for value, so that a
+                                                  pod can tolerate all taints of a
+                                                  particular category.
+                                                type: string
+                                              tolerationSeconds:
+                                                description: TolerationSeconds represents
+                                                  the period of time the toleration
+                                                  (which must be of effect NoExecute,
+                                                  otherwise this field is ignored)
+                                                  tolerates the taint. By default,
+                                                  it is not set, which means tolerate
+                                                  the taint forever (do not evict).
+                                                  Zero and negative values will be
+                                                  treated as 0 (evict immediately)
+                                                  by the system.
+                                                format: int64
+                                                type: integer
+                                              value:
+                                                description: Value is the taint value
+                                                  the toleration matches to. If the
+                                                  operator is Exists, the value should
+                                                  be empty, otherwise just a regular
+                                                  string.
+                                                type: string
+                                            type: object
+                                          type: array
+                                      type: object
+                                  type: object
+                                serviceType:
+                                  description: Optional service type for Kubernetes
+                                    solver service
+                                  type: string
+                              type: object
+                          type: object
+                        selector:
+                          description: Selector selects a set of DNSNames on the Certificate
+                            resource that should be solved using this challenge solver.
+                            If not specified, the solver will be treated as the 'default'
+                            solver with the lowest priority, i.e. if any other solver
+                            has a more specific match, it will be used instead.
+                          properties:
+                            dnsNames:
+                              description: List of DNSNames that this solver will
+                                be used to solve. If specified and a match is found,
+                                a dnsNames selector will take precedence over a dnsZones
+                                selector. If multiple solvers match with the same
+                                dnsNames value, the solver with the most matching
+                                labels in matchLabels will be selected. If neither
+                                has more matches, the solver defined earlier in the
+                                list will be selected.
+                              items:
+                                type: string
+                              type: array
+                            dnsZones:
+                              description: List of DNSZones that this solver will
+                                be used to solve. The most specific DNS zone match
+                                specified here will take precedence over other DNS
+                                zone matches, so a solver specifying sys.example.com
+                                will be selected over one specifying example.com for
+                                the domain www.sys.example.com. If multiple solvers
+                                match with the same dnsZones value, the solver with
+                                the most matching labels in matchLabels will be selected.
+                                If neither has more matches, the solver defined earlier
+                                in the list will be selected.
+                              items:
+                                type: string
+                              type: array
+                            matchLabels:
+                              additionalProperties:
+                                type: string
+                              description: A label selector that is used to refine
+                                the set of certificate's that this challenge solver
+                                will apply to.
+                              type: object
+                          type: object
+                      type: object
+                    type: array
+                required:
+                - privateKeySecretRef
+                - server
+                type: object
+              ca:
+                description: CA configures this issuer to sign certificates using
+                  a signing CA keypair stored in a Secret resource. This is used to
+                  build internal PKIs that are managed by cert-manager.
+                properties:
+                  crlDistributionPoints:
+                    description: The CRL distribution points is an X.509 v3 certificate
+                      extension which identifies the location of the CRL from which
+                      the revocation of this certificate can be checked. If not set,
+                      certificates will be issued without distribution points set.
+                    items:
+                      type: string
+                    type: array
+                  secretName:
+                    description: SecretName is the name of the secret used to sign
+                      Certificates issued by this Issuer.
+                    type: string
+                required:
+                - secretName
+                type: object
+              selfSigned:
+                description: SelfSigned configures this issuer to 'self sign' certificates
+                  using the private key used to create the CertificateRequest object.
+                properties:
+                  crlDistributionPoints:
+                    description: The CRL distribution points is an X.509 v3 certificate
+                      extension which identifies the location of the CRL from which
+                      the revocation of this certificate can be checked. If not set
+                      certificate will be issued without CDP. Values are strings.
+                    items:
+                      type: string
+                    type: array
+                type: object
+              vault:
+                description: Vault configures this issuer to sign certificates using
+                  a HashiCorp Vault PKI backend.
+                properties:
+                  auth:
+                    description: Auth configures how cert-manager authenticates with
+                      the Vault server.
+                    properties:
+                      appRole:
+                        description: AppRole authenticates with Vault using the App
+                          Role auth mechanism, with the role and secret stored in
+                          a Kubernetes Secret resource.
+                        properties:
+                          path:
+                            description: 'Path where the App Role authentication backend
+                              is mounted in Vault, e.g: "approle"'
+                            type: string
+                          roleId:
+                            description: RoleID configured in the App Role authentication
+                              backend when setting up the authentication backend in
+                              Vault.
+                            type: string
+                          secretRef:
+                            description: Reference to a key in a Secret that contains
+                              the App Role secret used to authenticate with Vault.
+                              The `key` field must be specified and denotes which
+                              entry within the Secret resource is used as the app
+                              role secret.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - path
+                        - roleId
+                        - secretRef
+                        type: object
+                      kubernetes:
+                        description: Kubernetes authenticates with Vault by passing
+                          the ServiceAccount token stored in the named Secret resource
+                          to the Vault server.
+                        properties:
+                          mountPath:
+                            description: The Vault mountPath here is the mount path
+                              to use when authenticating with Vault. For example,
+                              setting a value to `/v1/auth/foo`, will use the path
+                              `/v1/auth/foo/login` to authenticate with Vault. If
+                              unspecified, the default value "/v1/auth/kubernetes"
+                              will be used.
+                            type: string
+                          role:
+                            description: A required field containing the Vault Role
+                              to assume. A Role binds a Kubernetes ServiceAccount
+                              with a set of Vault policies.
+                            type: string
+                          secretRef:
+                            description: The required Secret field containing a Kubernetes
+                              ServiceAccount JWT used for authenticating with Vault.
+                              Use of 'ambient credentials' is not supported.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - role
+                        - secretRef
+                        type: object
+                      tokenSecretRef:
+                        description: TokenSecretRef authenticates with Vault by presenting
+                          a token.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                    type: object
+                  caBundle:
+                    description: PEM encoded CA bundle used to validate Vault server
+                      certificate. Only used if the Server URL is using HTTPS protocol.
+                      This parameter is ignored for plain HTTP protocol connection.
+                      If not set the system root certificates are used to validate
+                      the TLS connection.
+                    format: byte
+                    type: string
+                  namespace:
+                    description: 'Name of the vault namespace. Namespaces is a set
+                      of features within Vault Enterprise that allows Vault environments
+                      to support Secure Multi-tenancy. e.g: "ns1" More about namespaces
+                      can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
+                    type: string
+                  path:
+                    description: 'Path is the mount path of the Vault PKI backend''s
+                      `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
+                    type: string
+                  server:
+                    description: 'Server is the connection address for the Vault server,
+                      e.g: "https://vault.example.com:8200".'
+                    type: string
+                required:
+                - auth
+                - path
+                - server
+                type: object
+              venafi:
+                description: Venafi configures this issuer to sign certificates using
+                  a Venafi TPP or Venafi Cloud policy zone.
+                properties:
+                  cloud:
+                    description: Cloud specifies the Venafi cloud configuration settings.
+                      Only one of TPP or Cloud may be specified.
+                    properties:
+                      apiTokenSecretRef:
+                        description: APITokenSecretRef is a secret key selector for
+                          the Venafi Cloud API token.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      url:
+                        description: URL is the base URL for Venafi Cloud. Defaults
+                          to "https://api.venafi.cloud/v1".
+                        type: string
+                    required:
+                    - apiTokenSecretRef
+                    type: object
+                  tpp:
+                    description: TPP specifies Trust Protection Platform configuration
+                      settings. Only one of TPP or Cloud may be specified.
+                    properties:
+                      caBundle:
+                        description: CABundle is a PEM encoded TLS certificate to
+                          use to verify connections to the TPP instance. If specified,
+                          system roots will not be used and the issuing CA for the
+                          TPP instance must be verifiable using the provided root.
+                          If not specified, the connection will be verified using
+                          the cert-manager system root certificates.
+                        format: byte
+                        type: string
+                      credentialsRef:
+                        description: CredentialsRef is a reference to a Secret containing
+                          the username and password for the TPP server. The secret
+                          must contain two keys, 'username' and 'password'.
+                        properties:
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      url:
+                        description: 'URL is the base URL for the vedsdk endpoint
+                          of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
+                        type: string
+                    required:
+                    - credentialsRef
+                    - url
+                    type: object
+                  zone:
+                    description: Zone is the Venafi Policy Zone to use for this issuer.
+                      All requests made to the Venafi platform will be restricted
+                      by the named zone policy. This field is required.
+                    type: string
+                required:
+                - zone
+                type: object
+            type: object
+          status:
+            description: Status of the ClusterIssuer. This is set and managed automatically.
+            properties:
+              acme:
+                description: ACME specific status options. This field should only
+                  be set if the Issuer is configured to use an ACME server to issue
+                  certificates.
+                properties:
+                  lastRegisteredEmail:
+                    description: LastRegisteredEmail is the email associated with
+                      the latest registered ACME account, in order to track changes
+                      made to registered account associated with the  Issuer
+                    type: string
+                  uri:
+                    description: URI is the unique account identifier, which can also
+                      be used to retrieve account details from the CA
+                    type: string
+                type: object
+              conditions:
+                description: List of status conditions to indicate the status of a
+                  CertificateRequest. Known condition types are `Ready`.
+                items:
+                  description: IssuerCondition contains condition information for
+                    an Issuer.
+                  properties:
+                    lastTransitionTime:
+                      description: LastTransitionTime is the timestamp corresponding
+                        to the last status change of this condition.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Message is a human readable description of the
+                        details of the last transition, complementing reason.
+                      type: string
+                    reason:
+                      description: Reason is a brief machine readable explanation
+                        for the condition's last transition.
+                      type: string
+                    status:
+                      description: Status of the condition, one of ('True', 'False',
+                        'Unknown').
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: Type of the condition, known values are ('Ready').
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
+  labels:
+    app: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: issuers.cert-manager.io
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          name: cert-manager-webhook
+          namespace: cert-manager
+          path: /convert
+      conversionReviewVersions:
+      - v1
+      - v1beta1
+  group: cert-manager.io
+  names:
+    kind: Issuer
+    listKind: IssuerList
+    plural: issuers
+    singular: issuer
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].message
+      name: Status
+      priority: 1
+      type: string
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC.
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: An Issuer represents a certificate issuing authority which can
+          be referenced as part of `issuerRef` fields. It is scoped to a single namespace
+          and can therefore only be referenced by resources within the same namespace.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Desired state of the Issuer resource.
+            properties:
+              acme:
+                description: ACME configures this issuer to communicate with a RFC8555
+                  (ACME) server to obtain signed x509 certificates.
+                properties:
+                  disableAccountKeyGeneration:
+                    description: Enables or disables generating a new ACME account
+                      key. If true, the Issuer resource will *not* request a new account
+                      but will expect the account key to be supplied via an existing
+                      secret. If false, the cert-manager system will generate a new
+                      ACME account key for the Issuer. Defaults to false.
+                    type: boolean
+                  email:
+                    description: Email is the email address to be associated with
+                      the ACME account. This field is optional, but it is strongly
+                      recommended to be set. It will be used to contact you in case
+                      of issues with your account or certificates, including expiry
+                      notification emails. This field may be updated after the account
+                      is initially registered.
+                    type: string
+                  externalAccountBinding:
+                    description: ExternalAccountBinding is a reference to a CA external
+                      account of the ACME server. If set, upon registration cert-manager
+                      will attempt to associate the given external account credentials
+                      with the registered ACME account.
+                    properties:
+                      keyAlgorithm:
+                        description: keyAlgorithm is the MAC key algorithm that the
+                          key is used for. Valid values are "HS256", "HS384" and "HS512".
+                        enum:
+                        - HS256
+                        - HS384
+                        - HS512
+                        type: string
+                      keyID:
+                        description: keyID is the ID of the CA key that the External
+                          Account is bound to.
+                        type: string
+                      keySecretRef:
+                        description: keySecretRef is a Secret Key Selector referencing
+                          a data item in a Kubernetes Secret which holds the symmetric
+                          MAC key of the External Account Binding. The `key` is the
+                          index string that is paired with the key data in the Secret
+                          and should not be confused with the key data itself, or
+                          indeed with the External Account Binding keyID above. The
+                          secret key stored in the Secret **must** be un-padded, base64
+                          URL encoded data.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                    required:
+                    - keyAlgorithm
+                    - keyID
+                    - keySecretRef
+                    type: object
+                  preferredChain:
+                    description: 'PreferredChain is the chain to use if the ACME server
+                      outputs multiple. PreferredChain is no guarantee that this one
+                      gets delivered by the ACME endpoint. For example, for Let''s
+                      Encrypt''s DST crosssign you would use: "DST Root CA X3" or
+                      "ISRG Root X1" for the newer Let''s Encrypt root CA. This value
+                      picks the first certificate bundle in the ACME alternative chains
+                      that has a certificate with this value as its issuer''s CN'
+                    maxLength: 64
+                    type: string
+                  privateKeySecretRef:
+                    description: PrivateKey is the name of a Kubernetes Secret resource
+                      that will be used to store the automatically generated ACME
+                      account private key. Optionally, a `key` may be specified to
+                      select a specific entry within the named Secret resource. If
+                      `key` is not specified, a default of `tls.key` will be used.
+                    properties:
+                      key:
+                        description: The key of the entry in the Secret resource's
+                          `data` field to be used. Some instances of this field may
+                          be defaulted, in others it may be required.
+                        type: string
+                      name:
+                        description: 'Name of the resource being referred to. More
+                          info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                        type: string
+                    required:
+                    - name
+                    type: object
+                  server:
+                    description: 'Server is the URL used to access the ACME server''s
+                      ''directory'' endpoint. For example, for Let''s Encrypt''s staging
+                      endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory".
+                      Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
+                    type: string
+                  skipTLSVerify:
+                    description: Enables or disables validation of the ACME server
+                      TLS certificate. If true, requests to the ACME server will not
+                      have their TLS certificate validated (i.e. insecure connections
+                      will be allowed). Only enable this option in development environments.
+                      The cert-manager system installed roots will be used to verify
+                      connections to the ACME server if this is false. Defaults to
+                      false.
+                    type: boolean
+                  solvers:
+                    description: 'Solvers is a list of challenge solvers that will
+                      be used to solve ACME challenges for the matching domains. Solver
+                      configurations must be provided in order to obtain certificates
+                      from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
+                    items:
+                      description: Configures an issuer to solve challenges using
+                        the specified options. Only one of HTTP01 or DNS01 may be
+                        provided.
+                      properties:
+                        dns01:
+                          description: Configures cert-manager to attempt to complete
+                            authorizations by performing the DNS01 challenge flow.
+                          properties:
+                            acmedns:
+                              description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
+                                API to manage DNS01 challenge records.
+                              properties:
+                                accountSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                host:
+                                  type: string
+                              required:
+                              - accountSecretRef
+                              - host
+                              type: object
+                            akamai:
+                              description: Use the Akamai DNS zone management API
+                                to manage DNS01 challenge records.
+                              properties:
+                                accessTokenSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                clientSecretSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                clientTokenSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                serviceConsumerDomain:
+                                  type: string
+                              required:
+                              - accessTokenSecretRef
+                              - clientSecretSecretRef
+                              - clientTokenSecretRef
+                              - serviceConsumerDomain
+                              type: object
+                            azuredns:
+                              description: Use the Microsoft Azure DNS API to manage
+                                DNS01 challenge records.
+                              properties:
+                                clientID:
+                                  description: if both this and ClientSecret are left
+                                    unset MSI will be used
+                                  type: string
+                                clientSecretSecretRef:
+                                  description: if both this and ClientID are left
+                                    unset MSI will be used
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                environment:
+                                  enum:
+                                  - AzurePublicCloud
+                                  - AzureChinaCloud
+                                  - AzureGermanCloud
+                                  - AzureUSGovernmentCloud
+                                  type: string
+                                hostedZoneName:
+                                  type: string
+                                resourceGroupName:
+                                  type: string
+                                subscriptionID:
+                                  type: string
+                                tenantID:
+                                  description: when specifying ClientID and ClientSecret
+                                    then this field is also needed
+                                  type: string
+                              required:
+                              - resourceGroupName
+                              - subscriptionID
+                              type: object
+                            clouddns:
+                              description: Use the Google Cloud DNS API to manage
+                                DNS01 challenge records.
+                              properties:
+                                hostedZoneName:
+                                  description: HostedZoneName is an optional field
+                                    that tells cert-manager in which Cloud DNS zone
+                                    the challenge record has to be created. If left
+                                    empty cert-manager will automatically choose a
+                                    zone.
+                                  type: string
+                                project:
+                                  type: string
+                                serviceAccountSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - project
+                              type: object
+                            cloudflare:
+                              description: Use the Cloudflare API to manage DNS01
+                                challenge records.
+                              properties:
+                                apiKeySecretRef:
+                                  description: 'API key to use to authenticate with
+                                    Cloudflare. Note: using an API token to authenticate
+                                    is now the recommended method as it allows greater
+                                    control of permissions.'
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                apiTokenSecretRef:
+                                  description: API token used to authenticate with
+                                    Cloudflare.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                email:
+                                  description: Email of the account, only required
+                                    when using API key based authentication.
+                                  type: string
+                              type: object
+                            cnameStrategy:
+                              description: CNAMEStrategy configures how the DNS01
+                                provider should handle CNAME records when found in
+                                DNS zones.
+                              enum:
+                              - None
+                              - Follow
+                              type: string
+                            digitalocean:
+                              description: Use the DigitalOcean DNS API to manage
+                                DNS01 challenge records.
+                              properties:
+                                tokenSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - tokenSecretRef
+                              type: object
+                            rfc2136:
+                              description: Use RFC2136 ("Dynamic Updates in the Domain
+                                Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+                                to manage DNS01 challenge records.
+                              properties:
+                                nameserver:
+                                  description: The IP address or hostname of an authoritative
+                                    DNS server supporting RFC2136 in the form host:port.
+                                    If the host is an IPv6 address it must be enclosed
+                                    in square brackets (e.g [2001:db8::1]) ; port
+                                    is optional. This field is required.
+                                  type: string
+                                tsigAlgorithm:
+                                  description: 'The TSIG Algorithm configured in the
+                                    DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
+                                    and ``tsigKeyName`` are defined. Supported values
+                                    are (case-insensitive): ``HMACMD5`` (default),
+                                    ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
+                                  type: string
+                                tsigKeyName:
+                                  description: The TSIG Key name configured in the
+                                    DNS. If ``tsigSecretSecretRef`` is defined, this
+                                    field is required.
+                                  type: string
+                                tsigSecretSecretRef:
+                                  description: The name of the secret containing the
+                                    TSIG value. If ``tsigKeyName`` is defined, this
+                                    field is required.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - nameserver
+                              type: object
+                            route53:
+                              description: Use the AWS Route53 API to manage DNS01
+                                challenge records.
+                              properties:
+                                accessKeyID:
+                                  description: 'The AccessKeyID is used for authentication.
+                                    If not set we fall-back to using env vars, shared
+                                    credentials file or AWS Instance metadata see:
+                                    https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                  type: string
+                                hostedZoneID:
+                                  description: If set, the provider will manage only
+                                    this zone in Route53 and will not do an lookup
+                                    using the route53:ListHostedZonesByName api call.
+                                  type: string
+                                region:
+                                  description: Always set the region when using AccessKeyID
+                                    and SecretAccessKey
+                                  type: string
+                                role:
+                                  description: Role is a Role ARN which the Route53
+                                    provider will assume using either the explicit
+                                    credentials AccessKeyID/SecretAccessKey or the
+                                    inferred credentials from environment variables,
+                                    shared credentials file or AWS Instance metadata
+                                  type: string
+                                secretAccessKeySecretRef:
+                                  description: The SecretAccessKey is used for authentication.
+                                    If not set we fall-back to using env vars, shared
+                                    credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - region
+                              type: object
+                            webhook:
+                              description: Configure an external webhook based DNS01
+                                challenge solver to manage DNS01 challenge records.
+                              properties:
+                                config:
+                                  description: Additional configuration that should
+                                    be passed to the webhook apiserver when challenges
+                                    are processed. This can contain arbitrary JSON
+                                    data. Secret values should not be specified in
+                                    this stanza. If secret values are needed (e.g.
+                                    credentials for a DNS service), you should use
+                                    a SecretKeySelector to reference a Secret resource.
+                                    For details on the schema of this field, consult
+                                    the webhook provider implementation's documentation.
+                                  x-kubernetes-preserve-unknown-fields: true
+                                groupName:
+                                  description: The API group name that should be used
+                                    when POSTing ChallengePayload resources to the
+                                    webhook apiserver. This should be the same as
+                                    the GroupName specified in the webhook provider
+                                    implementation.
+                                  type: string
+                                solverName:
+                                  description: The name of the solver to use, as defined
+                                    in the webhook provider implementation. This will
+                                    typically be the name of the provider, e.g. 'cloudflare'.
+                                  type: string
+                              required:
+                              - groupName
+                              - solverName
+                              type: object
+                          type: object
+                        http01:
+                          description: Configures cert-manager to attempt to complete
+                            authorizations by performing the HTTP01 challenge flow.
+                            It is not possible to obtain certificates for wildcard
+                            domain names (e.g. `*.example.com`) using the HTTP01 challenge
+                            mechanism.
+                          properties:
+                            ingress:
+                              description: The ingress based HTTP01 challenge solver
+                                will solve challenges by creating or modifying Ingress
+                                resources in order to route requests for '/.well-known/acme-challenge/XYZ'
+                                to 'challenge solver' pods that are provisioned by
+                                cert-manager for each Challenge to be completed.
+                              properties:
+                                class:
+                                  description: The ingress class to use when creating
+                                    Ingress resources to solve ACME challenges that
+                                    use this challenge solver. Only one of 'class'
+                                    or 'name' may be specified.
+                                  type: string
+                                ingressTemplate:
+                                  description: Optional ingress template used to configure
+                                    the ACME challenge solver ingress used for HTTP01
+                                    challenges
+                                  properties:
+                                    metadata:
+                                      description: ObjectMeta overrides for the ingress
+                                        used to solve HTTP01 challenges. Only the
+                                        'labels' and 'annotations' fields may be set.
+                                        If labels or annotations overlap with in-built
+                                        values, the values here will override the
+                                        in-built values.
+                                      properties:
+                                        annotations:
+                                          additionalProperties:
+                                            type: string
+                                          description: Annotations that should be
+                                            added to the created ACME HTTP01 solver
+                                            ingress.
+                                          type: object
+                                        labels:
+                                          additionalProperties:
+                                            type: string
+                                          description: Labels that should be added
+                                            to the created ACME HTTP01 solver ingress.
+                                          type: object
+                                      type: object
+                                  type: object
+                                name:
+                                  description: The name of the ingress resource that
+                                    should have ACME challenge solving routes inserted
+                                    into it in order to solve HTTP01 challenges. This
+                                    is typically used in conjunction with ingress
+                                    controllers like ingress-gce, which maintains
+                                    a 1:1 mapping between external IPs and ingress
+                                    resources.
+                                  type: string
+                                podTemplate:
+                                  description: Optional pod template used to configure
+                                    the ACME challenge solver pods used for HTTP01
+                                    challenges
+                                  properties:
+                                    metadata:
+                                      description: ObjectMeta overrides for the pod
+                                        used to solve HTTP01 challenges. Only the
+                                        'labels' and 'annotations' fields may be set.
+                                        If labels or annotations overlap with in-built
+                                        values, the values here will override the
+                                        in-built values.
+                                      properties:
+                                        annotations:
+                                          additionalProperties:
+                                            type: string
+                                          description: Annotations that should be
+                                            added to the create ACME HTTP01 solver
+                                            pods.
+                                          type: object
+                                        labels:
+                                          additionalProperties:
+                                            type: string
+                                          description: Labels that should be added
+                                            to the created ACME HTTP01 solver pods.
+                                          type: object
+                                      type: object
+                                    spec:
+                                      description: PodSpec defines overrides for the
+                                        HTTP01 challenge solver pod. Only the 'priorityClassName',
+                                        'nodeSelector', 'affinity', 'serviceAccountName'
+                                        and 'tolerations' fields are supported currently.
+                                        All other fields will be ignored.
+                                      properties:
+                                        affinity:
+                                          description: If specified, the pod's scheduling
+                                            constraints
+                                          properties:
+                                            nodeAffinity:
+                                              description: Describes node affinity
+                                                scheduling rules for the pod.
+                                              properties:
+                                                preferredDuringSchedulingIgnoredDuringExecution:
+                                                  description: The scheduler will
+                                                    prefer to schedule pods to nodes
+                                                    that satisfy the affinity expressions
+                                                    specified by this field, but it
+                                                    may choose a node that violates
+                                                    one or more of the expressions.
+                                                    The node that is most preferred
+                                                    is the one with the greatest sum
+                                                    of weights, i.e. for each node
+                                                    that meets all of the scheduling
+                                                    requirements (resource request,
+                                                    requiredDuringScheduling affinity
+                                                    expressions, etc.), compute a
+                                                    sum by iterating through the elements
+                                                    of this field and adding "weight"
+                                                    to the sum if the node matches
+                                                    the corresponding matchExpressions;
+                                                    the node(s) with the highest sum
+                                                    are the most preferred.
+                                                  items:
+                                                    description: An empty preferred
+                                                      scheduling term matches all
+                                                      objects with implicit weight
+                                                      0 (i.e. it's a no-op). A null
+                                                      preferred scheduling term matches
+                                                      no objects (i.e. is also a no-op).
+                                                    properties:
+                                                      preference:
+                                                        description: A node selector
+                                                          term, associated with the
+                                                          corresponding weight.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's labels.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchFields:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's fields.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                        type: object
+                                                      weight:
+                                                        description: Weight associated
+                                                          with matching the corresponding
+                                                          nodeSelectorTerm, in the
+                                                          range 1-100.
+                                                        format: int32
+                                                        type: integer
+                                                    required:
+                                                    - preference
+                                                    - weight
+                                                    type: object
+                                                  type: array
+                                                requiredDuringSchedulingIgnoredDuringExecution:
+                                                  description: If the affinity requirements
+                                                    specified by this field are not
+                                                    met at scheduling time, the pod
+                                                    will not be scheduled onto the
+                                                    node. If the affinity requirements
+                                                    specified by this field cease
+                                                    to be met at some point during
+                                                    pod execution (e.g. due to an
+                                                    update), the system may or may
+                                                    not try to eventually evict the
+                                                    pod from its node.
+                                                  properties:
+                                                    nodeSelectorTerms:
+                                                      description: Required. A list
+                                                        of node selector terms. The
+                                                        terms are ORed.
+                                                      items:
+                                                        description: A null or empty
+                                                          node selector term matches
+                                                          no objects. The requirements
+                                                          of them are ANDed. The TopologySelectorTerm
+                                                          type implements a subset
+                                                          of the NodeSelectorTerm.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's labels.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchFields:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's fields.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                        type: object
+                                                      type: array
+                                                  required:
+                                                  - nodeSelectorTerms
+                                                  type: object
+                                              type: object
+                                            podAffinity:
+                                              description: Describes pod affinity
+                                                scheduling rules (e.g. co-locate this
+                                                pod in the same node, zone, etc. as
+                                                some other pod(s)).
+                                              properties:
+                                                preferredDuringSchedulingIgnoredDuringExecution:
+                                                  description: The scheduler will
+                                                    prefer to schedule pods to nodes
+                                                    that satisfy the affinity expressions
+                                                    specified by this field, but it
+                                                    may choose a node that violates
+                                                    one or more of the expressions.
+                                                    The node that is most preferred
+                                                    is the one with the greatest sum
+                                                    of weights, i.e. for each node
+                                                    that meets all of the scheduling
+                                                    requirements (resource request,
+                                                    requiredDuringScheduling affinity
+                                                    expressions, etc.), compute a
+                                                    sum by iterating through the elements
+                                                    of this field and adding "weight"
+                                                    to the sum if the node has pods
+                                                    which matches the corresponding
+                                                    podAffinityTerm; the node(s) with
+                                                    the highest sum are the most preferred.
+                                                  items:
+                                                    description: The weights of all
+                                                      of the matched WeightedPodAffinityTerm
+                                                      fields are added per-node to
+                                                      find the most preferred node(s)
+                                                    properties:
+                                                      podAffinityTerm:
+                                                        description: Required. A pod
+                                                          affinity term, associated
+                                                          with the corresponding weight.
