Upgrade JetStack Cert-Manager to v0.15.2 (#6414)

* Upgrade JetStack Cert-Manager to v0.15.2 * Add README.md table of contents
2020-08-06 07:26:55 +01:00 · 2020-08-06 07:26:55 +01:00 · 9cc70e9e70
commit 9cc70e9e70
parent 50598d9d47
20 changed files with 6786 additions and 3552 deletions
--- a/README.md
+++ b/README.md
@ -136,7 +136,7 @@ Note: Upstart/SysV init based OS types are not supported.
  - [ambassador](https://github.com/datawire/ambassador): v1.5
  - [cephfs-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.0-k8s1.11
  - [rbd-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.1-k8s1.11
-  - [cert-manager](https://github.com/jetstack/cert-manager) v0.11.1
+  - [cert-manager](https://github.com/jetstack/cert-manager) v0.15.2
  - [coredns](https://github.com/coredns/coredns) v1.6.7
  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v0.32.0
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@ -546,9 +546,13 @@ ingress_ambassador_image_repo: "{{ quay_image_repo }}/datawire/ambassador-operat
 ingress_ambassador_image_tag: "v1.2.8"
 alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
 alb_ingress_image_tag: "v1.1.8"
-cert_manager_version: "v0.11.1"
+cert_manager_version: "v0.15.2"
 cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller"
 cert_manager_controller_image_tag: "{{ cert_manager_version }}"
 cert_manager_cainjector_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-cainjector"
 cert_manager_cainjector_image_tag: "{{ cert_manager_version }}"
 cert_manager_webhook_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-webhook"
 cert_manager_webhook_image_tag: "{{ cert_manager_version }}"
 addon_resizer_version: "1.8.9"
 addon_resizer_image_repo: "{{ kube_image_repo }}/addon-resizer"
 addon_resizer_image_tag: "{{ addon_resizer_version }}"
@ -1078,6 +1082,24 @@ downloads:
    groups:
    - kube-node
  cert_manager_cainjector:
    enabled: "{{ cert_manager_enabled }}"
    container: true
    repo: "{{ cert_manager_cainjector_image_repo }}"
    tag: "{{ cert_manager_cainjector_image_tag }}"
    sha256: "{{ cert_manager_cainjector_digest_checksum|default(None) }}"
    groups:
    - kube-node
  cert_manager_webhook:
    enabled: "{{ cert_manager_enabled }}"
    container: true
    repo: "{{ cert_manager_webhook_image_repo }}"
    tag: "{{ cert_manager_webhook_image_tag }}"
    sha256: "{{ cert_manager_webhook_digest_checksum|default(None) }}"
    groups:
    - kube-node
  csi_attacher:
    enabled: "{{ cinder_csi_enabled or aws_ebs_csi_enabled }}"
    container: true
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/README.md
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/README.md
@ -1,17 +1,179 @@
-Deployment files
+# Installation Guide
 ================
-This directory contains example deployment manifests for cert-manager that can
+- [Installation Guide](#installation-guide)
-be used in place of the official Helm chart.
+  - [Kubernetes TLS Root CA Certificate/Key Secret](#kubernetes-tls-root-ca-certificatekey-secret)
  - [Securing Ingress Resources](#securing-ingress-resources)
    - [Create New TLS Root CA Certificate and Key](#create-new-tls-root-ca-certificate-and-key)
      - [Install Cloudflare PKI/TLS `cfssl` Toolkit.](#install-cloudflare-pkitls-cfssl-toolkit)
      - [Create Root Certificate Authority (CA) Configuration File](#create-root-certificate-authority-ca-configuration-file)
      - [Create Certficate Signing Request (CSR) Configuration File](#create-certficate-signing-request-csr-configuration-file)
      - [Create TLS Root CA Certificate and Key](#create-tls-root-ca-certificate-and-key)
-This is useful if you are deploying cert-manager into an environment without
+Cert-Manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self signed. It will ensure certificates are valid and up to date, and attempt to renew certificates at a configured time before expiry.
 Helm, or want to inspect a 'bare minimum' deployment.
-Where do these come from?
+The Kubespray out-of-the-box cert-manager deployment uses a TLS Root CA certificate and key stored as the Kubernetes `ca-key-pair` secret consisting of `tls.crt` and `tls.key`, which are the base64 encode values of the TLS Root CA certificate and key respectively.
 -------------------------
-The manifests in these subdirectories are generated from the Helm chart
+Integration with other PKI/Certificate management solutions, such as HashiCorp Vault will require some further development changes to the current cert-manager deployment and may be introduced in the future.
 automatically. The `values.yaml` files used to configure cert-manager can be
 found in [`hack/deploy`](../../hack/deploy/).
