Upgrade JetStack Cert-Manager to v0.15.2 (#6414)

* Upgrade JetStack Cert-Manager to v0.15.2

* Add README.md table of contents
This commit is contained in:
Barry Melbourne 2020-08-06 07:26:55 +01:00 committed by GitHub
parent 50598d9d47
commit 9cc70e9e70
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
20 changed files with 6786 additions and 3552 deletions

View file

@ -136,7 +136,7 @@ Note: Upstart/SysV init based OS types are not supported.
- [ambassador](https://github.com/datawire/ambassador): v1.5 - [ambassador](https://github.com/datawire/ambassador): v1.5
- [cephfs-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.0-k8s1.11 - [cephfs-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.0-k8s1.11
- [rbd-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.1-k8s1.11 - [rbd-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.1-k8s1.11
- [cert-manager](https://github.com/jetstack/cert-manager) v0.11.1 - [cert-manager](https://github.com/jetstack/cert-manager) v0.15.2
- [coredns](https://github.com/coredns/coredns) v1.6.7 - [coredns](https://github.com/coredns/coredns) v1.6.7
- [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v0.32.0 - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v0.32.0

View file

@ -546,9 +546,13 @@ ingress_ambassador_image_repo: "{{ quay_image_repo }}/datawire/ambassador-operat
ingress_ambassador_image_tag: "v1.2.8" ingress_ambassador_image_tag: "v1.2.8"
alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller" alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
alb_ingress_image_tag: "v1.1.8" alb_ingress_image_tag: "v1.1.8"
cert_manager_version: "v0.11.1" cert_manager_version: "v0.15.2"
cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller" cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller"
cert_manager_controller_image_tag: "{{ cert_manager_version }}" cert_manager_controller_image_tag: "{{ cert_manager_version }}"
cert_manager_cainjector_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-cainjector"
cert_manager_cainjector_image_tag: "{{ cert_manager_version }}"
cert_manager_webhook_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-webhook"
cert_manager_webhook_image_tag: "{{ cert_manager_version }}"
addon_resizer_version: "1.8.9" addon_resizer_version: "1.8.9"
addon_resizer_image_repo: "{{ kube_image_repo }}/addon-resizer" addon_resizer_image_repo: "{{ kube_image_repo }}/addon-resizer"
addon_resizer_image_tag: "{{ addon_resizer_version }}" addon_resizer_image_tag: "{{ addon_resizer_version }}"
@ -1078,6 +1082,24 @@ downloads:
groups: groups:
- kube-node - kube-node
cert_manager_cainjector:
enabled: "{{ cert_manager_enabled }}"
container: true
repo: "{{ cert_manager_cainjector_image_repo }}"
tag: "{{ cert_manager_cainjector_image_tag }}"
sha256: "{{ cert_manager_cainjector_digest_checksum|default(None) }}"
groups:
- kube-node
cert_manager_webhook:
enabled: "{{ cert_manager_enabled }}"
container: true
repo: "{{ cert_manager_webhook_image_repo }}"
tag: "{{ cert_manager_webhook_image_tag }}"
sha256: "{{ cert_manager_webhook_digest_checksum|default(None) }}"
groups:
- kube-node
csi_attacher: csi_attacher:
enabled: "{{ cinder_csi_enabled or aws_ebs_csi_enabled }}" enabled: "{{ cinder_csi_enabled or aws_ebs_csi_enabled }}"
container: true container: true