+                                                        properties:
+                                                          labelSelector:
+                                                            description: A label query
+                                                              over a set of resources,
+                                                              in this case pods.
+                                                            properties:
+                                                              matchExpressions:
+                                                                description: matchExpressions
+                                                                  is a list of label
+                                                                  selector requirements.
+                                                                  The requirements
+                                                                  are ANDed.
+                                                                items:
+                                                                  description: A label
+                                                                    selector requirement
+                                                                    is a selector
+                                                                    that contains
+                                                                    values, a key,
+                                                                    and an operator
+                                                                    that relates the
+                                                                    key and values.
+                                                                  properties:
+                                                                    key:
+                                                                      description: key
+                                                                        is the label
+                                                                        key that the
+                                                                        selector applies
+                                                                        to.
+                                                                      type: string
+                                                                    operator:
+                                                                      description: operator
+                                                                        represents
+                                                                        a key's relationship
+                                                                        to a set of
+                                                                        values. Valid
+                                                                        operators
+                                                                        are In, NotIn,
+                                                                        Exists and
+                                                                        DoesNotExist.
+                                                                      type: string
+                                                                    values:
+                                                                      description: values
+                                                                        is an array
+                                                                        of string
+                                                                        values. If
+                                                                        the operator
+                                                                        is In or NotIn,
+                                                                        the values
+                                                                        array must
+                                                                        be non-empty.
+                                                                        If the operator
+                                                                        is Exists
+                                                                        or DoesNotExist,
+                                                                        the values
+                                                                        array must
+                                                                        be empty.
+                                                                        This array
+                                                                        is replaced
+                                                                        during a strategic
+                                                                        merge patch.
+                                                                      items:
+                                                                        type: string
+                                                                      type: array
+                                                                  required:
+                                                                  - key
+                                                                  - operator
+                                                                  type: object
+                                                                type: array
+                                                              matchLabels:
+                                                                additionalProperties:
+                                                                  type: string
+                                                                description: matchLabels
+                                                                  is a map of {key,value}
+                                                                  pairs. A single
+                                                                  {key,value} in the
+                                                                  matchLabels map
+                                                                  is equivalent to
+                                                                  an element of matchExpressions,
+                                                                  whose key field
+                                                                  is "key", the operator
+                                                                  is "In", and the
+                                                                  values array contains
+                                                                  only "value". The
+                                                                  requirements are
+                                                                  ANDed.
+                                                                type: object
+                                                            type: object
+                                                          namespaces:
+                                                            description: namespaces
+                                                              specifies which namespaces
+                                                              the labelSelector applies
+                                                              to (matches against);
+                                                              null or empty list means
+                                                              "this pod's namespace"
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                          topologyKey:
+                                                            description: This pod
+                                                              should be co-located
+                                                              (affinity) or not co-located
+                                                              (anti-affinity) with
+                                                              the pods matching the
+                                                              labelSelector in the
+                                                              specified namespaces,
+                                                              where co-located is
+                                                              defined as running on
+                                                              a node whose value of
+                                                              the label with key topologyKey
+                                                              matches that of any
+                                                              node on which any of
+                                                              the selected pods is
+                                                              running. Empty topologyKey
+                                                              is not allowed.
+                                                            type: string
+                                                        required:
+                                                        - topologyKey
+                                                        type: object
+                                                      weight:
+                                                        description: weight associated
+                                                          with matching the corresponding
+                                                          podAffinityTerm, in the
+                                                          range 1-100.
+                                                        format: int32
+                                                        type: integer
+                                                    required:
+                                                    - podAffinityTerm
+                                                    - weight
+                                                    type: object
+                                                  type: array
+                                                requiredDuringSchedulingIgnoredDuringExecution:
+                                                  description: If the affinity requirements
+                                                    specified by this field are not
+                                                    met at scheduling time, the pod
+                                                    will not be scheduled onto the
+                                                    node. If the affinity requirements
+                                                    specified by this field cease
+                                                    to be met at some point during
+                                                    pod execution (e.g. due to a pod
+                                                    label update), the system may
+                                                    or may not try to eventually evict
+                                                    the pod from its node. When there
+                                                    are multiple elements, the lists
+                                                    of nodes corresponding to each
+                                                    podAffinityTerm are intersected,
+                                                    i.e. all terms must be satisfied.
+                                                  items:
+                                                    description: Defines a set of
+                                                      pods (namely those matching
+                                                      the labelSelector relative to
+                                                      the given namespace(s)) that
+                                                      this pod should be co-located
+                                                      (affinity) or not co-located
+                                                      (anti-affinity) with, where
+                                                      co-located is defined as running
+                                                      on a node whose value of the
+                                                      label with key <topologyKey>
+                                                      matches that of any node on
+                                                      which a pod of the set of pods
+                                                      is running
+                                                    properties:
+                                                      labelSelector:
+                                                        description: A label query
+                                                          over a set of resources,
+                                                          in this case pods.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: matchExpressions
+                                                              is a list of label selector
+                                                              requirements. The requirements
+                                                              are ANDed.
+                                                            items:
+                                                              description: A label
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: key
+                                                                    is the label key
+                                                                    that the selector
+                                                                    applies to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: operator
+                                                                    represents a key's
+                                                                    relationship to
+                                                                    a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists and DoesNotExist.
+                                                                  type: string
+                                                                values:
+                                                                  description: values
+                                                                    is an array of
+                                                                    string values.
+                                                                    If the operator
+                                                                    is In or NotIn,
+                                                                    the values array
+                                                                    must be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchLabels:
+                                                            additionalProperties:
+                                                              type: string
+                                                            description: matchLabels
+                                                              is a map of {key,value}
+                                                              pairs. A single {key,value}
+                                                              in the matchLabels map
+                                                              is equivalent to an
+                                                              element of matchExpressions,
+                                                              whose key field is "key",
+                                                              the operator is "In",
+                                                              and the values array
+                                                              contains only "value".
+                                                              The requirements are
+                                                              ANDed.
+                                                            type: object
+                                                        type: object
+                                                      namespaces:
+                                                        description: namespaces specifies
+                                                          which namespaces the labelSelector
+                                                          applies to (matches against);
+                                                          null or empty list means
+                                                          "this pod's namespace"
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                      topologyKey:
+                                                        description: This pod should
+                                                          be co-located (affinity)
+                                                          or not co-located (anti-affinity)
+                                                          with the pods matching the
+                                                          labelSelector in the specified
+                                                          namespaces, where co-located
+                                                          is defined as running on
+                                                          a node whose value of the
+                                                          label with key topologyKey
+                                                          matches that of any node
+                                                          on which any of the selected
+                                                          pods is running. Empty topologyKey
+                                                          is not allowed.
+                                                        type: string
+                                                    required:
+                                                    - topologyKey
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                            podAntiAffinity:
+                                              description: Describes pod anti-affinity
+                                                scheduling rules (e.g. avoid putting
+                                                this pod in the same node, zone, etc.
+                                                as some other pod(s)).
+                                              properties:
+                                                preferredDuringSchedulingIgnoredDuringExecution:
+                                                  description: The scheduler will
+                                                    prefer to schedule pods to nodes
+                                                    that satisfy the anti-affinity
+                                                    expressions specified by this
+                                                    field, but it may choose a node
+                                                    that violates one or more of the
+                                                    expressions. The node that is
+                                                    most preferred is the one with
+                                                    the greatest sum of weights, i.e.
+                                                    for each node that meets all of
+                                                    the scheduling requirements (resource
+                                                    request, requiredDuringScheduling
+                                                    anti-affinity expressions, etc.),
+                                                    compute a sum by iterating through
+                                                    the elements of this field and
+                                                    adding "weight" to the sum if
+                                                    the node has pods which matches
+                                                    the corresponding podAffinityTerm;
+                                                    the node(s) with the highest sum
+                                                    are the most preferred.
+                                                  items:
+                                                    description: The weights of all
+                                                      of the matched WeightedPodAffinityTerm
+                                                      fields are added per-node to
+                                                      find the most preferred node(s)
+                                                    properties:
+                                                      podAffinityTerm:
+                                                        description: Required. A pod
+                                                          affinity term, associated
+                                                          with the corresponding weight.
+                                                        properties:
+                                                          labelSelector:
+                                                            description: A label query
+                                                              over a set of resources,
+                                                              in this case pods.
+                                                            properties:
+                                                              matchExpressions:
+                                                                description: matchExpressions
+                                                                  is a list of label
+                                                                  selector requirements.
+                                                                  The requirements
+                                                                  are ANDed.
+                                                                items:
+                                                                  description: A label
+                                                                    selector requirement
+                                                                    is a selector
+                                                                    that contains
+                                                                    values, a key,
+                                                                    and an operator
+                                                                    that relates the
+                                                                    key and values.
+                                                                  properties:
+                                                                    key:
+                                                                      description: key
+                                                                        is the label
+                                                                        key that the
+                                                                        selector applies
+                                                                        to.
+                                                                      type: string
+                                                                    operator:
+                                                                      description: operator
+                                                                        represents
+                                                                        a key's relationship
+                                                                        to a set of
+                                                                        values. Valid
+                                                                        operators
+                                                                        are In, NotIn,
+                                                                        Exists and
+                                                                        DoesNotExist.
+                                                                      type: string
+                                                                    values:
+                                                                      description: values
+                                                                        is an array
+                                                                        of string
+                                                                        values. If
+                                                                        the operator
+                                                                        is In or NotIn,
+                                                                        the values
+                                                                        array must
+                                                                        be non-empty.
+                                                                        If the operator
+                                                                        is Exists
+                                                                        or DoesNotExist,
+                                                                        the values
+                                                                        array must
+                                                                        be empty.
+                                                                        This array
+                                                                        is replaced
+                                                                        during a strategic
+                                                                        merge patch.
+                                                                      items:
+                                                                        type: string
+                                                                      type: array
+                                                                  required:
+                                                                  - key
+                                                                  - operator
+                                                                  type: object
+                                                                type: array
+                                                              matchLabels:
+                                                                additionalProperties:
+                                                                  type: string
+                                                                description: matchLabels
+                                                                  is a map of {key,value}
+                                                                  pairs. A single
+                                                                  {key,value} in the
+                                                                  matchLabels map
+                                                                  is equivalent to
+                                                                  an element of matchExpressions,
+                                                                  whose key field
+                                                                  is "key", the operator
+                                                                  is "In", and the
+                                                                  values array contains
+                                                                  only "value". The
+                                                                  requirements are
+                                                                  ANDed.
+                                                                type: object
+                                                            type: object
+                                                          namespaces:
+                                                            description: namespaces
+                                                              specifies which namespaces
+                                                              the labelSelector applies
+                                                              to (matches against);
+                                                              null or empty list means
+                                                              "this pod's namespace"
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                          topologyKey:
+                                                            description: This pod
+                                                              should be co-located
+                                                              (affinity) or not co-located
+                                                              (anti-affinity) with
+                                                              the pods matching the
+                                                              labelSelector in the
+                                                              specified namespaces,
+                                                              where co-located is
+                                                              defined as running on
+                                                              a node whose value of
+                                                              the label with key topologyKey
+                                                              matches that of any
+                                                              node on which any of
+                                                              the selected pods is
+                                                              running. Empty topologyKey
+                                                              is not allowed.
+                                                            type: string
+                                                        required:
+                                                        - topologyKey
+                                                        type: object
+                                                      weight:
+                                                        description: weight associated
+                                                          with matching the corresponding
+                                                          podAffinityTerm, in the
+                                                          range 1-100.
+                                                        format: int32
+                                                        type: integer
+                                                    required:
+                                                    - podAffinityTerm
+                                                    - weight
+                                                    type: object
+                                                  type: array
+                                                requiredDuringSchedulingIgnoredDuringExecution:
+                                                  description: If the anti-affinity
+                                                    requirements specified by this
+                                                    field are not met at scheduling
+                                                    time, the pod will not be scheduled
+                                                    onto the node. If the anti-affinity
+                                                    requirements specified by this
+                                                    field cease to be met at some
+                                                    point during pod execution (e.g.
+                                                    due to a pod label update), the
+                                                    system may or may not try to eventually
+                                                    evict the pod from its node. When
+                                                    there are multiple elements, the
+                                                    lists of nodes corresponding to
+                                                    each podAffinityTerm are intersected,
+                                                    i.e. all terms must be satisfied.
+                                                  items:
+                                                    description: Defines a set of
+                                                      pods (namely those matching
+                                                      the labelSelector relative to
+                                                      the given namespace(s)) that
+                                                      this pod should be co-located
+                                                      (affinity) or not co-located
+                                                      (anti-affinity) with, where
+                                                      co-located is defined as running
+                                                      on a node whose value of the
+                                                      label with key <topologyKey>
+                                                      matches that of any node on
+                                                      which a pod of the set of pods
+                                                      is running
+                                                    properties:
+                                                      labelSelector:
+                                                        description: A label query
+                                                          over a set of resources,
+                                                          in this case pods.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: matchExpressions
+                                                              is a list of label selector
+                                                              requirements. The requirements
+                                                              are ANDed.
+                                                            items:
+                                                              description: A label
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: key
+                                                                    is the label key
+                                                                    that the selector
+                                                                    applies to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: operator
+                                                                    represents a key's
+                                                                    relationship to
+                                                                    a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists and DoesNotExist.
+                                                                  type: string
+                                                                values:
+                                                                  description: values
+                                                                    is an array of
+                                                                    string values.
+                                                                    If the operator
+                                                                    is In or NotIn,
+                                                                    the values array
+                                                                    must be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchLabels:
+                                                            additionalProperties:
+                                                              type: string
+                                                            description: matchLabels
+                                                              is a map of {key,value}
+                                                              pairs. A single {key,value}
+                                                              in the matchLabels map
+                                                              is equivalent to an
+                                                              element of matchExpressions,
+                                                              whose key field is "key",
+                                                              the operator is "In",
+                                                              and the values array
+                                                              contains only "value".
+                                                              The requirements are
+                                                              ANDed.
+                                                            type: object
+                                                        type: object
+                                                      namespaces:
+                                                        description: namespaces specifies
+                                                          which namespaces the labelSelector
+                                                          applies to (matches against);
+                                                          null or empty list means
+                                                          "this pod's namespace"
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                      topologyKey:
+                                                        description: This pod should
+                                                          be co-located (affinity)
+                                                          or not co-located (anti-affinity)
+                                                          with the pods matching the
+                                                          labelSelector in the specified
+                                                          namespaces, where co-located
+                                                          is defined as running on
+                                                          a node whose value of the
+                                                          label with key topologyKey
+                                                          matches that of any node
+                                                          on which any of the selected
+                                                          pods is running. Empty topologyKey
+                                                          is not allowed.
+                                                        type: string
+                                                    required:
+                                                    - topologyKey
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                          type: object
+                                        nodeSelector:
+                                          additionalProperties:
+                                            type: string
+                                          description: 'NodeSelector is a selector
+                                            which must be true for the pod to fit
+                                            on a node. Selector which must match a
+                                            node''s labels for the pod to be scheduled
+                                            on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
+                                          type: object
+                                        priorityClassName:
+                                          description: If specified, the pod's priorityClassName.
+                                          type: string
+                                        serviceAccountName:
+                                          description: If specified, the pod's service
+                                            account
+                                          type: string
+                                        tolerations:
+                                          description: If specified, the pod's tolerations.
+                                          items:
+                                            description: The pod this Toleration is
+                                              attached to tolerates any taint that
+                                              matches the triple <key,value,effect>
+                                              using the matching operator <operator>.
+                                            properties:
+                                              effect:
+                                                description: Effect indicates the
+                                                  taint effect to match. Empty means
+                                                  match all taint effects. When specified,
+                                                  allowed values are NoSchedule, PreferNoSchedule
+                                                  and NoExecute.
+                                                type: string
+                                              key:
+                                                description: Key is the taint key
+                                                  that the toleration applies to.
+                                                  Empty means match all taint keys.
+                                                  If the key is empty, operator must
+                                                  be Exists; this combination means
+                                                  to match all values and all keys.
+                                                type: string
+                                              operator:
+                                                description: Operator represents a
+                                                  key's relationship to the value.
+                                                  Valid operators are Exists and Equal.
+                                                  Defaults to Equal. Exists is equivalent
+                                                  to wildcard for value, so that a
+                                                  pod can tolerate all taints of a
+                                                  particular category.
+                                                type: string
+                                              tolerationSeconds:
+                                                description: TolerationSeconds represents
+                                                  the period of time the toleration
+                                                  (which must be of effect NoExecute,
+                                                  otherwise this field is ignored)
+                                                  tolerates the taint. By default,
+                                                  it is not set, which means tolerate
+                                                  the taint forever (do not evict).
+                                                  Zero and negative values will be
+                                                  treated as 0 (evict immediately)
+                                                  by the system.
+                                                format: int64
+                                                type: integer
+                                              value:
+                                                description: Value is the taint value
+                                                  the toleration matches to. If the
+                                                  operator is Exists, the value should
+                                                  be empty, otherwise just a regular
+                                                  string.
+                                                type: string
+                                            type: object
+                                          type: array
+                                      type: object
+                                  type: object
+                                serviceType:
+                                  description: Optional service type for Kubernetes
+                                    solver service
+                                  type: string
+                              type: object
+                          type: object
+                        selector:
+                          description: Selector selects a set of DNSNames on the Certificate
+                            resource that should be solved using this challenge solver.
+                            If not specified, the solver will be treated as the 'default'
+                            solver with the lowest priority, i.e. if any other solver
+                            has a more specific match, it will be used instead.
+                          properties:
+                            dnsNames:
+                              description: List of DNSNames that this solver will
+                                be used to solve. If specified and a match is found,
+                                a dnsNames selector will take precedence over a dnsZones
+                                selector. If multiple solvers match with the same
+                                dnsNames value, the solver with the most matching
+                                labels in matchLabels will be selected. If neither
+                                has more matches, the solver defined earlier in the
+                                list will be selected.
+                              items:
+                                type: string
+                              type: array
+                            dnsZones:
+                              description: List of DNSZones that this solver will
+                                be used to solve. The most specific DNS zone match
+                                specified here will take precedence over other DNS
+                                zone matches, so a solver specifying sys.example.com
+                                will be selected over one specifying example.com for
+                                the domain www.sys.example.com. If multiple solvers
+                                match with the same dnsZones value, the solver with
+                                the most matching labels in matchLabels will be selected.
+                                If neither has more matches, the solver defined earlier
+                                in the list will be selected.
+                              items:
+                                type: string
+                              type: array
+                            matchLabels:
+                              additionalProperties:
+                                type: string
+                              description: A label selector that is used to refine
+                                the set of certificate's that this challenge solver
+                                will apply to.
+                              type: object
+                          type: object
+                      type: object
+                    type: array
+                required:
+                - privateKeySecretRef
+                - server
+                type: object
+              ca:
+                description: CA configures this issuer to sign certificates using
+                  a signing CA keypair stored in a Secret resource. This is used to
+                  build internal PKIs that are managed by cert-manager.
+                properties:
+                  crlDistributionPoints:
+                    description: The CRL distribution points is an X.509 v3 certificate
+                      extension which identifies the location of the CRL from which
+                      the revocation of this certificate can be checked. If not set,
+                      certificates will be issued without distribution points set.
+                    items:
+                      type: string
+                    type: array
+                  secretName:
+                    description: SecretName is the name of the secret used to sign
+                      Certificates issued by this Issuer.
+                    type: string
+                required:
+                - secretName
+                type: object
+              selfSigned:
+                description: SelfSigned configures this issuer to 'self sign' certificates
+                  using the private key used to create the CertificateRequest object.
+                properties:
+                  crlDistributionPoints:
+                    description: The CRL distribution points is an X.509 v3 certificate
+                      extension which identifies the location of the CRL from which
+                      the revocation of this certificate can be checked. If not set
+                      certificate will be issued without CDP. Values are strings.
+                    items:
+                      type: string
+                    type: array
+                type: object
+              vault:
+                description: Vault configures this issuer to sign certificates using
+                  a HashiCorp Vault PKI backend.
+                properties:
+                  auth:
+                    description: Auth configures how cert-manager authenticates with
+                      the Vault server.
+                    properties:
+                      appRole:
+                        description: AppRole authenticates with Vault using the App
+                          Role auth mechanism, with the role and secret stored in
+                          a Kubernetes Secret resource.
+                        properties:
+                          path:
+                            description: 'Path where the App Role authentication backend
+                              is mounted in Vault, e.g: "approle"'
+                            type: string
+                          roleId:
+                            description: RoleID configured in the App Role authentication
+                              backend when setting up the authentication backend in
+                              Vault.
+                            type: string
+                          secretRef:
+                            description: Reference to a key in a Secret that contains
+                              the App Role secret used to authenticate with Vault.
+                              The `key` field must be specified and denotes which
+                              entry within the Secret resource is used as the app
+                              role secret.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - path
+                        - roleId
+                        - secretRef
+                        type: object
+                      kubernetes:
+                        description: Kubernetes authenticates with Vault by passing
+                          the ServiceAccount token stored in the named Secret resource
+                          to the Vault server.
+                        properties:
+                          mountPath:
+                            description: The Vault mountPath here is the mount path
+                              to use when authenticating with Vault. For example,
+                              setting a value to `/v1/auth/foo`, will use the path
+                              `/v1/auth/foo/login` to authenticate with Vault. If
+                              unspecified, the default value "/v1/auth/kubernetes"
+                              will be used.
+                            type: string
+                          role:
+                            description: A required field containing the Vault Role
+                              to assume. A Role binds a Kubernetes ServiceAccount
+                              with a set of Vault policies.
+                            type: string
+                          secretRef:
+                            description: The required Secret field containing a Kubernetes
+                              ServiceAccount JWT used for authenticating with Vault.
+                              Use of 'ambient credentials' is not supported.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - role
+                        - secretRef
+                        type: object
+                      tokenSecretRef:
+                        description: TokenSecretRef authenticates with Vault by presenting
+                          a token.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                    type: object
+                  caBundle:
+                    description: PEM encoded CA bundle used to validate Vault server
+                      certificate. Only used if the Server URL is using HTTPS protocol.
+                      This parameter is ignored for plain HTTP protocol connection.
+                      If not set the system root certificates are used to validate
+                      the TLS connection.
+                    format: byte
+                    type: string
+                  namespace:
+                    description: 'Name of the vault namespace. Namespaces is a set
+                      of features within Vault Enterprise that allows Vault environments
+                      to support Secure Multi-tenancy. e.g: "ns1" More about namespaces
+                      can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
+                    type: string
+                  path:
+                    description: 'Path is the mount path of the Vault PKI backend''s
+                      `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
+                    type: string
+                  server:
+                    description: 'Server is the connection address for the Vault server,
+                      e.g: "https://vault.example.com:8200".'
+                    type: string
+                required:
+                - auth
+                - path
+                - server
+                type: object
+              venafi:
+                description: Venafi configures this issuer to sign certificates using
+                  a Venafi TPP or Venafi Cloud policy zone.
+                properties:
+                  cloud:
+                    description: Cloud specifies the Venafi cloud configuration settings.
+                      Only one of TPP or Cloud may be specified.
+                    properties:
+                      apiTokenSecretRef:
+                        description: APITokenSecretRef is a secret key selector for
+                          the Venafi Cloud API token.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      url:
+                        description: URL is the base URL for Venafi Cloud. Defaults
+                          to "https://api.venafi.cloud/v1".
+                        type: string
+                    required:
+                    - apiTokenSecretRef
+                    type: object
+                  tpp:
+                    description: TPP specifies Trust Protection Platform configuration
+                      settings. Only one of TPP or Cloud may be specified.
+                    properties:
+                      caBundle:
+                        description: CABundle is a PEM encoded TLS certificate to
+                          use to verify connections to the TPP instance. If specified,
+                          system roots will not be used and the issuing CA for the
+                          TPP instance must be verifiable using the provided root.
+                          If not specified, the connection will be verified using
+                          the cert-manager system root certificates.
+                        format: byte
+                        type: string
+                      credentialsRef:
+                        description: CredentialsRef is a reference to a Secret containing
+                          the username and password for the TPP server. The secret
+                          must contain two keys, 'username' and 'password'.
+                        properties:
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      url:
+                        description: 'URL is the base URL for the vedsdk endpoint
+                          of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
+                        type: string
+                    required:
+                    - credentialsRef
+                    - url
+                    type: object
+                  zone:
+                    description: Zone is the Venafi Policy Zone to use for this issuer.
+                      All requests made to the Venafi platform will be restricted
+                      by the named zone policy. This field is required.
+                    type: string
+                required:
+                - zone
+                type: object
+            type: object
+          status:
+            description: Status of the Issuer. This is set and managed automatically.
+            properties:
+              acme:
+                description: ACME specific status options. This field should only
+                  be set if the Issuer is configured to use an ACME server to issue
+                  certificates.
+                properties:
+                  lastRegisteredEmail:
+                    description: LastRegisteredEmail is the email associated with
+                      the latest registered ACME account, in order to track changes
+                      made to registered account associated with the  Issuer
+                    type: string
+                  uri:
+                    description: URI is the unique account identifier, which can also
+                      be used to retrieve account details from the CA
+                    type: string
+                type: object
+              conditions:
+                description: List of status conditions to indicate the status of a
+                  CertificateRequest. Known condition types are `Ready`.
+                items:
+                  description: IssuerCondition contains condition information for
+                    an Issuer.
+                  properties:
+                    lastTransitionTime:
+                      description: LastTransitionTime is the timestamp corresponding
+                        to the last status change of this condition.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Message is a human readable description of the
+                        details of the last transition, complementing reason.
+                      type: string
+                    reason:
+                      description: Reason is a brief machine readable explanation
+                        for the condition's last transition.
+                      type: string
+                    status:
+                      description: Status of the condition, one of ('True', 'False',
+                        'Unknown').
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: Type of the condition, known values are ('Ready').
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].message
+      name: Status
+      priority: 1
+      type: string
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC.
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        description: An Issuer represents a certificate issuing authority which can
+          be referenced as part of `issuerRef` fields. It is scoped to a single namespace
+          and can therefore only be referenced by resources within the same namespace.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Desired state of the Issuer resource.
+            properties:
+              acme:
+                description: ACME configures this issuer to communicate with a RFC8555
+                  (ACME) server to obtain signed x509 certificates.
+                properties:
+                  disableAccountKeyGeneration:
+                    description: Enables or disables generating a new ACME account
+                      key. If true, the Issuer resource will *not* request a new account
+                      but will expect the account key to be supplied via an existing
+                      secret. If false, the cert-manager system will generate a new
+                      ACME account key for the Issuer. Defaults to false.
+                    type: boolean
+                  email:
+                    description: Email is the email address to be associated with
+                      the ACME account. This field is optional, but it is strongly
+                      recommended to be set. It will be used to contact you in case
+                      of issues with your account or certificates, including expiry
+                      notification emails. This field may be updated after the account
+                      is initially registered.
+                    type: string
+                  externalAccountBinding:
+                    description: ExternalAccountBinding is a reference to a CA external
+                      account of the ACME server. If set, upon registration cert-manager
+                      will attempt to associate the given external account credentials
+                      with the registered ACME account.
+                    properties:
+                      keyAlgorithm:
+                        description: keyAlgorithm is the MAC key algorithm that the
+                          key is used for. Valid values are "HS256", "HS384" and "HS512".
+                        enum:
+                        - HS256
+                        - HS384
+                        - HS512
+                        type: string
+                      keyID:
+                        description: keyID is the ID of the CA key that the External
+                          Account is bound to.