-They are automatically generated by running `./hack/update-deploy-gen.sh`.
+## Kubernetes TLS Root CA Certificate/Key Secret
 If you're planning to secure your ingress resources using TLS client certificates, you'll need to create and deploy the Kubernetes `ca-key-pair` secret consisting of the Root CA certificate and key to your K8s cluster.
 If these are already available, simply update `templates\secret-cert-manager.yml.j2` with the base64 encoded values of your TLS Root CA certificate and key prior to enabling and deploying cert-manager.
 e.g.
 ```shell
 $ cat ca.pem | base64 -w 0
 LS0tLS1CRUdJTiBDRVJU...
 $ cat ca-key.pem | base64 -w 0
 LS0tLS1CRUdJTiBSU0Eg...
 ```
 For further information, read the official [Cert-Manager CA Configuration](https://cert-manager.io/docs/configuration/ca/) doc.
 Once the base64 encoded values have been added to `templates\secret-cert-manager.yml.j2`, cert-manager can now be enabled by editing your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s-cluster\addons.yml` and setting `cert_manager_enabled` to true.
 ```ini
 # Cert manager deployment
 cert_manager_enabled: true
 ```
 If you don't have a TLS Root CA certificate and key available, you can create these by following the steps outlined in section [Create New TLS Root CA Certificate and Key](#create-new-tls-root-ca-certificate-and-key) using the Cloudflare PKI/TLS `cfssl` toolkit. TLS Root CA certificates and keys can also be created using `ssh-keygen` and OpenSSL, if `cfssl` is not available.
 ## Securing Ingress Resources
 A common use-case for cert-manager is requesting TLS signed certificates to secure your ingress resources. This can be done by simply adding annotations to your Ingress resources and cert-manager will facilitate creating the Certificate resource for you. A small sub-component of cert-manager, ingress-shim, is responsible for this.
 To enable the Nginx Ingress controller as part of your Kubespray deployment, simply edit your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s-cluster\addons.yml` and set `ingress_nginx_enabled` to true.
 ```ini
 # Nginx ingress controller deployment
 ingress_nginx_enabled: true
 ```
 For example, if you're using the Nginx ingress controller, you can secure the Prometheus ingress by adding the annotation `cert-manager.io/cluster-issuer: ca-issuer` and the `spec.tls` section to the `Ingress` resource definition.
 ```yaml
 apiVersion: networking.k8s.io/v1beta1
 kind: Ingress
 metadata:
  name: prometheus-k8s
  namespace: monitoring
  labels:
    prometheus: k8s
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: ca-issuer
 spec:
  tls:
  - hosts:
    - prometheus.example.com
    secretName: prometheus-dashboard-certs
  rules:
  - host: prometheus.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: prometheus-k8s
          servicePort: web
 ```
 Once deployed to your K8s cluster, every 3 months cert-manager will automatically rotate the Prometheus `prometheus.example.com` TLS client certificate and key, and store these as the Kubernetes `prometheus-dashboard-certs` secret.
 For further information, read the official [Cert-Manager Ingress](https://cert-manager.io/docs/usage/ingress/) doc.
 ### Create New TLS Root CA Certificate and Key
 #### Install Cloudflare PKI/TLS `cfssl` Toolkit.
 e.g. For Ubuntu/Debian distibutions, the toolkit is part of the `golang-cfssl` package.
 ```shell
 $ sudo apt-get install -y golang-cfssl
 ```
 #### Create Root Certificate Authority (CA) Configuration File
 The default TLS certificate expiry time period is `8760h` which is 5 years from the date the certificate is created.
 ```shell
 $ cat > ca-config.json <<EOF
 {
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "8760h"
      }
    }
  }
 }
 EOF
 ```
 #### Create Certficate Signing Request (CSR) Configuration File
 The TLS certificate `names` details can be updated to your own specific requirements.
 ```shell
 $ cat > ca-csr.json <<EOF
 {
  "CN": "Kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Portland",
      "O": "Kubernetes",
      "OU": "CA",
      "ST": "Oregon"
    }
  ]
 }
 EOF
 ```
 #### Create TLS Root CA Certificate and Key
 ```shell
 $ cfssl gencert -initca ca-csr.json | cfssljson -bare ca
 ca.pem
 ca-key.pem
 ```
 Check the TLS Root CA certificate has the correct `Not Before` and `Not After` dates, and ensure it is indeed a valid Certificate Authority with the X509v3 extension `CA:TRUE`.
