--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.15.0 operatorframework.io/installed-alongside-7f57c23bcf345a9c: cert-manager-operator/cert-manager-operator.v1.18.0 creationTimestamp: "2025-12-04T00:56:09Z" generation: 1 labels: olm.managed: "true" operators.coreos.com/openshift-cert-manager-operator.cert-manager-operator: "" managedFields: - apiVersion: apiextensions.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:controller-gen.kubebuilder.io/version: {} f:operatorframework.io/installed-alongside-7f57c23bcf345a9c: {} f:labels: .: {} f:olm.managed: {} f:spec: f:conversion: .: {} f:strategy: {} f:group: {} f:names: f:kind: {} f:listKind: {} f:plural: {} f:singular: {} f:scope: {} f:versions: {} manager: catalog operation: Update time: "2025-12-04T00:56:09Z" - apiVersion: apiextensions.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:status: f:acceptedNames: f:kind: {} f:listKind: {} f:plural: {} f:singular: {} f:conditions: k:{"type":"Established"}: .: {} f:lastTransitionTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} k:{"type":"NamesAccepted"}: .: {} f:lastTransitionTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} manager: kube-apiserver operation: Update subresource: status time: "2025-12-04T00:56:09Z" - apiVersion: apiextensions.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:labels: f:operators.coreos.com/openshift-cert-manager-operator.cert-manager-operator: {} manager: olm operation: Update time: "2025-12-04T00:56:16Z" name: certmanagers.operator.openshift.io resourceVersion: "19792" uid: 0613c9fe-8ccc-44f0-92af-bd45ba998fd4 spec: conversion: strategy: None group: operator.openshift.io names: kind: CertManager listKind: CertManagerList plural: certmanagers singular: certmanager scope: Cluster versions: - name: v1alpha1 schema: openAPIV3Schema: description: CertManager is the Schema for the certmanagers API properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: CertManagerSpec defines the desired state of CertManager properties: cainjectorConfig: description: |- CAInjectorConfig specifies further customization options for the cainjector's deployment spec. Possible customizations include the following, For OverrideArgs, --namespace string If set, this limits the scope of cainjector to a single namespace. If set, cainjector will not update resources with certificates outside of the configured namespace. --v Level number for the log level verbosity properties: overrideArgs: items: type: string type: array overrideEnv: items: description: EnvVar represents an environment variable present in a Container. properties: name: description: Name of the environment variable. Must be a C_IDENTIFIER. type: string value: description: |- Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "". type: string valueFrom: description: Source for the environment variable's value. Cannot be used if value is not empty. properties: configMapKeyRef: description: Selects a key of a ConfigMap. properties: key: description: The key to select. type: string name: default: "" description: |- Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string optional: description: Specify whether the ConfigMap or its key must be defined type: boolean required: - key type: object x-kubernetes-map-type: atomic fieldRef: description: |- Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath is written in terms of, defaults to "v1". type: string fieldPath: description: Path of the field to select in the specified API version. type: string required: - fieldPath type: object x-kubernetes-map-type: atomic resourceFieldRef: description: |- Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for volumes, optional for env vars' type: string divisor: anyOf: - type: integer - type: string description: Specifies the output format of the exposed resources, defaults to "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: description: 'Required: resource to select' type: string required: - resource type: object x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: default: "" description: |- Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string optional: description: Specify whether the Secret or its key must be defined type: boolean required: - key type: object x-kubernetes-map-type: atomic type: object required: - name type: object type: array overrideLabels: additionalProperties: type: string type: object overrideReplicas: description: |- OverrideReplicas defines the number of replicas for the operand deployment. If not specified, the default replicas from the deployment manifest will be used. format: int32 minimum: 1 type: integer overrideResources: description: |- CertManagerResourceRequirements describes the compute resource requirements for the cert-manager operands, namely the controller, webhook and cainjector. properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true description: |- Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true description: |- Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object overrideScheduling: description: |- CertManagerScheduling describes the scheduling configurations for the cert-manager operands, namely the controller, webhook and cainjector. properties: nodeSelector: additionalProperties: type: string description: |- NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object x-kubernetes-map-type: atomic tolerations: description: |- Tolerations are attached to the pod to tolerate any taint that matches the taint's key, value and effect using the toleration's matching operator. More info: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ items: description: |- The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . properties: effect: description: |- Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: description: |- Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: description: |- Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. type: string tolerationSeconds: description: |- TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: description: |- Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array x-kubernetes-list-type: atomic type: object type: object controllerConfig: description: |- ControllerConfig