View file

@ -1,17 +1,179 @@
Deployment files # Installation Guide
================
This directory contains example deployment manifests for cert-manager that can - [Installation Guide](#installation-guide)
be used in place of the official Helm chart. - [Kubernetes TLS Root CA Certificate/Key Secret](#kubernetes-tls-root-ca-certificatekey-secret)
- [Securing Ingress Resources](#securing-ingress-resources)
- [Create New TLS Root CA Certificate and Key](#create-new-tls-root-ca-certificate-and-key)
- [Install Cloudflare PKI/TLS `cfssl` Toolkit.](#install-cloudflare-pkitls-cfssl-toolkit)
- [Create Root Certificate Authority (CA) Configuration File](#create-root-certificate-authority-ca-configuration-file)
- [Create Certficate Signing Request (CSR) Configuration File](#create-certficate-signing-request-csr-configuration-file)
- [Create TLS Root CA Certificate and Key](#create-tls-root-ca-certificate-and-key)
This is useful if you are deploying cert-manager into an environment without Cert-Manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Lets Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self signed. It will ensure certificates are valid and up to date, and attempt to renew certificates at a configured time before expiry.
Helm, or want to inspect a 'bare minimum' deployment.
Where do these come from? The Kubespray out-of-the-box cert-manager deployment uses a TLS Root CA certificate and key stored as the Kubernetes `ca-key-pair` secret consisting of `tls.crt` and `tls.key`, which are the base64 encode values of the TLS Root CA certificate and key respectively.
-------------------------
The manifests in these subdirectories are generated from the Helm chart Integration with other PKI/Certificate management solutions, such as HashiCorp Vault will require some further development changes to the current cert-manager deployment and may be introduced in the future.
automatically. The `values.yaml` files used to configure cert-manager can be
found in [`hack/deploy`](../../hack/deploy/).
They are automatically generated by running `./hack/update-deploy-gen.sh`. ## Kubernetes TLS Root CA Certificate/Key Secret
If you're planning to secure your ingress resources using TLS client certificates, you'll need to create and deploy the Kubernetes `ca-key-pair` secret consisting of the Root CA certificate and key to your K8s cluster.
If these are already available, simply update `templates\secret-cert-manager.yml.j2` with the base64 encoded values of your TLS Root CA certificate and key prior to enabling and deploying cert-manager.
e.g.
```shell
$ cat ca.pem | base64 -w 0
LS0tLS1CRUdJTiBDRVJU...
$ cat ca-key.pem | base64 -w 0
LS0tLS1CRUdJTiBSU0Eg...
```
For further information, read the official [Cert-Manager CA Configuration](https://cert-manager.io/docs/configuration/ca/) doc.
Once the base64 encoded values have been added to `templates\secret-cert-manager.yml.j2`, cert-manager can now be enabled by editing your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s-cluster\addons.yml` and setting `cert_manager_enabled` to true.
```ini
# Cert manager deployment
cert_manager_enabled: true
```
If you don't have a TLS Root CA certificate and key available, you can create these by following the steps outlined in section [Create New TLS Root CA Certificate and Key](#create-new-tls-root-ca-certificate-and-key) using the Cloudflare PKI/TLS `cfssl` toolkit. TLS Root CA certificates and keys can also be created using `ssh-keygen` and OpenSSL, if `cfssl` is not available.
## Securing Ingress Resources
A common use-case for cert-manager is requesting TLS signed certificates to secure your ingress resources. This can be done by simply adding annotations to your Ingress resources and cert-manager will facilitate creating the Certificate resource for you. A small sub-component of cert-manager, ingress-shim, is responsible for this.
To enable the Nginx Ingress controller as part of your Kubespray deployment, simply edit your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s-cluster\addons.yml` and set `ingress_nginx_enabled` to true.
```ini
# Nginx ingress controller deployment
ingress_nginx_enabled: true
```
For example, if you're using the Nginx ingress controller, you can secure the Prometheus ingress by adding the annotation `cert-manager.io/cluster-issuer: ca-issuer` and the `spec.tls` section to the `Ingress` resource definition.
```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: prometheus-k8s
namespace: monitoring
labels:
prometheus: k8s
annotations:
kubernetes.io/ingress.class: "nginx"
cert-manager.io/cluster-issuer: ca-issuer
spec:
tls:
- hosts:
- prometheus.example.com
secretName: prometheus-dashboard-certs
rules:
- host: prometheus.example.com
http:
paths:
- path: /
backend:
serviceName: prometheus-k8s
servicePort: web
```
Once deployed to your K8s cluster, every 3 months cert-manager will automatically rotate the Prometheus `prometheus.example.com` TLS client certificate and key, and store these as the Kubernetes `prometheus-dashboard-certs` secret.
For further information, read the official [Cert-Manager Ingress](https://cert-manager.io/docs/usage/ingress/) doc.
### Create New TLS Root CA Certificate and Key
#### Install Cloudflare PKI/TLS `cfssl` Toolkit.
e.g. For Ubuntu/Debian distibutions, the toolkit is part of the `golang-cfssl` package.
```shell
$ sudo apt-get install -y golang-cfssl
```
#### Create Root Certificate Authority (CA) Configuration File
The default TLS certificate expiry time period is `8760h` which is 5 years from the date the certificate is created.
```shell
$ cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"kubernetes": {
"usages": ["signing", "key encipherment", "server auth", "client auth"],
"expiry": "8760h"
}
}
}
}
EOF
```
#### Create Certficate Signing Request (CSR) Configuration File
The TLS certificate `names` details can be updated to your own specific requirements.
```shell
$ cat > ca-csr.json <<EOF
{
"CN": "Kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "Kubernetes",
"OU": "CA",
"ST": "Oregon"
}
]
}
EOF
```
#### Create TLS Root CA Certificate and Key
```shell
$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca
ca.pem
ca-key.pem
```
Check the TLS Root CA certificate has the correct `Not Before` and `Not After` dates, and ensure it is indeed a valid Certificate Authority with the X509v3 extension `CA:TRUE`.
```shell
$ openssl x509 -text -noout -in ca.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
6a:d4:d8:48:7f:98:4f:54:68:9a:e1:73:02:fa:d0:41:79:25:08:49
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = Oregon, L = Portland, O = Kubernetes, OU = CA, CN = Kubernetes
Validity
Not Before: Jul 10 15:21:00 2020 GMT
Not After : Jul 9 15:21:00 2025 GMT
Subject: C = US, ST = Oregon, L = Portland, O = Kubernetes, OU = CA, CN = Kubernetes
Subject Public Key Info:
...
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
D4:38:B5:E2:26:49:5E:0D:E3:DC:D9:70:73:3B:C4:19:6A:43:4A:F2
...
```

View file

@ -28,19 +28,30 @@
when: when:
- inventory_hostname == groups['kube-master'][0] - inventory_hostname == groups['kube-master'][0]
- name: Cert Manager | Templates list
set_fact:
cert_manager_templates:
- { name: 00-namespace, file: 00-namespace.yml, type: ns }
- { name: sa-cert-manager, file: sa-cert-manager.yml, type: sa }
- { name: crd-certificate, file: crd-certificate.yml, type: crd }
- { name: crd-challenge, file: crd-challenge.yml, type: crd }
- { name: crd-clusterissuer, file: crd-clusterissuer.yml, type: crd }
- { name: crd-issuer, file: crd-issuer.yml, type: crd }
- { name: crd-order, file: crd-order.yml, type: crd }
- { name: clusterrole-cert-manager, file: clusterrole-cert-manager.yml, type: clusterrole }
- { name: clusterrolebinding-cert-manager, file: clusterrolebinding-cert-manager.yml, type: clusterrolebinding }
- { name: role-cert-manager, file: role-cert-manager.yml, type: role }
- { name: rolebinding-cert-manager, file: rolebinding-cert-manager.yml, type: rolebinding }
- { name: deploy-cert-manager, file: deploy-cert-manager.yml, type: deploy }
- { name: svc-cert-manager, file: svc-cert-manager.yml, type: svc }
- { name: webhook-cert-manager, file: webhook-cert-manager.yml, type: webhook }
- { name: secret-cert-manager, file: secret-cert-manager.yml, type: secret }
- name: Cert Manager | Create manifests - name: Cert Manager | Create manifests
template: template:
src: "{{ item.file }}.j2" src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/addons/cert_manager/{{ item.file }}" dest: "{{ kube_config_dir }}/addons/cert_manager/{{ item.file }}"
with_items: with_items: "{{ cert_manager_templates }}"
- { name: 00-namespace, file: 00-namespace.yml, type: ns }
- { name: sa-cert-manager, file: sa-cert-manager.yml, type: sa }
- { name: crd-certificate, file: crd-certificate.yml, type: crd }
- { name: crd-clusterissuer, file: crd-clusterissuer.yml, type: crd }
- { name: crd-issuer, file: crd-issuer.yml, type: crd }
- { name: clusterrole-cert-manager, file: clusterrole-cert-manager.yml, type: clusterrole }
- { name: clusterrolebinding-cert-manager, file: clusterrolebinding-cert-manager.yml, type: clusterrolebinding }
- { name: deploy-cert-manager, file: deploy-cert-manager.yml, type: deploy }
register: cert_manager_manifests register: cert_manager_manifests
when: when:
- inventory_hostname == groups['kube-master'][0] - inventory_hostname == groups['kube-master'][0]
@ -48,7 +59,6 @@
- name: Cert Manager | Apply manifests - name: Cert Manager | Apply manifests
kube: kube:
name: "{{ item.item.name }}" name: "{{ item.item.name }}"
namespace: "{{ cert_manager_namespace }}"
kubectl: "{{ bin_dir }}/kubectl" kubectl: "{{ bin_dir }}/kubectl"
resource: "{{ item.item.type }}" resource: "{{ item.item.type }}"
filename: "{{ kube_config_dir }}/addons/cert_manager/{{ item.item.file }}" filename: "{{ kube_config_dir }}/addons/cert_manager/{{ item.item.file }}"
@ -56,3 +66,24 @@
with_items: "{{ cert_manager_manifests.results }}" with_items: "{{ cert_manager_manifests.results }}"
when: when:
- inventory_hostname == groups['kube-master'][0] - inventory_hostname == groups['kube-master'][0]
- name: Cert Manager | Wait for Webhook pods become ready
shell: "{{ bin_dir }}/kubectl wait po --namespace={{ cert_manager_namespace }} --selector app=webhook --for=condition=Ready --timeout=600s"
register: cert_manager_webhook_pods_ready
when: inventory_hostname == groups['kube-master'][0]
- name: Cert Manager | Create ClusterIssuer manifest
template:
src: "clusterissuer-cert-manager.yml.j2"
dest: "{{ kube_config_dir }}/addons/cert_manager/clusterissuer-cert-manager.yml"
register: cert_manager_clusterissuer_manifest
when:
- inventory_hostname == groups['kube-master'][0] and cert_manager_webhook_pods_ready is succeeded
- name: Cert Manager | Apply ClusterIssuer manifest
kube:
name: "clusterissuer-cert-manager"
kubectl: "{{ bin_dir }}/kubectl"
filename: "{{ kube_config_dir }}/addons/cert_manager/clusterissuer-cert-manager.yml"
state: "latest"
when: inventory_hostname == groups['kube-master'][0] and cert_manager_clusterissuer_manifest is succeeded