+                        type: string
+                      keySecretRef:
+                        description: keySecretRef is a Secret Key Selector referencing
+                          a data item in a Kubernetes Secret which holds the symmetric
+                          MAC key of the External Account Binding. The `key` is the
+                          index string that is paired with the key data in the Secret
+                          and should not be confused with the key data itself, or
+                          indeed with the External Account Binding keyID above. The
+                          secret key stored in the Secret **must** be un-padded, base64
+                          URL encoded data.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                    required:
+                    - keyAlgorithm
+                    - keyID
+                    - keySecretRef
+                    type: object
+                  preferredChain:
+                    description: 'PreferredChain is the chain to use if the ACME server
+                      outputs multiple. PreferredChain is no guarantee that this one
+                      gets delivered by the ACME endpoint. For example, for Let''s
+                      Encrypt''s DST crosssign you would use: "DST Root CA X3" or
+                      "ISRG Root X1" for the newer Let''s Encrypt root CA. This value
+                      picks the first certificate bundle in the ACME alternative chains
+                      that has a certificate with this value as its issuer''s CN'
+                    maxLength: 64
+                    type: string
+                  privateKeySecretRef:
+                    description: PrivateKey is the name of a Kubernetes Secret resource
+                      that will be used to store the automatically generated ACME
+                      account private key. Optionally, a `key` may be specified to
+                      select a specific entry within the named Secret resource. If
+                      `key` is not specified, a default of `tls.key` will be used.
+                    properties:
+                      key:
+                        description: The key of the entry in the Secret resource's
+                          `data` field to be used. Some instances of this field may
+                          be defaulted, in others it may be required.
+                        type: string
+                      name:
+                        description: 'Name of the resource being referred to. More
+                          info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                        type: string
+                    required:
+                    - name
+                    type: object
+                  server:
+                    description: 'Server is the URL used to access the ACME server''s
+                      ''directory'' endpoint. For example, for Let''s Encrypt''s staging
+                      endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory".
+                      Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
+                    type: string
+                  skipTLSVerify:
+                    description: Enables or disables validation of the ACME server
+                      TLS certificate. If true, requests to the ACME server will not
+                      have their TLS certificate validated (i.e. insecure connections
+                      will be allowed). Only enable this option in development environments.
+                      The cert-manager system installed roots will be used to verify
+                      connections to the ACME server if this is false. Defaults to
+                      false.
+                    type: boolean
+                  solvers:
+                    description: 'Solvers is a list of challenge solvers that will
+                      be used to solve ACME challenges for the matching domains. Solver
+                      configurations must be provided in order to obtain certificates
+                      from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
+                    items:
+                      description: Configures an issuer to solve challenges using
+                        the specified options. Only one of HTTP01 or DNS01 may be
+                        provided.
+                      properties:
+                        dns01:
+                          description: Configures cert-manager to attempt to complete
+                            authorizations by performing the DNS01 challenge flow.
+                          properties:
+                            acmedns:
+                              description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
+                                API to manage DNS01 challenge records.
+                              properties:
+                                accountSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                host:
+                                  type: string
+                              required:
+                              - accountSecretRef
+                              - host
+                              type: object
+                            akamai:
+                              description: Use the Akamai DNS zone management API
+                                to manage DNS01 challenge records.
+                              properties:
+                                accessTokenSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                clientSecretSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                clientTokenSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                serviceConsumerDomain:
+                                  type: string
+                              required:
+                              - accessTokenSecretRef
+                              - clientSecretSecretRef
+                              - clientTokenSecretRef
+                              - serviceConsumerDomain
+                              type: object
+                            azuredns:
+                              description: Use the Microsoft Azure DNS API to manage
+                                DNS01 challenge records.
+                              properties:
+                                clientID:
+                                  description: if both this and ClientSecret are left
+                                    unset MSI will be used
+                                  type: string
+                                clientSecretSecretRef:
+                                  description: if both this and ClientID are left
+                                    unset MSI will be used
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                environment:
+                                  enum:
+                                  - AzurePublicCloud
+                                  - AzureChinaCloud
+                                  - AzureGermanCloud
+                                  - AzureUSGovernmentCloud
+                                  type: string
+                                hostedZoneName:
+                                  type: string
+                                resourceGroupName:
+                                  type: string
+                                subscriptionID:
+                                  type: string
+                                tenantID:
+                                  description: when specifying ClientID and ClientSecret
+                                    then this field is also needed
+                                  type: string
+                              required:
+                              - resourceGroupName
+                              - subscriptionID
+                              type: object
+                            clouddns:
+                              description: Use the Google Cloud DNS API to manage
+                                DNS01 challenge records.
+                              properties:
+                                hostedZoneName:
+                                  description: HostedZoneName is an optional field
+                                    that tells cert-manager in which Cloud DNS zone
+                                    the challenge record has to be created. If left
+                                    empty cert-manager will automatically choose a
+                                    zone.
+                                  type: string
+                                project:
+                                  type: string
+                                serviceAccountSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - project
+                              type: object
+                            cloudflare:
+                              description: Use the Cloudflare API to manage DNS01
+                                challenge records.
+                              properties:
+                                apiKeySecretRef:
+                                  description: 'API key to use to authenticate with
+                                    Cloudflare. Note: using an API token to authenticate
+                                    is now the recommended method as it allows greater
+                                    control of permissions.'
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                apiTokenSecretRef:
+                                  description: API token used to authenticate with
+                                    Cloudflare.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                email:
+                                  description: Email of the account, only required
+                                    when using API key based authentication.
+                                  type: string
+                              type: object
+                            cnameStrategy:
+                              description: CNAMEStrategy configures how the DNS01
+                                provider should handle CNAME records when found in
+                                DNS zones.
+                              enum:
+                              - None
+                              - Follow
+                              type: string
+                            digitalocean:
+                              description: Use the DigitalOcean DNS API to manage
+                                DNS01 challenge records.
+                              properties:
+                                tokenSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - tokenSecretRef
+                              type: object
+                            rfc2136:
+                              description: Use RFC2136 ("Dynamic Updates in the Domain
+                                Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+                                to manage DNS01 challenge records.
+                              properties:
+                                nameserver:
+                                  description: The IP address or hostname of an authoritative
+                                    DNS server supporting RFC2136 in the form host:port.
+                                    If the host is an IPv6 address it must be enclosed
+                                    in square brackets (e.g [2001:db8::1]) ; port
+                                    is optional. This field is required.
+                                  type: string
+                                tsigAlgorithm:
+                                  description: 'The TSIG Algorithm configured in the
+                                    DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
+                                    and ``tsigKeyName`` are defined. Supported values
+                                    are (case-insensitive): ``HMACMD5`` (default),
+                                    ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
+                                  type: string
+                                tsigKeyName:
+                                  description: The TSIG Key name configured in the
+                                    DNS. If ``tsigSecretSecretRef`` is defined, this
+                                    field is required.
+                                  type: string
+                                tsigSecretSecretRef:
+                                  description: The name of the secret containing the
+                                    TSIG value. If ``tsigKeyName`` is defined, this
+                                    field is required.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - nameserver
+                              type: object
+                            route53:
+                              description: Use the AWS Route53 API to manage DNS01
+                                challenge records.
+                              properties:
+                                accessKeyID:
+                                  description: 'The AccessKeyID is used for authentication.
+                                    If not set we fall-back to using env vars, shared
+                                    credentials file or AWS Instance metadata see:
+                                    https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                  type: string
+                                hostedZoneID:
+                                  description: If set, the provider will manage only
+                                    this zone in Route53 and will not do an lookup
+                                    using the route53:ListHostedZonesByName api call.
+                                  type: string
+                                region:
+                                  description: Always set the region when using AccessKeyID
+                                    and SecretAccessKey
+                                  type: string
+                                role:
+                                  description: Role is a Role ARN which the Route53
+                                    provider will assume using either the explicit
+                                    credentials AccessKeyID/SecretAccessKey or the
+                                    inferred credentials from environment variables,
+                                    shared credentials file or AWS Instance metadata
+                                  type: string
+                                secretAccessKeySecretRef:
+                                  description: The SecretAccessKey is used for authentication.
+                                    If not set we fall-back to using env vars, shared
+                                    credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - region
+                              type: object
+                            webhook:
+                              description: Configure an external webhook based DNS01
+                                challenge solver to manage DNS01 challenge records.
+                              properties:
+                                config:
+                                  description: Additional configuration that should
+                                    be passed to the webhook apiserver when challenges
+                                    are processed. This can contain arbitrary JSON
+                                    data. Secret values should not be specified in
+                                    this stanza. If secret values are needed (e.g.
+                                    credentials for a DNS service), you should use
+                                    a SecretKeySelector to reference a Secret resource.
+                                    For details on the schema of this field, consult
+                                    the webhook provider implementation's documentation.
+                                  x-kubernetes-preserve-unknown-fields: true
+                                groupName:
+                                  description: The API group name that should be used
+                                    when POSTing ChallengePayload resources to the
+                                    webhook apiserver. This should be the same as
+                                    the GroupName specified in the webhook provider
+                                    implementation.
+                                  type: string
+                                solverName:
+                                  description: The name of the solver to use, as defined
+                                    in the webhook provider implementation. This will
+                                    typically be the name of the provider, e.g. 'cloudflare'.
+                                  type: string
+                              required:
+                              - groupName
+                              - solverName
+                              type: object
+                          type: object
+                        http01:
+                          description: Configures cert-manager to attempt to complete
+                            authorizations by performing the HTTP01 challenge flow.
+                            It is not possible to obtain certificates for wildcard
+                            domain names (e.g. `*.example.com`) using the HTTP01 challenge
+                            mechanism.
+                          properties:
+                            ingress:
+                              description: The ingress based HTTP01 challenge solver
+                                will solve challenges by creating or modifying Ingress
+                                resources in order to route requests for '/.well-known/acme-challenge/XYZ'
+                                to 'challenge solver' pods that are provisioned by
+                                cert-manager for each Challenge to be completed.
+                              properties:
+                                class:
+                                  description: The ingress class to use when creating
+                                    Ingress resources to solve ACME challenges that
+                                    use this challenge solver. Only one of 'class'
+                                    or 'name' may be specified.
+                                  type: string
+                                ingressTemplate:
+                                  description: Optional ingress template used to configure
+                                    the ACME challenge solver ingress used for HTTP01
+                                    challenges
+                                  properties:
+                                    metadata:
+                                      description: ObjectMeta overrides for the ingress
+                                        used to solve HTTP01 challenges. Only the
+                                        'labels' and 'annotations' fields may be set.
+                                        If labels or annotations overlap with in-built
+                                        values, the values here will override the
+                                        in-built values.
+                                      properties:
+                                        annotations:
+                                          additionalProperties:
+                                            type: string
+                                          description: Annotations that should be
+                                            added to the created ACME HTTP01 solver
+                                            ingress.
+                                          type: object
+                                        labels:
+                                          additionalProperties:
+                                            type: string
+                                          description: Labels that should be added
+                                            to the created ACME HTTP01 solver ingress.
+                                          type: object
+                                      type: object
+                                  type: object
+                                name:
+                                  description: The name of the ingress resource that
+                                    should have ACME challenge solving routes inserted
+                                    into it in order to solve HTTP01 challenges. This
+                                    is typically used in conjunction with ingress
+                                    controllers like ingress-gce, which maintains
+                                    a 1:1 mapping between external IPs and ingress
+                                    resources.
+                                  type: string
+                                podTemplate:
+                                  description: Optional pod template used to configure
+                                    the ACME challenge solver pods used for HTTP01
+                                    challenges
+                                  properties:
+                                    metadata:
+                                      description: ObjectMeta overrides for the pod
+                                        used to solve HTTP01 challenges. Only the
+                                        'labels' and 'annotations' fields may be set.
+                                        If labels or annotations overlap with in-built
+                                        values, the values here will override the
+                                        in-built values.
+                                      properties:
+                                        annotations:
+                                          additionalProperties:
+                                            type: string
+                                          description: Annotations that should be
+                                            added to the create ACME HTTP01 solver
+                                            pods.
+                                          type: object
+                                        labels:
+                                          additionalProperties:
+                                            type: string
+                                          description: Labels that should be added
+                                            to the created ACME HTTP01 solver pods.
+                                          type: object
+                                      type: object
+                                    spec:
+                                      description: PodSpec defines overrides for the
+                                        HTTP01 challenge solver pod. Only the 'priorityClassName',
+                                        'nodeSelector', 'affinity', 'serviceAccountName'
+                                        and 'tolerations' fields are supported currently.
+                                        All other fields will be ignored.
+                                      properties:
+                                        affinity:
+                                          description: If specified, the pod's scheduling
+                                            constraints
+                                          properties:
+                                            nodeAffinity:
+                                              description: Describes node affinity
+                                                scheduling rules for the pod.
+                                              properties:
+                                                preferredDuringSchedulingIgnoredDuringExecution:
+                                                  description: The scheduler will
+                                                    prefer to schedule pods to nodes
+                                                    that satisfy the affinity expressions
+                                                    specified by this field, but it
+                                                    may choose a node that violates
+                                                    one or more of the expressions.
+                                                    The node that is most preferred
+                                                    is the one with the greatest sum
+                                                    of weights, i.e. for each node
+                                                    that meets all of the scheduling
+                                                    requirements (resource request,
+                                                    requiredDuringScheduling affinity
+                                                    expressions, etc.), compute a
+                                                    sum by iterating through the elements
+                                                    of this field and adding "weight"
+                                                    to the sum if the node matches
+                                                    the corresponding matchExpressions;
+                                                    the node(s) with the highest sum
+                                                    are the most preferred.
+                                                  items:
+                                                    description: An empty preferred
+                                                      scheduling term matches all
+                                                      objects with implicit weight
+                                                      0 (i.e. it's a no-op). A null
+                                                      preferred scheduling term matches
+                                                      no objects (i.e. is also a no-op).
+                                                    properties:
+                                                      preference:
+                                                        description: A node selector
+                                                          term, associated with the
+                                                          corresponding weight.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's labels.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchFields:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's fields.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                        type: object
+                                                      weight:
+                                                        description: Weight associated
+                                                          with matching the corresponding
+                                                          nodeSelectorTerm, in the
+                                                          range 1-100.
+                                                        format: int32
+                                                        type: integer
+                                                    required:
+                                                    - preference
+                                                    - weight
+                                                    type: object
+                                                  type: array
+                                                requiredDuringSchedulingIgnoredDuringExecution:
+                                                  description: If the affinity requirements
+                                                    specified by this field are not
+                                                    met at scheduling time, the pod
+                                                    will not be scheduled onto the
+                                                    node. If the affinity requirements
+                                                    specified by this field cease
+                                                    to be met at some point during
+                                                    pod execution (e.g. due to an
+                                                    update), the system may or may
+                                                    not try to eventually evict the
+                                                    pod from its node.
+                                                  properties:
+                                                    nodeSelectorTerms:
+                                                      description: Required. A list
+                                                        of node selector terms. The
+                                                        terms are ORed.
+                                                      items:
+                                                        description: A null or empty
+                                                          node selector term matches
+                                                          no objects. The requirements
+                                                          of them are ANDed. The TopologySelectorTerm
+                                                          type implements a subset
+                                                          of the NodeSelectorTerm.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's labels.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchFields:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's fields.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                        type: object
+                                                      type: array
+                                                  required:
+                                                  - nodeSelectorTerms
+                                                  type: object
+                                              type: object
+                                            podAffinity:
+                                              description: Describes pod affinity
+                                                scheduling rules (e.g. co-locate this
+                                                pod in the same node, zone, etc. as
+                                                some other pod(s)).
+                                              properties:
+                                                preferredDuringSchedulingIgnoredDuringExecution:
+                                                  description: The scheduler will
+                                                    prefer to schedule pods to nodes
+                                                    that satisfy the affinity expressions
+                                                    specified by this field, but it
+                                                    may choose a node that violates
+                                                    one or more of the expressions.
+                                                    The node that is most preferred
+                                                    is the one with the greatest sum
+                                                    of weights, i.e. for each node
+                                                    that meets all of the scheduling
+                                                    requirements (resource request,
+                                                    requiredDuringScheduling affinity
+                                                    expressions, etc.), compute a
+                                                    sum by iterating through the elements
+                                                    of this field and adding "weight"
+                                                    to the sum if the node has pods
+                                                    which matches the corresponding
+                                                    podAffinityTerm; the node(s) with
+                                                    the highest sum are the most preferred.
+                                                  items:
+                                                    description: The weights of all
+                                                      of the matched WeightedPodAffinityTerm
+                                                      fields are added per-node to
+                                                      find the most preferred node(s)
+                                                    properties:
+                                                      podAffinityTerm:
+                                                        description: Required. A pod
+                                                          affinity term, associated
+                                                          with the corresponding weight.
+                                                        properties:
+                                                          labelSelector:
+                                                            description: A label query
+                                                              over a set of resources,
+                                                              in this case pods.
+                                                            properties:
+                                                              matchExpressions:
+                                                                description: matchExpressions
+                                                                  is a list of label
+                                                                  selector requirements.
+                                                                  The requirements
+                                                                  are ANDed.
+                                                                items:
+                                                                  description: A label
+                                                                    selector requirement
+                                                                    is a selector
+                                                                    that contains
+                                                                    values, a key,
+                                                                    and an operator
+                                                                    that relates the
+                                                                    key and values.
+                                                                  properties:
+                                                                    key:
+                                                                      description: key
+                                                                        is the label
+                                                                        key that the
+                                                                        selector applies
+                                                                        to.
+                                                                      type: string
+                                                                    operator:
+                                                                      description: operator
+                                                                        represents
+                                                                        a key's relationship
+                                                                        to a set of
+                                                                        values. Valid
+                                                                        operators
+                                                                        are In, NotIn,
+                                                                        Exists and
+                                                                        DoesNotExist.
+                                                                      type: string
+                                                                    values:
+                                                                      description: values
+                                                                        is an array
+                                                                        of string
+                                                                        values. If
+                                                                        the operator
+                                                                        is In or NotIn,
+                                                                        the values
+                                                                        array must
+                                                                        be non-empty.
+                                                                        If the operator
+                                                                        is Exists
+                                                                        or DoesNotExist,
+                                                                        the values
+                                                                        array must
+                                                                        be empty.
+                                                                        This array
+                                                                        is replaced
+                                                                        during a strategic
+                                                                        merge patch.
+                                                                      items:
+                                                                        type: string
+                                                                      type: array
+                                                                  required:
+                                                                  - key
+                                                                  - operator
+                                                                  type: object
+                                                                type: array
+                                                              matchLabels:
+                                                                additionalProperties:
+                                                                  type: string
+                                                                description: matchLabels
+                                                                  is a map of {key,value}
+                                                                  pairs. A single
+                                                                  {key,value} in the
+                                                                  matchLabels map
+                                                                  is equivalent to
+                                                                  an element of matchExpressions,
+                                                                  whose key field
+                                                                  is "key", the operator
+                                                                  is "In", and the
+                                                                  values array contains
+                                                                  only "value". The
+                                                                  requirements are
+                                                                  ANDed.
+                                                                type: object
+                                                            type: object
+                                                          namespaces:
+                                                            description: namespaces
+                                                              specifies which namespaces
+                                                              the labelSelector applies
+                                                              to (matches against);
+                                                              null or empty list means
+                                                              "this pod's namespace"
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                          topologyKey:
+                                                            description: This pod
+                                                              should be co-located
+                                                              (affinity) or not co-located
+                                                              (anti-affinity) with
+                                                              the pods matching the
+                                                              labelSelector in the
+                                                              specified namespaces,
+                                                              where co-located is
+                                                              defined as running on
+                                                              a node whose value of
+                                                              the label with key topologyKey
+                                                              matches that of any
+                                                              node on which any of
+                                                              the selected pods is
+                                                              running. Empty topologyKey
+                                                              is not allowed.
+                                                            type: string
+                                                        required:
+                                                        - topologyKey
+                                                        type: object
+                                                      weight:
+                                                        description: weight associated
+                                                          with matching the corresponding
+                                                          podAffinityTerm, in the
+                                                          range 1-100.
+                                                        format: int32
+                                                        type: integer
+                                                    required:
+                                                    - podAffinityTerm
+                                                    - weight
+                                                    type: object
+                                                  type: array
+                                                requiredDuringSchedulingIgnoredDuringExecution:
+                                                  description: If the affinity requirements
+                                                    specified by this field are not
+                                                    met at scheduling time, the pod
+                                                    will not be scheduled onto the
+                                                    node. If the affinity requirements
+                                                    specified by this field cease
+                                                    to be met at some point during
+                                                    pod execution (e.g. due to a pod
+                                                    label update), the system may
+                                                    or may not try to eventually evict
+                                                    the pod from its node. When there
+                                                    are multiple elements, the lists
+                                                    of nodes corresponding to each
+                                                    podAffinityTerm are intersected,
+                                                    i.e. all terms must be satisfied.
+                                                  items:
+                                                    description: Defines a set of
+                                                      pods (namely those matching
+                                                      the labelSelector relative to
+                                                      the given namespace(s)) that
+                                                      this pod should be co-located
+                                                      (affinity) or not co-located
+                                                      (anti-affinity) with, where
+                                                      co-located is defined as running
+                                                      on a node whose value of the
+                                                      label with key <topologyKey>
+                                                      matches that of any node on
+                                                      which a pod of the set of pods
+                                                      is running
+                                                    properties:
+                                                      labelSelector:
+                                                        description: A label query
+                                                          over a set of resources,
+                                                          in this case pods.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: matchExpressions
+                                                              is a list of label selector
+                                                              requirements. The requirements
+                                                              are ANDed.
+                                                            items:
+                                                              description: A label
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: key
+                                                                    is the label key
+                                                                    that the selector
+                                                                    applies to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: operator
+                                                                    represents a key's
+                                                                    relationship to
+                                                                    a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists and DoesNotExist.
+                                                                  type: string
+                                                                values:
+                                                                  description: values
+                                                                    is an array of
+                                                                    string values.
+                                                                    If the operator
+                                                                    is In or NotIn,
+                                                                    the values array
+                                                                    must be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchLabels:
+                                                            additionalProperties:
+                                                              type: string
+                                                            description: matchLabels
+                                                              is a map of {key,value}
+                                                              pairs. A single {key,value}
+                                                              in the matchLabels map
+                                                              is equivalent to an
+                                                              element of matchExpressions,
+                                                              whose key field is "key",
+                                                              the operator is "In",
+                                                              and the values array
+                                                              contains only "value".
+                                                              The requirements are
+                                                              ANDed.
+                                                            type: object
+                                                        type: object
+                                                      namespaces:
+                                                        description: namespaces specifies
+                                                          which namespaces the labelSelector
+                                                          applies to (matches against);
+                                                          null or empty list means
+                                                          "this pod's namespace"
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                      topologyKey:
+                                                        description: This pod should
+                                                          be co-located (affinity)
+                                                          or not co-located (anti-affinity)
+                                                          with the pods matching the
+                                                          labelSelector in the specified
+                                                          namespaces, where co-located
+                                                          is defined as running on
+                                                          a node whose value of the
+                                                          label with key topologyKey
+                                                          matches that of any node
+                                                          on which any of the selected
+                                                          pods is running. Empty topologyKey
+                                                          is not allowed.
+                                                        type: string
+                                                    required:
+                                                    - topologyKey
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                            podAntiAffinity:
+                                              description: Describes pod anti-affinity
+                                                scheduling rules (e.g. avoid putting
+                                                this pod in the same node, zone, etc.
+                                                as some other pod(s)).
+                                              properties:
+                                                preferredDuringSchedulingIgnoredDuringExecution:
+                                                  description: The scheduler will
+                                                    prefer to schedule pods to nodes
+                                                    that satisfy the anti-affinity
+                                                    expressions specified by this
+                                                    field, but it may choose a node
+                                                    that violates one or more of the
+                                                    expressions. The node that is
+                                                    most preferred is the one with
+                                                    the greatest sum of weights, i.e.
+                                                    for each node that meets all of
+                                                    the scheduling requirements (resource
+                                                    request, requiredDuringScheduling
+                                                    anti-affinity expressions, etc.),
+                                                    compute a sum by iterating through
+                                                    the elements of this field and
+                                                    adding "weight" to the sum if
+                                                    the node has pods which matches
+                                                    the corresponding podAffinityTerm;
+                                                    the node(s) with the highest sum
+                                                    are the most preferred.
+                                                  items:
+                                                    description: The weights of all
+                                                      of the matched WeightedPodAffinityTerm
+                                                      fields are added per-node to
+                                                      find the most preferred node(s)
+                                                    properties:
+                                                      podAffinityTerm:
+                                                        description: Required. A pod
+                                                          affinity term, associated
+                                                          with the corresponding weight.
+                                                        properties:
+                                                          labelSelector:
+                                                            description: A label query
+                                                              over a set of resources,
+                                                              in this case pods.
+                                                            properties:
+                                                              matchExpressions:
+                                                                description: matchExpressions
+                                                                  is a list of label
+                                                                  selector requirements.
+                                                                  The requirements
+                                                                  are ANDed.
+                                                                items:
+                                                                  description: A label
+                                                                    selector requirement
+                                                                    is a selector
+                                                                    that contains
+                                                                    values, a key,
+                                                                    and an operator
+                                                                    that relates the
+                                                                    key and values.
+                                                                  properties:
+                                                                    key:
+                                                                      description: key
+                                                                        is the label
+                                                                        key that the
+                                                                        selector applies
+                                                                        to.
+                                                                      type: string
+                                                                    operator:
+                                                                      description: operator
+                                                                        represents
+                                                                        a key's relationship
+                                                                        to a set of
+                                                                        values. Valid
+                                                                        operators
+                                                                        are In, NotIn,
+                                                                        Exists and
+                                                                        DoesNotExist.
+                                                                      type: string
+                                                                    values:
+                                                                      description: values
+                                                                        is an array
+                                                                        of string
+                                                                        values. If
+                                                                        the operator
+                                                                        is In or NotIn,
+                                                                        the values
+                                                                        array must
+                                                                        be non-empty.
+                                                                        If the operator
+                                                                        is Exists
+                                                                        or DoesNotExist,
+                                                                        the values
+                                                                        array must
+                                                                        be empty.
+                                                                        This array
+                                                                        is replaced
+                                                                        during a strategic
+                                                                        merge patch.
+                                                                      items:
+                                                                        type: string
+                                                                      type: array
+                                                                  required:
+                                                                  - key
+                                                                  - operator
+                                                                  type: object
+                                                                type: array
+                                                              matchLabels:
+                                                                additionalProperties:
+                                                                  type: string
+                                                                description: matchLabels
+                                                                  is a map of {key,value}
+                                                                  pairs. A single
+                                                                  {key,value} in the
+                                                                  matchLabels map
+                                                                  is equivalent to
+                                                                  an element of matchExpressions,
+                                                                  whose key field
+                                                                  is "key", the operator
+                                                                  is "In", and the
+                                                                  values array contains
+                                                                  only "value". The
+                                                                  requirements are
+                                                                  ANDed.
+                                                                type: object
+                                                            type: object
+                                                          namespaces:
+                                                            description: namespaces
+                                                              specifies which namespaces
+                                                              the labelSelector applies
+                                                              to (matches against);
+                                                              null or empty list means
+                                                              "this pod's namespace"
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                          topologyKey:
+                                                            description: This pod
+                                                              should be co-located
+                                                              (affinity) or not co-located
+                                                              (anti-affinity) with
+                                                              the pods matching the
+                                                              labelSelector in the
+                                                              specified namespaces,
+                                                              where co-located is
+                                                              defined as running on
+                                                              a node whose value of
+                                                              the label with key topologyKey
+                                                              matches that of any
+                                                              node on which any of
+                                                              the selected pods is
+                                                              running. Empty topologyKey
+                                                              is not allowed.
+                                                            type: string
+                                                        required:
+                                                        - topologyKey
+                                                        type: object
+                                                      weight:
+                                                        description: weight associated
+                                                          with matching the corresponding
+                                                          podAffinityTerm, in the
+                                                          range 1-100.
+                                                        format: int32
+                                                        type: integer
+                                                    required:
+                                                    - podAffinityTerm
+                                                    - weight
+                                                    type: object
+                                                  type: array
+                                                requiredDuringSchedulingIgnoredDuringExecution:
+                                                  description: If the anti-affinity
+                                                    requirements specified by this
+                                                    field are not met at scheduling
+                                                    time, the pod will not be scheduled
+                                                    onto the node. If the anti-affinity
+                                                    requirements specified by this
+                                                    field cease to be met at some
+                                                    point during pod execution (e.g.
+                                                    due to a pod label update), the
+                                                    system may or may not try to eventually
+                                                    evict the pod from its node. When
+                                                    there are multiple elements, the
+                                                    lists of nodes corresponding to
+                                                    each podAffinityTerm are intersected,
+                                                    i.e. all terms must be satisfied.