specifies further customization options for the controller's deployment spec. Possible customizations include the following, For OverrideArgs, This field appends values to .spec.template.spec.containers[...].args. The container that will be selected will be based on image present on the spec. Possible values are, Eg: - "--acme-http01-solver-nameservers="8.8.8.8:53,1.1.1.1:53" - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" - "--dns01-recursive-nameservers-only" For OverrideEnvs, This field appends values to .spec.template.spec.containers[...].env. The container that will be selected will be based on image present on the spec. Possible values are, Eg: - "HTTP_PROXY": "http://proxy:8080" properties: overrideArgs: items: type: string type: array overrideEnv: items: description: EnvVar represents an environment variable present in a Container. properties: name: description: Name of the environment variable. Must be a C_IDENTIFIER. type: string value: description: |- Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "". type: string valueFrom: description: Source for the environment variable's value. Cannot be used if value is not empty. properties: configMapKeyRef: description: Selects a key of a ConfigMap. properties: key: description: The key to select. type: string name: default: "" description: |- Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string optional: description: Specify whether the ConfigMap or its key must be defined type: boolean required: - key type: object x-kubernetes-map-type: atomic fieldRef: description: |- Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath is written in terms of, defaults to "v1". type: string fieldPath: description: Path of the field to select in the specified API version. type: string required: - fieldPath type: object x-kubernetes-map-type: atomic resourceFieldRef: description: |- Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for volumes, optional for env vars' type: string divisor: anyOf: - type: integer - type: string description: Specifies the output format of the exposed resources, defaults to "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: description: 'Required: resource to select' type: string required: - resource type: object x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: default: "" description: |- Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string optional: description: Specify whether the Secret or its key must be defined type: boolean required: - key type: object x-kubernetes-map-type: atomic type: object required: - name type: object type: array overrideLabels: additionalProperties: type: string type: object overrideReplicas: description: |- OverrideReplicas defines the number of replicas for the operand deployment. If not specified, the default replicas from the deployment manifest will be used. format: int32 minimum: 1 type: integer overrideResources: description: |- CertManagerResourceRequirements describes the compute resource requirements for the cert-manager operands, namely the controller, webhook and cainjector. properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true description: |- Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true description: |- Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object overrideScheduling: description: |- CertManagerScheduling describes the scheduling configurations for the cert-manager operands, namely the controller, webhook and cainjector. properties: nodeSelector: additionalProperties: type: string description: |- NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object x-kubernetes-map-type: atomic tolerations: description: |- Tolerations are attached to the pod to tolerate any taint that matches the taint's key, value and effect using the toleration's matching operator. More info: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ items: description: |- The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . properties: effect: description: |- Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: description: |- Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: description: |- Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. type: string tolerationSeconds: description: |- TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: description: |- Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array x-kubernetes-list-type: atomic type: object type: object defaultNetworkPolicy: description: |- DefaultNetworkPolicy enables the default network policy for cert-manager components. When set to "true", the operator will create default network policies to secure communication between cert-manager controller, webhook, and cainjector components. When set to "false" or empty, no default network policies are created. Valid values are: "true", "false", or empty (default: false). This field is immutable once set to "true" for security reasons. Network policies cannot be disabled once enabled to prevent accidental security degradation. Users should carefully plan their network policy requirements before enabling this field. enum: - "true" - "false" - "" type: string x-kubernetes-validations: - message: defaultNetworkPolicy cannot be changed from 'true' to 'false' once set rule: oldSelf != 'true' || self == 'true' logLevel: default: Normal description: |- logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a simple way to manage coarse grained logging choices that operators have to interpret for their operands. Valid values are: "Normal", "Debug", "Trace", "TraceAll". Defaults to "Normal". enum: - "" - Normal - Debug - Trace - TraceAll type: string managementState: description: managementState indicates whether and how the operator should manage the component pattern: ^(Managed|Unmanaged|Force|Removed)$ type: string networkPolicies: description: |- NetworkPolicies specifies the egress network policy configuration to be applied to cert-manager pods/operands when DefaultNetworkPolicy is "true". By default, enabling network policies creates a deny-all policy that blocks all outgoing traffic from cert-manager components. Ingress rules are automatically handled by the operator based on the current running ports. Use this field to