 ```shell
 $ openssl x509 -text -noout -in ca.pem
 Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6a:d4:d8:48:7f:98:4f:54:68:9a:e1:73:02:fa:d0:41:79:25:08:49
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = Oregon, L = Portland, O = Kubernetes, OU = CA, CN = Kubernetes
        Validity
            Not Before: Jul 10 15:21:00 2020 GMT
            Not After : Jul  9 15:21:00 2025 GMT
        Subject: C = US, ST = Oregon, L = Portland, O = Kubernetes, OU = CA, CN = Kubernetes
        Subject Public Key Info:
        ...
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                D4:38:B5:E2:26:49:5E:0D:E3:DC:D9:70:73:3B:C4:19:6A:43:4A:F2
                ...
 ```
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/tasks/main.yml
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/tasks/main.yml
@ -28,19 +28,30 @@
  when:
    - inventory_hostname == groups['kube-master'][0]
 - name: Cert Manager | Templates list
  set_fact:
    cert_manager_templates:
      - { name: 00-namespace, file: 00-namespace.yml, type: ns }
      - { name: sa-cert-manager, file: sa-cert-manager.yml, type: sa }
      - { name: crd-certificate, file: crd-certificate.yml, type: crd }
      - { name: crd-challenge, file: crd-challenge.yml, type: crd }
      - { name: crd-clusterissuer, file: crd-clusterissuer.yml, type: crd }
      - { name: crd-issuer, file: crd-issuer.yml, type: crd }
      - { name: crd-order, file: crd-order.yml, type: crd }
      - { name: clusterrole-cert-manager, file: clusterrole-cert-manager.yml, type: clusterrole }
      - { name: clusterrolebinding-cert-manager, file: clusterrolebinding-cert-manager.yml, type: clusterrolebinding }
      - { name: role-cert-manager, file: role-cert-manager.yml, type: role }
      - { name: rolebinding-cert-manager, file: rolebinding-cert-manager.yml, type: rolebinding }
      - { name: deploy-cert-manager, file: deploy-cert-manager.yml, type: deploy }
      - { name: svc-cert-manager, file: svc-cert-manager.yml, type: svc }
      - { name: webhook-cert-manager, file: webhook-cert-manager.yml, type: webhook }
      - { name: secret-cert-manager, file: secret-cert-manager.yml, type: secret }
 - name: Cert Manager | Create manifests
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/addons/cert_manager/{{ item.file }}"
-  with_items:
+  with_items: "{{ cert_manager_templates }}"
    - { name: 00-namespace, file: 00-namespace.yml, type: ns }
    - { name: sa-cert-manager, file: sa-cert-manager.yml, type: sa }
    - { name: crd-certificate, file: crd-certificate.yml, type: crd }
    - { name: crd-clusterissuer, file: crd-clusterissuer.yml, type: crd }
    - { name: crd-issuer, file: crd-issuer.yml, type: crd }
    - { name: clusterrole-cert-manager, file: clusterrole-cert-manager.yml, type: clusterrole }
    - { name: clusterrolebinding-cert-manager, file: clusterrolebinding-cert-manager.yml, type: clusterrolebinding }
    - { name: deploy-cert-manager, file: deploy-cert-manager.yml, type: deploy }
  register: cert_manager_manifests
  when:
    - inventory_hostname == groups['kube-master'][0]
@ -48,7 +59,6 @@
 - name: Cert Manager | Apply manifests
  kube:
    name: "{{ item.item.name }}"
    namespace: "{{ cert_manager_namespace }}"
    kubectl: "{{ bin_dir }}/kubectl"
    resource: "{{ item.item.type }}"
    filename: "{{ kube_config_dir }}/addons/cert_manager/{{ item.item.file }}"
@ -56,3 +66,24 @@
  with_items: "{{ cert_manager_manifests.results }}"
  when:
    - inventory_hostname == groups['kube-master'][0]
 - name: Cert Manager | Wait for Webhook pods become ready
  shell: "{{ bin_dir }}/kubectl wait po --namespace={{ cert_manager_namespace }} --selector app=webhook --for=condition=Ready --timeout=600s"
  register: cert_manager_webhook_pods_ready
  when: inventory_hostname == groups['kube-master'][0]
 - name: Cert Manager | Create ClusterIssuer manifest
  template:
    src: "clusterissuer-cert-manager.yml.j2"
    dest: "{{ kube_config_dir }}/addons/cert_manager/clusterissuer-cert-manager.yml"
  register: cert_manager_clusterissuer_manifest
  when:
    - inventory_hostname == groups['kube-master'][0] and cert_manager_webhook_pods_ready is succeeded
 - name: Cert Manager | Apply ClusterIssuer manifest
  kube:
    name: "clusterissuer-cert-manager"
    kubectl: "{{ bin_dir }}/kubectl"
    filename: "{{ kube_config_dir }}/addons/cert_manager/clusterissuer-cert-manager.yml"
    state: "latest"
  when: inventory_hostname == groups['kube-master'][0] and cert_manager_clusterissuer_manifest is succeeded
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/00-namespace.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/00-namespace.yml.j2
@ -1,3 +1,17 @@
 # Copyright YEAR The Jetstack cert-manager contributors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ---
 apiVersion: v1
 kind: Namespace
@ -5,4 +19,3 @@ metadata:
  name: {{ cert_manager_namespace }}
  labels:
    name: {{ cert_manager_namespace }}
    certmanager.k8s.io/disable-validation: "true"
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterissuer-cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterissuer-cert-manager.yml.j2
@ -0,0 +1,23 @@
 # Copyright YEAR The Jetstack cert-manager contributors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ---
 apiVersion: cert-manager.io/v1alpha2
 kind: ClusterIssuer
 metadata:
  name: ca-issuer
  namespace: {{ cert_manager_namespace }}
 spec:
  ca:
    secretName: ca-key-pair
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterrole-cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterrole-cert-manager.yml.j2
@ -1,20 +1,293 @@
 # Copyright YEAR The Jetstack cert-manager contributors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: cert-manager-cainjector
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: cainjector
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get", "create", "update", "patch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["apiregistration.k8s.io"]