+                                                  items:
+                                                    description: Defines a set of
+                                                      pods (namely those matching
+                                                      the labelSelector relative to
+                                                      the given namespace(s)) that
+                                                      this pod should be co-located
+                                                      (affinity) or not co-located
+                                                      (anti-affinity) with, where
+                                                      co-located is defined as running
+                                                      on a node whose value of the
+                                                      label with key <topologyKey>
+                                                      matches that of any node on
+                                                      which a pod of the set of pods
+                                                      is running
+                                                    properties:
+                                                      labelSelector:
+                                                        description: A label query
+                                                          over a set of resources,
+                                                          in this case pods.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: matchExpressions
+                                                              is a list of label selector
+                                                              requirements. The requirements
+                                                              are ANDed.
+                                                            items:
+                                                              description: A label
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: key
+                                                                    is the label key
+                                                                    that the selector
+                                                                    applies to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: operator
+                                                                    represents a key's
+                                                                    relationship to
+                                                                    a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists and DoesNotExist.
+                                                                  type: string
+                                                                values:
+                                                                  description: values
+                                                                    is an array of
+                                                                    string values.
+                                                                    If the operator
+                                                                    is In or NotIn,
+                                                                    the values array
+                                                                    must be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchLabels:
+                                                            additionalProperties:
+                                                              type: string
+                                                            description: matchLabels
+                                                              is a map of {key,value}
+                                                              pairs. A single {key,value}
+                                                              in the matchLabels map
+                                                              is equivalent to an
+                                                              element of matchExpressions,
+                                                              whose key field is "key",
+                                                              the operator is "In",
+                                                              and the values array
+                                                              contains only "value".
+                                                              The requirements are
+                                                              ANDed.
+                                                            type: object
+                                                        type: object
+                                                      namespaces:
+                                                        description: namespaces specifies
+                                                          which namespaces the labelSelector
+                                                          applies to (matches against);
+                                                          null or empty list means
+                                                          "this pod's namespace"
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                      topologyKey:
+                                                        description: This pod should
+                                                          be co-located (affinity)
+                                                          or not co-located (anti-affinity)
+                                                          with the pods matching the
+                                                          labelSelector in the specified
+                                                          namespaces, where co-located
+                                                          is defined as running on
+                                                          a node whose value of the
+                                                          label with key topologyKey
+                                                          matches that of any node
+                                                          on which any of the selected
+                                                          pods is running. Empty topologyKey
+                                                          is not allowed.
+                                                        type: string
+                                                    required:
+                                                    - topologyKey
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                          type: object
+                                        nodeSelector:
+                                          additionalProperties:
+                                            type: string
+                                          description: 'NodeSelector is a selector
+                                            which must be true for the pod to fit
+                                            on a node. Selector which must match a
+                                            node''s labels for the pod to be scheduled
+                                            on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
+                                          type: object
+                                        priorityClassName:
+                                          description: If specified, the pod's priorityClassName.
+                                          type: string
+                                        serviceAccountName:
+                                          description: If specified, the pod's service
+                                            account
+                                          type: string
+                                        tolerations:
+                                          description: If specified, the pod's tolerations.
+                                          items:
+                                            description: The pod this Toleration is
+                                              attached to tolerates any taint that
+                                              matches the triple <key,value,effect>
+                                              using the matching operator <operator>.
+                                            properties:
+                                              effect:
+                                                description: Effect indicates the
+                                                  taint effect to match. Empty means
+                                                  match all taint effects. When specified,
+                                                  allowed values are NoSchedule, PreferNoSchedule
+                                                  and NoExecute.
+                                                type: string
+                                              key:
+                                                description: Key is the taint key
+                                                  that the toleration applies to.
+                                                  Empty means match all taint keys.
+                                                  If the key is empty, operator must
+                                                  be Exists; this combination means
+                                                  to match all values and all keys.
+                                                type: string
+                                              operator:
+                                                description: Operator represents a
+                                                  key's relationship to the value.
+                                                  Valid operators are Exists and Equal.
+                                                  Defaults to Equal. Exists is equivalent
+                                                  to wildcard for value, so that a
+                                                  pod can tolerate all taints of a
+                                                  particular category.
+                                                type: string
+                                              tolerationSeconds:
+                                                description: TolerationSeconds represents
+                                                  the period of time the toleration
+                                                  (which must be of effect NoExecute,
+                                                  otherwise this field is ignored)
+                                                  tolerates the taint. By default,
+                                                  it is not set, which means tolerate
+                                                  the taint forever (do not evict).
+                                                  Zero and negative values will be
+                                                  treated as 0 (evict immediately)
+                                                  by the system.
+                                                format: int64
+                                                type: integer
+                                              value:
+                                                description: Value is the taint value
+                                                  the toleration matches to. If the
+                                                  operator is Exists, the value should
+                                                  be empty, otherwise just a regular
+                                                  string.
+                                                type: string
+                                            type: object
+                                          type: array
+                                      type: object
+                                  type: object
+                                serviceType:
+                                  description: Optional service type for Kubernetes
+                                    solver service
+                                  type: string
+                              type: object
+                          type: object
+                        selector:
+                          description: Selector selects a set of DNSNames on the Certificate
+                            resource that should be solved using this challenge solver.
+                            If not specified, the solver will be treated as the 'default'
+                            solver with the lowest priority, i.e. if any other solver
+                            has a more specific match, it will be used instead.
+                          properties:
+                            dnsNames:
+                              description: List of DNSNames that this solver will
+                                be used to solve. If specified and a match is found,
+                                a dnsNames selector will take precedence over a dnsZones
+                                selector. If multiple solvers match with the same
+                                dnsNames value, the solver with the most matching
+                                labels in matchLabels will be selected. If neither
+                                has more matches, the solver defined earlier in the
+                                list will be selected.
+                              items:
+                                type: string
+                              type: array
+                            dnsZones:
+                              description: List of DNSZones that this solver will
+                                be used to solve. The most specific DNS zone match
+                                specified here will take precedence over other DNS
+                                zone matches, so a solver specifying sys.example.com
+                                will be selected over one specifying example.com for
+                                the domain www.sys.example.com. If multiple solvers
+                                match with the same dnsZones value, the solver with
+                                the most matching labels in matchLabels will be selected.
+                                If neither has more matches, the solver defined earlier
+                                in the list will be selected.
+                              items:
+                                type: string
+                              type: array
+                            matchLabels:
+                              additionalProperties:
+                                type: string
+                              description: A label selector that is used to refine
+                                the set of certificate's that this challenge solver
+                                will apply to.
+                              type: object
+                          type: object
+                      type: object
+                    type: array
+                required:
+                - privateKeySecretRef
+                - server
+                type: object
+              ca:
+                description: CA configures this issuer to sign certificates using
+                  a signing CA keypair stored in a Secret resource. This is used to
+                  build internal PKIs that are managed by cert-manager.
+                properties:
+                  crlDistributionPoints:
+                    description: The CRL distribution points is an X.509 v3 certificate
+                      extension which identifies the location of the CRL from which
+                      the revocation of this certificate can be checked. If not set,
+                      certificates will be issued without distribution points set.
+                    items:
+                      type: string
+                    type: array
+                  secretName:
+                    description: SecretName is the name of the secret used to sign
+                      Certificates issued by this Issuer.
+                    type: string
+                required:
+                - secretName
+                type: object
+              selfSigned:
+                description: SelfSigned configures this issuer to 'self sign' certificates
+                  using the private key used to create the CertificateRequest object.
+                properties:
+                  crlDistributionPoints:
+                    description: The CRL distribution points is an X.509 v3 certificate
+                      extension which identifies the location of the CRL from which
+                      the revocation of this certificate can be checked. If not set
+                      certificate will be issued without CDP. Values are strings.
+                    items:
+                      type: string
+                    type: array
+                type: object
+              vault:
+                description: Vault configures this issuer to sign certificates using
+                  a HashiCorp Vault PKI backend.
+                properties:
+                  auth:
+                    description: Auth configures how cert-manager authenticates with
+                      the Vault server.
+                    properties:
+                      appRole:
+                        description: AppRole authenticates with Vault using the App
+                          Role auth mechanism, with the role and secret stored in
+                          a Kubernetes Secret resource.
+                        properties:
+                          path:
+                            description: 'Path where the App Role authentication backend
+                              is mounted in Vault, e.g: "approle"'
+                            type: string
+                          roleId:
+                            description: RoleID configured in the App Role authentication
+                              backend when setting up the authentication backend in
+                              Vault.
+                            type: string
+                          secretRef:
+                            description: Reference to a key in a Secret that contains
+                              the App Role secret used to authenticate with Vault.
+                              The `key` field must be specified and denotes which
+                              entry within the Secret resource is used as the app
+                              role secret.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - path
+                        - roleId
+                        - secretRef
+                        type: object
+                      kubernetes:
+                        description: Kubernetes authenticates with Vault by passing
+                          the ServiceAccount token stored in the named Secret resource
+                          to the Vault server.
+                        properties:
+                          mountPath:
+                            description: The Vault mountPath here is the mount path
+                              to use when authenticating with Vault. For example,
+                              setting a value to `/v1/auth/foo`, will use the path
+                              `/v1/auth/foo/login` to authenticate with Vault. If
+                              unspecified, the default value "/v1/auth/kubernetes"
+                              will be used.
+                            type: string
+                          role:
+                            description: A required field containing the Vault Role
+                              to assume. A Role binds a Kubernetes ServiceAccount
+                              with a set of Vault policies.
+                            type: string
+                          secretRef:
+                            description: The required Secret field containing a Kubernetes
+                              ServiceAccount JWT used for authenticating with Vault.
+                              Use of 'ambient credentials' is not supported.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - role
+                        - secretRef
+                        type: object
+                      tokenSecretRef:
+                        description: TokenSecretRef authenticates with Vault by presenting
+                          a token.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                    type: object
+                  caBundle:
+                    description: PEM encoded CA bundle used to validate Vault server
+                      certificate. Only used if the Server URL is using HTTPS protocol.
+                      This parameter is ignored for plain HTTP protocol connection.
+                      If not set the system root certificates are used to validate
+                      the TLS connection.
+                    format: byte
+                    type: string
+                  namespace:
+                    description: 'Name of the vault namespace. Namespaces is a set
+                      of features within Vault Enterprise that allows Vault environments
+                      to support Secure Multi-tenancy. e.g: "ns1" More about namespaces
+                      can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
+                    type: string
+                  path:
+                    description: 'Path is the mount path of the Vault PKI backend''s
+                      `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
+                    type: string
+                  server:
+                    description: 'Server is the connection address for the Vault server,
+                      e.g: "https://vault.example.com:8200".'
+                    type: string
+                required:
+                - auth
+                - path
+                - server
+                type: object
+              venafi:
+                description: Venafi configures this issuer to sign certificates using
+                  a Venafi TPP or Venafi Cloud policy zone.
+                properties:
+                  cloud:
+                    description: Cloud specifies the Venafi cloud configuration settings.
+                      Only one of TPP or Cloud may be specified.
+                    properties:
+                      apiTokenSecretRef:
+                        description: APITokenSecretRef is a secret key selector for
+                          the Venafi Cloud API token.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      url:
+                        description: URL is the base URL for Venafi Cloud. Defaults
+                          to "https://api.venafi.cloud/v1".
+                        type: string
+                    required:
+                    - apiTokenSecretRef
+                    type: object
+                  tpp:
+                    description: TPP specifies Trust Protection Platform configuration
+                      settings. Only one of TPP or Cloud may be specified.
+                    properties:
+                      caBundle:
+                        description: CABundle is a PEM encoded TLS certificate to
+                          use to verify connections to the TPP instance. If specified,
+                          system roots will not be used and the issuing CA for the
+                          TPP instance must be verifiable using the provided root.
+                          If not specified, the connection will be verified using
+                          the cert-manager system root certificates.
+                        format: byte
+                        type: string
+                      credentialsRef:
+                        description: CredentialsRef is a reference to a Secret containing
+                          the username and password for the TPP server. The secret
+                          must contain two keys, 'username' and 'password'.
+                        properties:
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      url:
+                        description: 'URL is the base URL for the vedsdk endpoint
+                          of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
+                        type: string
+                    required:
+                    - credentialsRef
+                    - url
+                    type: object
+                  zone:
+                    description: Zone is the Venafi Policy Zone to use for this issuer.
+                      All requests made to the Venafi platform will be restricted
+                      by the named zone policy. This field is required.
+                    type: string
+                required:
+                - zone
+                type: object
+            type: object
+          status:
+            description: Status of the Issuer. This is set and managed automatically.
+            properties:
+              acme:
+                description: ACME specific status options. This field should only
+                  be set if the Issuer is configured to use an ACME server to issue
+                  certificates.
+                properties:
+                  lastRegisteredEmail:
+                    description: LastRegisteredEmail is the email associated with
+                      the latest registered ACME account, in order to track changes
+                      made to registered account associated with the  Issuer
+                    type: string
+                  uri:
+                    description: URI is the unique account identifier, which can also
+                      be used to retrieve account details from the CA
+                    type: string
+                type: object
+              conditions:
+                description: List of status conditions to indicate the status of a
+                  CertificateRequest. Known condition types are `Ready`.
+                items:
+                  description: IssuerCondition contains condition information for
+                    an Issuer.
+                  properties:
+                    lastTransitionTime:
+                      description: LastTransitionTime is the timestamp corresponding
+                        to the last status change of this condition.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Message is a human readable description of the
+                        details of the last transition, complementing reason.
+                      type: string
+                    reason:
+                      description: Reason is a brief machine readable explanation
+                        for the condition's last transition.
+                      type: string
+                    status:
+                      description: Status of the condition, one of ('True', 'False',
+                        'Unknown').
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: Type of the condition, known values are ('Ready').
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].message
+      name: Status
+      priority: 1
+      type: string
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC.
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: An Issuer represents a certificate issuing authority which can
+          be referenced as part of `issuerRef` fields. It is scoped to a single namespace
+          and can therefore only be referenced by resources within the same namespace.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Desired state of the Issuer resource.
+            properties:
+              acme:
+                description: ACME configures this issuer to communicate with a RFC8555
+                  (ACME) server to obtain signed x509 certificates.
+                properties:
+                  disableAccountKeyGeneration:
+                    description: Enables or disables generating a new ACME account
+                      key. If true, the Issuer resource will *not* request a new account
+                      but will expect the account key to be supplied via an existing
+                      secret. If false, the cert-manager system will generate a new
+                      ACME account key for the Issuer. Defaults to false.
+                    type: boolean
+                  email:
+                    description: Email is the email address to be associated with
+                      the ACME account. This field is optional, but it is strongly
+                      recommended to be set. It will be used to contact you in case
+                      of issues with your account or certificates, including expiry
+                      notification emails. This field may be updated after the account
+                      is initially registered.
+                    type: string
+                  externalAccountBinding:
+                    description: ExternalAccountBinding is a reference to a CA external
+                      account of the ACME server. If set, upon registration cert-manager
+                      will attempt to associate the given external account credentials
+                      with the registered ACME account.
+                    properties:
+                      keyAlgorithm:
+                        description: keyAlgorithm is the MAC key algorithm that the
+                          key is used for. Valid values are "HS256", "HS384" and "HS512".
+                        enum:
+                        - HS256
+                        - HS384
+                        - HS512
+                        type: string
+                      keyID:
+                        description: keyID is the ID of the CA key that the External
+                          Account is bound to.
+                        type: string
+                      keySecretRef:
+                        description: keySecretRef is a Secret Key Selector referencing
+                          a data item in a Kubernetes Secret which holds the symmetric
+                          MAC key of the External Account Binding. The `key` is the
+                          index string that is paired with the key data in the Secret
+                          and should not be confused with the key data itself, or
+                          indeed with the External Account Binding keyID above. The
+                          secret key stored in the Secret **must** be un-padded, base64
+                          URL encoded data.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                    required:
+                    - keyAlgorithm
+                    - keyID
+                    - keySecretRef
+                    type: object
+                  preferredChain:
+                    description: 'PreferredChain is the chain to use if the ACME server
+                      outputs multiple. PreferredChain is no guarantee that this one
+                      gets delivered by the ACME endpoint. For example, for Let''s
+                      Encrypt''s DST crosssign you would use: "DST Root CA X3" or
+                      "ISRG Root X1" for the newer Let''s Encrypt root CA. This value
+                      picks the first certificate bundle in the ACME alternative chains
+                      that has a certificate with this value as its issuer''s CN'
+                    maxLength: 64
+                    type: string
+                  privateKeySecretRef:
+                    description: PrivateKey is the name of a Kubernetes Secret resource
+                      that will be used to store the automatically generated ACME
+                      account private key. Optionally, a `key` may be specified to
+                      select a specific entry within the named Secret resource. If
+                      `key` is not specified, a default of `tls.key` will be used.
+                    properties:
+                      key:
+                        description: The key of the entry in the Secret resource's
+                          `data` field to be used. Some instances of this field may
+                          be defaulted, in others it may be required.
+                        type: string
+                      name:
+                        description: 'Name of the resource being referred to. More
+                          info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                        type: string
+                    required:
+                    - name
+                    type: object
+                  server:
+                    description: 'Server is the URL used to access the ACME server''s
+                      ''directory'' endpoint. For example, for Let''s Encrypt''s staging
+                      endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory".
+                      Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
+                    type: string
+                  skipTLSVerify:
+                    description: Enables or disables validation of the ACME server
+                      TLS certificate. If true, requests to the ACME server will not
+                      have their TLS certificate validated (i.e. insecure connections
+                      will be allowed). Only enable this option in development environments.
+                      The cert-manager system installed roots will be used to verify
+                      connections to the ACME server if this is false. Defaults to
+                      false.
+                    type: boolean
+                  solvers:
+                    description: 'Solvers is a list of challenge solvers that will
+                      be used to solve ACME challenges for the matching domains. Solver
+                      configurations must be provided in order to obtain certificates
+                      from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
+                    items:
+                      description: Configures an issuer to solve challenges using
+                        the specified options. Only one of HTTP01 or DNS01 may be
+                        provided.
+                      properties:
+                        dns01:
+                          description: Configures cert-manager to attempt to complete
+                            authorizations by performing the DNS01 challenge flow.
+                          properties:
+                            acmeDNS:
+                              description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
+                                API to manage DNS01 challenge records.
+                              properties:
+                                accountSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                host:
+                                  type: string
+                              required:
+                              - accountSecretRef
+                              - host
+                              type: object
+                            akamai:
+                              description: Use the Akamai DNS zone management API
+                                to manage DNS01 challenge records.
+                              properties:
+                                accessTokenSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                clientSecretSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                clientTokenSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                serviceConsumerDomain:
+                                  type: string
+                              required:
+                              - accessTokenSecretRef
+                              - clientSecretSecretRef
+                              - clientTokenSecretRef
+                              - serviceConsumerDomain
+                              type: object
+                            azureDNS:
+                              description: Use the Microsoft Azure DNS API to manage
+                                DNS01 challenge records.
+                              properties:
+                                clientID:
+                                  description: if both this and ClientSecret are left
+                                    unset MSI will be used
+                                  type: string
+                                clientSecretSecretRef:
+                                  description: if both this and ClientID are left
+                                    unset MSI will be used
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                environment:
+                                  enum:
+                                  - AzurePublicCloud
+                                  - AzureChinaCloud
+                                  - AzureGermanCloud
+                                  - AzureUSGovernmentCloud
+                                  type: string
+                                hostedZoneName:
+                                  type: string
+                                resourceGroupName:
+                                  type: string
+                                subscriptionID:
+                                  type: string
+                                tenantID:
+                                  description: when specifying ClientID and ClientSecret
+                                    then this field is also needed
+                                  type: string
+                              required:
+                              - resourceGroupName
+                              - subscriptionID
+                              type: object
+                            cloudDNS:
+                              description: Use the Google Cloud DNS API to manage
+                                DNS01 challenge records.
+                              properties:
+                                hostedZoneName:
+                                  description: HostedZoneName is an optional field
+                                    that tells cert-manager in which Cloud DNS zone
+                                    the challenge record has to be created. If left
+                                    empty cert-manager will automatically choose a
+                                    zone.
+                                  type: string
+                                project:
+                                  type: string
+                                serviceAccountSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - project
+                              type: object
+                            cloudflare:
+                              description: Use the Cloudflare API to manage DNS01
+                                challenge records.
+                              properties:
+                                apiKeySecretRef:
+                                  description: 'API key to use to authenticate with
+                                    Cloudflare. Note: using an API token to authenticate
+                                    is now the recommended method as it allows greater
+                                    control of permissions.'
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                apiTokenSecretRef:
+                                  description: API token used to authenticate with
+                                    Cloudflare.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                email:
+                                  description: Email of the account, only required
+                                    when using API key based authentication.
+                                  type: string
+                              type: object
+                            cnameStrategy:
+                              description: CNAMEStrategy configures how the DNS01
+                                provider should handle CNAME records when found in
+                                DNS zones.
+                              enum:
+                              - None
+                              - Follow
+                              type: string
+                            digitalocean:
+                              description: Use the DigitalOcean DNS API to manage
+                                DNS01 challenge records.
+                              properties:
+                                tokenSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - tokenSecretRef
+                              type: object
+                            rfc2136:
+                              description: Use RFC2136 ("Dynamic Updates in the Domain
+                                Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+                                to manage DNS01 challenge records.
+                              properties:
+                                nameserver:
+                                  description: The IP address or hostname of an authoritative
+                                    DNS server supporting RFC2136 in the form host:port.
+                                    If the host is an IPv6 address it must be enclosed
+                                    in square brackets (e.g [2001:db8::1]) ; port
+                                    is optional. This field is required.
+                                  type: string
+                                tsigAlgorithm:
+                                  description: 'The TSIG Algorithm configured in the
+                                    DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
+                                    and ``tsigKeyName`` are defined. Supported values
+                                    are (case-insensitive): ``HMACMD5`` (default),
+                                    ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
+                                  type: string
+                                tsigKeyName:
+                                  description: The TSIG Key name configured in the
+                                    DNS. If ``tsigSecretSecretRef`` is defined, this
+                                    field is required.
+                                  type: string
+                                tsigSecretSecretRef:
+                                  description: The name of the secret containing the
+                                    TSIG value. If ``tsigKeyName`` is defined, this
+                                    field is required.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - nameserver
+                              type: object
+                            route53:
+                              description: Use the AWS Route53 API to manage DNS01
+                                challenge records.
+                              properties:
+                                accessKeyID:
+                                  description: 'The AccessKeyID is used for authentication.
+                                    If not set we fall-back to using env vars, shared
+                                    credentials file or AWS Instance metadata see:
+                                    https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                  type: string
+                                hostedZoneID:
+                                  description: If set, the provider will manage only
+                                    this zone in Route53 and will not do an lookup
+                                    using the route53:ListHostedZonesByName api call.
+                                  type: string
+                                region:
+                                  description: Always set the region when using AccessKeyID
+                                    and SecretAccessKey
+                                  type: string
+                                role:
+                                  description: Role is a Role ARN which the Route53
+                                    provider will assume using either the explicit
+                                    credentials AccessKeyID/SecretAccessKey or the
+                                    inferred credentials from environment variables,
+                                    shared credentials file or AWS Instance metadata
+                                  type: string
+                                secretAccessKeySecretRef:
+                                  description: The SecretAccessKey is used for authentication.
+                                    If not set we fall-back to using env vars, shared
+                                    credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - region
+                              type: object
+                            webhook:
+                              description: Configure an external webhook based DNS01
+                                challenge solver to manage DNS01 challenge records.
+                              properties:
+                                config:
+                                  description: Additional configuration that should
+                                    be passed to the webhook apiserver when challenges
+                                    are processed. This can contain arbitrary JSON
+                                    data. Secret values should not be specified in
+                                    this stanza. If secret values are needed (e.g.
+                                    credentials for a DNS service), you should use
+                                    a SecretKeySelector to reference a Secret resource.
+                                    For details on the schema of this field, consult
+                                    the webhook provider implementation's documentation.
+                                  x-kubernetes-preserve-unknown-fields: true
+                                groupName:
+                                  description: The API group name that should be used
+                                    when POSTing ChallengePayload resources to the
+                                    webhook apiserver. This should be the same as
+                                    the GroupName specified in the webhook provider
+                                    implementation.
+                                  type: string
+                                solverName:
+                                  description: The name of the solver to use, as defined
+                                    in the webhook provider implementation. This will
+                                    typically be the name of the provider, e.g. 'cloudflare'.
+                                  type: string
+                              required:
+                              - groupName
+                              - solverName
+                              type: object
+                          type: object
+                        http01:
+                          description: Configures cert-manager to attempt to complete
+                            authorizations by performing the HTTP01 challenge flow.
+                            It is not possible to obtain certificates for wildcard
+                            domain names (e.g. `*.example.com`) using the HTTP01 challenge
+                            mechanism.
+                          properties:
+                            ingress:
+                              description: The ingress based HTTP01 challenge solver
+                                will solve challenges by creating or modifying Ingress
+                                resources in order to route requests for '/.well-known/acme-challenge/XYZ'
+                                to 'challenge solver' pods that are provisioned by
+                                cert-manager for each Challenge to be completed.
+                              properties:
+                                class:
+                                  description: The ingress class to use when creating
+                                    Ingress resources to solve ACME challenges that
+                                    use this challenge solver. Only one of 'class'
+                                    or 'name' may be specified.
+                                  type: string
+                                ingressTemplate:
+                                  description: Optional ingress template used to configure
+                                    the ACME challenge solver ingress used for HTTP01
+                                    challenges
+                                  properties:
+                                    metadata:
+                                      description: ObjectMeta overrides for the ingress
+                                        used to solve HTTP01 challenges. Only the
+                                        'labels' and 'annotations' fields may be set.
+                                        If labels or annotations overlap with in-built
+                                        values, the values here will override the
+                                        in-built values.
+                                      properties:
+                                        annotations:
+                                          additionalProperties:
+                                            type: string
+                                          description: Annotations that should be
+                                            added to the created ACME HTTP01 solver
+                                            ingress.
+                                          type: object
+                                        labels:
+                                          additionalProperties:
+                                            type: string
+                                          description: Labels that should be added
+                                            to the created ACME HTTP01 solver ingress.
+                                          type: object
+                                      type: object
+                                  type: object
+                                name:
+                                  description: The name of the ingress resource that
+                                    should have ACME challenge solving routes inserted
+                                    into it in order to solve HTTP01 challenges. This
+                                    is typically used in conjunction with ingress
+                                    controllers like ingress-gce, which maintains
+                                    a 1:1 mapping between external IPs and ingress
+                                    resources.
+                                  type: string
+                                podTemplate:
+                                  description: Optional pod template used to configure
+                                    the ACME challenge solver pods used for HTTP01
+                                    challenges
+                                  properties:
+                                    metadata:
+                                      description: ObjectMeta overrides for the pod
+                                        used to solve HTTP01 challenges. Only the
+                                        'labels' and 'annotations' fields may be set.
+                                        If labels or annotations overlap with in-built
+                                        values, the values here will override the
+                                        in-built values.
+                                      properties:
+                                        annotations:
+                                          additionalProperties:
+                                            type: string
+                                          description: Annotations that should be
+                                            added to the create ACME HTTP01 solver
+                                            pods.
+                                          type: object
+                                        labels:
+                                          additionalProperties:
+                                            type: string
+                                          description: Labels that should be added
+                                            to the created ACME HTTP01 solver pods.
+                                          type: object
+                                      type: object
+                                    spec:
+                                      description: PodSpec defines overrides for the
+                                        HTTP01 challenge solver pod. Only the 'priorityClassName',
+                                        'nodeSelector', 'affinity', 'serviceAccountName'
+                                        and 'tolerations' fields are supported currently.
+                                        All other fields will be ignored.
+                                      properties:
+                                        affinity:
+                                          description: If specified, the pod's scheduling
+                                            constraints
+                                          properties:
+                                            nodeAffinity:
+                                              description: Describes node affinity
+                                                scheduling rules for the pod.
+                                              properties:
+                                                preferredDuringSchedulingIgnoredDuringExecution:
+                                                  description: The scheduler will
+                                                    prefer to schedule pods to nodes
+                                                    that satisfy the affinity expressions
+                                                    specified by this field, but it
+                                                    may choose a node that violates
+                                                    one or more of the expressions.