provide the necessary egress policy rules that allow required outbound traffic for cert-manager to function properly (e.g., API server communication, external issuer access, etc.). Each NetworkPolicy in this slice will be created as a separate Kubernetes NetworkPolicy resource. Multiple policies can be defined to organize egress rules logically (e.g., separate policies for different types of outbound traffic or different security zones). This field is only effective when DefaultNetworkPolicy is set to "true". If DefaultNetworkPolicy is "true" but this field is not provided, cert-manager components will be isolated with deny-all egress policies. This field is immutable once DefaultNetworkPolicy is set to "true" for security reasons. items: description: |- NetworkPolicy represents a custom network policy configuration for operator-managed components. It includes a name for identification and the network policy rules to be enforced. properties: componentName: description: ComponentName represents the different cert-manager components that can have network policies applied. enum: - CoreController type: string egress: description: |- egress is a list of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). The operator will automatically handle ingress rules based on the current running ports. items: description: |- NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8 properties: ports: description: |- ports is a list of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list. items: description: NetworkPolicyPort describes a port to allow traffic on properties: endPort: description: |- endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. format: int32 type: integer port: anyOf: - type: integer - type: string description: |- port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched. x-kubernetes-int-or-string: true protocol: default: TCP description: |- protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. type: string type: object type: array x-kubernetes-list-type: atomic to: description: |- to is a list of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list. items: description: |- NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed properties: ipBlock: description: |- ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be. properties: cidr: description: |- cidr is a string representing the IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64" type: string except: description: |- except is a slice of CIDRs that should not be included within an IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64" Except values will be rejected if they are outside the cidr range items: type: string type: array x-kubernetes-list-type: atomic required: - cidr type: object namespaceSelector: description: |- namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces. If podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: |- operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: |- values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: |- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic podSelector: description: |- podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods. If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: |- operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: |- values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: |- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object type: array x-kubernetes-list-type: atomic type: object type: array x-kubernetes-list-type: atomic name: description: |- Name is a unique identifier for this network policy configuration. This name will be used as part of the generated NetworkPolicy resource name. maxLength: 253 minLength: 1 type: string required: - componentName - name type: object maxItems: 50 minItems: 0 type: array x-kubernetes-list-map-keys: - name - componentName x-kubernetes-list-type: map x-kubernetes-validations: - message: name and componentName fields in networkPolicies are immutable rule: oldSelf.all(op, self.exists(p, p.name == op.name && p.componentName == op.componentName)) observedConfig: description: |- observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because it is an input to the level for the operator nullable: true type: object x-kubernetes-preserve-unknown-fields: true operatorLogLevel: default: Normal description: |- operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a simple way to manage coarse grained logging choices that operators have to interpret for themselves. Valid values are: "Normal", "Debug", "Trace", "TraceAll". Defaults to "Normal". enum: - "" - Normal - Debug - Trace - TraceAll type: string unsupportedConfigOverrides: description: |- unsupportedConfigOverrides overrides the final configuration that was computed by the operator. Red Hat does not support the use of this field. Misuse of this field could lead to unexpected behavior or conflict with other configuration options. Seek guidance from the Red Hat support before using this field. Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. nullable: true type: object x-kubernetes-preserve-unknown-fields: true webhookConfig: description: |- WebhookConfig specifies further customization options for the webhook's deployment spec. Possible customizations include the following, For OverrideArgs, --config string Path to a file containing a WebhookConfiguration object used to configure the webhook --dynamic-serving-ca-secret-name string name of the secret used to store the CA that signs serving certificates certificates --dynamic-serving-ca-secret-namespace string namespace of the secret used to store the CA that signs serving certificates --dynamic-serving-dns-names strings DNS names that should be present on certificates generated by the dynamic serving CA --v Level number for the log level verbosity properties: overrideArgs: items: type: string type: array overrideEnv: items: description: EnvVar represents an environment variable present in a Container. properties: name: description: Name of the environment variable. Must be a C_IDENTIFIER. type: string value: description: |- Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "". type: string valueFrom: description: Source for the