View file

@ -1,3 +1,17 @@
# Copyright YEAR The Jetstack cert-manager contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
--- ---
apiVersion: v1 apiVersion: v1
kind: Namespace kind: Namespace
@ -5,4 +19,3 @@ metadata:
name: {{ cert_manager_namespace }} name: {{ cert_manager_namespace }}
labels: labels:
name: {{ cert_manager_namespace }} name: {{ cert_manager_namespace }}
certmanager.k8s.io/disable-validation: "true"

View file

@ -0,0 +1,23 @@
# Copyright YEAR The Jetstack cert-manager contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: ca-issuer
namespace: {{ cert_manager_namespace }}
spec:
ca:
secretName: ca-key-pair

View file

@ -1,20 +1,293 @@
# Copyright YEAR The Jetstack cert-manager contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: cert-manager-cainjector
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cainjector
helm.sh/chart: cert-manager-{{ cert_manager_version }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["get", "create", "update", "patch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["auditregistration.k8s.io"]
resources: ["auditsinks"]
verbs: ["get", "list", "watch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: cert-manager-controller-orders
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
rules:
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders", "orders/status"]
verbs: ["update"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders", "challenges"]
verbs: ["get", "list", "watch"]
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers", "issuers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges"]
verbs: ["create", "delete"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders/finalizers"]
verbs: ["update"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: cert-manager-controller-ingress-shim
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests"]
verbs: ["create", "update", "delete"]
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["extensions"]
resources: ["ingresses"]
verbs: ["get", "list", "watch"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["extensions"]
resources: ["ingresses/finalizers"]
verbs: ["update"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
name: cert-manager name: cert-manager-view
labels: labels:
app: cert-manager app: cert-manager
chart: cert-manager-v0.5.2 app.kubernetes.io/name: cert-manager
release: cert-manager app.kubernetes.io/instance: cert-manager
heritage: Tiller app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
rbac.authorization.k8s.io/aggregate-to-view: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules: rules:
- apiGroups: ["certmanager.k8s.io"] - apiGroups: ["cert-manager.io"]
resources: ["certificates", "issuers", "clusterissuers"] resources: ["certificates", "certificaterequests", "issuers"]
verbs: ["*"] verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: cert-manager-controller-challenges
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
rules:
# Use to update challenge resource status
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges", "challenges/status"]
verbs: ["update"]
# Used to watch challenge resources
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges"]
verbs: ["get", "list", "watch"]
# Used to watch challenges, issuer and clusterissuer resources
- apiGroups: ["cert-manager.io"]
resources: ["issuers", "clusterissuers"]
verbs: ["get", "list", "watch"]
# Need to be able to retrieve ACME account private key to complete challenges
- apiGroups: [""] - apiGroups: [""]
resources: ["configmaps", "secrets", "events", "services", "pods"] resources: ["secrets"]
verbs: ["*"] verbs: ["get", "list", "watch"]
# Used to create events
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
# HTTP01 rules
- apiGroups: [""]
resources: ["pods", "services"]
verbs: ["get", "list", "watch", "create", "delete"]
- apiGroups: ["extensions"] - apiGroups: ["extensions"]
resources: ["ingresses"] resources: ["ingresses"]
verbs: ["*"] verbs: ["get", "list", "watch", "create", "delete", "update"]
# We require the ability to specify a custom hostname when we are creating
# new ingress resources.
# See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
- apiGroups: ["route.openshift.io"]
resources: ["routes/custom-host"]
verbs: ["create"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges/finalizers"]
verbs: ["update"]
# DNS01 rules (duplicated above)
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: cert-manager-controller-issuers
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["issuers", "issuers/status"]
verbs: ["update"]
- apiGroups: ["cert-manager.io"]
resources: ["issuers"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: cert-manager-controller-clusterissuers
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers", "clusterissuers/status"]
verbs: ["update"]
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-edit
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "issuers"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: cert-manager-controller-certificates
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
verbs: ["update"]
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
verbs: ["get", "list", "watch"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["cert-manager.io"]
resources: ["certificates/finalizers", "certificaterequests/finalizers"]
verbs: ["update"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders"]
verbs: ["create", "delete", "get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]

View file

@ -1,17 +1,153 @@
# Copyright YEAR The Jetstack cert-manager contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: cert-manager name: cert-manager-cainjector
labels: labels:
app: cert-manager app: cainjector
chart: cert-manager-v0.5.2 app.kubernetes.io/name: cainjector
release: cert-manager app.kubernetes.io/instance: cert-manager
heritage: Tiller app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cainjector
helm.sh/chart: cert-manager-{{ cert_manager_version }}
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: cert-manager name: cert-manager-cainjector
subjects:
- name: cert-manager-cainjector
namespace: {{ cert_manager_namespace }}
kind: ServiceAccount
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-certificates
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-certificates
subjects:
- name: cert-manager
namespace: {{ cert_manager_namespace }}
kind: ServiceAccount
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-clusterissuers
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-clusterissuers
subjects:
- name: cert-manager
namespace: {{ cert_manager_namespace }}
kind: ServiceAccount
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-challenges
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-challenges
subjects:
- name: cert-manager
namespace: {{ cert_manager_namespace }}
kind: ServiceAccount
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-ingress-shim
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-ingress-shim
subjects:
- name: cert-manager
namespace: {{ cert_manager_namespace }}
kind: ServiceAccount
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-orders
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-orders
subjects:
- name: cert-manager
namespace: {{ cert_manager_namespace }}
kind: ServiceAccount
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-issuers
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-issuers
subjects: subjects:
- name: cert-manager - name: cert-manager
namespace: {{ cert_manager_namespace }} namespace: {{ cert_manager_namespace }}