+                                                    The node that is most preferred
+                                                    is the one with the greatest sum
+                                                    of weights, i.e. for each node
+                                                    that meets all of the scheduling
+                                                    requirements (resource request,
+                                                    requiredDuringScheduling affinity
+                                                    expressions, etc.), compute a
+                                                    sum by iterating through the elements
+                                                    of this field and adding "weight"
+                                                    to the sum if the node matches
+                                                    the corresponding matchExpressions;
+                                                    the node(s) with the highest sum
+                                                    are the most preferred.
+                                                  items:
+                                                    description: An empty preferred
+                                                      scheduling term matches all
+                                                      objects with implicit weight
+                                                      0 (i.e. it's a no-op). A null
+                                                      preferred scheduling term matches
+                                                      no objects (i.e. is also a no-op).
+                                                    properties:
+                                                      preference:
+                                                        description: A node selector
+                                                          term, associated with the
+                                                          corresponding weight.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's labels.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchFields:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's fields.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                        type: object
+                                                      weight:
+                                                        description: Weight associated
+                                                          with matching the corresponding
+                                                          nodeSelectorTerm, in the
+                                                          range 1-100.
+                                                        format: int32
+                                                        type: integer
+                                                    required:
+                                                    - preference
+                                                    - weight
+                                                    type: object
+                                                  type: array
+                                                requiredDuringSchedulingIgnoredDuringExecution:
+                                                  description: If the affinity requirements
+                                                    specified by this field are not
+                                                    met at scheduling time, the pod
+                                                    will not be scheduled onto the
+                                                    node. If the affinity requirements
+                                                    specified by this field cease
+                                                    to be met at some point during
+                                                    pod execution (e.g. due to an
+                                                    update), the system may or may
+                                                    not try to eventually evict the
+                                                    pod from its node.
+                                                  properties:
+                                                    nodeSelectorTerms:
+                                                      description: Required. A list
+                                                        of node selector terms. The
+                                                        terms are ORed.
+                                                      items:
+                                                        description: A null or empty
+                                                          node selector term matches
+                                                          no objects. The requirements
+                                                          of them are ANDed. The TopologySelectorTerm
+                                                          type implements a subset
+                                                          of the NodeSelectorTerm.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's labels.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchFields:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's fields.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                        type: object
+                                                      type: array
+                                                  required:
+                                                  - nodeSelectorTerms
+                                                  type: object
+                                              type: object
+                                            podAffinity:
+                                              description: Describes pod affinity
+                                                scheduling rules (e.g. co-locate this
+                                                pod in the same node, zone, etc. as
+                                                some other pod(s)).
+                                              properties:
+                                                preferredDuringSchedulingIgnoredDuringExecution:
+                                                  description: The scheduler will
+                                                    prefer to schedule pods to nodes
+                                                    that satisfy the affinity expressions
+                                                    specified by this field, but it
+                                                    may choose a node that violates
+                                                    one or more of the expressions.
+                                                    The node that is most preferred
+                                                    is the one with the greatest sum
+                                                    of weights, i.e. for each node
+                                                    that meets all of the scheduling
+                                                    requirements (resource request,
+                                                    requiredDuringScheduling affinity
+                                                    expressions, etc.), compute a
+                                                    sum by iterating through the elements
+                                                    of this field and adding "weight"
+                                                    to the sum if the node has pods
+                                                    which matches the corresponding
+                                                    podAffinityTerm; the node(s) with
+                                                    the highest sum are the most preferred.
+                                                  items:
+                                                    description: The weights of all
+                                                      of the matched WeightedPodAffinityTerm
+                                                      fields are added per-node to
+                                                      find the most preferred node(s)
+                                                    properties:
+                                                      podAffinityTerm:
+                                                        description: Required. A pod
+                                                          affinity term, associated
+                                                          with the corresponding weight.
+                                                        properties:
+                                                          labelSelector:
+                                                            description: A label query
+                                                              over a set of resources,
+                                                              in this case pods.
+                                                            properties:
+                                                              matchExpressions:
+                                                                description: matchExpressions
+                                                                  is a list of label
+                                                                  selector requirements.
+                                                                  The requirements
+                                                                  are ANDed.
+                                                                items:
+                                                                  description: A label
+                                                                    selector requirement
+                                                                    is a selector
+                                                                    that contains
+                                                                    values, a key,
+                                                                    and an operator
+                                                                    that relates the
+                                                                    key and values.
+                                                                  properties:
+                                                                    key:
+                                                                      description: key
+                                                                        is the label
+                                                                        key that the
+                                                                        selector applies
+                                                                        to.
+                                                                      type: string
+                                                                    operator:
+                                                                      description: operator
+                                                                        represents
+                                                                        a key's relationship
+                                                                        to a set of
+                                                                        values. Valid
+                                                                        operators
+                                                                        are In, NotIn,
+                                                                        Exists and
+                                                                        DoesNotExist.
+                                                                      type: string
+                                                                    values:
+                                                                      description: values
+                                                                        is an array
+                                                                        of string
+                                                                        values. If
+                                                                        the operator
+                                                                        is In or NotIn,
+                                                                        the values
+                                                                        array must
+                                                                        be non-empty.
+                                                                        If the operator
+                                                                        is Exists
+                                                                        or DoesNotExist,
+                                                                        the values
+                                                                        array must
+                                                                        be empty.
+                                                                        This array
+                                                                        is replaced
+                                                                        during a strategic
+                                                                        merge patch.
+                                                                      items:
+                                                                        type: string
+                                                                      type: array
+                                                                  required:
+                                                                  - key
+                                                                  - operator
+                                                                  type: object
+                                                                type: array
+                                                              matchLabels:
+                                                                additionalProperties:
+                                                                  type: string
+                                                                description: matchLabels
+                                                                  is a map of {key,value}
+                                                                  pairs. A single
+                                                                  {key,value} in the
+                                                                  matchLabels map
+                                                                  is equivalent to
+                                                                  an element of matchExpressions,
+                                                                  whose key field
+                                                                  is "key", the operator
+                                                                  is "In", and the
+                                                                  values array contains
+                                                                  only "value". The
+                                                                  requirements are
+                                                                  ANDed.
+                                                                type: object
+                                                            type: object
+                                                          namespaces:
+                                                            description: namespaces
+                                                              specifies which namespaces
+                                                              the labelSelector applies
+                                                              to (matches against);
+                                                              null or empty list means
+                                                              "this pod's namespace"
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                          topologyKey:
+                                                            description: This pod
+                                                              should be co-located
+                                                              (affinity) or not co-located
+                                                              (anti-affinity) with
+                                                              the pods matching the
+                                                              labelSelector in the
+                                                              specified namespaces,
+                                                              where co-located is
+                                                              defined as running on
+                                                              a node whose value of
+                                                              the label with key topologyKey
+                                                              matches that of any
+                                                              node on which any of
+                                                              the selected pods is
+                                                              running. Empty topologyKey
+                                                              is not allowed.
+                                                            type: string
+                                                        required:
+                                                        - topologyKey
+                                                        type: object
+                                                      weight:
+                                                        description: weight associated
+                                                          with matching the corresponding
+                                                          podAffinityTerm, in the
+                                                          range 1-100.
+                                                        format: int32
+                                                        type: integer
+                                                    required:
+                                                    - podAffinityTerm
+                                                    - weight
+                                                    type: object
+                                                  type: array
+                                                requiredDuringSchedulingIgnoredDuringExecution:
+                                                  description: If the affinity requirements
+                                                    specified by this field are not
+                                                    met at scheduling time, the pod
+                                                    will not be scheduled onto the
+                                                    node. If the affinity requirements
+                                                    specified by this field cease
+                                                    to be met at some point during
+                                                    pod execution (e.g. due to a pod
+                                                    label update), the system may
+                                                    or may not try to eventually evict
+                                                    the pod from its node. When there
+                                                    are multiple elements, the lists
+                                                    of nodes corresponding to each
+                                                    podAffinityTerm are intersected,
+                                                    i.e. all terms must be satisfied.
+                                                  items:
+                                                    description: Defines a set of
+                                                      pods (namely those matching
+                                                      the labelSelector relative to
+                                                      the given namespace(s)) that
+                                                      this pod should be co-located
+                                                      (affinity) or not co-located
+                                                      (anti-affinity) with, where
+                                                      co-located is defined as running
+                                                      on a node whose value of the
+                                                      label with key <topologyKey>
+                                                      matches that of any node on
+                                                      which a pod of the set of pods
+                                                      is running
+                                                    properties:
+                                                      labelSelector:
+                                                        description: A label query
+                                                          over a set of resources,
+                                                          in this case pods.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: matchExpressions
+                                                              is a list of label selector
+                                                              requirements. The requirements
+                                                              are ANDed.
+                                                            items:
+                                                              description: A label
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: key
+                                                                    is the label key
+                                                                    that the selector
+                                                                    applies to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: operator
+                                                                    represents a key's
+                                                                    relationship to
+                                                                    a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists and DoesNotExist.
+                                                                  type: string
+                                                                values:
+                                                                  description: values
+                                                                    is an array of
+                                                                    string values.
+                                                                    If the operator
+                                                                    is In or NotIn,
+                                                                    the values array
+                                                                    must be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchLabels:
+                                                            additionalProperties:
+                                                              type: string
+                                                            description: matchLabels
+                                                              is a map of {key,value}
+                                                              pairs. A single {key,value}
+                                                              in the matchLabels map
+                                                              is equivalent to an
+                                                              element of matchExpressions,
+                                                              whose key field is "key",
+                                                              the operator is "In",
+                                                              and the values array
+                                                              contains only "value".
+                                                              The requirements are
+                                                              ANDed.
+                                                            type: object
+                                                        type: object
+                                                      namespaces:
+                                                        description: namespaces specifies
+                                                          which namespaces the labelSelector
+                                                          applies to (matches against);
+                                                          null or empty list means
+                                                          "this pod's namespace"
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                      topologyKey:
+                                                        description: This pod should
+                                                          be co-located (affinity)
+                                                          or not co-located (anti-affinity)
+                                                          with the pods matching the
+                                                          labelSelector in the specified
+                                                          namespaces, where co-located
+                                                          is defined as running on
+                                                          a node whose value of the
+                                                          label with key topologyKey
+                                                          matches that of any node
+                                                          on which any of the selected
+                                                          pods is running. Empty topologyKey
+                                                          is not allowed.
+                                                        type: string
+                                                    required:
+                                                    - topologyKey
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                            podAntiAffinity:
+                                              description: Describes pod anti-affinity
+                                                scheduling rules (e.g. avoid putting
+                                                this pod in the same node, zone, etc.
+                                                as some other pod(s)).
+                                              properties:
+                                                preferredDuringSchedulingIgnoredDuringExecution:
+                                                  description: The scheduler will
+                                                    prefer to schedule pods to nodes
+                                                    that satisfy the anti-affinity
+                                                    expressions specified by this
+                                                    field, but it may choose a node
+                                                    that violates one or more of the
+                                                    expressions. The node that is
+                                                    most preferred is the one with
+                                                    the greatest sum of weights, i.e.
+                                                    for each node that meets all of
+                                                    the scheduling requirements (resource
+                                                    request, requiredDuringScheduling
+                                                    anti-affinity expressions, etc.),
+                                                    compute a sum by iterating through
+                                                    the elements of this field and
+                                                    adding "weight" to the sum if
+                                                    the node has pods which matches
+                                                    the corresponding podAffinityTerm;
+                                                    the node(s) with the highest sum
+                                                    are the most preferred.
+                                                  items:
+                                                    description: The weights of all
+                                                      of the matched WeightedPodAffinityTerm
+                                                      fields are added per-node to
+                                                      find the most preferred node(s)
+                                                    properties:
+                                                      podAffinityTerm:
+                                                        description: Required. A pod
+                                                          affinity term, associated
+                                                          with the corresponding weight.
+                                                        properties:
+                                                          labelSelector:
+                                                            description: A label query
+                                                              over a set of resources,
+                                                              in this case pods.
+                                                            properties:
+                                                              matchExpressions:
+                                                                description: matchExpressions
+                                                                  is a list of label
+                                                                  selector requirements.
+                                                                  The requirements
+                                                                  are ANDed.
+                                                                items:
+                                                                  description: A label
+                                                                    selector requirement
+                                                                    is a selector
+                                                                    that contains
+                                                                    values, a key,
+                                                                    and an operator
+                                                                    that relates the
+                                                                    key and values.
+                                                                  properties:
+                                                                    key:
+                                                                      description: key
+                                                                        is the label
+                                                                        key that the
+                                                                        selector applies
+                                                                        to.
+                                                                      type: string
+                                                                    operator:
+                                                                      description: operator
+                                                                        represents
+                                                                        a key's relationship
+                                                                        to a set of
+                                                                        values. Valid
+                                                                        operators
+                                                                        are In, NotIn,
+                                                                        Exists and
+                                                                        DoesNotExist.
+                                                                      type: string
+                                                                    values:
+                                                                      description: values
+                                                                        is an array
+                                                                        of string
+                                                                        values. If
+                                                                        the operator
+                                                                        is In or NotIn,
+                                                                        the values
+                                                                        array must
+                                                                        be non-empty.
+                                                                        If the operator
+                                                                        is Exists
+                                                                        or DoesNotExist,
+                                                                        the values
+                                                                        array must
+                                                                        be empty.
+                                                                        This array
+                                                                        is replaced
+                                                                        during a strategic
+                                                                        merge patch.
+                                                                      items:
+                                                                        type: string
+                                                                      type: array
+                                                                  required:
+                                                                  - key
+                                                                  - operator
+                                                                  type: object
+                                                                type: array
+                                                              matchLabels:
+                                                                additionalProperties:
+                                                                  type: string
+                                                                description: matchLabels
+                                                                  is a map of {key,value}
+                                                                  pairs. A single
+                                                                  {key,value} in the
+                                                                  matchLabels map
+                                                                  is equivalent to
+                                                                  an element of matchExpressions,
+                                                                  whose key field
+                                                                  is "key", the operator
+                                                                  is "In", and the
+                                                                  values array contains
+                                                                  only "value". The
+                                                                  requirements are
+                                                                  ANDed.
+                                                                type: object
+                                                            type: object
+                                                          namespaces:
+                                                            description: namespaces
+                                                              specifies which namespaces
+                                                              the labelSelector applies
+                                                              to (matches against);
+                                                              null or empty list means
+                                                              "this pod's namespace"
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                          topologyKey:
+                                                            description: This pod
+                                                              should be co-located
+                                                              (affinity) or not co-located
+                                                              (anti-affinity) with
+                                                              the pods matching the
+                                                              labelSelector in the
+                                                              specified namespaces,
+                                                              where co-located is
+                                                              defined as running on
+                                                              a node whose value of
+                                                              the label with key topologyKey
+                                                              matches that of any
+                                                              node on which any of
+                                                              the selected pods is
+                                                              running. Empty topologyKey
+                                                              is not allowed.
+                                                            type: string
+                                                        required:
+                                                        - topologyKey
+                                                        type: object
+                                                      weight:
+                                                        description: weight associated
+                                                          with matching the corresponding
+                                                          podAffinityTerm, in the
+                                                          range 1-100.
+                                                        format: int32
+                                                        type: integer
+                                                    required:
+                                                    - podAffinityTerm
+                                                    - weight
+                                                    type: object
+                                                  type: array
+                                                requiredDuringSchedulingIgnoredDuringExecution:
+                                                  description: If the anti-affinity
+                                                    requirements specified by this
+                                                    field are not met at scheduling
+                                                    time, the pod will not be scheduled
+                                                    onto the node. If the anti-affinity
+                                                    requirements specified by this
+                                                    field cease to be met at some
+                                                    point during pod execution (e.g.
+                                                    due to a pod label update), the
+                                                    system may or may not try to eventually
+                                                    evict the pod from its node. When
+                                                    there are multiple elements, the
+                                                    lists of nodes corresponding to
+                                                    each podAffinityTerm are intersected,
+                                                    i.e. all terms must be satisfied.
+                                                  items:
+                                                    description: Defines a set of
+                                                      pods (namely those matching
+                                                      the labelSelector relative to
+                                                      the given namespace(s)) that
+                                                      this pod should be co-located
+                                                      (affinity) or not co-located
+                                                      (anti-affinity) with, where
+                                                      co-located is defined as running
+                                                      on a node whose value of the
+                                                      label with key <topologyKey>
+                                                      matches that of any node on
+                                                      which a pod of the set of pods
+                                                      is running
+                                                    properties:
+                                                      labelSelector:
+                                                        description: A label query
+                                                          over a set of resources,
+                                                          in this case pods.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: matchExpressions
+                                                              is a list of label selector
+                                                              requirements. The requirements
+                                                              are ANDed.
+                                                            items:
+                                                              description: A label
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: key
+                                                                    is the label key
+                                                                    that the selector
+                                                                    applies to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: operator
+                                                                    represents a key's
+                                                                    relationship to
+                                                                    a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists and DoesNotExist.
+                                                                  type: string
+                                                                values:
+                                                                  description: values
+                                                                    is an array of
+                                                                    string values.
+                                                                    If the operator
+                                                                    is In or NotIn,
+                                                                    the values array
+                                                                    must be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchLabels:
+                                                            additionalProperties:
+                                                              type: string
+                                                            description: matchLabels
+                                                              is a map of {key,value}
+                                                              pairs. A single {key,value}
+                                                              in the matchLabels map
+                                                              is equivalent to an
+                                                              element of matchExpressions,
+                                                              whose key field is "key",
+                                                              the operator is "In",
+                                                              and the values array
+                                                              contains only "value".
+                                                              The requirements are
+                                                              ANDed.
+                                                            type: object
+                                                        type: object
+                                                      namespaces:
+                                                        description: namespaces specifies
+                                                          which namespaces the labelSelector
+                                                          applies to (matches against);
+                                                          null or empty list means
+                                                          "this pod's namespace"
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                      topologyKey:
+                                                        description: This pod should
+                                                          be co-located (affinity)
+                                                          or not co-located (anti-affinity)
+                                                          with the pods matching the
+                                                          labelSelector in the specified
+                                                          namespaces, where co-located
+                                                          is defined as running on
+                                                          a node whose value of the
+                                                          label with key topologyKey
+                                                          matches that of any node
+                                                          on which any of the selected
+                                                          pods is running. Empty topologyKey
+                                                          is not allowed.
+                                                        type: string
+                                                    required:
+                                                    - topologyKey
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                          type: object
+                                        nodeSelector:
+                                          additionalProperties:
+                                            type: string
+                                          description: 'NodeSelector is a selector
+                                            which must be true for the pod to fit
+                                            on a node. Selector which must match a
+                                            node''s labels for the pod to be scheduled
+                                            on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
+                                          type: object
+                                        priorityClassName:
+                                          description: If specified, the pod's priorityClassName.
+                                          type: string
+                                        serviceAccountName:
+                                          description: If specified, the pod's service
+                                            account
+                                          type: string
+                                        tolerations:
+                                          description: If specified, the pod's tolerations.
+                                          items:
+                                            description: The pod this Toleration is
+                                              attached to tolerates any taint that
+                                              matches the triple <key,value,effect>
+                                              using the matching operator <operator>.
+                                            properties:
+                                              effect:
+                                                description: Effect indicates the
+                                                  taint effect to match. Empty means
+                                                  match all taint effects. When specified,
+                                                  allowed values are NoSchedule, PreferNoSchedule
+                                                  and NoExecute.
+                                                type: string
+                                              key:
+                                                description: Key is the taint key
+                                                  that the toleration applies to.
+                                                  Empty means match all taint keys.
+                                                  If the key is empty, operator must
+                                                  be Exists; this combination means
+                                                  to match all values and all keys.
+                                                type: string
+                                              operator:
+                                                description: Operator represents a
+                                                  key's relationship to the value.
+                                                  Valid operators are Exists and Equal.
+                                                  Defaults to Equal. Exists is equivalent
+                                                  to wildcard for value, so that a
+                                                  pod can tolerate all taints of a
+                                                  particular category.
+                                                type: string
+                                              tolerationSeconds:
+                                                description: TolerationSeconds represents
+                                                  the period of time the toleration
+                                                  (which must be of effect NoExecute,
+                                                  otherwise this field is ignored)
+                                                  tolerates the taint. By default,
+                                                  it is not set, which means tolerate
+                                                  the taint forever (do not evict).
+                                                  Zero and negative values will be
+                                                  treated as 0 (evict immediately)
+                                                  by the system.
+                                                format: int64
+                                                type: integer
+                                              value:
+                                                description: Value is the taint value
+                                                  the toleration matches to. If the
+                                                  operator is Exists, the value should
+                                                  be empty, otherwise just a regular
+                                                  string.
+                                                type: string
+                                            type: object
+                                          type: array
+                                      type: object
+                                  type: object
+                                serviceType:
+                                  description: Optional service type for Kubernetes
+                                    solver service
+                                  type: string
+                              type: object
+                          type: object
+                        selector:
+                          description: Selector selects a set of DNSNames on the Certificate
+                            resource that should be solved using this challenge solver.
+                            If not specified, the solver will be treated as the 'default'
+                            solver with the lowest priority, i.e. if any other solver
+                            has a more specific match, it will be used instead.
+                          properties:
+                            dnsNames:
+                              description: List of DNSNames that this solver will
+                                be used to solve. If specified and a match is found,
+                                a dnsNames selector will take precedence over a dnsZones
+                                selector. If multiple solvers match with the same
+                                dnsNames value, the solver with the most matching
+                                labels in matchLabels will be selected. If neither
+                                has more matches, the solver defined earlier in the
+                                list will be selected.
+                              items:
+                                type: string
+                              type: array
+                            dnsZones:
+                              description: List of DNSZones that this solver will
+                                be used to solve. The most specific DNS zone match
+                                specified here will take precedence over other DNS
+                                zone matches, so a solver specifying sys.example.com
+                                will be selected over one specifying example.com for
+                                the domain www.sys.example.com. If multiple solvers
+                                match with the same dnsZones value, the solver with
+                                the most matching labels in matchLabels will be selected.
+                                If neither has more matches, the solver defined earlier
+                                in the list will be selected.
+                              items:
+                                type: string
+                              type: array
+                            matchLabels:
+                              additionalProperties:
+                                type: string
+                              description: A label selector that is used to refine
+                                the set of certificate's that this challenge solver
+                                will apply to.
+                              type: object
+                          type: object
+                      type: object
+                    type: array
+                required:
+                - privateKeySecretRef
+                - server
+                type: object
+              ca:
+                description: CA configures this issuer to sign certificates using
+                  a signing CA keypair stored in a Secret resource. This is used to
+                  build internal PKIs that are managed by cert-manager.
+                properties:
+                  crlDistributionPoints:
+                    description: The CRL distribution points is an X.509 v3 certificate
+                      extension which identifies the location of the CRL from which
+                      the revocation of this certificate can be checked. If not set,
+                      certificates will be issued without distribution points set.
+                    items:
+                      type: string
+                    type: array
+                  secretName:
+                    description: SecretName is the name of the secret used to sign
+                      Certificates issued by this Issuer.
+                    type: string
+                required:
+                - secretName
+                type: object
+              selfSigned:
+                description: SelfSigned configures this issuer to 'self sign' certificates
+                  using the private key used to create the CertificateRequest object.
+                properties:
+                  crlDistributionPoints:
+                    description: The CRL distribution points is an X.509 v3 certificate
+                      extension which identifies the location of the CRL from which
+                      the revocation of this certificate can be checked. If not set
+                      certificate will be issued without CDP. Values are strings.
+                    items:
+                      type: string
+                    type: array
+                type: object
+              vault:
+                description: Vault configures this issuer to sign certificates using
+                  a HashiCorp Vault PKI backend.
+                properties:
+                  auth:
+                    description: Auth configures how cert-manager authenticates with
+                      the Vault server.
+                    properties:
+                      appRole:
+                        description: AppRole authenticates with Vault using the App
+                          Role auth mechanism, with the role and secret stored in
+                          a Kubernetes Secret resource.
+                        properties:
+                          path:
+                            description: 'Path where the App Role authentication backend
+                              is mounted in Vault, e.g: "approle"'
+                            type: string
+                          roleId:
+                            description: RoleID configured in the App Role authentication
+                              backend when setting up the authentication backend in
+                              Vault.
+                            type: string
+                          secretRef:
+                            description: Reference to a key in a Secret that contains
+                              the App Role secret used to authenticate with Vault.
+                              The `key` field must be specified and denotes which
+                              entry within the Secret resource is used as the app
+                              role secret.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - path
+                        - roleId
+                        - secretRef
+                        type: object
+                      kubernetes:
+                        description: Kubernetes authenticates with Vault by passing
+                          the ServiceAccount token stored in the named Secret resource
+                          to the Vault server.
+                        properties:
+                          mountPath:
+                            description: The Vault mountPath here is the mount path
+                              to use when authenticating with Vault. For example,
+                              setting a value to `/v1/auth/foo`, will use the path
+                              `/v1/auth/foo/login` to authenticate with Vault. If
+                              unspecified, the default value "/v1/auth/kubernetes"
+                              will be used.
+                            type: string
+                          role:
+                            description: A required field containing the Vault Role
+                              to assume. A Role binds a Kubernetes ServiceAccount
+                              with a set of Vault policies.
+                            type: string
+                          secretRef:
+                            description: The required Secret field containing a Kubernetes
+                              ServiceAccount JWT used for authenticating with Vault.
+                              Use of 'ambient credentials' is not supported.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - role
+                        - secretRef
+                        type: object
+                      tokenSecretRef:
+                        description: TokenSecretRef authenticates with Vault by presenting
+                          a token.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                    type: object
+                  caBundle:
+                    description: PEM encoded CA bundle used to validate Vault server
+                      certificate. Only used if the Server URL is using HTTPS protocol.
+                      This parameter is ignored for plain HTTP protocol connection.
+                      If not set the system root certificates are used to validate
+                      the TLS connection.
+                    format: byte
+                    type: string
+                  namespace:
+                    description: 'Name of the vault namespace. Namespaces is a set
+                      of features within Vault Enterprise that allows Vault environments
+                      to support Secure Multi-tenancy. e.g: "ns1" More about namespaces
+                      can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
+                    type: string
+                  path:
+                    description: 'Path is the mount path of the Vault PKI backend''s
+                      `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
+                    type: string
+                  server:
+                    description: 'Server is the connection address for the Vault server,
+                      e.g: "https://vault.example.com:8200".'
+                    type: string
+                required:
+                - auth
+                - path
+                - server
+                type: object
+              venafi:
+                description: Venafi configures this issuer to sign certificates using
+                  a Venafi TPP or Venafi Cloud policy zone.
+                properties:
+                  cloud:
+                    description: Cloud specifies the Venafi cloud configuration settings.
+                      Only one of TPP or Cloud may be specified.
+                    properties:
+                      apiTokenSecretRef:
+                        description: APITokenSecretRef is a secret key selector for
+                          the Venafi Cloud API token.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      url:
+                        description: URL is the base URL for Venafi Cloud. Defaults
+                          to "https://api.venafi.cloud/v1".
+                        type: string
+                    required:
+                    - apiTokenSecretRef
+                    type: object
+                  tpp:
+                    description: TPP specifies Trust Protection Platform configuration
+                      settings. Only one of TPP or Cloud may be specified.
+                    properties:
+                      caBundle:
+                        description: CABundle is a PEM encoded TLS certificate to
+                          use to verify connections to the TPP instance. If specified,
+                          system roots will not be used and the issuing CA for the
+                          TPP instance must be verifiable using the provided root.
+                          If not specified, the connection will be verified using
+                          the cert-manager system root certificates.
+                        format: byte
+                        type: string
+                      credentialsRef:
+                        description: CredentialsRef is a reference to a Secret containing
+                          the username and password for the TPP server. The secret
+                          must contain two keys, 'username' and 'password'.
+                        properties:
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      url:
+                        description: 'URL is the base URL for the vedsdk endpoint
+                          of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
+                        type: string
+                    required:
+                    - credentialsRef
+                    - url
+                    type: object
+                  zone:
+                    description: Zone is the Venafi Policy Zone to use for this issuer.
+                      All requests made to the Venafi platform will be restricted
+                      by the named zone policy. This field is required.
+                    type: string
+                required:
+                - zone
+                type: object
+            type: object
+          status:
+            description: Status of the Issuer. This is set and managed automatically.