    resources: ["apiservices"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["auditregistration.k8s.io"]
    resources: ["auditsinks"]
    verbs: ["get", "list", "watch", "update"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: cert-manager-controller-orders
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 rules:
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "orders/status"]
    verbs: ["update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "challenges"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["create", "delete"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders/finalizers"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: cert-manager-controller-ingress-shim
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests"]
    verbs: ["create", "update", "delete"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["extensions"]
    resources: ["ingresses/finalizers"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: cert-manager
+  name: cert-manager-view
  labels:
    app: cert-manager
-    chart: cert-manager-v0.5.2
+    app.kubernetes.io/name: cert-manager
-    release: cert-manager
+    app.kubernetes.io/instance: cert-manager
-    heritage: Tiller
+    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
 rules:
-  - apiGroups: ["certmanager.k8s.io"]
+  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates", "issuers", "clusterissuers"]
+    resources: ["certificates", "certificaterequests", "issuers"]
-    verbs: ["*"]
+    verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: cert-manager-controller-challenges
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 rules:
  # Use to update challenge resource status
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "challenges/status"]
    verbs: ["update"]
  # Used to watch challenge resources
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["get", "list", "watch"]
  # Used to watch challenges, issuer and clusterissuer resources
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  # Need to be able to retrieve ACME account private key to complete challenges
  - apiGroups: [""]
-    resources: ["configmaps", "secrets", "events", "services", "pods"]
+    resources: ["secrets"]
-    verbs: ["*"]
+    verbs: ["get", "list", "watch"]
  # Used to create events
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  # HTTP01 rules
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
-    verbs: ["*"]
+    verbs: ["get", "list", "watch", "create", "delete", "update"]
  # We require the ability to specify a custom hostname when we are creating
  # new ingress resources.
  # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
  - apiGroups: ["route.openshift.io"]
    resources: ["routes/custom-host"]
    verbs: ["create"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges/finalizers"]
    verbs: ["update"]
  # DNS01 rules (duplicated above)
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: cert-manager-controller-issuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "issuers/status"]
    verbs: ["update"]
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: cert-manager-controller-clusterissuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "clusterissuers/status"]
    verbs: ["update"]
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: cert-manager-edit
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: cert-manager-controller-certificates
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
    verbs: ["update"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates/finalizers", "certificaterequests/finalizers"]
    verbs: ["update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders"]
    verbs: ["create", "delete", "get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterrolebinding-cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterrolebinding-cert-manager.yml.j2
@ -1,17 +1,153 @@
 # Copyright YEAR The Jetstack cert-manager contributors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ---
-apiVersion: rbac.authorization.k8s.io/v1
+apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
-  name: cert-manager
+  name: cert-manager-cainjector
  labels:
-    app: cert-manager
+    app: cainjector
-    chart: cert-manager-v0.5.2
+    app.kubernetes.io/name: cainjector
-    release: cert-manager
+    app.kubernetes.io/instance: cert-manager
-    heritage: Tiller
+    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: cainjector
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: cert-manager
+  name: cert-manager-cainjector
 subjects:
  - name: cert-manager-cainjector
    namespace: {{ cert_manager_namespace }}
    kind: ServiceAccount
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-controller-certificates
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-certificates
 subjects:
  - name: cert-manager
    namespace: {{ cert_manager_namespace }}
    kind: ServiceAccount
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-controller-clusterissuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-clusterissuers
 subjects:
  - name: cert-manager
    namespace: {{ cert_manager_namespace }}
    kind: ServiceAccount
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-controller-challenges
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-challenges
 subjects:
  - name: cert-manager
    namespace: {{ cert_manager_namespace }}
    kind: ServiceAccount
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-controller-ingress-shim
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-ingress-shim
 subjects:
  - name: cert-manager
    namespace: {{ cert_manager_namespace }}
    kind: ServiceAccount
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-controller-orders
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-orders
 subjects:
  - name: cert-manager
    namespace: {{ cert_manager_namespace }}