environment variable's value. Cannot be used if value is not empty. properties: configMapKeyRef: description: Selects a key of a ConfigMap. properties: key: description: The key to select. type: string name: default: "" description: |- Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string optional: description: Specify whether the ConfigMap or its key must be defined type: boolean required: - key type: object x-kubernetes-map-type: atomic fieldRef: description: |- Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath is written in terms of, defaults to "v1". type: string fieldPath: description: Path of the field to select in the specified API version. type: string required: - fieldPath type: object x-kubernetes-map-type: atomic resourceFieldRef: description: |- Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for volumes, optional for env vars' type: string divisor: anyOf: - type: integer - type: string description: Specifies the output format of the exposed resources, defaults to "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: description: 'Required: resource to select' type: string required: - resource type: object x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: default: "" description: |- Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string optional: description: Specify whether the Secret or its key must be defined type: boolean required: - key type: object x-kubernetes-map-type: atomic type: object required: - name type: object type: array overrideLabels: additionalProperties: type: string type: object overrideReplicas: description: |- OverrideReplicas defines the number of replicas for the operand deployment. If not specified, the default replicas from the deployment manifest will be used. format: int32 minimum: 1 type: integer overrideResources: description: |- CertManagerResourceRequirements describes the compute resource requirements for the cert-manager operands, namely the controller, webhook and cainjector. properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true description: |- Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true description: |- Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object overrideScheduling: description: |- CertManagerScheduling describes the scheduling configurations for the cert-manager operands, namely the controller, webhook and cainjector. properties: nodeSelector: additionalProperties: type: string description: |- NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object x-kubernetes-map-type: atomic tolerations: description: |- Tolerations are attached to the pod to tolerate any taint that matches the taint's key, value and effect using the toleration's matching operator. More info: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ items: description: |- The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . properties: effect: description: |- Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: description: |- Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: description: |- Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. type: string tolerationSeconds: description: |- TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: description: |- Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array x-kubernetes-list-type: atomic type: object type: object type: object status: description: CertManagerStatus defines the observed state of CertManager properties: conditions: description: conditions is a list of conditions and their status items: description: OperatorCondition is just the standard condition fields. properties: lastTransitionTime: description: |- lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: type: string reason: type: string status: description: status of the condition, one of True, False, Unknown. enum: - "True" - "False" - Unknown type: string type: description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - lastTransitionTime - status - type type: object type: array x-kubernetes-list-map-keys: - type x-kubernetes-list-type: map generations: description: generations are used to determine when an item needs to be reconciled or has changed in a way that needs a reaction. items: description: GenerationStatus keeps track of the generation for a given resource so that decisions about forced updates can be made. properties: group: description: group is the group of the thing you're tracking type: string hash: description: hash is an optional field set for resources without generation that are content sensitive like secrets and configmaps type: string lastGeneration: description: lastGeneration is the last generation of the workload controller involved format: int64 type: integer name: description: name is the name of the thing you're tracking type: string namespace: description: namespace is where the thing you're tracking is type: string resource: description: resource is the resource type of the thing you're tracking type: string required: - group - name - namespace - resource type: object type: array x-kubernetes-list-map-keys: - group - resource - namespace - name x-kubernetes-list-type: map latestAvailableRevision: description: latestAvailableRevision is the deploymentID of the most recent deployment format: int32 type: integer x-kubernetes-validations: - message: must only increase rule: self >= oldSelf observedGeneration: description: observedGeneration is the last generation change you've dealt with format: int64 type: integer readyReplicas: description: readyReplicas indicates how many replicas are ready and at the desired state format: int32 type: integer version: description: version is the level this availability applies to type: string type: object required: - spec type: object served: true storage: true subresources: status: {} status: acceptedNames: kind: CertManager listKind: CertManagerList plural: certmanagers singular: certmanager conditions: - lastTransitionTime: "2025-12-04T00:56:09Z" message: no conflicts found reason: NoConflicts status: "True" type: NamesAccepted - lastTransitionTime: "2025-12-04T00:56:09Z" message: the initial names have been accepted reason: InitialNamesAccepted status: "True" type: Established storedVersions: - v1alpha1