+            properties:
+              acme:
+                description: ACME specific status options. This field should only
+                  be set if the Issuer is configured to use an ACME server to issue
+                  certificates.
+                properties:
+                  lastRegisteredEmail:
+                    description: LastRegisteredEmail is the email associated with
+                      the latest registered ACME account, in order to track changes
+                      made to registered account associated with the  Issuer
+                    type: string
+                  uri:
+                    description: URI is the unique account identifier, which can also
+                      be used to retrieve account details from the CA
+                    type: string
+                type: object
+              conditions:
+                description: List of status conditions to indicate the status of a
+                  CertificateRequest. Known condition types are `Ready`.
+                items:
+                  description: IssuerCondition contains condition information for
+                    an Issuer.
+                  properties:
+                    lastTransitionTime:
+                      description: LastTransitionTime is the timestamp corresponding
+                        to the last status change of this condition.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Message is a human readable description of the
+                        details of the last transition, complementing reason.
+                      type: string
+                    reason:
+                      description: Reason is a brief machine readable explanation
+                        for the condition's last transition.
+                      type: string
+                    status:
+                      description: Status of the condition, one of ('True', 'False',
+                        'Unknown').
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: Type of the condition, known values are ('Ready').
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].message
+      name: Status
+      priority: 1
+      type: string
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC.
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
+    schema:
+      openAPIV3Schema:
+        description: An Issuer represents a certificate issuing authority which can
+          be referenced as part of `issuerRef` fields. It is scoped to a single namespace
+          and can therefore only be referenced by resources within the same namespace.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Desired state of the Issuer resource.
+            properties:
+              acme:
+                description: ACME configures this issuer to communicate with a RFC8555
+                  (ACME) server to obtain signed x509 certificates.
+                properties:
+                  disableAccountKeyGeneration:
+                    description: Enables or disables generating a new ACME account
+                      key. If true, the Issuer resource will *not* request a new account
+                      but will expect the account key to be supplied via an existing
+                      secret. If false, the cert-manager system will generate a new
+                      ACME account key for the Issuer. Defaults to false.
+                    type: boolean
+                  email:
+                    description: Email is the email address to be associated with
+                      the ACME account. This field is optional, but it is strongly
+                      recommended to be set. It will be used to contact you in case
+                      of issues with your account or certificates, including expiry
+                      notification emails. This field may be updated after the account
+                      is initially registered.
+                    type: string
+                  externalAccountBinding:
+                    description: ExternalAccountBinding is a reference to a CA external
+                      account of the ACME server. If set, upon registration cert-manager
+                      will attempt to associate the given external account credentials
+                      with the registered ACME account.
+                    properties:
+                      keyAlgorithm:
+                        description: keyAlgorithm is the MAC key algorithm that the
+                          key is used for. Valid values are "HS256", "HS384" and "HS512".
+                        enum:
+                        - HS256
+                        - HS384
+                        - HS512
+                        type: string
+                      keyID:
+                        description: keyID is the ID of the CA key that the External
+                          Account is bound to.
+                        type: string
+                      keySecretRef:
+                        description: keySecretRef is a Secret Key Selector referencing
+                          a data item in a Kubernetes Secret which holds the symmetric
+                          MAC key of the External Account Binding. The `key` is the
+                          index string that is paired with the key data in the Secret
+                          and should not be confused with the key data itself, or
+                          indeed with the External Account Binding keyID above. The
+                          secret key stored in the Secret **must** be un-padded, base64
+                          URL encoded data.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                    required:
+                    - keyAlgorithm
+                    - keyID
+                    - keySecretRef
+                    type: object
+                  preferredChain:
+                    description: 'PreferredChain is the chain to use if the ACME server
+                      outputs multiple. PreferredChain is no guarantee that this one
+                      gets delivered by the ACME endpoint. For example, for Let''s
+                      Encrypt''s DST crosssign you would use: "DST Root CA X3" or
+                      "ISRG Root X1" for the newer Let''s Encrypt root CA. This value
+                      picks the first certificate bundle in the ACME alternative chains
+                      that has a certificate with this value as its issuer''s CN'
+                    maxLength: 64
+                    type: string
+                  privateKeySecretRef:
+                    description: PrivateKey is the name of a Kubernetes Secret resource
+                      that will be used to store the automatically generated ACME
+                      account private key. Optionally, a `key` may be specified to
+                      select a specific entry within the named Secret resource. If
+                      `key` is not specified, a default of `tls.key` will be used.
+                    properties:
+                      key:
+                        description: The key of the entry in the Secret resource's
+                          `data` field to be used. Some instances of this field may
+                          be defaulted, in others it may be required.
+                        type: string
+                      name:
+                        description: 'Name of the resource being referred to. More
+                          info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                        type: string
+                    required:
+                    - name
+                    type: object
+                  server:
+                    description: 'Server is the URL used to access the ACME server''s
+                      ''directory'' endpoint. For example, for Let''s Encrypt''s staging
+                      endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory".
+                      Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
+                    type: string
+                  skipTLSVerify:
+                    description: Enables or disables validation of the ACME server
+                      TLS certificate. If true, requests to the ACME server will not
+                      have their TLS certificate validated (i.e. insecure connections
+                      will be allowed). Only enable this option in development environments.
+                      The cert-manager system installed roots will be used to verify
+                      connections to the ACME server if this is false. Defaults to
+                      false.
+                    type: boolean
+                  solvers:
+                    description: 'Solvers is a list of challenge solvers that will
+                      be used to solve ACME challenges for the matching domains. Solver
+                      configurations must be provided in order to obtain certificates
+                      from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
+                    items:
+                      description: Configures an issuer to solve challenges using
+                        the specified options. Only one of HTTP01 or DNS01 may be
+                        provided.
+                      properties:
+                        dns01:
+                          description: Configures cert-manager to attempt to complete
+                            authorizations by performing the DNS01 challenge flow.
+                          properties:
+                            acmeDNS:
+                              description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
+                                API to manage DNS01 challenge records.
+                              properties:
+                                accountSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                host:
+                                  type: string
+                              required:
+                              - accountSecretRef
+                              - host
+                              type: object
+                            akamai:
+                              description: Use the Akamai DNS zone management API
+                                to manage DNS01 challenge records.
+                              properties:
+                                accessTokenSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                clientSecretSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                clientTokenSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                serviceConsumerDomain:
+                                  type: string
+                              required:
+                              - accessTokenSecretRef
+                              - clientSecretSecretRef
+                              - clientTokenSecretRef
+                              - serviceConsumerDomain
+                              type: object
+                            azureDNS:
+                              description: Use the Microsoft Azure DNS API to manage
+                                DNS01 challenge records.
+                              properties:
+                                clientID:
+                                  description: if both this and ClientSecret are left
+                                    unset MSI will be used
+                                  type: string
+                                clientSecretSecretRef:
+                                  description: if both this and ClientID are left
+                                    unset MSI will be used
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                environment:
+                                  enum:
+                                  - AzurePublicCloud
+                                  - AzureChinaCloud
+                                  - AzureGermanCloud
+                                  - AzureUSGovernmentCloud
+                                  type: string
+                                hostedZoneName:
+                                  type: string
+                                resourceGroupName:
+                                  type: string
+                                subscriptionID:
+                                  type: string
+                                tenantID:
+                                  description: when specifying ClientID and ClientSecret
+                                    then this field is also needed
+                                  type: string
+                              required:
+                              - resourceGroupName
+                              - subscriptionID
+                              type: object
+                            cloudDNS:
+                              description: Use the Google Cloud DNS API to manage
+                                DNS01 challenge records.
+                              properties:
+                                hostedZoneName:
+                                  description: HostedZoneName is an optional field
+                                    that tells cert-manager in which Cloud DNS zone
+                                    the challenge record has to be created. If left
+                                    empty cert-manager will automatically choose a
+                                    zone.
+                                  type: string
+                                project:
+                                  type: string
+                                serviceAccountSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - project
+                              type: object
+                            cloudflare:
+                              description: Use the Cloudflare API to manage DNS01
+                                challenge records.
+                              properties:
+                                apiKeySecretRef:
+                                  description: 'API key to use to authenticate with
+                                    Cloudflare. Note: using an API token to authenticate
+                                    is now the recommended method as it allows greater
+                                    control of permissions.'
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                apiTokenSecretRef:
+                                  description: API token used to authenticate with
+                                    Cloudflare.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                email:
+                                  description: Email of the account, only required
+                                    when using API key based authentication.
+                                  type: string
+                              type: object
+                            cnameStrategy:
+                              description: CNAMEStrategy configures how the DNS01
+                                provider should handle CNAME records when found in
+                                DNS zones.
+                              enum:
+                              - None
+                              - Follow
+                              type: string
+                            digitalocean:
+                              description: Use the DigitalOcean DNS API to manage
+                                DNS01 challenge records.
+                              properties:
+                                tokenSecretRef:
+                                  description: A reference to a specific 'key' within
+                                    a Secret resource. In some instances, `key` is
+                                    a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - tokenSecretRef
+                              type: object
+                            rfc2136:
+                              description: Use RFC2136 ("Dynamic Updates in the Domain
+                                Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+                                to manage DNS01 challenge records.
+                              properties:
+                                nameserver:
+                                  description: The IP address or hostname of an authoritative
+                                    DNS server supporting RFC2136 in the form host:port.
+                                    If the host is an IPv6 address it must be enclosed
+                                    in square brackets (e.g [2001:db8::1]) ; port
+                                    is optional. This field is required.
+                                  type: string
+                                tsigAlgorithm:
+                                  description: 'The TSIG Algorithm configured in the
+                                    DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
+                                    and ``tsigKeyName`` are defined. Supported values
+                                    are (case-insensitive): ``HMACMD5`` (default),
+                                    ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
+                                  type: string
+                                tsigKeyName:
+                                  description: The TSIG Key name configured in the
+                                    DNS. If ``tsigSecretSecretRef`` is defined, this
+                                    field is required.
+                                  type: string
+                                tsigSecretSecretRef:
+                                  description: The name of the secret containing the
+                                    TSIG value. If ``tsigKeyName`` is defined, this
+                                    field is required.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - nameserver
+                              type: object
+                            route53:
+                              description: Use the AWS Route53 API to manage DNS01
+                                challenge records.
+                              properties:
+                                accessKeyID:
+                                  description: 'The AccessKeyID is used for authentication.
+                                    If not set we fall-back to using env vars, shared
+                                    credentials file or AWS Instance metadata see:
+                                    https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                  type: string
+                                hostedZoneID:
+                                  description: If set, the provider will manage only
+                                    this zone in Route53 and will not do an lookup
+                                    using the route53:ListHostedZonesByName api call.
+                                  type: string
+                                region:
+                                  description: Always set the region when using AccessKeyID
+                                    and SecretAccessKey
+                                  type: string
+                                role:
+                                  description: Role is a Role ARN which the Route53
+                                    provider will assume using either the explicit
+                                    credentials AccessKeyID/SecretAccessKey or the
+                                    inferred credentials from environment variables,
+                                    shared credentials file or AWS Instance metadata
+                                  type: string
+                                secretAccessKeySecretRef:
+                                  description: The SecretAccessKey is used for authentication.
+                                    If not set we fall-back to using env vars, shared
+                                    credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                              required:
+                              - region
+                              type: object
+                            webhook:
+                              description: Configure an external webhook based DNS01
+                                challenge solver to manage DNS01 challenge records.
+                              properties:
+                                config:
+                                  description: Additional configuration that should
+                                    be passed to the webhook apiserver when challenges
+                                    are processed. This can contain arbitrary JSON
+                                    data. Secret values should not be specified in
+                                    this stanza. If secret values are needed (e.g.
+                                    credentials for a DNS service), you should use
+                                    a SecretKeySelector to reference a Secret resource.
+                                    For details on the schema of this field, consult
+                                    the webhook provider implementation's documentation.
+                                  x-kubernetes-preserve-unknown-fields: true
+                                groupName:
+                                  description: The API group name that should be used
+                                    when POSTing ChallengePayload resources to the
+                                    webhook apiserver. This should be the same as
+                                    the GroupName specified in the webhook provider
+                                    implementation.
+                                  type: string
+                                solverName:
+                                  description: The name of the solver to use, as defined
+                                    in the webhook provider implementation. This will
+                                    typically be the name of the provider, e.g. 'cloudflare'.
+                                  type: string
+                              required:
+                              - groupName
+                              - solverName
+                              type: object
+                          type: object
+                        http01:
+                          description: Configures cert-manager to attempt to complete
+                            authorizations by performing the HTTP01 challenge flow.
+                            It is not possible to obtain certificates for wildcard
+                            domain names (e.g. `*.example.com`) using the HTTP01 challenge
+                            mechanism.
+                          properties:
+                            ingress:
+                              description: The ingress based HTTP01 challenge solver
+                                will solve challenges by creating or modifying Ingress
+                                resources in order to route requests for '/.well-known/acme-challenge/XYZ'
+                                to 'challenge solver' pods that are provisioned by
+                                cert-manager for each Challenge to be completed.
+                              properties:
+                                class:
+                                  description: The ingress class to use when creating
+                                    Ingress resources to solve ACME challenges that
+                                    use this challenge solver. Only one of 'class'
+                                    or 'name' may be specified.
+                                  type: string
+                                ingressTemplate:
+                                  description: Optional ingress template used to configure
+                                    the ACME challenge solver ingress used for HTTP01
+                                    challenges
+                                  properties:
+                                    metadata:
+                                      description: ObjectMeta overrides for the ingress
+                                        used to solve HTTP01 challenges. Only the
+                                        'labels' and 'annotations' fields may be set.
+                                        If labels or annotations overlap with in-built
+                                        values, the values here will override the
+                                        in-built values.
+                                      properties:
+                                        annotations:
+                                          additionalProperties:
+                                            type: string
+                                          description: Annotations that should be
+                                            added to the created ACME HTTP01 solver
+                                            ingress.
+                                          type: object
+                                        labels:
+                                          additionalProperties:
+                                            type: string
+                                          description: Labels that should be added
+                                            to the created ACME HTTP01 solver ingress.
+                                          type: object
+                                      type: object
+                                  type: object
+                                name:
+                                  description: The name of the ingress resource that
+                                    should have ACME challenge solving routes inserted
+                                    into it in order to solve HTTP01 challenges. This
+                                    is typically used in conjunction with ingress
+                                    controllers like ingress-gce, which maintains
+                                    a 1:1 mapping between external IPs and ingress
+                                    resources.
+                                  type: string
+                                podTemplate:
+                                  description: Optional pod template used to configure
+                                    the ACME challenge solver pods used for HTTP01
+                                    challenges
+                                  properties:
+                                    metadata:
+                                      description: ObjectMeta overrides for the pod
+                                        used to solve HTTP01 challenges. Only the
+                                        'labels' and 'annotations' fields may be set.
+                                        If labels or annotations overlap with in-built
+                                        values, the values here will override the
+                                        in-built values.
+                                      properties:
+                                        annotations:
+                                          additionalProperties:
+                                            type: string
+                                          description: Annotations that should be
+                                            added to the create ACME HTTP01 solver
+                                            pods.
+                                          type: object
+                                        labels:
+                                          additionalProperties:
+                                            type: string
+                                          description: Labels that should be added
+                                            to the created ACME HTTP01 solver pods.
+                                          type: object
+                                      type: object
+                                    spec:
+                                      description: PodSpec defines overrides for the
+                                        HTTP01 challenge solver pod. Only the 'priorityClassName',
+                                        'nodeSelector', 'affinity', 'serviceAccountName'
+                                        and 'tolerations' fields are supported currently.
+                                        All other fields will be ignored.
+                                      properties:
+                                        affinity:
+                                          description: If specified, the pod's scheduling
+                                            constraints
+                                          properties:
+                                            nodeAffinity:
+                                              description: Describes node affinity
+                                                scheduling rules for the pod.
+                                              properties:
+                                                preferredDuringSchedulingIgnoredDuringExecution:
+                                                  description: The scheduler will
+                                                    prefer to schedule pods to nodes
+                                                    that satisfy the affinity expressions
+                                                    specified by this field, but it
+                                                    may choose a node that violates
+                                                    one or more of the expressions.
+                                                    The node that is most preferred
+                                                    is the one with the greatest sum
+                                                    of weights, i.e. for each node
+                                                    that meets all of the scheduling
+                                                    requirements (resource request,
+                                                    requiredDuringScheduling affinity
+                                                    expressions, etc.), compute a
+                                                    sum by iterating through the elements
+                                                    of this field and adding "weight"
+                                                    to the sum if the node matches
+                                                    the corresponding matchExpressions;
+                                                    the node(s) with the highest sum
+                                                    are the most preferred.
+                                                  items:
+                                                    description: An empty preferred
+                                                      scheduling term matches all
+                                                      objects with implicit weight
+                                                      0 (i.e. it's a no-op). A null
+                                                      preferred scheduling term matches
+                                                      no objects (i.e. is also a no-op).
+                                                    properties:
+                                                      preference:
+                                                        description: A node selector
+                                                          term, associated with the
+                                                          corresponding weight.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's labels.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchFields:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's fields.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                        type: object
+                                                      weight:
+                                                        description: Weight associated
+                                                          with matching the corresponding
+                                                          nodeSelectorTerm, in the
+                                                          range 1-100.
+                                                        format: int32
+                                                        type: integer
+                                                    required:
+                                                    - preference
+                                                    - weight
+                                                    type: object
+                                                  type: array
+                                                requiredDuringSchedulingIgnoredDuringExecution:
+                                                  description: If the affinity requirements
+                                                    specified by this field are not
+                                                    met at scheduling time, the pod
+                                                    will not be scheduled onto the
+                                                    node. If the affinity requirements
+                                                    specified by this field cease
+                                                    to be met at some point during
+                                                    pod execution (e.g. due to an
+                                                    update), the system may or may
+                                                    not try to eventually evict the
+                                                    pod from its node.
+                                                  properties:
+                                                    nodeSelectorTerms:
+                                                      description: Required. A list
+                                                        of node selector terms. The
+                                                        terms are ORed.
+                                                      items:
+                                                        description: A null or empty
+                                                          node selector term matches
+                                                          no objects. The requirements
+                                                          of them are ANDed. The TopologySelectorTerm
+                                                          type implements a subset
+                                                          of the NodeSelectorTerm.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's labels.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchFields:
+                                                            description: A list of
+                                                              node selector requirements
+                                                              by node's fields.
+                                                            items:
+                                                              description: A node
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: The
+                                                                    label key that
+                                                                    the selector applies
+                                                                    to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: Represents
+                                                                    a key's relationship
+                                                                    to a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists, DoesNotExist.
+                                                                    Gt, and Lt.
+                                                                  type: string
+                                                                values:
+                                                                  description: An
+                                                                    array of string
+                                                                    values. If the
+                                                                    operator is In
+                                                                    or NotIn, the
+                                                                    values array must
+                                                                    be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    If the operator
+                                                                    is Gt or Lt, the
+                                                                    values array must
+                                                                    have a single
+                                                                    element, which
+                                                                    will be interpreted
+                                                                    as an integer.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                        type: object
+                                                      type: array
+                                                  required:
+                                                  - nodeSelectorTerms
+                                                  type: object
+                                              type: object
+                                            podAffinity:
+                                              description: Describes pod affinity
+                                                scheduling rules (e.g. co-locate this
+                                                pod in the same node, zone, etc. as
+                                                some other pod(s)).
+                                              properties:
+                                                preferredDuringSchedulingIgnoredDuringExecution:
+                                                  description: The scheduler will
+                                                    prefer to schedule pods to nodes
+                                                    that satisfy the affinity expressions
+                                                    specified by this field, but it
+                                                    may choose a node that violates
+                                                    one or more of the expressions.
+                                                    The node that is most preferred
+                                                    is the one with the greatest sum
+                                                    of weights, i.e. for each node
+                                                    that meets all of the scheduling
+                                                    requirements (resource request,
+                                                    requiredDuringScheduling affinity
+                                                    expressions, etc.), compute a
+                                                    sum by iterating through the elements
+                                                    of this field and adding "weight"
+                                                    to the sum if the node has pods
+                                                    which matches the corresponding
+                                                    podAffinityTerm; the node(s) with
+                                                    the highest sum are the most preferred.
+                                                  items:
+                                                    description: The weights of all
+                                                      of the matched WeightedPodAffinityTerm
+                                                      fields are added per-node to
+                                                      find the most preferred node(s)
+                                                    properties:
+                                                      podAffinityTerm:
+                                                        description: Required. A pod
+                                                          affinity term, associated
+                                                          with the corresponding weight.
+                                                        properties:
+                                                          labelSelector:
+                                                            description: A label query
+                                                              over a set of resources,
+                                                              in this case pods.
+                                                            properties:
+                                                              matchExpressions:
+                                                                description: matchExpressions
+                                                                  is a list of label
+                                                                  selector requirements.
+                                                                  The requirements
+                                                                  are ANDed.
+                                                                items:
+                                                                  description: A label
+                                                                    selector requirement
+                                                                    is a selector
+                                                                    that contains
+                                                                    values, a key,
+                                                                    and an operator
+                                                                    that relates the
+                                                                    key and values.
+                                                                  properties:
+                                                                    key:
+                                                                      description: key
+                                                                        is the label
+                                                                        key that the
+                                                                        selector applies
+                                                                        to.
+                                                                      type: string
+                                                                    operator:
+                                                                      description: operator
+                                                                        represents
+                                                                        a key's relationship
+                                                                        to a set of
+                                                                        values. Valid
+                                                                        operators
+                                                                        are In, NotIn,
+                                                                        Exists and
+                                                                        DoesNotExist.
+                                                                      type: string
+                                                                    values:
+                                                                      description: values
+                                                                        is an array
+                                                                        of string
+                                                                        values. If
+                                                                        the operator
+                                                                        is In or NotIn,
+                                                                        the values
+                                                                        array must
+                                                                        be non-empty.
+                                                                        If the operator
+                                                                        is Exists
+                                                                        or DoesNotExist,
+                                                                        the values
+                                                                        array must
+                                                                        be empty.
+                                                                        This array
+                                                                        is replaced
+                                                                        during a strategic
+                                                                        merge patch.
+                                                                      items:
+                                                                        type: string
+                                                                      type: array
+                                                                  required:
+                                                                  - key
+                                                                  - operator
+                                                                  type: object
+                                                                type: array
+                                                              matchLabels:
+                                                                additionalProperties:
+                                                                  type: string
+                                                                description: matchLabels
+                                                                  is a map of {key,value}
+                                                                  pairs. A single
+                                                                  {key,value} in the
+                                                                  matchLabels map
+                                                                  is equivalent to
+                                                                  an element of matchExpressions,
+                                                                  whose key field
+                                                                  is "key", the operator
+                                                                  is "In", and the
+                                                                  values array contains
+                                                                  only "value". The
+                                                                  requirements are
+                                                                  ANDed.
+                                                                type: object
+                                                            type: object
+                                                          namespaces:
+                                                            description: namespaces
+                                                              specifies which namespaces
+                                                              the labelSelector applies
+                                                              to (matches against);
+                                                              null or empty list means
+                                                              "this pod's namespace"
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                          topologyKey:
+                                                            description: This pod
+                                                              should be co-located
+                                                              (affinity) or not co-located
+                                                              (anti-affinity) with
+                                                              the pods matching the
+                                                              labelSelector in the
+                                                              specified namespaces,
+                                                              where co-located is
+                                                              defined as running on
+                                                              a node whose value of
+                                                              the label with key topologyKey
+                                                              matches that of any
+                                                              node on which any of
+                                                              the selected pods is
+                                                              running. Empty topologyKey
+                                                              is not allowed.
+                                                            type: string
+                                                        required:
+                                                        - topologyKey
+                                                        type: object
+                                                      weight:
+                                                        description: weight associated
+                                                          with matching the corresponding
+                                                          podAffinityTerm, in the
+                                                          range 1-100.
+                                                        format: int32
+                                                        type: integer
+                                                    required:
+                                                    - podAffinityTerm
+                                                    - weight
+                                                    type: object
+                                                  type: array
+                                                requiredDuringSchedulingIgnoredDuringExecution:
+                                                  description: If the affinity requirements
+                                                    specified by this field are not
+                                                    met at scheduling time, the pod
+                                                    will not be scheduled onto the
+                                                    node. If the affinity requirements
+                                                    specified by this field cease
+                                                    to be met at some point during
+                                                    pod execution (e.g. due to a pod
+                                                    label update), the system may
+                                                    or may not try to eventually evict
+                                                    the pod from its node. When there
+                                                    are multiple elements, the lists
+                                                    of nodes corresponding to each
+                                                    podAffinityTerm are intersected,
+                                                    i.e. all terms must be satisfied.
+                                                  items:
+                                                    description: Defines a set of
+                                                      pods (namely those matching
+                                                      the labelSelector relative to
+                                                      the given namespace(s)) that
+                                                      this pod should be co-located
+                                                      (affinity) or not co-located
+                                                      (anti-affinity) with, where
+                                                      co-located is defined as running
+                                                      on a node whose value of the
+                                                      label with key <topologyKey>
+                                                      matches that of any node on
+                                                      which a pod of the set of pods
+                                                      is running
+                                                    properties:
+                                                      labelSelector:
+                                                        description: A label query
+                                                          over a set of resources,
+                                                          in this case pods.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: matchExpressions
+                                                              is a list of label selector
+                                                              requirements. The requirements
+                                                              are ANDed.
+                                                            items:
+                                                              description: A label
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: key
+                                                                    is the label key
+                                                                    that the selector
+                                                                    applies to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: operator
+                                                                    represents a key's
+                                                                    relationship to
+                                                                    a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists and DoesNotExist.
+                                                                  type: string
+                                                                values:
+                                                                  description: values
+                                                                    is an array of
+                                                                    string values.
+                                                                    If the operator
+                                                                    is In or NotIn,
+                                                                    the values array
+                                                                    must be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchLabels:
+                                                            additionalProperties:
+                                                              type: string
+                                                            description: matchLabels
+                                                              is a map of {key,value}
+                                                              pairs. A single {key,value}
+                                                              in the matchLabels map
+                                                              is equivalent to an
+                                                              element of matchExpressions,
+                                                              whose key field is "key",
+                                                              the operator is "In",
+                                                              and the values array
+                                                              contains only "value".
+                                                              The requirements are
+                                                              ANDed.
+                                                            type: object
+                                                        type: object
+                                                      namespaces:
+                                                        description: namespaces specifies
+                                                          which namespaces the labelSelector
+                                                          applies to (matches against);
+                                                          null or empty list means
+                                                          "this pod's namespace"
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                      topologyKey:
+                                                        description: This pod should
+                                                          be co-located (affinity)
+                                                          or not co-located (anti-affinity)
+                                                          with the pods matching the
+                                                          labelSelector in the specified
+                                                          namespaces, where co-located
+                                                          is defined as running on
+                                                          a node whose value of the
+                                                          label with key topologyKey
+                                                          matches that of any node
+                                                          on which any of the selected
+                                                          pods is running. Empty topologyKey
+                                                          is not allowed.
+                                                        type: string
+                                                    required:
+                                                    - topologyKey
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                            podAntiAffinity:
+                                              description: Describes pod anti-affinity
+                                                scheduling rules (e.g. avoid putting
+                                                this pod in the same node, zone, etc.
+                                                as some other pod(s)).
+                                              properties:
+                                                preferredDuringSchedulingIgnoredDuringExecution:
+                                                  description: The scheduler will
+                                                    prefer to schedule pods to nodes
+                                                    that satisfy the anti-affinity
+                                                    expressions specified by this
+                                                    field, but it may choose a node
+                                                    that violates one or more of the
+                                                    expressions. The node that is
+                                                    most preferred is the one with
+                                                    the greatest sum of weights, i.e.
+                                                    for each node that meets all of
+                                                    the scheduling requirements (resource
+                                                    request, requiredDuringScheduling
+                                                    anti-affinity expressions, etc.),
+                                                    compute a sum by iterating through
+                                                    the elements of this field and
+                                                    adding "weight" to the sum if
+                                                    the node has pods which matches
+                                                    the corresponding podAffinityTerm;
+                                                    the node(s) with the highest sum
+                                                    are the most preferred.
+                                                  items:
+                                                    description: The weights of all
+                                                      of the matched WeightedPodAffinityTerm
+                                                      fields are added per-node to
+                                                      find the most preferred node(s)
+                                                    properties:
+                                                      podAffinityTerm:
+                                                        description: Required. A pod
+                                                          affinity term, associated
+                                                          with the corresponding weight.