    kind: ServiceAccount
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-controller-issuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-issuers
 subjects:
  - name: cert-manager
    namespace: {{ cert_manager_namespace }}
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-certificate.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-certificate.yml.j2
@ -1,25 +1,291 @@
 # Copyright YEAR The Jetstack cert-manager contributors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ---
-apiVersion: apiextensions.k8s.io/v1
+apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
-  name: certificates.certmanager.k8s.io
+  name: certificaterequests.cert-manager.io
  annotations:
-    "helm.sh/hook": crd-install
+    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
    "api-approved.kubernetes.io": "unapproved-will-be-remove-with-cert-manager-update"
  labels:
    app: cert-manager
-    chart: cert-manager-v0.5.2
+    app.kubernetes.io/name: cert-manager
-    release: cert-manager
+    app.kubernetes.io/instance: cert-manager
-    heritage: Tiller
+    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 spec:
-  group: certmanager.k8s.io
+  additionalPrinterColumns:
  - JSONPath: .status.conditions[?(@.type=="Ready")].status
    name: Ready
    type: string
  - JSONPath: .spec.issuerRef.name
    name: Issuer
    priority: 1
    type: string
  - JSONPath: .status.conditions[?(@.type=="Ready")].message
    name: Status
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC.
    name: Age
    type: date
  group: cert-manager.io
  preserveUnknownFields: false
  conversion:
    # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
    strategy: Webhook
    # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
    webhookClientConfig:
      service:
        namespace: '{{ cert_manager_namespace }}'
        name: 'cert-manager-webhook'
        path: /convert
  names:
    kind: CertificateRequest
    listKind: CertificateRequestList
    plural: certificaterequests
    shortNames:
    - cr
    - crs
    singular: certificaterequest
  scope: Namespaced
  subresources:
    status: {}
  versions:
-  - name: v1alpha1
+  - name: v1alpha2
    served: true
    storage: true
-    schema:
+  - name: v1alpha3
-      openAPIV3Schema:
+    served: true
    storage: false
  "validation":
    "openAPIV3Schema":
      description: CertificateRequest is a type to represent a Certificate Signing
        Request
      type: object
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          description: CertificateRequestSpec defines the desired state of CertificateRequest
          type: object
          required:
          - csr
          - issuerRef
          properties:
            csr:
              description: Byte slice containing the PEM encoded CertificateSigningRequest
              type: string
              format: byte
            duration:
              description: Requested certificate default Duration
              type: string
            isCA:
              description: IsCA will mark the resulting certificate as valid for signing.
                This implies that the 'cert sign' usage is set
              type: boolean
            issuerRef:
              description: IssuerRef is a reference to the issuer for this CertificateRequest.  If
                the 'kind' field is not set, or set to 'Issuer', an Issuer resource
                with the given name in the same namespace as the CertificateRequest
                will be used.  If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
                with the provided name will be used. The 'name' field in this stanza
                is required at all times. The group field refers to the API group
                of the issuer which defaults to 'cert-manager.io' if empty.
              type: object
              required:
              - name
              properties:
                group:
                  type: string
                kind:
                  type: string
                name:
                  type: string
            usages:
              description: Usages is the set of x509 actions that are enabled for
                a given key. Defaults are ('digital signature', 'key encipherment')
                if empty
              type: array
              items:
                description: 'KeyUsage specifies valid usage contexts for keys. See:
                  https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
                  Valid KeyUsage values are as follows: "signing", "digital signature",
                  "content commitment", "key encipherment", "key agreement", "data
                  encipherment", "cert sign", "crl sign", "encipher only", "decipher
                  only", "any", "server auth", "client auth", "code signing", "email
                  protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
                  user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
                  sgc"'
                type: string
                enum:
                - signing
                - digital signature
                - content commitment
                - key encipherment
                - key agreement
                - data encipherment
                - cert sign
                - crl sign
                - encipher only
                - decipher only
                - any
                - server auth
                - client auth
                - code signing
                - email protection
                - s/mime
                - ipsec end system
                - ipsec tunnel
                - ipsec user
                - timestamping
                - ocsp signing
                - microsoft sgc
                - netscape sgc
        status:
          description: CertificateStatus defines the observed state of CertificateRequest
            and resulting signed certificate.