View file

@ -1,25 +1,291 @@
# Copyright YEAR The Jetstack cert-manager contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
--- ---
apiVersion: apiextensions.k8s.io/v1 apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
name: certificates.certmanager.k8s.io name: certificaterequests.cert-manager.io
annotations: annotations:
"helm.sh/hook": crd-install cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
"api-approved.kubernetes.io": "unapproved-will-be-remove-with-cert-manager-update"
labels: labels:
app: cert-manager app: cert-manager
chart: cert-manager-v0.5.2 app.kubernetes.io/name: cert-manager
release: cert-manager app.kubernetes.io/instance: cert-manager
heritage: Tiller app.kubernetes.io/managed-by: Helm
helm.sh/chart: cert-manager-{{ cert_manager_version }}
spec: spec:
group: certmanager.k8s.io additionalPrinterColumns:
- JSONPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
- JSONPath: .spec.issuerRef.name
name: Issuer
priority: 1
type: string
- JSONPath: .status.conditions[?(@.type=="Ready")].message
name: Status
priority: 1
type: string
- JSONPath: .metadata.creationTimestamp
description: CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before order
across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC.
name: Age
type: date
group: cert-manager.io
preserveUnknownFields: false
conversion:
# a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
strategy: Webhook
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
webhookClientConfig:
service:
namespace: '{{ cert_manager_namespace }}'
name: 'cert-manager-webhook'
path: /convert
names:
kind: CertificateRequest
listKind: CertificateRequestList
plural: certificaterequests
shortNames:
- cr
- crs
singular: certificaterequest
scope: Namespaced scope: Namespaced
subresources:
status: {}
versions: versions:
- name: v1alpha1 - name: v1alpha2
served: true served: true
storage: true storage: true
schema: - name: v1alpha3
openAPIV3Schema: served: true
storage: false
"validation":
"openAPIV3Schema":
description: CertificateRequest is a type to represent a Certificate Signing
Request
type: object
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: CertificateRequestSpec defines the desired state of CertificateRequest
type: object
required:
- csr
- issuerRef
properties:
csr:
description: Byte slice containing the PEM encoded CertificateSigningRequest
type: string
format: byte
duration:
description: Requested certificate default Duration
type: string
isCA:
description: IsCA will mark the resulting certificate as valid for signing.
This implies that the 'cert sign' usage is set
type: boolean
issuerRef:
description: IssuerRef is a reference to the issuer for this CertificateRequest. If
the 'kind' field is not set, or set to 'Issuer', an Issuer resource
with the given name in the same namespace as the CertificateRequest
will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
with the provided name will be used. The 'name' field in this stanza
is required at all times. The group field refers to the API group
of the issuer which defaults to 'cert-manager.io' if empty.
type: object
required:
- name
properties:
group:
type: string
kind:
type: string
name:
type: string
usages:
description: Usages is the set of x509 actions that are enabled for
a given key. Defaults are ('digital signature', 'key encipherment')
if empty
type: array
items:
description: 'KeyUsage specifies valid usage contexts for keys. See:
https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
Valid KeyUsage values are as follows: "signing", "digital signature",
"content commitment", "key encipherment", "key agreement", "data
encipherment", "cert sign", "crl sign", "encipher only", "decipher
only", "any", "server auth", "client auth", "code signing", "email
protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
sgc"'
type: string
enum:
- signing
- digital signature
- content commitment
- key encipherment
- key agreement
- data encipherment
- cert sign
- crl sign
- encipher only
- decipher only
- any
- server auth
- client auth
- code signing
- email protection
- s/mime
- ipsec end system
- ipsec tunnel
- ipsec user
- timestamping
- ocsp signing
- microsoft sgc
- netscape sgc
status:
description: CertificateStatus defines the observed state of CertificateRequest
and resulting signed certificate.
type: object
properties:
ca:
description: Byte slice containing the PEM encoded certificate authority
of the signed certificate.
type: string
format: byte
certificate:
description: Byte slice containing a PEM encoded signed certificate
resulting from the given certificate signing request.
type: string
format: byte
conditions:
type: array
items:
description: CertificateRequestCondition contains condition information
for a CertificateRequest.
type: object
required:
- status
- type
properties:
lastTransitionTime:
description: LastTransitionTime is the timestamp corresponding
to the last status change of this condition.
type: string
format: date-time
message:
description: Message is a human readable description of the details
of the last transition, complementing reason.
type: string
reason:
description: Reason is a brief machine readable explanation for
the condition's last transition.
type: string
status:
description: Status of the condition, one of ('True', 'False',
'Unknown').
type: string
enum:
- "True"
- "False"
- Unknown
type:
description: Type of the condition, currently ('Ready', 'InvalidRequest').
type: string
failureTime:
description: FailureTime stores the time that this CertificateRequest
failed. This is used to influence garbage collection and back-off.
type: string
format: date-time
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: certificates.cert-manager.io
annotations:
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
helm.sh/chart: cert-manager-{{ cert_manager_version }}
spec:
additionalPrinterColumns:
- JSONPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
- JSONPath: .spec.secretName
name: Secret
type: string
- JSONPath: .spec.issuerRef.name
name: Issuer
priority: 1
type: string
- JSONPath: .status.conditions[?(@.type=="Ready")].message
name: Status
priority: 1
type: string
- JSONPath: .metadata.creationTimestamp
description: CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before order
across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC.
name: Age
type: date
group: cert-manager.io
preserveUnknownFields: false
conversion:
# a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
strategy: Webhook
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
webhookClientConfig:
service:
namespace: '{{ cert_manager_namespace }}'
name: 'cert-manager-webhook'
path: /convert
names:
kind: Certificate
listKind: CertificateList
plural: certificates
shortNames:
- cert
- certs
singular: certificate
scope: Namespaced
subresources:
status: {}
versions:
- name: v1alpha2
served: true
storage: true
"schema":
"openAPIV3Schema":
description: Certificate is a type to represent a Certificate from ACME description: Certificate is a type to represent a Certificate from ACME
type: object type: object
properties: properties:
@ -711,10 +977,3 @@ spec:
issuance by checking if the revision value in the annotation is issuance by checking if the revision value in the annotation is
greater than this field." greater than this field."
type: integer type: integer
names:
kind: Certificate
plural: certificates
shortNames:
- cert
- certs