+                                                        properties:
+                                                          labelSelector:
+                                                            description: A label query
+                                                              over a set of resources,
+                                                              in this case pods.
+                                                            properties:
+                                                              matchExpressions:
+                                                                description: matchExpressions
+                                                                  is a list of label
+                                                                  selector requirements.
+                                                                  The requirements
+                                                                  are ANDed.
+                                                                items:
+                                                                  description: A label
+                                                                    selector requirement
+                                                                    is a selector
+                                                                    that contains
+                                                                    values, a key,
+                                                                    and an operator
+                                                                    that relates the
+                                                                    key and values.
+                                                                  properties:
+                                                                    key:
+                                                                      description: key
+                                                                        is the label
+                                                                        key that the
+                                                                        selector applies
+                                                                        to.
+                                                                      type: string
+                                                                    operator:
+                                                                      description: operator
+                                                                        represents
+                                                                        a key's relationship
+                                                                        to a set of
+                                                                        values. Valid
+                                                                        operators
+                                                                        are In, NotIn,
+                                                                        Exists and
+                                                                        DoesNotExist.
+                                                                      type: string
+                                                                    values:
+                                                                      description: values
+                                                                        is an array
+                                                                        of string
+                                                                        values. If
+                                                                        the operator
+                                                                        is In or NotIn,
+                                                                        the values
+                                                                        array must
+                                                                        be non-empty.
+                                                                        If the operator
+                                                                        is Exists
+                                                                        or DoesNotExist,
+                                                                        the values
+                                                                        array must
+                                                                        be empty.
+                                                                        This array
+                                                                        is replaced
+                                                                        during a strategic
+                                                                        merge patch.
+                                                                      items:
+                                                                        type: string
+                                                                      type: array
+                                                                  required:
+                                                                  - key
+                                                                  - operator
+                                                                  type: object
+                                                                type: array
+                                                              matchLabels:
+                                                                additionalProperties:
+                                                                  type: string
+                                                                description: matchLabels
+                                                                  is a map of {key,value}
+                                                                  pairs. A single
+                                                                  {key,value} in the
+                                                                  matchLabels map
+                                                                  is equivalent to
+                                                                  an element of matchExpressions,
+                                                                  whose key field
+                                                                  is "key", the operator
+                                                                  is "In", and the
+                                                                  values array contains
+                                                                  only "value". The
+                                                                  requirements are
+                                                                  ANDed.
+                                                                type: object
+                                                            type: object
+                                                          namespaces:
+                                                            description: namespaces
+                                                              specifies which namespaces
+                                                              the labelSelector applies
+                                                              to (matches against);
+                                                              null or empty list means
+                                                              "this pod's namespace"
+                                                            items:
+                                                              type: string
+                                                            type: array
+                                                          topologyKey:
+                                                            description: This pod
+                                                              should be co-located
+                                                              (affinity) or not co-located
+                                                              (anti-affinity) with
+                                                              the pods matching the
+                                                              labelSelector in the
+                                                              specified namespaces,
+                                                              where co-located is
+                                                              defined as running on
+                                                              a node whose value of
+                                                              the label with key topologyKey
+                                                              matches that of any
+                                                              node on which any of
+                                                              the selected pods is
+                                                              running. Empty topologyKey
+                                                              is not allowed.
+                                                            type: string
+                                                        required:
+                                                        - topologyKey
+                                                        type: object
+                                                      weight:
+                                                        description: weight associated
+                                                          with matching the corresponding
+                                                          podAffinityTerm, in the
+                                                          range 1-100.
+                                                        format: int32
+                                                        type: integer
+                                                    required:
+                                                    - podAffinityTerm
+                                                    - weight
+                                                    type: object
+                                                  type: array
+                                                requiredDuringSchedulingIgnoredDuringExecution:
+                                                  description: If the anti-affinity
+                                                    requirements specified by this
+                                                    field are not met at scheduling
+                                                    time, the pod will not be scheduled
+                                                    onto the node. If the anti-affinity
+                                                    requirements specified by this
+                                                    field cease to be met at some
+                                                    point during pod execution (e.g.
+                                                    due to a pod label update), the
+                                                    system may or may not try to eventually
+                                                    evict the pod from its node. When
+                                                    there are multiple elements, the
+                                                    lists of nodes corresponding to
+                                                    each podAffinityTerm are intersected,
+                                                    i.e. all terms must be satisfied.
+                                                  items:
+                                                    description: Defines a set of
+                                                      pods (namely those matching
+                                                      the labelSelector relative to
+                                                      the given namespace(s)) that
+                                                      this pod should be co-located
+                                                      (affinity) or not co-located
+                                                      (anti-affinity) with, where
+                                                      co-located is defined as running
+                                                      on a node whose value of the
+                                                      label with key <topologyKey>
+                                                      matches that of any node on
+                                                      which a pod of the set of pods
+                                                      is running
+                                                    properties:
+                                                      labelSelector:
+                                                        description: A label query
+                                                          over a set of resources,
+                                                          in this case pods.
+                                                        properties:
+                                                          matchExpressions:
+                                                            description: matchExpressions
+                                                              is a list of label selector
+                                                              requirements. The requirements
+                                                              are ANDed.
+                                                            items:
+                                                              description: A label
+                                                                selector requirement
+                                                                is a selector that
+                                                                contains values, a
+                                                                key, and an operator
+                                                                that relates the key
+                                                                and values.
+                                                              properties:
+                                                                key:
+                                                                  description: key
+                                                                    is the label key
+                                                                    that the selector
+                                                                    applies to.
+                                                                  type: string
+                                                                operator:
+                                                                  description: operator
+                                                                    represents a key's
+                                                                    relationship to
+                                                                    a set of values.
+                                                                    Valid operators
+                                                                    are In, NotIn,
+                                                                    Exists and DoesNotExist.
+                                                                  type: string
+                                                                values:
+                                                                  description: values
+                                                                    is an array of
+                                                                    string values.
+                                                                    If the operator
+                                                                    is In or NotIn,
+                                                                    the values array
+                                                                    must be non-empty.
+                                                                    If the operator
+                                                                    is Exists or DoesNotExist,
+                                                                    the values array
+                                                                    must be empty.
+                                                                    This array is
+                                                                    replaced during
+                                                                    a strategic merge
+                                                                    patch.
+                                                                  items:
+                                                                    type: string
+                                                                  type: array
+                                                              required:
+                                                              - key
+                                                              - operator
+                                                              type: object
+                                                            type: array
+                                                          matchLabels:
+                                                            additionalProperties:
+                                                              type: string
+                                                            description: matchLabels
+                                                              is a map of {key,value}
+                                                              pairs. A single {key,value}
+                                                              in the matchLabels map
+                                                              is equivalent to an
+                                                              element of matchExpressions,
+                                                              whose key field is "key",
+                                                              the operator is "In",
+                                                              and the values array
+                                                              contains only "value".
+                                                              The requirements are
+                                                              ANDed.
+                                                            type: object
+                                                        type: object
+                                                      namespaces:
+                                                        description: namespaces specifies
+                                                          which namespaces the labelSelector
+                                                          applies to (matches against);
+                                                          null or empty list means
+                                                          "this pod's namespace"
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                      topologyKey:
+                                                        description: This pod should
+                                                          be co-located (affinity)
+                                                          or not co-located (anti-affinity)
+                                                          with the pods matching the
+                                                          labelSelector in the specified
+                                                          namespaces, where co-located
+                                                          is defined as running on
+                                                          a node whose value of the
+                                                          label with key topologyKey
+                                                          matches that of any node
+                                                          on which any of the selected
+                                                          pods is running. Empty topologyKey
+                                                          is not allowed.
+                                                        type: string
+                                                    required:
+                                                    - topologyKey
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                          type: object
+                                        nodeSelector:
+                                          additionalProperties:
+                                            type: string
+                                          description: 'NodeSelector is a selector
+                                            which must be true for the pod to fit
+                                            on a node. Selector which must match a
+                                            node''s labels for the pod to be scheduled
+                                            on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
+                                          type: object
+                                        priorityClassName:
+                                          description: If specified, the pod's priorityClassName.
+                                          type: string
+                                        serviceAccountName:
+                                          description: If specified, the pod's service
+                                            account
+                                          type: string
+                                        tolerations:
+                                          description: If specified, the pod's tolerations.
+                                          items:
+                                            description: The pod this Toleration is
+                                              attached to tolerates any taint that
+                                              matches the triple <key,value,effect>
+                                              using the matching operator <operator>.
+                                            properties:
+                                              effect:
+                                                description: Effect indicates the
+                                                  taint effect to match. Empty means
+                                                  match all taint effects. When specified,
+                                                  allowed values are NoSchedule, PreferNoSchedule
+                                                  and NoExecute.
+                                                type: string
+                                              key:
+                                                description: Key is the taint key
+                                                  that the toleration applies to.
+                                                  Empty means match all taint keys.
+                                                  If the key is empty, operator must
+                                                  be Exists; this combination means
+                                                  to match all values and all keys.
+                                                type: string
+                                              operator:
+                                                description: Operator represents a
+                                                  key's relationship to the value.
+                                                  Valid operators are Exists and Equal.
+                                                  Defaults to Equal. Exists is equivalent
+                                                  to wildcard for value, so that a
+                                                  pod can tolerate all taints of a
+                                                  particular category.
+                                                type: string
+                                              tolerationSeconds:
+                                                description: TolerationSeconds represents
+                                                  the period of time the toleration
+                                                  (which must be of effect NoExecute,
+                                                  otherwise this field is ignored)
+                                                  tolerates the taint. By default,
+                                                  it is not set, which means tolerate
+                                                  the taint forever (do not evict).
+                                                  Zero and negative values will be
+                                                  treated as 0 (evict immediately)
+                                                  by the system.
+                                                format: int64
+                                                type: integer
+                                              value:
+                                                description: Value is the taint value
+                                                  the toleration matches to. If the
+                                                  operator is Exists, the value should
+                                                  be empty, otherwise just a regular
+                                                  string.
+                                                type: string
+                                            type: object
+                                          type: array
+                                      type: object
+                                  type: object
+                                serviceType:
+                                  description: Optional service type for Kubernetes
+                                    solver service
+                                  type: string
+                              type: object
+                          type: object
+                        selector:
+                          description: Selector selects a set of DNSNames on the Certificate
+                            resource that should be solved using this challenge solver.
+                            If not specified, the solver will be treated as the 'default'
+                            solver with the lowest priority, i.e. if any other solver
+                            has a more specific match, it will be used instead.
+                          properties:
+                            dnsNames:
+                              description: List of DNSNames that this solver will
+                                be used to solve. If specified and a match is found,
+                                a dnsNames selector will take precedence over a dnsZones
+                                selector. If multiple solvers match with the same
+                                dnsNames value, the solver with the most matching
+                                labels in matchLabels will be selected. If neither
+                                has more matches, the solver defined earlier in the
+                                list will be selected.
+                              items:
+                                type: string
+                              type: array
+                            dnsZones:
+                              description: List of DNSZones that this solver will
+                                be used to solve. The most specific DNS zone match
+                                specified here will take precedence over other DNS
+                                zone matches, so a solver specifying sys.example.com
+                                will be selected over one specifying example.com for
+                                the domain www.sys.example.com. If multiple solvers
+                                match with the same dnsZones value, the solver with
+                                the most matching labels in matchLabels will be selected.
+                                If neither has more matches, the solver defined earlier
+                                in the list will be selected.
+                              items:
+                                type: string
+                              type: array
+                            matchLabels:
+                              additionalProperties:
+                                type: string
+                              description: A label selector that is used to refine
+                                the set of certificate's that this challenge solver
+                                will apply to.
+                              type: object
+                          type: object
+                      type: object
+                    type: array
+                required:
+                - privateKeySecretRef
+                - server
+                type: object
+              ca:
+                description: CA configures this issuer to sign certificates using
+                  a signing CA keypair stored in a Secret resource. This is used to
+                  build internal PKIs that are managed by cert-manager.
+                properties:
+                  crlDistributionPoints:
+                    description: The CRL distribution points is an X.509 v3 certificate
+                      extension which identifies the location of the CRL from which
+                      the revocation of this certificate can be checked. If not set,
+                      certificates will be issued without distribution points set.
+                    items:
+                      type: string
+                    type: array
+                  secretName:
+                    description: SecretName is the name of the secret used to sign
+                      Certificates issued by this Issuer.
+                    type: string
+                required:
+                - secretName
+                type: object
+              selfSigned:
+                description: SelfSigned configures this issuer to 'self sign' certificates
+                  using the private key used to create the CertificateRequest object.
+                properties:
+                  crlDistributionPoints:
+                    description: The CRL distribution points is an X.509 v3 certificate
+                      extension which identifies the location of the CRL from which
+                      the revocation of this certificate can be checked. If not set
+                      certificate will be issued without CDP. Values are strings.
+                    items:
+                      type: string
+                    type: array
+                type: object
+              vault:
+                description: Vault configures this issuer to sign certificates using
+                  a HashiCorp Vault PKI backend.
+                properties:
+                  auth:
+                    description: Auth configures how cert-manager authenticates with
+                      the Vault server.
+                    properties:
+                      appRole:
+                        description: AppRole authenticates with Vault using the App
+                          Role auth mechanism, with the role and secret stored in
+                          a Kubernetes Secret resource.
+                        properties:
+                          path:
+                            description: 'Path where the App Role authentication backend
+                              is mounted in Vault, e.g: "approle"'
+                            type: string
+                          roleId:
+                            description: RoleID configured in the App Role authentication
+                              backend when setting up the authentication backend in
+                              Vault.
+                            type: string
+                          secretRef:
+                            description: Reference to a key in a Secret that contains
+                              the App Role secret used to authenticate with Vault.
+                              The `key` field must be specified and denotes which
+                              entry within the Secret resource is used as the app
+                              role secret.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - path
+                        - roleId
+                        - secretRef
+                        type: object
+                      kubernetes:
+                        description: Kubernetes authenticates with Vault by passing
+                          the ServiceAccount token stored in the named Secret resource
+                          to the Vault server.
+                        properties:
+                          mountPath:
+                            description: The Vault mountPath here is the mount path
+                              to use when authenticating with Vault. For example,
+                              setting a value to `/v1/auth/foo`, will use the path
+                              `/v1/auth/foo/login` to authenticate with Vault. If
+                              unspecified, the default value "/v1/auth/kubernetes"
+                              will be used.
+                            type: string
+                          role:
+                            description: A required field containing the Vault Role
+                              to assume. A Role binds a Kubernetes ServiceAccount
+                              with a set of Vault policies.
+                            type: string
+                          secretRef:
+                            description: The required Secret field containing a Kubernetes
+                              ServiceAccount JWT used for authenticating with Vault.
+                              Use of 'ambient credentials' is not supported.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - role
+                        - secretRef
+                        type: object
+                      tokenSecretRef:
+                        description: TokenSecretRef authenticates with Vault by presenting
+                          a token.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                    type: object
+                  caBundle:
+                    description: PEM encoded CA bundle used to validate Vault server
+                      certificate. Only used if the Server URL is using HTTPS protocol.
+                      This parameter is ignored for plain HTTP protocol connection.
+                      If not set the system root certificates are used to validate
+                      the TLS connection.
+                    format: byte
+                    type: string
+                  namespace:
+                    description: 'Name of the vault namespace. Namespaces is a set
+                      of features within Vault Enterprise that allows Vault environments
+                      to support Secure Multi-tenancy. e.g: "ns1" More about namespaces
+                      can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
+                    type: string
+                  path:
+                    description: 'Path is the mount path of the Vault PKI backend''s
+                      `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
+                    type: string
+                  server:
+                    description: 'Server is the connection address for the Vault server,
+                      e.g: "https://vault.example.com:8200".'
+                    type: string
+                required:
+                - auth
+                - path
+                - server
+                type: object
+              venafi:
+                description: Venafi configures this issuer to sign certificates using
+                  a Venafi TPP or Venafi Cloud policy zone.
+                properties:
+                  cloud:
+                    description: Cloud specifies the Venafi cloud configuration settings.
+                      Only one of TPP or Cloud may be specified.
+                    properties:
+                      apiTokenSecretRef:
+                        description: APITokenSecretRef is a secret key selector for
+                          the Venafi Cloud API token.
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      url:
+                        description: URL is the base URL for Venafi Cloud. Defaults
+                          to "https://api.venafi.cloud/v1".
+                        type: string
+                    required:
+                    - apiTokenSecretRef
+                    type: object
+                  tpp:
+                    description: TPP specifies Trust Protection Platform configuration
+                      settings. Only one of TPP or Cloud may be specified.
+                    properties:
+                      caBundle:
+                        description: CABundle is a PEM encoded TLS certificate to
+                          use to verify connections to the TPP instance. If specified,
+                          system roots will not be used and the issuing CA for the
+                          TPP instance must be verifiable using the provided root.
+                          If not specified, the connection will be verified using
+                          the cert-manager system root certificates.
+                        format: byte
+                        type: string
+                      credentialsRef:
+                        description: CredentialsRef is a reference to a Secret containing
+                          the username and password for the TPP server. The secret
+                          must contain two keys, 'username' and 'password'.
+                        properties:
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      url:
+                        description: 'URL is the base URL for the vedsdk endpoint
+                          of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
+                        type: string
+                    required:
+                    - credentialsRef
+                    - url
+                    type: object
+                  zone:
+                    description: Zone is the Venafi Policy Zone to use for this issuer.
+                      All requests made to the Venafi platform will be restricted
+                      by the named zone policy. This field is required.
+                    type: string
+                required:
+                - zone
+                type: object
+            type: object
+          status:
+            description: Status of the Issuer. This is set and managed automatically.
+            properties:
+              acme:
+                description: ACME specific status options. This field should only
+                  be set if the Issuer is configured to use an ACME server to issue
+                  certificates.
+                properties:
+                  lastRegisteredEmail:
+                    description: LastRegisteredEmail is the email associated with
+                      the latest registered ACME account, in order to track changes
+                      made to registered account associated with the  Issuer
+                    type: string
+                  uri:
+                    description: URI is the unique account identifier, which can also
+                      be used to retrieve account details from the CA
+                    type: string
+                type: object
+              conditions:
+                description: List of status conditions to indicate the status of a
+                  CertificateRequest. Known condition types are `Ready`.
+                items:
+                  description: IssuerCondition contains condition information for
+                    an Issuer.
+                  properties:
+                    lastTransitionTime:
+                      description: LastTransitionTime is the timestamp corresponding
+                        to the last status change of this condition.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Message is a human readable description of the
+                        details of the last transition, complementing reason.
+                      type: string
+                    reason:
+                      description: Reason is a brief machine readable explanation
+                        for the condition's last transition.
+                      type: string
+                    status:
+                      description: Status of the condition, one of ('True', 'False',
+                        'Unknown').
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: Type of the condition, known values are ('Ready').
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
+  labels:
+    app: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: orders.acme.cert-manager.io
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          name: cert-manager-webhook
+          namespace: cert-manager
+          path: /convert
+      conversionReviewVersions:
+      - v1
+      - v1beta1
+  group: acme.cert-manager.io
+  names:
+    kind: Order
+    listKind: OrderList
+    plural: orders
+    singular: order
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .status.state
+      name: State
+      type: string
+    - jsonPath: .spec.issuerRef.name
+      name: Issuer
+      priority: 1
+      type: string
+    - jsonPath: .status.reason
+      name: Reason
+      priority: 1
+      type: string
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC.
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: Order is a type to represent an Order with an ACME server
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              commonName:
+                description: CommonName is the common name as specified on the DER
+                  encoded CSR. If specified, this value must also be present in `dnsNames`.
+                  This field must match the corresponding field on the DER encoded
+                  CSR.
+                type: string
+              csr:
+                description: Certificate signing request bytes in DER encoding. This
+                  will be used when finalizing the order. This field must be set on
+                  the order.
+                format: byte
+                type: string
+              dnsNames:
+                description: DNSNames is a list of DNS names that should be included
+                  as part of the Order validation process. This field must match the
+                  corresponding field on the DER encoded CSR.
+                items:
+                  type: string
+                type: array
+              issuerRef:
+                description: IssuerRef references a properly configured ACME-type
+                  Issuer which should be used to create this Order. If the Issuer
+                  does not exist, processing will be retried. If the Issuer is not
+                  an 'ACME' Issuer, an error will be returned and the Order will be
+                  marked as failed.
+                properties:
+                  group:
+                    description: Group of the resource being referred to.
+                    type: string
+                  kind:
+                    description: Kind of the resource being referred to.
+                    type: string
+                  name:
+                    description: Name of the resource being referred to.
+                    type: string
+                required:
+                - name
+                type: object
+            required:
+            - csr
+            - dnsNames
+            - issuerRef
+            type: object
+          status:
+            properties:
+              authorizations:
+                description: Authorizations contains data returned from the ACME server
+                  on what authorizations must be completed in order to validate the
+                  DNS names specified on the Order.
+                items:
+                  description: ACMEAuthorization contains data returned from the ACME
+                    server on an authorization that must be completed in order validate
+                    a DNS name on an ACME Order resource.
+                  properties:
+                    challenges:
+                      description: Challenges specifies the challenge types offered
+                        by the ACME server. One of these challenge types will be selected
+                        when validating the DNS name and an appropriate Challenge
+                        resource will be created to perform the ACME challenge process.
+                      items:
+                        description: Challenge specifies a challenge offered by the
+                          ACME server for an Order. An appropriate Challenge resource
+                          can be created to perform the ACME challenge process.
+                        properties:
+                          token:
+                            description: Token is the token that must be presented
+                              for this challenge. This is used to compute the 'key'
+                              that must also be presented.
+                            type: string
+                          type:
+                            description: Type is the type of challenge being offered,
+                              e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
+                              the raw value retrieved from the ACME server. Only 'http-01'
+                              and 'dns-01' are supported by cert-manager, other values
+                              will be ignored.
+                            type: string
+                          url:
+                            description: URL is the URL of this challenge. It can
+                              be used to retrieve additional metadata about the Challenge
+                              from the ACME server.
+                            type: string
+                        required:
+                        - token
+                        - type
+                        - url
+                        type: object
+                      type: array
+                    identifier:
+                      description: Identifier is the DNS name to be validated as part
+                        of this authorization
+                      type: string
+                    initialState:
+                      description: InitialState is the initial state of the ACME authorization
+                        when first fetched from the ACME server. If an Authorization
+                        is already 'valid', the Order controller will not create a
+                        Challenge resource for the authorization. This will occur
+                        when working with an ACME server that enables 'authz reuse'
+                        (such as Let's Encrypt's production endpoint). If not set
+                        and 'identifier' is set, the state is assumed to be pending
+                        and a Challenge will be created.
+                      enum:
+                      - valid
+                      - ready
+                      - pending
+                      - processing
+                      - invalid
+                      - expired
+                      - errored
+                      type: string
+                    url:
+                      description: URL is the URL of the Authorization that must be
+                        completed
+                      type: string
+                    wildcard:
+                      description: Wildcard will be true if this authorization is
+                        for a wildcard DNS name. If this is true, the identifier will
+                        be the *non-wildcard* version of the DNS name. For example,
+                        if '*.example.com' is the DNS name being validated, this field
+                        will be 'true' and the 'identifier' field will be 'example.com'.
+                      type: boolean
+                  required:
+                  - url
+                  type: object
+                type: array
+              certificate:
+                description: Certificate is a copy of the PEM encoded certificate
+                  for this Order. This field will be populated after the order has
+                  been successfully finalized with the ACME server, and the order
+                  has transitioned to the 'valid' state.
+                format: byte
+                type: string
+              failureTime:
+                description: FailureTime stores the time that this order failed. This
+                  is used to influence garbage collection and back-off.
+                format: date-time
+                type: string
+              finalizeURL:
+                description: FinalizeURL of the Order. This is used to obtain certificates
+                  for this order once it has been completed.
+                type: string
+              reason:
+                description: Reason optionally provides more information about a why
+                  the order is in the current state.
+                type: string
+              state:
+                description: State contains the current state of this Order resource.
+                  States 'success' and 'expired' are 'final'
+                enum:
+                - valid
+                - ready
+                - pending
+                - processing
+                - invalid
+                - expired
+                - errored
+                type: string
+              url:
+                description: URL of the Order. This will initially be empty when the
+                  resource is first created. The Order controller will populate this
+                  field when the Order is first processed. This field will be immutable
+                  after it is initially set.
+                type: string
+            type: object
+        required:
+        - metadata
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .status.state
+      name: State
+      type: string
+    - jsonPath: .spec.issuerRef.name
+      name: Issuer
+      priority: 1
+      type: string
+    - jsonPath: .status.reason
+      name: Reason
+      priority: 1
+      type: string
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC.
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        description: Order is a type to represent an Order with an ACME server
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              commonName:
+                description: CommonName is the common name as specified on the DER
+                  encoded CSR. If specified, this value must also be present in `dnsNames`.
+                  This field must match the corresponding field on the DER encoded
+                  CSR.
+                type: string
+              csr:
+                description: Certificate signing request bytes in DER encoding. This
+                  will be used when finalizing the order. This field must be set on
+                  the order.
+                format: byte
+                type: string
+              dnsNames:
+                description: DNSNames is a list of DNS names that should be included
+                  as part of the Order validation process. This field must match the
+                  corresponding field on the DER encoded CSR.
+                items:
+                  type: string
+                type: array
+              issuerRef:
+                description: IssuerRef references a properly configured ACME-type
+                  Issuer which should be used to create this Order. If the Issuer
+                  does not exist, processing will be retried. If the Issuer is not
+                  an 'ACME' Issuer, an error will be returned and the Order will be
+                  marked as failed.
+                properties:
+                  group:
+                    description: Group of the resource being referred to.
+                    type: string
+                  kind:
+                    description: Kind of the resource being referred to.
+                    type: string
+                  name:
+                    description: Name of the resource being referred to.
+                    type: string
+                required:
+                - name
+                type: object
+            required:
+            - csr
+            - dnsNames
+            - issuerRef
+            type: object
+          status:
+            properties:
+              authorizations:
+                description: Authorizations contains data returned from the ACME server
+                  on what authorizations must be completed in order to validate the
+                  DNS names specified on the Order.
+                items:
+                  description: ACMEAuthorization contains data returned from the ACME
+                    server on an authorization that must be completed in order validate
+                    a DNS name on an ACME Order resource.
+                  properties:
+                    challenges:
+                      description: Challenges specifies the challenge types offered
+                        by the ACME server. One of these challenge types will be selected
+                        when validating the DNS name and an appropriate Challenge
+                        resource will be created to perform the ACME challenge process.
+                      items:
+                        description: Challenge specifies a challenge offered by the
+                          ACME server for an Order. An appropriate Challenge resource
+                          can be created to perform the ACME challenge process.
+                        properties:
+                          token:
+                            description: Token is the token that must be presented
+                              for this challenge. This is used to compute the 'key'
+                              that must also be presented.
+                            type: string
+                          type:
+                            description: Type is the type of challenge being offered,
+                              e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
+                              the raw value retrieved from the ACME server. Only 'http-01'
+                              and 'dns-01' are supported by cert-manager, other values
+                              will be ignored.
+                            type: string
+                          url:
+                            description: URL is the URL of this challenge. It can
+                              be used to retrieve additional metadata about the Challenge
+                              from the ACME server.
+                            type: string
+                        required:
+                        - token
+                        - type
+                        - url
+                        type: object
+                      type: array
+                    identifier:
+                      description: Identifier is the DNS name to be validated as part
+                        of this authorization
+                      type: string
+                    initialState:
+                      description: InitialState is the initial state of the ACME authorization
+                        when first fetched from the ACME server. If an Authorization
+                        is already 'valid', the Order controller will not create a
+                        Challenge resource for the authorization. This will occur
+                        when working with an ACME server that enables 'authz reuse'
+                        (such as Let's Encrypt's production endpoint). If not set
+                        and 'identifier' is set, the state is assumed to be pending
+                        and a Challenge will be created.