          type: object
          properties:
            ca:
              description: Byte slice containing the PEM encoded certificate authority
                of the signed certificate.
              type: string
              format: byte
            certificate:
              description: Byte slice containing a PEM encoded signed certificate
                resulting from the given certificate signing request.
              type: string
              format: byte
            conditions:
              type: array
              items:
                description: CertificateRequestCondition contains condition information
                  for a CertificateRequest.
                type: object
                required:
                - status
                - type
                properties:
                  lastTransitionTime:
                    description: LastTransitionTime is the timestamp corresponding
                      to the last status change of this condition.
                    type: string
                    format: date-time
                  message:
                    description: Message is a human readable description of the details
                      of the last transition, complementing reason.
                    type: string
                  reason:
                    description: Reason is a brief machine readable explanation for
                      the condition's last transition.
                    type: string
                  status:
                    description: Status of the condition, one of ('True', 'False',
                      'Unknown').
                    type: string
                    enum:
                    - "True"
                    - "False"
                    - Unknown
                  type:
                    description: Type of the condition, currently ('Ready', 'InvalidRequest').
                    type: string
            failureTime:
              description: FailureTime stores the time that this CertificateRequest
                failed. This is used to influence garbage collection and back-off.
              type: string
              format: date-time
 ---
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: certificates.cert-manager.io
  annotations:
    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 spec:
  additionalPrinterColumns:
  - JSONPath: .status.conditions[?(@.type=="Ready")].status
    name: Ready
    type: string
  - JSONPath: .spec.secretName
    name: Secret
    type: string
  - JSONPath: .spec.issuerRef.name
    name: Issuer
    priority: 1
    type: string
  - JSONPath: .status.conditions[?(@.type=="Ready")].message
    name: Status
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC.
    name: Age
    type: date
  group: cert-manager.io
  preserveUnknownFields: false
  conversion:
    # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
    strategy: Webhook
    # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
    webhookClientConfig:
      service:
        namespace: '{{ cert_manager_namespace }}'
        name: 'cert-manager-webhook'
        path: /convert
  names:
    kind: Certificate
    listKind: CertificateList
    plural: certificates
    shortNames:
    - cert
    - certs
    singular: certificate
  scope: Namespaced
  subresources:
    status: {}
  versions:
  - name: v1alpha2
    served: true
    storage: true
    "schema":
      "openAPIV3Schema":
        description: Certificate is a type to represent a Certificate from ACME
        type: object
        properties:
@ -711,10 +977,3 @@ spec:
                  issuance by checking if the revision value in the annotation is
                  greater than this field."
                type: integer
  names:
    kind: Certificate
    plural: certificates
    shortNames:
      - cert
      - certs
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-challenge.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-challenge.yml.j2
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-clusterissuer.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-clusterissuer.yml.j2
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-issuer.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-issuer.yml.j2
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-order.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-order.yml.j2
@ -0,0 +1,253 @@
 # Copyright YEAR The Jetstack cert-manager contributors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ---
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: orders.acme.cert-manager.io
  annotations:
    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 spec:
  additionalPrinterColumns:
  - JSONPath: .status.state
    name: State
    type: string
  - JSONPath: .spec.issuerRef.name
    name: Issuer
    priority: 1
    type: string
  - JSONPath: .status.reason
    name: Reason
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC.
    name: Age
    type: date
  group: acme.cert-manager.io
  preserveUnknownFields: false
  conversion:
    # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
    strategy: Webhook
    # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
    webhookClientConfig:
      service:
        namespace: '{{ cert_manager_namespace }}'
        name: 'cert-manager-webhook'
        path: /convert
  names:
    kind: Order
    listKind: OrderList
    plural: orders
    singular: order
  scope: Namespaced
  subresources:
    status: {}
  versions:
  - name: v1alpha2
    served: true
    storage: true
  - name: v1alpha3
    served: true
    storage: false
  "validation":
    "openAPIV3Schema":
      description: Order is a type to represent an Order with an ACME server
      type: object
      required:
      - metadata
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          type: object
          required:
          - csr
          - issuerRef
          properties:
            commonName:
              description: CommonName is the common name as specified on the DER encoded
                CSR. If CommonName is not specified, the first DNSName specified will
                be used as the CommonName. At least one of CommonName or a DNSNames
                must be set. This field must match the corresponding field on the
                DER encoded CSR.