View file

@ -1,28 +1,74 @@
# Copyright YEAR The Jetstack cert-manager contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
--- ---
apiVersion: apiextensions.k8s.io/v1 apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
name: clusterissuers.certmanager.k8s.io name: clusterissuers.cert-manager.io
annotations: annotations:
"helm.sh/hook": crd-install cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
"api-approved.kubernetes.io": "unapproved-will-be-remove-with-cert-manager-update"
labels: labels:
app: cert-manager app: cert-manager
chart: cert-manager-v0.5.2 app.kubernetes.io/name: cert-manager
release: cert-manager app.kubernetes.io/instance: cert-manager
heritage: Tiller app.kubernetes.io/managed-by: Helm
helm.sh/chart: cert-manager-{{ cert_manager_version }}
spec: spec:
group: certmanager.k8s.io additionalPrinterColumns:
scope: Cluster - JSONPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
- JSONPath: .status.conditions[?(@.type=="Ready")].message
name: Status
priority: 1
type: string
- JSONPath: .metadata.creationTimestamp
description: CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before order
across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC.
name: Age
type: date
group: cert-manager.io
preserveUnknownFields: false
conversion:
# a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
strategy: Webhook
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
webhookClientConfig:
service:
namespace: '{{ cert_manager_namespace }}'
name: 'cert-manager-webhook'
path: /convert
names: names:
kind: ClusterIssuer kind: ClusterIssuer
listKind: ClusterIssuerList
plural: clusterissuers plural: clusterissuers
singular: clusterissuer
scope: Cluster
subresources:
status: {}
versions: versions:
- name: v1alpha1 - name: v1alpha2
served: true served: true
storage: true storage: true
schema: - name: v1alpha3
openAPIV3Schema: served: true
storage: false
"validation":
"openAPIV3Schema":
type: object type: object
properties: properties:
apiVersion: apiVersion:

View file

@ -1,28 +1,74 @@
# Copyright YEAR The Jetstack cert-manager contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
--- ---
apiVersion: apiextensions.k8s.io/v1 apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
name: issuers.certmanager.k8s.io name: issuers.cert-manager.io
annotations: annotations:
"helm.sh/hook": crd-install cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
"api-approved.kubernetes.io": "unapproved-will-be-remove-with-cert-manager-update"
labels: labels:
app: cert-manager app: cert-manager
chart: cert-manager-v0.5.2 app.kubernetes.io/name: cert-manager
release: cert-manager app.kubernetes.io/instance: cert-manager
heritage: Tiller app.kubernetes.io/managed-by: Helm
helm.sh/chart: cert-manager-{{ cert_manager_version }}
spec: spec:
group: certmanager.k8s.io additionalPrinterColumns:
scope: Namespaced - JSONPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
- JSONPath: .status.conditions[?(@.type=="Ready")].message
name: Status
priority: 1
type: string
- JSONPath: .metadata.creationTimestamp
description: CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before order
across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC.
name: Age
type: date
group: cert-manager.io
preserveUnknownFields: false
conversion:
# a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
strategy: Webhook
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
webhookClientConfig:
service:
namespace: '{{ cert_manager_namespace }}'
name: 'cert-manager-webhook'
path: /convert
names: names:
kind: Issuer kind: Issuer
listKind: IssuerList
plural: issuers plural: issuers
singular: issuer
scope: Namespaced
subresources:
status: {}
versions: versions:
- name: v1alpha1 - name: v1alpha2
served: true served: true
storage: true storage: true
schema: - name: v1alpha3
openAPIV3Schema: served: true
storage: false
"validation":
"openAPIV3Schema":
type: object type: object
properties: properties:
apiVersion: apiVersion:

View file

@ -0,0 +1,253 @@
# Copyright YEAR The Jetstack cert-manager contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: orders.acme.cert-manager.io
annotations:
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
helm.sh/chart: cert-manager-{{ cert_manager_version }}
spec:
additionalPrinterColumns:
- JSONPath: .status.state
name: State
type: string
- JSONPath: .spec.issuerRef.name
name: Issuer
priority: 1
type: string
- JSONPath: .status.reason
name: Reason
priority: 1
type: string
- JSONPath: .metadata.creationTimestamp
description: CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before order
across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC.
name: Age
type: date
group: acme.cert-manager.io
preserveUnknownFields: false
conversion:
# a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
strategy: Webhook
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
webhookClientConfig:
service:
namespace: '{{ cert_manager_namespace }}'
name: 'cert-manager-webhook'
path: /convert
names:
kind: Order
listKind: OrderList
plural: orders
singular: order
scope: Namespaced
subresources:
status: {}
versions:
- name: v1alpha2
served: true
storage: true
- name: v1alpha3
served: true
storage: false
"validation":
"openAPIV3Schema":
description: Order is a type to represent an Order with an ACME server
type: object
required:
- metadata
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
type: object
required:
- csr
- issuerRef
properties:
commonName:
description: CommonName is the common name as specified on the DER encoded
CSR. If CommonName is not specified, the first DNSName specified will
be used as the CommonName. At least one of CommonName or a DNSNames
must be set. This field must match the corresponding field on the
DER encoded CSR.
type: string
csr:
description: Certificate signing request bytes in DER encoding. This
will be used when finalizing the order. This field must be set on
the order.
type: string
format: byte
dnsNames:
description: DNSNames is a list of DNS names that should be included
as part of the Order validation process. If CommonName is not specified,
the first DNSName specified will be used as the CommonName. At least
one of CommonName or a DNSNames must be set. This field must match
the corresponding field on the DER encoded CSR.
type: array
items:
type: string
issuerRef:
description: IssuerRef references a properly configured ACME-type Issuer
which should be used to create this Order. If the Issuer does not
exist, processing will be retried. If the Issuer is not an 'ACME'
Issuer, an error will be returned and the Order will be marked as
failed.
type: object
required:
- name
properties:
group:
type: string
kind:
type: string
name:
type: string
status:
type: object
properties:
authorizations:
description: Authorizations contains data returned from the ACME server
on what authorizations must be completed in order to validate the
DNS names specified on the Order.
type: array
items:
description: ACMEAuthorization contains data returned from the ACME
server on an authorization that must be completed in order validate
a DNS name on an ACME Order resource.
type: object
required:
- url
properties:
challenges:
description: Challenges specifies the challenge types offered
by the ACME server. One of these challenge types will be selected
when validating the DNS name and an appropriate Challenge resource
will be created to perform the ACME challenge process.
type: array
items:
description: Challenge specifies a challenge offered by the
ACME server for an Order. An appropriate Challenge resource
can be created to perform the ACME challenge process.
type: object
required:
- token
- type
- url
properties:
token:
description: Token is the token that must be presented for
this challenge. This is used to compute the 'key' that
must also be presented.
type: string
type:
description: Type is the type of challenge being offered,
e.g. http-01, dns-01
type: string
url:
description: URL is the URL of this challenge. It can be
used to retrieve additional metadata about the Challenge
from the ACME server.
type: string
identifier:
description: Identifier is the DNS name to be validated as part
of this authorization
type: string
initialState:
description: InitialState is the initial state of the ACME authorization
when first fetched from the ACME server. If an Authorization
is already 'valid', the Order controller will not create a Challenge
resource for the authorization. This will occur when working
with an ACME server that enables 'authz reuse' (such as Let's
Encrypt's production endpoint). If not set and 'identifier'
is set, the state is assumed to be pending and a Challenge will
be created.
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
url:
description: URL is the URL of the Authorization that must be
completed
type: string
wildcard:
description: Wildcard will be true if this authorization is for
a wildcard DNS name. If this is true, the identifier will be
the *non-wildcard* version of the DNS name. For example, if
'*.example.com' is the DNS name being validated, this field
will be 'true' and the 'identifier' field will be 'example.com'.
type: boolean
certificate:
description: Certificate is a copy of the PEM encoded certificate for
this Order. This field will be populated after the order has been
successfully finalized with the ACME server, and the order has transitioned
to the 'valid' state.
type: string
format: byte
failureTime:
description: FailureTime stores the time that this order failed. This
is used to influence garbage collection and back-off.
type: string
format: date-time
finalizeURL:
description: FinalizeURL of the Order. This is used to obtain certificates
for this order once it has been completed.
type: string
reason:
description: Reason optionally provides more information about a why
the order is in the current state.
type: string
state:
description: State contains the current state of this Order resource.
States 'success' and 'expired' are 'final'
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
url:
description: URL of the Order. This will initially be empty when the
resource is first created. The Order controller will populate this
field when the Order is first processed. This field will be immutable
after it is initially set.
type: string