+                      enum:
+                      - valid
+                      - ready
+                      - pending
+                      - processing
+                      - invalid
+                      - expired
+                      - errored
+                      type: string
+                    url:
+                      description: URL is the URL of the Authorization that must be
+                        completed
+                      type: string
+                    wildcard:
+                      description: Wildcard will be true if this authorization is
+                        for a wildcard DNS name. If this is true, the identifier will
+                        be the *non-wildcard* version of the DNS name. For example,
+                        if '*.example.com' is the DNS name being validated, this field
+                        will be 'true' and the 'identifier' field will be 'example.com'.
+                      type: boolean
+                  required:
+                  - url
+                  type: object
+                type: array
+              certificate:
+                description: Certificate is a copy of the PEM encoded certificate
+                  for this Order. This field will be populated after the order has
+                  been successfully finalized with the ACME server, and the order
+                  has transitioned to the 'valid' state.
+                format: byte
+                type: string
+              failureTime:
+                description: FailureTime stores the time that this order failed. This
+                  is used to influence garbage collection and back-off.
+                format: date-time
+                type: string
+              finalizeURL:
+                description: FinalizeURL of the Order. This is used to obtain certificates
+                  for this order once it has been completed.
+                type: string
+              reason:
+                description: Reason optionally provides more information about a why
+                  the order is in the current state.
+                type: string
+              state:
+                description: State contains the current state of this Order resource.
+                  States 'success' and 'expired' are 'final'
+                enum:
+                - valid
+                - ready
+                - pending
+                - processing
+                - invalid
+                - expired
+                - errored
+                type: string
+              url:
+                description: URL of the Order. This will initially be empty when the
+                  resource is first created. The Order controller will populate this
+                  field when the Order is first processed. This field will be immutable
+                  after it is initially set.
+                type: string
+            type: object
+        required:
+        - metadata
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .status.state
+      name: State
+      type: string
+    - jsonPath: .spec.issuerRef.name
+      name: Issuer
+      priority: 1
+      type: string
+    - jsonPath: .status.reason
+      name: Reason
+      priority: 1
+      type: string
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC.
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: Order is a type to represent an Order with an ACME server
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              commonName:
+                description: CommonName is the common name as specified on the DER
+                  encoded CSR. If specified, this value must also be present in `dnsNames`.
+                  This field must match the corresponding field on the DER encoded
+                  CSR.
+                type: string
+              dnsNames:
+                description: DNSNames is a list of DNS names that should be included
+                  as part of the Order validation process. This field must match the
+                  corresponding field on the DER encoded CSR.
+                items:
+                  type: string
+                type: array
+              issuerRef:
+                description: IssuerRef references a properly configured ACME-type
+                  Issuer which should be used to create this Order. If the Issuer
+                  does not exist, processing will be retried. If the Issuer is not
+                  an 'ACME' Issuer, an error will be returned and the Order will be
+                  marked as failed.
+                properties:
+                  group:
+                    description: Group of the resource being referred to.
+                    type: string
+                  kind:
+                    description: Kind of the resource being referred to.
+                    type: string
+                  name:
+                    description: Name of the resource being referred to.
+                    type: string
+                required:
+                - name
+                type: object
+              request:
+                description: Certificate signing request bytes in DER encoding. This
+                  will be used when finalizing the order. This field must be set on
+                  the order.
+                format: byte
+                type: string
+            required:
+            - dnsNames
+            - issuerRef
+            - request
+            type: object
+          status:
+            properties:
+              authorizations:
+                description: Authorizations contains data returned from the ACME server
+                  on what authorizations must be completed in order to validate the
+                  DNS names specified on the Order.
+                items:
+                  description: ACMEAuthorization contains data returned from the ACME
+                    server on an authorization that must be completed in order validate
+                    a DNS name on an ACME Order resource.
+                  properties:
+                    challenges:
+                      description: Challenges specifies the challenge types offered
+                        by the ACME server. One of these challenge types will be selected
+                        when validating the DNS name and an appropriate Challenge
+                        resource will be created to perform the ACME challenge process.
+                      items:
+                        description: Challenge specifies a challenge offered by the
+                          ACME server for an Order. An appropriate Challenge resource
+                          can be created to perform the ACME challenge process.
+                        properties:
+                          token:
+                            description: Token is the token that must be presented
+                              for this challenge. This is used to compute the 'key'
+                              that must also be presented.
+                            type: string
+                          type:
+                            description: Type is the type of challenge being offered,
+                              e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
+                              the raw value retrieved from the ACME server. Only 'http-01'
+                              and 'dns-01' are supported by cert-manager, other values
+                              will be ignored.
+                            type: string
+                          url:
+                            description: URL is the URL of this challenge. It can
+                              be used to retrieve additional metadata about the Challenge
+                              from the ACME server.
+                            type: string
+                        required:
+                        - token
+                        - type
+                        - url
+                        type: object
+                      type: array
+                    identifier:
+                      description: Identifier is the DNS name to be validated as part
+                        of this authorization
+                      type: string
+                    initialState:
+                      description: InitialState is the initial state of the ACME authorization
+                        when first fetched from the ACME server. If an Authorization
+                        is already 'valid', the Order controller will not create a
+                        Challenge resource for the authorization. This will occur
+                        when working with an ACME server that enables 'authz reuse'
+                        (such as Let's Encrypt's production endpoint). If not set
+                        and 'identifier' is set, the state is assumed to be pending
+                        and a Challenge will be created.
+                      enum:
+                      - valid
+                      - ready
+                      - pending
+                      - processing
+                      - invalid
+                      - expired
+                      - errored
+                      type: string
+                    url:
+                      description: URL is the URL of the Authorization that must be
+                        completed
+                      type: string
+                    wildcard:
+                      description: Wildcard will be true if this authorization is
+                        for a wildcard DNS name. If this is true, the identifier will
+                        be the *non-wildcard* version of the DNS name. For example,
+                        if '*.example.com' is the DNS name being validated, this field
+                        will be 'true' and the 'identifier' field will be 'example.com'.
+                      type: boolean
+                  required:
+                  - url
+                  type: object
+                type: array
+              certificate:
+                description: Certificate is a copy of the PEM encoded certificate
+                  for this Order. This field will be populated after the order has
+                  been successfully finalized with the ACME server, and the order
+                  has transitioned to the 'valid' state.
+                format: byte
+                type: string
+              failureTime:
+                description: FailureTime stores the time that this order failed. This
+                  is used to influence garbage collection and back-off.
+                format: date-time
+                type: string
+              finalizeURL:
+                description: FinalizeURL of the Order. This is used to obtain certificates
+                  for this order once it has been completed.
+                type: string
+              reason:
+                description: Reason optionally provides more information about a why
+                  the order is in the current state.
+                type: string
+              state:
+                description: State contains the current state of this Order resource.
+                  States 'success' and 'expired' are 'final'
+                enum:
+                - valid
+                - ready
+                - pending
+                - processing
+                - invalid
+                - expired
+                - errored
+                type: string
+              url:
+                description: URL of the Order. This will initially be empty when the
+                  resource is first created. The Order controller will populate this
+                  field when the Order is first processed. This field will be immutable
+                  after it is initially set.
+                type: string
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .status.state
+      name: State
+      type: string
+    - jsonPath: .spec.issuerRef.name
+      name: Issuer
+      priority: 1
+      type: string
+    - jsonPath: .status.reason
+      name: Reason
+      priority: 1
+      type: string
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC.
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
+    schema:
+      openAPIV3Schema:
+        description: Order is a type to represent an Order with an ACME server
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              commonName:
+                description: CommonName is the common name as specified on the DER
+                  encoded CSR. If specified, this value must also be present in `dnsNames`.
+                  This field must match the corresponding field on the DER encoded
+                  CSR.
+                type: string
+              dnsNames:
+                description: DNSNames is a list of DNS names that should be included
+                  as part of the Order validation process. This field must match the
+                  corresponding field on the DER encoded CSR.
+                items:
+                  type: string
+                type: array
+              issuerRef:
+                description: IssuerRef references a properly configured ACME-type
+                  Issuer which should be used to create this Order. If the Issuer
+                  does not exist, processing will be retried. If the Issuer is not
+                  an 'ACME' Issuer, an error will be returned and the Order will be
+                  marked as failed.
+                properties:
+                  group:
+                    description: Group of the resource being referred to.
+                    type: string
+                  kind:
+                    description: Kind of the resource being referred to.
+                    type: string
+                  name:
+                    description: Name of the resource being referred to.
+                    type: string
+                required:
+                - name
+                type: object
+              request:
+                description: Certificate signing request bytes in DER encoding. This
+                  will be used when finalizing the order. This field must be set on
+                  the order.
+                format: byte
+                type: string
+            required:
+            - dnsNames
+            - issuerRef
+            - request
+            type: object
+          status:
+            properties:
+              authorizations:
+                description: Authorizations contains data returned from the ACME server
+                  on what authorizations must be completed in order to validate the
+                  DNS names specified on the Order.
+                items:
+                  description: ACMEAuthorization contains data returned from the ACME
+                    server on an authorization that must be completed in order validate
+                    a DNS name on an ACME Order resource.
+                  properties:
+                    challenges:
+                      description: Challenges specifies the challenge types offered
+                        by the ACME server. One of these challenge types will be selected
+                        when validating the DNS name and an appropriate Challenge
+                        resource will be created to perform the ACME challenge process.
+                      items:
+                        description: Challenge specifies a challenge offered by the
+                          ACME server for an Order. An appropriate Challenge resource
+                          can be created to perform the ACME challenge process.
+                        properties:
+                          token:
+                            description: Token is the token that must be presented
+                              for this challenge. This is used to compute the 'key'
+                              that must also be presented.
+                            type: string
+                          type:
+                            description: Type is the type of challenge being offered,
+                              e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
+                              the raw value retrieved from the ACME server. Only 'http-01'
+                              and 'dns-01' are supported by cert-manager, other values
+                              will be ignored.
+                            type: string
+                          url:
+                            description: URL is the URL of this challenge. It can
+                              be used to retrieve additional metadata about the Challenge
+                              from the ACME server.
+                            type: string
+                        required:
+                        - token
+                        - type
+                        - url
+                        type: object
+                      type: array
+                    identifier:
+                      description: Identifier is the DNS name to be validated as part
+                        of this authorization
+                      type: string
+                    initialState:
+                      description: InitialState is the initial state of the ACME authorization
+                        when first fetched from the ACME server. If an Authorization
+                        is already 'valid', the Order controller will not create a
+                        Challenge resource for the authorization. This will occur
+                        when working with an ACME server that enables 'authz reuse'
+                        (such as Let's Encrypt's production endpoint). If not set
+                        and 'identifier' is set, the state is assumed to be pending
+                        and a Challenge will be created.
+                      enum:
+                      - valid
+                      - ready
+                      - pending
+                      - processing
+                      - invalid
+                      - expired
+                      - errored
+                      type: string
+                    url:
+                      description: URL is the URL of the Authorization that must be
+                        completed
+                      type: string
+                    wildcard:
+                      description: Wildcard will be true if this authorization is
+                        for a wildcard DNS name. If this is true, the identifier will
+                        be the *non-wildcard* version of the DNS name. For example,
+                        if '*.example.com' is the DNS name being validated, this field
+                        will be 'true' and the 'identifier' field will be 'example.com'.
+                      type: boolean
+                  required:
+                  - url
+                  type: object
+                type: array
+              certificate:
+                description: Certificate is a copy of the PEM encoded certificate
+                  for this Order. This field will be populated after the order has
+                  been successfully finalized with the ACME server, and the order
+                  has transitioned to the 'valid' state.
+                format: byte
+                type: string
+              failureTime:
+                description: FailureTime stores the time that this order failed. This
+                  is used to influence garbage collection and back-off.
+                format: date-time
+                type: string
+              finalizeURL:
+                description: FinalizeURL of the Order. This is used to obtain certificates
+                  for this order once it has been completed.
+                type: string
+              reason:
+                description: Reason optionally provides more information about a why
+                  the order is in the current state.
+                type: string
+              state:
+                description: State contains the current state of this Order resource.
+                  States 'success' and 'expired' are 'final'
+                enum:
+                - valid
+                - ready
+                - pending
+                - processing
+                - invalid
+                - expired
+                - errored
+                type: string
+              url:
+                description: URL of the Order. This will initially be empty when the
+                  resource is first created. The Order controller will populate this
+                  field when the Order is first processed. This field will be immutable
+                  after it is initially set.
+                type: string
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: cainjector
+    app.kubernetes.io/component: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cainjector
+  name: cert-manager-cainjector
+  namespace: cert-manager
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager
+  namespace: cert-manager
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: webhook
+    app.kubernetes.io/component: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: webhook
+  name: cert-manager-webhook
+  namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: cainjector
+    app.kubernetes.io/component: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cainjector
+  name: cert-manager-cainjector
+rules:
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - get
+  - create
+  - update
+  - patch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  - mutatingwebhookconfigurations
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - apiregistration.k8s.io
+  resources:
+  - apiservices
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - auditregistration.k8s.io
+  resources:
+  - auditsinks
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager-controller-issuers
+rules:
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - issuers
+  - issuers/status
+  verbs:
+  - update
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - issuers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager-controller-clusterissuers
+rules:
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - clusterissuers
+  - clusterissuers/status
+  verbs:
+  - update
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - clusterissuers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager-controller-certificates
+rules:
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates
+  - certificates/status
+  - certificaterequests
+  - certificaterequests/status
+  verbs:
+  - update
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates
+  - certificaterequests
+  - clusterissuers
+  - issuers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates/finalizers
+  - certificaterequests/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - acme.cert-manager.io
+  resources:
+  - orders
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager-controller-orders
+rules:
+- apiGroups:
+  - acme.cert-manager.io
+  resources:
+  - orders
+  - orders/status
+  verbs:
+  - update
+- apiGroups:
+  - acme.cert-manager.io
+  resources:
+  - orders
+  - challenges
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - clusterissuers
+  - issuers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - acme.cert-manager.io
+  resources:
+  - challenges
+  verbs:
+  - create
+  - delete
+- apiGroups:
+  - acme.cert-manager.io
+  resources:
+  - orders/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager-controller-challenges
+rules:
+- apiGroups:
+  - acme.cert-manager.io
+  resources:
+  - challenges
+  - challenges/status
+  verbs:
+  - update
+- apiGroups:
+  - acme.cert-manager.io
+  resources:
+  - challenges
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - issuers
+  - clusterissuers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - delete
+- apiGroups:
+  - extensions
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - delete
+  - update
+- apiGroups:
+  - route.openshift.io
+  resources:
+  - routes/custom-host
+  verbs:
+  - create
+- apiGroups:
+  - acme.cert-manager.io
+  resources:
+  - challenges/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager-controller-ingress-shim
+rules:
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates
+  - certificaterequests
+  verbs:
+  - create
+  - update
+  - delete
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates
+  - certificaterequests
+  - issuers
+  - clusterissuers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - extensions
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - extensions
+  resources:
+  - ingresses/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+  name: cert-manager-view
+rules:
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates
+  - certificaterequests
+  - issuers
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+  name: cert-manager-edit
+rules:
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates
+  - certificaterequests
+  - issuers
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: cainjector
+    app.kubernetes.io/component: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cainjector
+  name: cert-manager-cainjector
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-cainjector
+subjects:
+- kind: ServiceAccount
+  name: cert-manager-cainjector
+  namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager-controller-issuers
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-issuers
+subjects:
+- kind: ServiceAccount
+  name: cert-manager
+  namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager-controller-clusterissuers
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-clusterissuers
+subjects:
+- kind: ServiceAccount
+  name: cert-manager
+  namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager-controller-certificates
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-certificates
+subjects:
+- kind: ServiceAccount
+  name: cert-manager
+  namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager-controller-orders
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-orders
+subjects:
+- kind: ServiceAccount
+  name: cert-manager
+  namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager-controller-challenges
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-challenges
+subjects:
+- kind: ServiceAccount
+  name: cert-manager
+  namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager-controller-ingress-shim
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-ingress-shim
+subjects:
+- kind: ServiceAccount
+  name: cert-manager
+  namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app: cainjector
+    app.kubernetes.io/component: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cainjector
+  name: cert-manager-cainjector:leaderelection
+  namespace: kube-system
+rules:
+- apiGroups:
+  - ""
+  resourceNames:
+  - cert-manager-cainjector-leader-election
+  - cert-manager-cainjector-leader-election-core
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager:leaderelection
+  namespace: kube-system
+rules:
+- apiGroups:
+  - ""
+  resourceNames:
+  - cert-manager-controller
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app: webhook
+    app.kubernetes.io/component: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: webhook
+  name: cert-manager-webhook:dynamic-serving
+  namespace: cert-manager
+rules:
+- apiGroups:
+  - ""
+  resourceNames:
+  - cert-manager-webhook-ca
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app: cainjector
+    app.kubernetes.io/component: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cainjector
+  name: cert-manager-cainjector:leaderelection
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-manager-cainjector:leaderelection
+subjects:
+- kind: ServiceAccount
+  name: cert-manager-cainjector
+  namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager:leaderelection
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-manager:leaderelection
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: cert-manager
+  namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app: webhook
+    app.kubernetes.io/component: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: webhook
+  name: cert-manager-webhook:dynamic-serving
+  namespace: cert-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-manager-webhook:dynamic-serving
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: cert-manager-webhook
+  namespace: cert-manager
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  ports:
+  - port: 9402
+    protocol: TCP
+    targetPort: 9402
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: webhook
+    app.kubernetes.io/component: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: webhook
+  name: cert-manager-webhook
+  namespace: cert-manager
+spec:
+  ports:
+  - name: https
+    port: 443
+    targetPort: 10250
+  selector:
+    app.kubernetes.io/component: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: webhook
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: cainjector
+    app.kubernetes.io/component: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cainjector
+  name: cert-manager-cainjector
+  namespace: cert-manager
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: cainjector
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/name: cainjector
+  template:
+    metadata:
+      labels:
+        app: cainjector
+        app.kubernetes.io/component: cainjector
+        app.kubernetes.io/instance: cert-manager
+        app.kubernetes.io/name: cainjector
+    spec:
+      containers:
+      - args:
+        - --v=2
+        - --leader-election-namespace=kube-system
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: quay.io/jetstack/cert-manager-cainjector:v1.0.4
+        imagePullPolicy: IfNotPresent
+        name: cert-manager
+        resources: {}
+      serviceAccountName: cert-manager-cainjector
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/name: cert-manager
+  template:
+    metadata:
+      annotations:
+        prometheus.io/path: /metrics
+        prometheus.io/port: "9402"
+        prometheus.io/scrape: "true"
+      labels:
+        app: cert-manager
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: cert-manager
+        app.kubernetes.io/name: cert-manager
+    spec:
+      containers:
+      - args:
+        - --v=2
+        - --cluster-resource-namespace=$(POD_NAMESPACE)
+        - --leader-election-namespace=kube-system
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: quay.io/jetstack/cert-manager-controller:v1.0.4
+        imagePullPolicy: IfNotPresent
+        name: cert-manager
+        ports:
+        - containerPort: 9402
+          protocol: TCP
+        resources: {}
+      serviceAccountName: cert-manager
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: webhook
+    app.kubernetes.io/component: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: webhook
+  name: cert-manager-webhook
+  namespace: cert-manager
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: webhook
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/name: webhook
+  template:
+    metadata:
+      labels:
+        app: webhook
+        app.kubernetes.io/component: webhook
+        app.kubernetes.io/instance: cert-manager
+        app.kubernetes.io/name: webhook
+    spec:
+      containers:
+      - args:
+        - --v=2
+        - --secure-port=10250
+        - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
+        - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
+        - --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: quay.io/jetstack/cert-manager-webhook:v1.0.4
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /livez
+            port: 6080
+            scheme: HTTP
+          initialDelaySeconds: 60
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: cert-manager
+        ports:
+        - containerPort: 10250
+          name: https
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 6080
+            scheme: HTTP
+          initialDelaySeconds: 5
+          periodSeconds: 5
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources: {}
+      serviceAccountName: cert-manager-webhook
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
+  labels:
+    app: webhook
+    app.kubernetes.io/component: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: webhook
+  name: cert-manager-webhook
+webhooks:
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: cert-manager-webhook
+      namespace: cert-manager
+      path: /mutate
+  failurePolicy: Fail
+  name: webhook.cert-manager.io
+  rules:
+  - apiGroups:
+    - cert-manager.io
+    - acme.cert-manager.io
+    apiVersions:
+    - '*'
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - '*/*'
+  sideEffects: None
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
+  labels:
+    app: webhook
+    app.kubernetes.io/component: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: webhook
+  name: cert-manager-webhook
+webhooks:
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: cert-manager-webhook
+      namespace: cert-manager
+      path: /validate
+  failurePolicy: Fail
+  name: webhook.cert-manager.io
+  namespaceSelector:
+    matchExpressions:
+    - key: cert-manager.io/disable-validation
+      operator: NotIn
+      values:
+      - "true"
+    - key: name
+      operator: NotIn
+      values:
+      - cert-manager
+  rules:
+  - apiGroups:
+    - cert-manager.io
+    - acme.cert-manager.io
+    apiVersions:
+    - '*'
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - '*/*'
+  sideEffects: None
+
diff --git a/kubernetes/cert-manager/certificate.yaml b/kubernetes/cert-manager/certificate.yaml
new file mode 100644
index 0000000..afcb9a8
--- /dev/null
+++ b/kubernetes/cert-manager/certificate.yaml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: example-app
+  namespace: default
+spec:
+  dnsNames:
+    - marcel.guru
+  secretName: example-app-tls
+  issuerRef:
+    name: letsencrypt-cluster-issuer
+    kind: ClusterIssuer
\ No newline at end of file
diff --git a/kubernetes/cert-manager/ingress.yaml b/kubernetes/cert-manager/ingress.yaml
new file mode 100644
index 0000000..8267274
--- /dev/null
+++ b/kubernetes/cert-manager/ingress.yaml
@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+  name: example-app
+spec:
+  tls:
+  - hosts:
+    - marcel.guru
+    secretName: example-app-tls
+  rules:
+  - host: marcel.guru
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service: 
+            name: example-service
+            port: 
+              number: 80
\ No newline at end of file
diff --git a/kubernetes/cert-manager/test.yaml b/kubernetes/cert-manager/test.yaml
new file mode 100644
index 0000000..736b876
--- /dev/null
+++ b/kubernetes/cert-manager/test.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager-test
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: test-selfsigned
+  namespace: cert-manager-test
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: selfsigned-cert
+  namespace: cert-manager-test
+spec:
+  dnsNames:
+    - example.com
+  secretName: selfsigned-cert-tls
+  issuerRef:
+    name: test-selfsigned
\ No newline at end of file

From 88a86f681a0112076b49ef347ebecf955e170e1c Mon Sep 17 00:00:00 2001
From: marcel-dempers <aimvec@gmail.com>
Date: Sun, 6 Dec 2020 22:41:46 +1100
Subject: [PATCH 8/8] cert-manager refactoring

---
 kubernetes/cert-manager/README.md             | 56 +++++++++----------
 .../cert-manager/selfsigned/certificate.yaml  | 11 ++++
 .../cert-manager/selfsigned/issuer.yaml       |  7 +++
 kubernetes/cert-manager/test.yaml             | 24 --------
 4 files changed, 45 insertions(+), 53 deletions(-)
 create mode 100644 kubernetes/cert-manager/selfsigned/certificate.yaml
 create mode 100644 kubernetes/cert-manager/selfsigned/issuer.yaml
 delete mode 100644 kubernetes/cert-manager/test.yaml

diff --git a/kubernetes/cert-manager/README.md b/kubernetes/cert-manager/README.md
index 86d5326..2257cfe 100644
--- a/kubernetes/cert-manager/README.md
+++ b/kubernetes/cert-manager/README.md
@@ -9,20 +9,15 @@ kind create cluster --name certmanager --image kindest/node:v1.19.1
 ```
 
 
-## Issuer 
+## Concepts 
 
-https://cert-manager.io/docs/concepts/issuer/
-
-
-## Certificate
-
-https://cert-manager.io/docs/concepts/certificate/
-
-
-## CertificateRequests
-
-## Orders and Challenges
+It's important to understand the various concepts and new Kubernetes resources that <br/>
+`cert-manager` introduces.
 
+* Issuers [docs](https://cert-manager.io/docs/concepts/issuer/)
+* Certificate [docs](https://cert-manager.io/docs/concepts/certificate/)
+* CertificateRequests [docs](https://cert-manager.io/docs/concepts/certificaterequest/)
+* Orders and Challenges [docs](https://cert-manager.io/docs/concepts/acme-orders-challenges/)
 
 ## Installation 
 
@@ -95,21 +90,22 @@ replicaset.apps/cert-manager-webhook-578954cdd       1         1         1
 Let's create some test certificates
 
 ```
- kubectl apply -f test.yaml
+kubectl create ns cert-manager-test
 
-  kubectl describe certificate -n cert-manager-test
+kubectl apply -f ./selfsigned/issuer.yaml
+
+kubectl apply -f ./selfsigned/certificate.yaml
+
+kubectl describe certificate -n cert-manager-test
+kubectl get secrets -n cert-manager-test
+
+kubectl delete ns cert-manager-test
 ```
 
 ## Configuration 
 
-
 https://cert-manager.io/docs/configuration/
 
-
-## DNS
-
-## HTTP
-
 ## Ingress Controller
 
 Let's deploy an Ingress controller: <br/>
@@ -120,7 +116,6 @@ kubectl create ns ingress-nginx
 kubectl -n ingress-nginx apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.41.2/deploy/static/provider/cloud/deploy.yaml
 
 kubectl -n ingress-nginx get pods
-kubectl -n ingress-nginx get svc
 
 kubectl -n ingress-nginx --address 0.0.0.0 port-forward svc/ingress-nginx-controller 80
 kubectl -n ingress-nginx --address 0.0.0.0 port-forward svc/ingress-nginx-controller 443
@@ -155,6 +150,17 @@ kubectl describe clusterissuer letsencrypt-cluster-issuer
 
 ```
 
+## Deploy a pod that uses SSL
+
+```
+kubectl apply -f .\kubernetes\deployments\
+kubectl apply -f .\kubernetes\services\
+kubectl get pods
+# deploy an ingress route
+kubectl apply -f .\kubernetes\cert-manager\ingress.yaml
+
+```
+
 ## Issue Certificate 
 
 ```
@@ -168,12 +174,4 @@ kubectl describe certificate example-app
 kubectl get secrets
 NAME                  TYPE                                  DATA   AGE
 example-app-tls       kubernetes.io/tls                     2      84m
-```
-
-## Deploy a pod that uses SSL
-
-```
-kubectl apply -f .\kubernetes\deployments\
-kubectl apply -f .\kubernetes\configmaps\
-kubectl apply -f .\kubernetes\services\
 ```
\ No newline at end of file
diff --git a/kubernetes/cert-manager/selfsigned/certificate.yaml b/kubernetes/cert-manager/selfsigned/certificate.yaml
new file mode 100644
index 0000000..ea72c52
--- /dev/null
+++ b/kubernetes/cert-manager/selfsigned/certificate.yaml
@@ -0,0 +1,11 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: selfsigned-cert
+  namespace: cert-manager-test
+spec:
+  dnsNames:
+    - example.com
+  secretName: selfsigned-cert-tls
+  issuerRef:
+    name: test-selfsigned
\ No newline at end of file
diff --git a/kubernetes/cert-manager/selfsigned/issuer.yaml b/kubernetes/cert-manager/selfsigned/issuer.yaml
new file mode 100644
index 0000000..4be5561
--- /dev/null
+++ b/kubernetes/cert-manager/selfsigned/issuer.yaml
@@ -0,0 +1,7 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: test-selfsigned
+  namespace: cert-manager-test
+spec:
+  selfSigned: {}
\ No newline at end of file
diff --git a/kubernetes/cert-manager/test.yaml b/kubernetes/cert-manager/test.yaml
deleted file mode 100644
index 736b876..0000000
--- a/kubernetes/cert-manager/test.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: cert-manager-test
----
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
-  name: test-selfsigned
-  namespace: cert-manager-test
-spec:
-  selfSigned: {}
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: selfsigned-cert
-  namespace: cert-manager-test
-spec:
-  dnsNames:
-    - example.com
-  secretName: selfsigned-cert-tls
-  issuerRef:
-    name: test-selfsigned
\ No newline at end of file