              type: string
            csr:
              description: Certificate signing request bytes in DER encoding. This
                will be used when finalizing the order. This field must be set on
                the order.
              type: string
              format: byte
            dnsNames:
              description: DNSNames is a list of DNS names that should be included
                as part of the Order validation process. If CommonName is not specified,
                the first DNSName specified will be used as the CommonName. At least
                one of CommonName or a DNSNames must be set. This field must match
                the corresponding field on the DER encoded CSR.
              type: array
              items:
                type: string
            issuerRef:
              description: IssuerRef references a properly configured ACME-type Issuer
                which should be used to create this Order. If the Issuer does not
                exist, processing will be retried. If the Issuer is not an 'ACME'
                Issuer, an error will be returned and the Order will be marked as
                failed.
              type: object
              required:
              - name
              properties:
                group:
                  type: string
                kind:
                  type: string
                name:
                  type: string
        status:
          type: object
          properties:
            authorizations:
              description: Authorizations contains data returned from the ACME server
                on what authorizations must be completed in order to validate the
                DNS names specified on the Order.
              type: array
              items:
                description: ACMEAuthorization contains data returned from the ACME
                  server on an authorization that must be completed in order validate
                  a DNS name on an ACME Order resource.
                type: object
                required:
                - url
                properties:
                  challenges:
                    description: Challenges specifies the challenge types offered
                      by the ACME server. One of these challenge types will be selected
                      when validating the DNS name and an appropriate Challenge resource
                      will be created to perform the ACME challenge process.
                    type: array
                    items:
                      description: Challenge specifies a challenge offered by the
                        ACME server for an Order. An appropriate Challenge resource
                        can be created to perform the ACME challenge process.
                      type: object
                      required:
                      - token
                      - type
                      - url
                      properties:
                        token:
                          description: Token is the token that must be presented for
                            this challenge. This is used to compute the 'key' that
                            must also be presented.
                          type: string
                        type:
                          description: Type is the type of challenge being offered,
                            e.g. http-01, dns-01
                          type: string
                        url:
                          description: URL is the URL of this challenge. It can be
                            used to retrieve additional metadata about the Challenge
                            from the ACME server.
                          type: string
                  identifier:
                    description: Identifier is the DNS name to be validated as part
                      of this authorization
                    type: string
                  initialState:
                    description: InitialState is the initial state of the ACME authorization
                      when first fetched from the ACME server. If an Authorization
                      is already 'valid', the Order controller will not create a Challenge
                      resource for the authorization. This will occur when working
                      with an ACME server that enables 'authz reuse' (such as Let's
                      Encrypt's production endpoint). If not set and 'identifier'
                      is set, the state is assumed to be pending and a Challenge will
                      be created.
                    type: string
                    enum:
                    - valid
                    - ready
                    - pending
                    - processing
                    - invalid
                    - expired
                    - errored
                  url:
                    description: URL is the URL of the Authorization that must be
                      completed
                    type: string
                  wildcard:
                    description: Wildcard will be true if this authorization is for
                      a wildcard DNS name. If this is true, the identifier will be
                      the *non-wildcard* version of the DNS name. For example, if
                      '*.example.com' is the DNS name being validated, this field
                      will be 'true' and the 'identifier' field will be 'example.com'.
                    type: boolean
            certificate:
              description: Certificate is a copy of the PEM encoded certificate for
                this Order. This field will be populated after the order has been
                successfully finalized with the ACME server, and the order has transitioned
                to the 'valid' state.
              type: string
              format: byte
            failureTime:
              description: FailureTime stores the time that this order failed. This
                is used to influence garbage collection and back-off.
              type: string
              format: date-time
            finalizeURL:
              description: FinalizeURL of the Order. This is used to obtain certificates
                for this order once it has been completed.
              type: string
            reason:
              description: Reason optionally provides more information about a why
                the order is in the current state.
              type: string
            state:
              description: State contains the current state of this Order resource.