View file

@ -1,3 +1,62 @@
# Copyright YEAR The Jetstack cert-manager contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: cert-manager-cainjector
namespace: {{ cert_manager_namespace }}
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cainjector
helm.sh/chart: cert-manager-{{ cert_manager_version }}
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: cainjector
template:
metadata:
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cainjector
helm.sh/chart: cert-manager-{{ cert_manager_version }}
spec:
serviceAccountName: cert-manager-cainjector
containers:
- name: cert-manager
image: "{{ cert_manager_cainjector_image_repo }}:{{ cert_manager_cainjector_image_tag }}"
imagePullPolicy: {{ k8s_image_pull_policy }}
args:
- --v=2
- --leader-election-namespace=kube-system
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
resources:
{}
--- ---
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
@ -6,39 +65,113 @@ metadata:
namespace: {{ cert_manager_namespace }} namespace: {{ cert_manager_namespace }}
labels: labels:
app: cert-manager app: cert-manager
chart: cert-manager-v0.5.2 app.kubernetes.io/name: cert-manager
release: cert-manager app.kubernetes.io/instance: cert-manager
heritage: Tiller app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
spec: spec:
replicas: 1 replicas: 1
selector: selector:
matchLabels: matchLabels:
app: cert-manager app.kubernetes.io/name: cert-manager
release: cert-manager app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: controller
template: template:
metadata: metadata:
labels: labels:
app: cert-manager app: cert-manager
release: cert-manager app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/managed-by: Helm
helm.sh/chart: cert-manager-{{ cert_manager_version }}
annotations: annotations:
prometheus.io/path: "/metrics"
prometheus.io/scrape: 'true'
prometheus.io/port: '9402'
spec: spec:
priorityClassName: {% if cert_manager_namespace == 'kube-system' %}system-cluster-critical{% else %}k8s-cluster-critical{% endif %}{{''}}
serviceAccountName: cert-manager serviceAccountName: cert-manager
containers: containers:
- name: cert-manager - name: cert-manager
image: {{ cert_manager_controller_image_repo }}:{{ cert_manager_controller_image_tag }} image: "{{ cert_manager_controller_image_repo }}:{{ cert_manager_controller_image_tag }}"
imagePullPolicy: {{ k8s_image_pull_policy }} imagePullPolicy: {{ k8s_image_pull_policy }}
args: args:
- --v=2
- --cluster-resource-namespace=$(POD_NAMESPACE) - --cluster-resource-namespace=$(POD_NAMESPACE)
- --leader-election-namespace=$(POD_NAMESPACE) - --leader-election-namespace=kube-system
ports:
- containerPort: 9402
protocol: TCP
env: env:
- name: POD_NAMESPACE - name: POD_NAMESPACE
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: metadata.namespace fieldPath: metadata.namespace
resources: resources:
requests: {}
cpu: 10m ---
memory: 32Mi apiVersion: apps/v1
securityContext: kind: Deployment
runAsUser: {{ cert_manager_user }} metadata:
name: cert-manager-webhook
namespace: {{ cert_manager_namespace }}
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: webhook
helm.sh/chart: cert-manager-{{ cert_manager_version }}
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: webhook
template:
metadata:
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: webhook
helm.sh/chart: cert-manager-{{ cert_manager_version }}
spec:
serviceAccountName: cert-manager-webhook
containers:
- name: cert-manager
image: "{{ cert_manager_webhook_image_repo }}:{{ cert_manager_webhook_image_tag }}"
imagePullPolicy: {{ k8s_image_pull_policy }}
args:
- --v=2
- --secure-port=10250
- --dynamic-serving-ca-secret-namespace={{ cert_manager_namespace }}
- --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
- --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
ports:
- name: https
containerPort: 10250
livenessProbe:
httpGet:
path: /livez
port: 6080
scheme: HTTP
initialDelaySeconds: 60
periodSeconds: 10
readinessProbe:
httpGet:
path: /healthz
port: 6080
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 5
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
resources:
{}

View file

@ -0,0 +1,85 @@
# Copyright YEAR The Jetstack cert-manager contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: cert-manager-cainjector:leaderelection
namespace: kube-system
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cainjector
helm.sh/chart: cert-manager-{{ cert_manager_version }}
rules:
# Used for leader election by the controller
# cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
# see cmd/cainjector/start.go#L113
# cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
# see cmd/cainjector/start.go#L137
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
verbs: ["get", "update", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: cert-manager:leaderelection
namespace: kube-system
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
rules:
# Used for leader election by the controller
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["cert-manager-controller"]
verbs: ["get", "update", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: cert-manager-webhook:dynamic-serving
namespace: {{ cert_manager_namespace }}
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: webhook
helm.sh/chart: cert-manager-{{ cert_manager_version }}
rules:
- apiGroups: [""]
resources: ["secrets"]
resourceNames:
- 'cert-manager-webhook-ca'
verbs: ["get", "list", "watch", "update"]
# It's not possible to grant CREATE permission on a single resourceName.
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]

