[cert-manager] Upgrade to v1.10.1 (#9512)

2022-11-29 22:17:26 +07:00 · 2022-11-29 22:17:26 +07:00 · 529faeea9e
parent 47510899c7
commit 529faeea9e
4 changed files with 1731 additions and 1643 deletions
--- a/README.md
+++ b/README.md
@ -156,7 +156,7 @@ Note: Upstart/SysV init based OS types are not supported.
  - [weave](https://github.com/weaveworks/weave) v2.8.1
  - [kube-vip](https://github.com/kube-vip/kube-vip) v0.5.5
 - Application
-  - [cert-manager](https://github.com/jetstack/cert-manager) v1.9.1
+  - [cert-manager](https://github.com/jetstack/cert-manager) v1.10.1
  - [coredns](https://github.com/coredns/coredns) v1.9.3
  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v1.4.0
  - [krew](https://github.com/kubernetes-sigs/krew) v0.4.3
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@ -1044,7 +1044,7 @@ ingress_nginx_kube_webhook_certgen_imae_repo: "{{ kube_image_repo }}/ingress-ngi
 ingress_nginx_kube_webhook_certgen_imae_tag: "v1.3.0"
 alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
 alb_ingress_image_tag: "v1.1.9"
-cert_manager_version: "v1.9.1"
+cert_manager_version: "v1.10.1"
 cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller"
 cert_manager_controller_image_tag: "{{ cert_manager_version }}"
 cert_manager_cainjector_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-cainjector"
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.crds.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.crds.yml.j2
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
@ -1,4 +1,4 @@
-# Copyright 2021 The cert-manager Authors.
+# Copyright 2022 The cert-manager Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@ -856,8 +856,10 @@ spec:
      serviceAccountName: cert-manager-cainjector
      securityContext:
        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
      containers:
-        - name: cert-manager
+        - name: cert-manager-cainjector
          image: "{{ cert_manager_cainjector_image_repo }}:{{ cert_manager_cainjector_image_tag }}"
          imagePullPolicy: {{ k8s_image_pull_policy }}
          args:
@ -871,7 +873,8 @@ spec:
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
-              drop: ['ALL']
+              drop:
+              - ALL
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
@ -933,10 +936,11 @@ spec:
    spec:
      serviceAccountName: cert-manager
      securityContext:
-
        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
      containers:
-        - name: cert-manager
+        - name: cert-manager-controller
          image: "{{ cert_manager_controller_image_repo }}:{{ cert_manager_controller_image_tag }}"
          imagePullPolicy: {{ k8s_image_pull_policy }}
          args:
@ -950,7 +954,8 @@ spec:
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
-              drop: ['ALL']
+              drop:
+              - ALL
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
@ -1014,8 +1019,10 @@ spec:
      serviceAccountName: cert-manager-webhook
      securityContext:
        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
      containers:
-        - name: cert-manager
+        - name: cert-manager-webhook
          image: "{{ cert_manager_webhook_image_repo }}:{{ cert_manager_webhook_image_tag }}"
          imagePullPolicy: {{ k8s_image_pull_policy }}
          args:
@ -1023,11 +1030,16 @@ spec:
          - --secure-port=10250
          - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
          - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
-          - --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.$(POD_NAMESPACE),cert-manager-webhook.$(POD_NAMESPACE).svc
+          - --dynamic-serving-dns-names=cert-manager-webhook
+          - --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE)
+          - --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE).svc
          ports:
          - name: https
            protocol: TCP
            containerPort: 10250
+          - name: healthcheck
+            protocol: TCP
+            containerPort: 6080
          livenessProbe:
            httpGet:
              path: /livez
@ -1051,7 +1063,8 @@ spec:
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
-              drop: ['ALL']
+              drop:
+              - ALL
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault