[cert-manager] Upgrade to v1.8.0 (#8688)
This commit is contained in:
parent
29109575f5
commit
0481dd946f
3 changed files with 170 additions and 59 deletions
|
@ -914,7 +914,7 @@ ingress_nginx_controller_image_repo: "{{ kube_image_repo }}/ingress-nginx/contro
|
||||||
ingress_nginx_controller_image_tag: "v1.1.1"
|
ingress_nginx_controller_image_tag: "v1.1.1"
|
||||||
alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
|
alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
|
||||||
alb_ingress_image_tag: "v1.1.9"
|
alb_ingress_image_tag: "v1.1.9"
|
||||||
cert_manager_version: "v1.7.2"
|
cert_manager_version: "v1.8.0"
|
||||||
cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller"
|
cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller"
|
||||||
cert_manager_controller_image_tag: "{{ cert_manager_version }}"
|
cert_manager_controller_image_tag: "{{ cert_manager_version }}"
|
||||||
cert_manager_cainjector_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-cainjector"
|
cert_manager_cainjector_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-cainjector"
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# Copyright 2022 The cert-manager Authors.
|
# Copyright 2021 The cert-manager Authors.
|
||||||
#
|
#
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
# you may not use this file except in compliance with the License.
|
# you may not use this file except in compliance with the License.
|
||||||
|
@ -12,14 +12,11 @@
|
||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
---
|
# Source: cert-manager/templates/crd-templates.yaml
|
||||||
# Source: cert-manager/templates/templates.out
|
|
||||||
apiVersion: apiextensions.k8s.io/v1
|
apiVersion: apiextensions.k8s.io/v1
|
||||||
kind: CustomResourceDefinition
|
kind: CustomResourceDefinition
|
||||||
metadata:
|
metadata:
|
||||||
name: certificaterequests.cert-manager.io
|
name: certificaterequests.cert-manager.io
|
||||||
annotations:
|
|
||||||
cert-manager.io/inject-ca-from-secret: '{{ cert_manager_namespace }}/cert-manager-webhook-ca'
|
|
||||||
labels:
|
labels:
|
||||||
app: 'cert-manager'
|
app: 'cert-manager'
|
||||||
app.kubernetes.io/name: 'cert-manager'
|
app.kubernetes.io/name: 'cert-manager'
|
||||||
|
@ -205,6 +202,9 @@ spec:
|
||||||
type:
|
type:
|
||||||
description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
|
description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
|
||||||
type: string
|
type: string
|
||||||
|
x-kubernetes-list-map-keys:
|
||||||
|
- type
|
||||||
|
x-kubernetes-list-type: map
|
||||||
failureTime:
|
failureTime:
|
||||||
description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
|
description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
|
||||||
type: string
|
type: string
|
||||||
|
@ -212,13 +212,11 @@ spec:
|
||||||
served: true
|
served: true
|
||||||
storage: true
|
storage: true
|
||||||
---
|
---
|
||||||
# Source: cert-manager/templates/templates.out
|
# Source: cert-manager/templates/crd-templates.yaml
|
||||||
apiVersion: apiextensions.k8s.io/v1
|
apiVersion: apiextensions.k8s.io/v1
|
||||||
kind: CustomResourceDefinition
|
kind: CustomResourceDefinition
|
||||||
metadata:
|
metadata:
|
||||||
name: certificates.cert-manager.io
|
name: certificates.cert-manager.io
|
||||||
annotations:
|
|
||||||
cert-manager.io/inject-ca-from-secret: '{{ cert_manager_namespace }}/cert-manager-webhook-ca'
|
|
||||||
labels:
|
labels:
|
||||||
app: 'cert-manager'
|
app: 'cert-manager'
|
||||||
app.kubernetes.io/name: 'cert-manager'
|
app.kubernetes.io/name: 'cert-manager'
|
||||||
|
@ -408,6 +406,9 @@ spec:
|
||||||
rotationPolicy:
|
rotationPolicy:
|
||||||
description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility.
|
description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility.
|
||||||
type: string
|
type: string
|
||||||
|
enum:
|
||||||
|
- Never
|
||||||
|
- Always
|
||||||
size:
|
size:
|
||||||
description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed.
|
description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed.
|
||||||
type: integer
|
type: integer
|
||||||
|
@ -550,6 +551,12 @@ spec:
|
||||||
type:
|
type:
|
||||||
description: Type of the condition, known values are (`Ready`, `Issuing`).
|
description: Type of the condition, known values are (`Ready`, `Issuing`).
|
||||||
type: string
|
type: string
|
||||||
|
x-kubernetes-list-map-keys:
|
||||||
|
- type
|
||||||
|
x-kubernetes-list-type: map
|
||||||
|
failedIssuanceAttempts:
|
||||||
|
description: The number of continuous failed issuance attempts up till now. This field gets removed (if set) on a successful issuance and gets set to 1 if unset and an issuance has failed. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1).
|
||||||
|
type: integer
|
||||||
lastFailureTime:
|
lastFailureTime:
|
||||||
description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time.
|
description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time.
|
||||||
type: string
|
type: string
|
||||||
|
@ -575,13 +582,11 @@ spec:
|
||||||
served: true
|
served: true
|
||||||
storage: true
|
storage: true
|
||||||
---
|
---
|
||||||
# Source: cert-manager/templates/templates.out
|
# Source: cert-manager/templates/crd-templates.yaml
|
||||||
apiVersion: apiextensions.k8s.io/v1
|
apiVersion: apiextensions.k8s.io/v1
|
||||||
kind: CustomResourceDefinition
|
kind: CustomResourceDefinition
|
||||||
metadata:
|
metadata:
|
||||||
name: challenges.acme.cert-manager.io
|
name: challenges.acme.cert-manager.io
|
||||||
annotations:
|
|
||||||
cert-manager.io/inject-ca-from-secret: '{{ cert_manager_namespace }}/cert-manager-webhook-ca'
|
|
||||||
labels:
|
labels:
|
||||||
app: 'cert-manager'
|
app: 'cert-manager'
|
||||||
app.kubernetes.io/name: 'cert-manager'
|
app.kubernetes.io/name: 'cert-manager'
|
||||||
|
@ -956,10 +961,49 @@ spec:
|
||||||
type: object
|
type: object
|
||||||
properties:
|
properties:
|
||||||
labels:
|
labels:
|
||||||
description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
|
description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges.
|
||||||
type: object
|
type: object
|
||||||
additionalProperties:
|
additionalProperties:
|
||||||
type: string
|
type: string
|
||||||
|
parentRefs:
|
||||||
|
description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways'
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
description: "ParentRef identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object."
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- name
|
||||||
|
properties:
|
||||||
|
group:
|
||||||
|
description: "Group is the group of the referent. \n Support: Core"
|
||||||
|
type: string
|
||||||
|
default: gateway.networking.k8s.io
|
||||||
|
maxLength: 253
|
||||||
|
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
||||||
|
kind:
|
||||||
|
description: "Kind is kind of the referent. \n Support: Core (Gateway) Support: Custom (Other Resources)"
|
||||||
|
type: string
|
||||||
|
default: Gateway
|
||||||
|
maxLength: 63
|
||||||
|
minLength: 1
|
||||||
|
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
|
||||||
|
name:
|
||||||
|
description: "Name is the name of the referent. \n Support: Core"
|
||||||
|
type: string
|
||||||
|
maxLength: 253
|
||||||
|
minLength: 1
|
||||||
|
namespace:
|
||||||
|
description: "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core"
|
||||||
|
type: string
|
||||||
|
maxLength: 63
|
||||||
|
minLength: 1
|
||||||
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
||||||
|
sectionName:
|
||||||
|
description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
|
||||||
|
type: string
|
||||||
|
maxLength: 253
|
||||||
|
minLength: 1
|
||||||
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
||||||
serviceType:
|
serviceType:
|
||||||
description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
|
description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
|
||||||
type: string
|
type: string
|
||||||
|
@ -1573,13 +1617,11 @@ spec:
|
||||||
subresources:
|
subresources:
|
||||||
status: {}
|
status: {}
|
||||||
---
|
---
|
||||||
# Source: cert-manager/templates/templates.out
|
# Source: cert-manager/templates/crd-templates.yaml
|
||||||
apiVersion: apiextensions.k8s.io/v1
|
apiVersion: apiextensions.k8s.io/v1
|
||||||
kind: CustomResourceDefinition
|
kind: CustomResourceDefinition
|
||||||
metadata:
|
metadata:
|
||||||
name: clusterissuers.cert-manager.io
|
name: clusterissuers.cert-manager.io
|
||||||
annotations:
|
|
||||||
cert-manager.io/inject-ca-from-secret: '{{ cert_manager_namespace }}/cert-manager-webhook-ca'
|
|
||||||
labels:
|
labels:
|
||||||
app: 'cert-manager'
|
app: 'cert-manager'
|
||||||
app.kubernetes.io/name: 'cert-manager'
|
app.kubernetes.io/name: 'cert-manager'
|
||||||
|
@ -1989,10 +2031,49 @@ spec:
|
||||||
type: object
|
type: object
|
||||||
properties:
|
properties:
|
||||||
labels:
|
labels:
|
||||||
description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
|
description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges.
|
||||||
type: object
|
type: object
|
||||||
additionalProperties:
|
additionalProperties:
|
||||||
type: string
|
type: string
|
||||||
|
parentRefs:
|
||||||
|
description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways'
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
description: "ParentRef identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object."
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- name
|
||||||
|
properties:
|
||||||
|
group:
|
||||||
|
description: "Group is the group of the referent. \n Support: Core"
|
||||||
|
type: string
|
||||||
|
default: gateway.networking.k8s.io
|
||||||
|
maxLength: 253
|
||||||
|
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
||||||
|
kind:
|
||||||
|
description: "Kind is kind of the referent. \n Support: Core (Gateway) Support: Custom (Other Resources)"
|
||||||
|
type: string
|
||||||
|
default: Gateway
|
||||||
|
maxLength: 63
|
||||||
|
minLength: 1
|
||||||
|
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
|
||||||
|
name:
|
||||||
|
description: "Name is the name of the referent. \n Support: Core"
|
||||||
|
type: string
|
||||||
|
maxLength: 253
|
||||||
|
minLength: 1
|
||||||
|
namespace:
|
||||||
|
description: "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core"
|
||||||
|
type: string
|
||||||
|
maxLength: 63
|
||||||
|
minLength: 1
|
||||||
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
||||||
|
sectionName:
|
||||||
|
description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
|
||||||
|
type: string
|
||||||
|
maxLength: 253
|
||||||
|
minLength: 1
|
||||||
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
||||||
serviceType:
|
serviceType:
|
||||||
description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
|
description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
|
||||||
type: string
|
type: string
|
||||||
|
@ -2780,10 +2861,13 @@ spec:
|
||||||
type:
|
type:
|
||||||
description: Type of the condition, known values are (`Ready`).
|
description: Type of the condition, known values are (`Ready`).
|
||||||
type: string
|
type: string
|
||||||
|
x-kubernetes-list-map-keys:
|
||||||
|
- type
|
||||||
|
x-kubernetes-list-type: map
|
||||||
served: true
|
served: true
|
||||||
storage: true
|
storage: true
|
||||||
---
|
---
|
||||||
# Source: cert-manager/templates/templates.out
|
# Source: cert-manager/templates/crd-templates.yaml
|
||||||
apiVersion: apiextensions.k8s.io/v1
|
apiVersion: apiextensions.k8s.io/v1
|
||||||
kind: CustomResourceDefinition
|
kind: CustomResourceDefinition
|
||||||
metadata:
|
metadata:
|
||||||
|
@ -3199,10 +3283,49 @@ spec:
|
||||||
type: object
|
type: object
|
||||||
properties:
|
properties:
|
||||||
labels:
|
labels:
|
||||||
description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
|
description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges.
|
||||||
type: object
|
type: object
|
||||||
additionalProperties:
|
additionalProperties:
|
||||||
type: string
|
type: string
|
||||||
|
parentRefs:
|
||||||
|
description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways'
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
description: "ParentRef identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object."
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- name
|
||||||
|
properties:
|
||||||
|
group:
|
||||||
|
description: "Group is the group of the referent. \n Support: Core"
|
||||||
|
type: string
|
||||||
|
default: gateway.networking.k8s.io
|
||||||
|
maxLength: 253
|
||||||
|
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
||||||
|
kind:
|
||||||
|
description: "Kind is kind of the referent. \n Support: Core (Gateway) Support: Custom (Other Resources)"
|
||||||
|
type: string
|
||||||
|
default: Gateway
|
||||||
|
maxLength: 63
|
||||||
|
minLength: 1
|
||||||
|
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
|
||||||
|
name:
|
||||||
|
description: "Name is the name of the referent. \n Support: Core"
|
||||||
|
type: string
|
||||||
|
maxLength: 253
|
||||||
|
minLength: 1
|
||||||
|
namespace:
|
||||||
|
description: "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core"
|
||||||
|
type: string
|
||||||
|
maxLength: 63
|
||||||
|
minLength: 1
|
||||||
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
||||||
|
sectionName:
|
||||||
|
description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
|
||||||
|
type: string
|
||||||
|
maxLength: 253
|
||||||
|
minLength: 1
|
||||||
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
||||||
serviceType:
|
serviceType:
|
||||||
description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
|
description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
|
||||||
type: string
|
type: string
|
||||||
|
@ -3990,10 +4113,13 @@ spec:
|
||||||
type:
|
type:
|
||||||
description: Type of the condition, known values are (`Ready`).
|
description: Type of the condition, known values are (`Ready`).
|
||||||
type: string
|
type: string
|
||||||
|
x-kubernetes-list-map-keys:
|
||||||
|
- type
|
||||||
|
x-kubernetes-list-type: map
|
||||||
served: true
|
served: true
|
||||||
storage: true
|
storage: true
|
||||||
---
|
---
|
||||||
# Source: cert-manager/templates/templates.out
|
# Source: cert-manager/templates/crd-templates.yaml
|
||||||
apiVersion: apiextensions.k8s.io/v1
|
apiVersion: apiextensions.k8s.io/v1
|
||||||
kind: CustomResourceDefinition
|
kind: CustomResourceDefinition
|
||||||
metadata:
|
metadata:
|
||||||
|
|
|
@ -103,9 +103,6 @@ rules:
|
||||||
- apiGroups: ["apiextensions.k8s.io"]
|
- apiGroups: ["apiextensions.k8s.io"]
|
||||||
resources: ["customresourcedefinitions"]
|
resources: ["customresourcedefinitions"]
|
||||||
verbs: ["get", "list", "watch", "update"]
|
verbs: ["get", "list", "watch", "update"]
|
||||||
- apiGroups: ["auditregistration.k8s.io"]
|
|
||||||
resources: ["auditsinks"]
|
|
||||||
verbs: ["get", "list", "watch", "update"]
|
|
||||||
---
|
---
|
||||||
# Source: cert-manager/templates/rbac.yaml
|
# Source: cert-manager/templates/rbac.yaml
|
||||||
# Issuer controller role
|
# Issuer controller role
|
||||||
|
@ -122,7 +119,7 @@ metadata:
|
||||||
rules:
|
rules:
|
||||||
- apiGroups: ["cert-manager.io"]
|
- apiGroups: ["cert-manager.io"]
|
||||||
resources: ["issuers", "issuers/status"]
|
resources: ["issuers", "issuers/status"]
|
||||||
verbs: ["update"]
|
verbs: ["update", "patch"]
|
||||||
- apiGroups: ["cert-manager.io"]
|
- apiGroups: ["cert-manager.io"]
|
||||||
resources: ["issuers"]
|
resources: ["issuers"]
|
||||||
verbs: ["get", "list", "watch"]
|
verbs: ["get", "list", "watch"]
|
||||||
|
@ -148,7 +145,7 @@ metadata:
|
||||||
rules:
|
rules:
|
||||||
- apiGroups: ["cert-manager.io"]
|
- apiGroups: ["cert-manager.io"]
|
||||||
resources: ["clusterissuers", "clusterissuers/status"]
|
resources: ["clusterissuers", "clusterissuers/status"]
|
||||||
verbs: ["update"]
|
verbs: ["update", "patch"]
|
||||||
- apiGroups: ["cert-manager.io"]
|
- apiGroups: ["cert-manager.io"]
|
||||||
resources: ["clusterissuers"]
|
resources: ["clusterissuers"]
|
||||||
verbs: ["get", "list", "watch"]
|
verbs: ["get", "list", "watch"]
|
||||||
|
@ -174,7 +171,7 @@ metadata:
|
||||||
rules:
|
rules:
|
||||||
- apiGroups: ["cert-manager.io"]
|
- apiGroups: ["cert-manager.io"]
|
||||||
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
|
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
|
||||||
verbs: ["update"]
|
verbs: ["update", "patch"]
|
||||||
- apiGroups: ["cert-manager.io"]
|
- apiGroups: ["cert-manager.io"]
|
||||||
resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
|
resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
|
||||||
verbs: ["get", "list", "watch"]
|
verbs: ["get", "list", "watch"]
|
||||||
|
@ -209,7 +206,7 @@ metadata:
|
||||||
rules:
|
rules:
|
||||||
- apiGroups: ["acme.cert-manager.io"]
|
- apiGroups: ["acme.cert-manager.io"]
|
||||||
resources: ["orders", "orders/status"]
|
resources: ["orders", "orders/status"]
|
||||||
verbs: ["update"]
|
verbs: ["update", "patch"]
|
||||||
- apiGroups: ["acme.cert-manager.io"]
|
- apiGroups: ["acme.cert-manager.io"]
|
||||||
resources: ["orders", "challenges"]
|
resources: ["orders", "challenges"]
|
||||||
verbs: ["get", "list", "watch"]
|
verbs: ["get", "list", "watch"]
|
||||||
|
@ -248,7 +245,7 @@ rules:
|
||||||
# Use to update challenge resource status
|
# Use to update challenge resource status
|
||||||
- apiGroups: ["acme.cert-manager.io"]
|
- apiGroups: ["acme.cert-manager.io"]
|
||||||
resources: ["challenges", "challenges/status"]
|
resources: ["challenges", "challenges/status"]
|
||||||
verbs: ["update"]
|
verbs: ["update", "patch"]
|
||||||
# Used to watch challenge resources
|
# Used to watch challenge resources
|
||||||
- apiGroups: ["acme.cert-manager.io"]
|
- apiGroups: ["acme.cert-manager.io"]
|
||||||
resources: ["challenges"]
|
resources: ["challenges"]
|
||||||
|
@ -272,7 +269,7 @@ rules:
|
||||||
- apiGroups: ["networking.k8s.io"]
|
- apiGroups: ["networking.k8s.io"]
|
||||||
resources: ["ingresses"]
|
resources: ["ingresses"]
|
||||||
verbs: ["get", "list", "watch", "create", "delete", "update"]
|
verbs: ["get", "list", "watch", "create", "delete", "update"]
|
||||||
- apiGroups: [ "networking.x-k8s.io" ]
|
- apiGroups: [ "gateway.networking.k8s.io" ]
|
||||||
resources: [ "httproutes" ]
|
resources: [ "httproutes" ]
|
||||||
verbs: ["get", "list", "watch", "create", "delete", "update"]
|
verbs: ["get", "list", "watch", "create", "delete", "update"]
|
||||||
# We require the ability to specify a custom hostname when we are creating
|
# We require the ability to specify a custom hostname when we are creating
|
||||||
|
@ -320,10 +317,10 @@ rules:
|
||||||
- apiGroups: ["networking.k8s.io"]
|
- apiGroups: ["networking.k8s.io"]
|
||||||
resources: ["ingresses/finalizers"]
|
resources: ["ingresses/finalizers"]
|
||||||
verbs: ["update"]
|
verbs: ["update"]
|
||||||
- apiGroups: ["networking.x-k8s.io"]
|
- apiGroups: ["gateway.networking.k8s.io"]
|
||||||
resources: ["gateways", "httproutes"]
|
resources: ["gateways", "httproutes"]
|
||||||
verbs: ["get", "list", "watch"]
|
verbs: ["get", "list", "watch"]
|
||||||
- apiGroups: ["networking.x-k8s.io"]
|
- apiGroups: ["gateway.networking.k8s.io"]
|
||||||
resources: ["gateways/finalizers", "httproutes/finalizers"]
|
resources: ["gateways/finalizers", "httproutes/finalizers"]
|
||||||
verbs: ["update"]
|
verbs: ["update"]
|
||||||
- apiGroups: [""]
|
- apiGroups: [""]
|
||||||
|
@ -369,6 +366,9 @@ rules:
|
||||||
- apiGroups: ["cert-manager.io"]
|
- apiGroups: ["cert-manager.io"]
|
||||||
resources: ["certificates", "certificaterequests", "issuers"]
|
resources: ["certificates", "certificaterequests", "issuers"]
|
||||||
verbs: ["create", "delete", "deletecollection", "patch", "update"]
|
verbs: ["create", "delete", "deletecollection", "patch", "update"]
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["certificates/status"]
|
||||||
|
verbs: ["update"]
|
||||||
- apiGroups: ["acme.cert-manager.io"]
|
- apiGroups: ["acme.cert-manager.io"]
|
||||||
resources: ["challenges", "orders"]
|
resources: ["challenges", "orders"]
|
||||||
verbs: ["create", "delete", "deletecollection", "patch", "update"]
|
verbs: ["create", "delete", "deletecollection", "patch", "update"]
|
||||||
|
@ -411,7 +411,7 @@ rules:
|
||||||
verbs: ["get", "list", "watch", "update"]
|
verbs: ["get", "list", "watch", "update"]
|
||||||
- apiGroups: ["certificates.k8s.io"]
|
- apiGroups: ["certificates.k8s.io"]
|
||||||
resources: ["certificatesigningrequests/status"]
|
resources: ["certificatesigningrequests/status"]
|
||||||
verbs: ["update"]
|
verbs: ["update", "patch"]
|
||||||
- apiGroups: ["certificates.k8s.io"]
|
- apiGroups: ["certificates.k8s.io"]
|
||||||
resources: ["signers"]
|
resources: ["signers"]
|
||||||
resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
|
resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
|
||||||
|
@ -656,14 +656,6 @@ rules:
|
||||||
# see cmd/cainjector/start.go#L113
|
# see cmd/cainjector/start.go#L113
|
||||||
# cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
|
# cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
|
||||||
# see cmd/cainjector/start.go#L137
|
# see cmd/cainjector/start.go#L137
|
||||||
# See also: https://github.com/kubernetes-sigs/controller-runtime/pull/1144#discussion_r480173688
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["configmaps"]
|
|
||||||
resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
|
|
||||||
verbs: ["get", "update", "patch"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["configmaps"]
|
|
||||||
verbs: ["create"]
|
|
||||||
- apiGroups: ["coordination.k8s.io"]
|
- apiGroups: ["coordination.k8s.io"]
|
||||||
resources: ["leases"]
|
resources: ["leases"]
|
||||||
resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
|
resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
|
||||||
|
@ -685,15 +677,6 @@ metadata:
|
||||||
app.kubernetes.io/component: "controller"
|
app.kubernetes.io/component: "controller"
|
||||||
app.kubernetes.io/version: "{{ cert_manager_version }}"
|
app.kubernetes.io/version: "{{ cert_manager_version }}"
|
||||||
rules:
|
rules:
|
||||||
# Used for leader election by the controller
|
|
||||||
# See also: https://github.com/kubernetes-sigs/controller-runtime/pull/1144#discussion_r480173688
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["configmaps"]
|
|
||||||
resourceNames: ["cert-manager-controller"]
|
|
||||||
verbs: ["get", "update", "patch"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["configmaps"]
|
|
||||||
verbs: ["create"]
|
|
||||||
- apiGroups: ["coordination.k8s.io"]
|
- apiGroups: ["coordination.k8s.io"]
|
||||||
resources: ["leases"]
|
resources: ["leases"]
|
||||||
resourceNames: ["cert-manager-controller"]
|
resourceNames: ["cert-manager-controller"]
|
||||||
|
@ -809,10 +792,10 @@ metadata:
|
||||||
spec:
|
spec:
|
||||||
type: ClusterIP
|
type: ClusterIP
|
||||||
ports:
|
ports:
|
||||||
- protocol: TCP
|
- protocol: TCP
|
||||||
port: 9402
|
port: 9402
|
||||||
name: tcp-prometheus-servicemonitor
|
name: tcp-prometheus-servicemonitor
|
||||||
targetPort: 9402
|
targetPort: 9402
|
||||||
selector:
|
selector:
|
||||||
app.kubernetes.io/name: cert-manager
|
app.kubernetes.io/name: cert-manager
|
||||||
app.kubernetes.io/instance: cert-manager
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
@ -885,8 +868,8 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
fieldRef:
|
fieldRef:
|
||||||
fieldPath: metadata.namespace
|
fieldPath: metadata.namespace
|
||||||
resources:
|
securityContext:
|
||||||
{}
|
allowPrivilegeEscalation: false
|
||||||
{% if cert_manager_tolerations %}
|
{% if cert_manager_tolerations %}
|
||||||
tolerations:
|
tolerations:
|
||||||
{{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
|
{{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
|
||||||
|
@ -945,6 +928,7 @@ spec:
|
||||||
spec:
|
spec:
|
||||||
serviceAccountName: cert-manager
|
serviceAccountName: cert-manager
|
||||||
securityContext:
|
securityContext:
|
||||||
|
|
||||||
runAsNonRoot: true
|
runAsNonRoot: true
|
||||||
containers:
|
containers:
|
||||||
- name: cert-manager
|
- name: cert-manager
|
||||||
|
@ -956,14 +940,15 @@ spec:
|
||||||
- --leader-election-namespace={{ cert_manager_leader_election_namespace }}
|
- --leader-election-namespace={{ cert_manager_leader_election_namespace }}
|
||||||
ports:
|
ports:
|
||||||
- containerPort: 9402
|
- containerPort: 9402
|
||||||
|
name: http-metrics
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
env:
|
env:
|
||||||
- name: POD_NAMESPACE
|
- name: POD_NAMESPACE
|
||||||
valueFrom:
|
valueFrom:
|
||||||
fieldRef:
|
fieldRef:
|
||||||
fieldPath: metadata.namespace
|
fieldPath: metadata.namespace
|
||||||
resources:
|
|
||||||
{}
|
|
||||||
{% if cert_manager_tolerations %}
|
{% if cert_manager_tolerations %}
|
||||||
tolerations:
|
tolerations:
|
||||||
{{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
|
{{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
|
||||||
|
@ -1053,13 +1038,13 @@ spec:
|
||||||
timeoutSeconds: 1
|
timeoutSeconds: 1
|
||||||
successThreshold: 1
|
successThreshold: 1
|
||||||
failureThreshold: 3
|
failureThreshold: 3
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
env:
|
env:
|
||||||
- name: POD_NAMESPACE
|
- name: POD_NAMESPACE
|
||||||
valueFrom:
|
valueFrom:
|
||||||
fieldRef:
|
fieldRef:
|
||||||
fieldPath: metadata.namespace
|
fieldPath: metadata.namespace
|
||||||
resources:
|
|
||||||
{}
|
|
||||||
{% if cert_manager_tolerations %}
|
{% if cert_manager_tolerations %}
|
||||||
tolerations:
|
tolerations:
|
||||||
{{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
|
{{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
|
||||||
|
|
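Review bot: The rule added in the hunk at `@ -369,6 +366,9` (`- apiGroups: ["cert-manager.io"]` / `resources: ["certificates/status"]` / `verbs: ["update"]`) widens a role whose neighbouring rules (create/delete/deletecollection/patch/update on certificates, certificaterequests, issuers, challenges and orders) read like a user-facing aggregated edit role; the role's metadata is outside the hunk, so that is inferred rather than seen. Status subresources are normally written only by the controller, and the controller role already receives `verbs: ["update", "patch"]` on `certificates/status` in the hunk at `@ -174,7 +171,7`, so granting status writes here means anyone bound to the aggregated role could rewrite Certificate conditions the controller acts on. If the grant is deliberate (presumably to let users trigger re-issuance by editing status), a comment above the rule would spare the next reviewer the question, e.g. `# Intentional: users of this role may write Certificate status (manual re-issuance) — confirm against the upstream v1.8.0 RBAC`. If it is not needed by this deployment, it is safer to drop the rule and leave status writes with the controller role.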