View file

@ -0,0 +1,79 @@
# Copyright YEAR The Jetstack cert-manager contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: cert-manager-cainjector:leaderelection
namespace: kube-system
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cainjector
helm.sh/chart: cert-manager-{{ cert_manager_version }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-manager-cainjector:leaderelection
subjects:
- kind: ServiceAccount
name: cert-manager-cainjector
namespace: {{ cert_manager_namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: cert-manager:leaderelection
namespace: kube-system
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-manager:leaderelection
subjects:
- apiGroup: ""
kind: ServiceAccount
name: cert-manager
namespace: {{ cert_manager_namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: cert-manager-webhook:dynamic-serving
namespace: {{ cert_manager_namespace }}
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: webhook
helm.sh/chart: cert-manager-{{ cert_manager_version }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-manager-webhook:dynamic-serving
subjects:
- apiGroup: ""
kind: ServiceAccount
name: cert-manager-webhook
namespace: {{ cert_manager_namespace }}

View file

@ -1,3 +1,30 @@
# Copyright YEAR The Jetstack cert-manager contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: cert-manager-cainjector
namespace: {{ cert_manager_namespace }}
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cainjector
helm.sh/chart: cert-manager-{{ cert_manager_version }}
--- ---
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
@ -6,6 +33,21 @@ metadata:
namespace: {{ cert_manager_namespace }} namespace: {{ cert_manager_namespace }}
labels: labels:
app: cert-manager app: cert-manager
chart: cert-manager-v0.5.2 app.kubernetes.io/name: cert-manager
release: cert-manager app.kubernetes.io/instance: cert-manager
heritage: Tiller app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: cert-manager-webhook
namespace: {{ cert_manager_namespace }}
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: webhook
helm.sh/chart: cert-manager-{{ cert_manager_version }}

View file

@ -0,0 +1,9 @@
---
apiVersion: v1
kind: Secret
metadata:
name: ca-key-pair
namespace: {{ cert_manager_namespace }}
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURvRENDQW9pZ0F3SUJBZ0lVYXRUWVNIK1lUMVJvbXVGekF2clFRWGtsQ0Vrd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2FERUxNQWtHQTFVRUJoTUNWVk14RHpBTkJnTlZCQWdUQms5eVpXZHZiakVSTUE4R0ExVUVCeE1JVUc5eQpkR3hoYm1ReEV6QVJCZ05WQkFvVENrdDFZbVZ5Ym1WMFpYTXhDekFKQmdOVkJBc1RBa05CTVJNd0VRWURWUVFECkV3cExkV0psY201bGRHVnpNQjRYRFRJd01EY3hNREUxTWpFd01Gb1hEVEkxTURjd09URTFNakV3TUZvd2FERUwKTUFrR0ExVUVCaE1DVlZNeER6QU5CZ05WQkFnVEJrOXlaV2R2YmpFUk1BOEdBMVVFQnhNSVVHOXlkR3hoYm1ReApFekFSQmdOVkJBb1RDa3QxWW1WeWJtVjBaWE14Q3pBSkJnTlZCQXNUQWtOQk1STXdFUVlEVlFRREV3cExkV0psCmNtNWxkR1Z6TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF0MmZFNUhRSm8vNGIKRjNqN1JPZzJ6REhNdEhLd0pjVEZZYkZZMGpIWGZTVWJTS1ZObzUrNTNqQ29SdFFWd1FyYU12QnozMGRJbzd6agpMcE1VQU5aRStacXQrbkk5RWtzMVphS1NKNmYvNXpmZDEzZ1ZOTkgzN05KVUVKV0NHTnVoUmVFNDRpcUtmSDV3Ck9iZlJKL2ZCYVQ5cW9DQW9tWVcvV1JUS0t5ancreFBPeWdZZERsUk9jdzBSRmdieDkvWk5GS1lYR3BQcmdyR0wKWW45VWZXZG92WHozbys3N1piNm9SRWdBVkNDUTBaN0VEYUpjd3RCZkxOV0pWbGRET2dJNFpmWDBaNnNBN2lobgptQ1hHenJGd25JaVhaajUrdjk0ejF0SThOazlvL1RFbG9EdlJnamJNblRxQ2hGa1ZROHhtaXMwckZmMVprN3ZwCjNOMWFtY2hBQVFJREFRQUJvMEl3UURBT0JnTlZIUThCQWY4RUJBTUNBUVl3RHdZRFZSMFRBUUgvQkFVd0F3RUIKL3pBZEJnTlZIUTRFRmdRVTFEaTE0aVpKWGczajNObHdjenZFR1dwRFN2SXdEUVlKS29aSWh2Y05BUUVMQlFBRApnZ0VCQURkR1FDSFcwNkFVZUo4alM3cURPM2F1TG4xTHE0c1JCWHBoVUZ6TGRyMi9rUUlZd1BtcTRmb09RMjBwCitLTVUyanpmR0VHd3ZOU0p2QnphNHRGS1NiZHRpeFI3RmsyREdPLzc5a3ZPZ2o3UVRrUUpkUzNwaWtSc09EMlUKaytpa09qL2wyTkRSRFVXZlh4RjRjeVZTZ0VubDExUUVDa0JrUHBIYlIrUHQxYWhnMGVRMElnL0MvZC8vN2Vtegp3ZWNUZjBsQkc1UmszaURHdkxhaHdTek9jQWhSY1BxVW9idCs1bTVycmp0R3BrTFNQOTBzVko2TTZ3ZE43dGR4CkNpTktWWGRZaHBZWmUrQ1hEQ2lRR0NLVHE5NHJPbGptVmh5Z0FKWjlBOERVOWVZRmVOci9oOW84c2JYNFlzcU0KV3YwREkyQldlQ3k3MmlXZXErNHkwTENKSzQ4PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBdDJmRTVIUUpvLzRiRjNqN1JPZzJ6REhNdEhLd0pjVEZZYkZZMGpIWGZTVWJTS1ZOCm81KzUzakNvUnRRVndRcmFNdkJ6MzBkSW83empMcE1VQU5aRStacXQrbkk5RWtzMVphS1NKNmYvNXpmZDEzZ1YKTk5IMzdOSlVFSldDR051aFJlRTQ0aXFLZkg1d09iZlJKL2ZCYVQ5cW9DQW9tWVcvV1JUS0t5ancreFBPeWdZZApEbFJPY3cwUkZnYng5L1pORktZWEdwUHJnckdMWW45VWZXZG92WHozbys3N1piNm9SRWdBVkNDUTBaN0VEYUpjCnd0QmZMTldKVmxkRE9nSTRaZlgwWjZzQTdpaG5tQ1hHenJGd25JaVhaajUrdjk0ejF0SThOazlvL1RFbG9EdlIKZ2piTW5UcUNoRmtWUTh4bWlzMHJGZjFaazd2cDNOMWFtY2hBQVFJREFRQUJBb0lCQUJZd2R0RFEvUzJiRzduKwpTQ0F4SEJnZVdrN21wVXNjZ0dqdVpQbWhVQm55K0ZjVXNNMEFFU1BCclVwTWRJbFRmOHl6N01EeHhlY1Jma2J2ClFuZExkVExodFBUZEIyaUVNdVNtQTVyS3A1cFkxdjB2cVJrbjRpQUQzbW5YUE5NM0YwNzJEY1RITXRRWEZBclgKbzNWN2N5b0JveXZXV0RNaXpHREJ0Q2YrbnhFeFFzS0lLUGFxRzlDVWZlSU95RVgzRXJ6QWo3b3lnSXFLZGozbgpFbVBzbThrWDVROW9iOUZwd3FKNkxMTzcxTklQZnpaOUNLSXpSYzBNU3grL3hPYmdKSlJCNmtZTXpjWkloQ1JBClNNclBsYXZLMEVzMHpoTnIyc05aZHBlSmRzWGk5YURwZjhMOTEvdFpJeEpSMEdSUXpEZXhBN2FWdk8vVUo0N0YKOXNXUVBUVUNnWUVBeXNvTm01VHdkNWZqRzk3NXVRa3pGQUgrRGVCNXBlNTBOMkpyN01neWZsVm8zZlJrSTFKKwpsZXlyUnRIempKSzlqeEVtdVJ0YnIvUWZ3MGRUNnhRSnVJSmk3Vmlld3NPNUgzeWtwdytkbm9jVUhVVDhFWEpVCnpLSzRmSGo1SjFrNHBmaHlnNFBJZ0YxMFF1anhJRlc3Q0R3UERJRStuZm5ZczBJZ1U3SkV0OU1DZ1lFQTU0ZWsKTUltWWMyeHhoYTM1U25qd0ZCeEVwSUF3ZGdvdXBROWVsMHhmVVRkdTJsUnA1NHVZaVFVWURhNjJ6RE1kL21QagppSTdqaGl6TEU4VmU4OWh6QXljeTNIRVJPSHNETkhQVG5WN0phcmp3T29aWWIvRnM2NkxtazZMY05BbGI3TER6Cm5FNGdkTEt0cWpQVnBMbmF1T3VOQitXQzY5bm9xRUZpZWxnUWVGc0NnWUIxZGk0RnBYTFlReEZZem9JbHJPOTYKTW1FL0ZueEFJZXdOUEtRNUJnbEJaaVdWRXYrQitrRzZnOWo5NzVTOEl5OUxsR3F5bytjcTl5UUN6K2tLN0pObwozWldCMTJnMmRucGZnNm8zM25LMUpaY0FFVHBVdkwzanZvbFFDQjZCclV1RHozSTlQWE5BNzJEdGROSmVvV254CnJpQWxaU09wQzlSNm1OM3l2UHJTNHdLQmdCQS9WWWRPY0pOUS9kcHFyZjdLNDlZVmNiKzFlekVkWDg2WGVJVFgKaUN6VDNnU1dQZVJReUlCOUNnWVR4NklteUNrTTYyK3V6MHFnSkJRY0dxQzBCTVlvM3duWEtXVTBSTEpPbW9BRgpvYzdLY1prNXlrVDR4VEwzK0lSTnZuUXNYL1lKS045RUlFVHdNUDJycTRkbXYzR1FuaEg2eWlndzM0SEhMTmozCkN4alhBb0dBSjBUNkN0c1c2dEVpYUI5bnc4enI3M2xkMDhraDZSL3B4VHF5c2diNERFTmptd2dndUFoMlJSZkwKYVg3eTNqSUNOTFBjWEFOYlB0QmYrQkRBTTl0UTEzMk5hYzg3N016RHRVSyswem9CWWtwWGM4Rkd4akVuTzc5RQp2MC9vT2wzR2RaWnNJSXhLblcvVlVmYjJydGY1RWgyQytOY1FpWkNXZm5kWkthMXR4WjQ9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==

View file

@ -0,0 +1,60 @@
# Copyright YEAR The Jetstack cert-manager contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: v1
kind: Service
metadata:
name: cert-manager
namespace: {{ cert_manager_namespace }}
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
spec:
type: ClusterIP
ports:
- protocol: TCP
port: 9402
targetPort: 9402
selector:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: controller
---
apiVersion: v1
kind: Service
metadata:
name: cert-manager-webhook
namespace: {{ cert_manager_namespace }}
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: webhook
helm.sh/chart: cert-manager-{{ cert_manager_version }}
spec:
type: ClusterIP
ports:
- name: https
port: 443
targetPort: 10250
selector:
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: webhook

View file

@ -0,0 +1,96 @@
# Copyright YEAR The Jetstack cert-manager contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
name: cert-manager-webhook
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: webhook
helm.sh/chart: cert-manager-{{ cert_manager_version }}
annotations:
cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
webhooks:
- name: webhook.cert-manager.io
rules:
- apiGroups:
- "cert-manager.io"
- "acme.cert-manager.io"
apiVersions:
- v1alpha2
- v1alpha3
operations:
- CREATE
- UPDATE
resources:
- "*/*"
failurePolicy: Fail
# Only include 'sideEffects' field in Kubernetes 1.12+
sideEffects: None
clientConfig:
service:
name: cert-manager-webhook
namespace: {{ cert_manager_namespace }}
path: /mutate
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
name: cert-manager-webhook
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: webhook
helm.sh/chart: cert-manager-{{ cert_manager_version }}
annotations:
cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
webhooks:
- name: webhook.cert-manager.io
namespaceSelector:
matchExpressions:
- key: "cert-manager.io/disable-validation"
operator: "NotIn"
values:
- "true"
- key: "name"
operator: "NotIn"
values:
- cert-manager
rules:
- apiGroups:
- "cert-manager.io"
- "acme.cert-manager.io"
apiVersions:
- v1alpha2
- v1alpha3
operations:
- CREATE
- UPDATE
resources:
- "*/*"
failurePolicy: Fail
# Only include 'sideEffects' field in Kubernetes 1.12+
sideEffects: None
clientConfig:
service:
name: cert-manager-webhook
namespace: {{ cert_manager_namespace }}
path: /validate