                States 'success' and 'expired' are 'final'
              type: string
              enum:
              - valid
              - ready
              - pending
              - processing
              - invalid
              - expired
              - errored
            url:
              description: URL of the Order. This will initially be empty when the
                resource is first created. The Order controller will populate this
                field when the Order is first processed. This field will be immutable
                after it is initially set.
              type: string
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/deploy-cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/deploy-cert-manager.yml.j2
@ -1,3 +1,62 @@
 # Copyright YEAR The Jetstack cert-manager contributors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: cert-manager-cainjector
  namespace: {{ cert_manager_namespace }}
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: cainjector
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: cainjector
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/component: cainjector
  template:
    metadata:
      labels:
        app: cainjector
        app.kubernetes.io/name: cainjector
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: cainjector
        helm.sh/chart: cert-manager-{{ cert_manager_version }}
    spec:
      serviceAccountName: cert-manager-cainjector
      containers:
        - name: cert-manager
          image: "{{ cert_manager_cainjector_image_repo }}:{{ cert_manager_cainjector_image_tag }}"
          imagePullPolicy: {{ k8s_image_pull_policy }}
          args:
          - --v=2
          - --leader-election-namespace=kube-system
          env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          resources:
            {}
 ---
 apiVersion: apps/v1
 kind: Deployment
@ -6,39 +65,113 @@ metadata:
  namespace: {{ cert_manager_namespace }}
  labels:
    app: cert-manager
-    chart: cert-manager-v0.5.2
+    app.kubernetes.io/name: cert-manager
-    release: cert-manager
+    app.kubernetes.io/instance: cert-manager
-    heritage: Tiller
+    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 spec:
  replicas: 1
  selector:
    matchLabels:
-      app: cert-manager
+      app.kubernetes.io/name: cert-manager
-      release: cert-manager
+      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/component: controller
  template:
    metadata:
      labels:
        app: cert-manager
-        release: cert-manager
+        app.kubernetes.io/name: cert-manager
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/component: controller
        app.kubernetes.io/managed-by: Helm
        helm.sh/chart: cert-manager-{{ cert_manager_version }}
      annotations:
        prometheus.io/path: "/metrics"
        prometheus.io/scrape: 'true'
        prometheus.io/port: '9402'
    spec:
      priorityClassName: {% if cert_manager_namespace == 'kube-system' %}system-cluster-critical{% else %}k8s-cluster-critical{% endif %}{{''}}
      serviceAccountName: cert-manager
      containers:
        - name: cert-manager
-          image: {{ cert_manager_controller_image_repo }}:{{ cert_manager_controller_image_tag }}
+          image: "{{ cert_manager_controller_image_repo }}:{{ cert_manager_controller_image_tag }}"
          imagePullPolicy: {{ k8s_image_pull_policy }}
          args:
-            - --cluster-resource-namespace=$(POD_NAMESPACE)
+          - --v=2
-            - --leader-election-namespace=$(POD_NAMESPACE)
+          - --cluster-resource-namespace=$(POD_NAMESPACE)
          - --leader-election-namespace=kube-system
          ports:
          - containerPort: 9402
            protocol: TCP
          env:
-            - name: POD_NAMESPACE
+          - name: POD_NAMESPACE
-              valueFrom:
+            valueFrom:
-                fieldRef:
+              fieldRef:
-                  fieldPath: metadata.namespace
+                fieldPath: metadata.namespace
          resources:
-            requests:
+            {}
-              cpu: 10m
+---
-              memory: 32Mi
+apiVersion: apps/v1
-          securityContext:
+kind: Deployment
-            runAsUser: {{ cert_manager_user }}
+metadata:
  name: cert-manager-webhook
  namespace: {{ cert_manager_namespace }}
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: webhook
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: webhook
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/component: webhook
  template:
    metadata:
      labels:
        app: webhook
        app.kubernetes.io/name: webhook
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: webhook
        helm.sh/chart: cert-manager-{{ cert_manager_version }}
    spec:
      serviceAccountName: cert-manager-webhook
      containers:
        - name: cert-manager
          image: "{{ cert_manager_webhook_image_repo }}:{{ cert_manager_webhook_image_tag }}"
          imagePullPolicy: {{ k8s_image_pull_policy }}
          args:
          - --v=2
          - --secure-port=10250
          - --dynamic-serving-ca-secret-namespace={{ cert_manager_namespace }}
          - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
          - --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
          ports:
          - name: https
            containerPort: 10250
          livenessProbe:
            httpGet:
              path: /livez
              port: 6080
              scheme: HTTP
            initialDelaySeconds: 60
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 6080
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 5
          env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          resources:
            {}
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/role-cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/role-cert-manager.yml.j2
@ -0,0 +1,85 @@
 # Copyright YEAR The Jetstack cert-manager contributors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: Role
 metadata:
  name: cert-manager-cainjector:leaderelection
  namespace: kube-system
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: cainjector
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 rules:
  # Used for leader election by the controller
  # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
  #   see cmd/cainjector/start.go#L113
  # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
  #   see cmd/cainjector/start.go#L137
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
    verbs: ["get", "update", "patch"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: Role
 metadata:
  name: cert-manager:leaderelection
  namespace: kube-system
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 rules:
  # Used for leader election by the controller
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["cert-manager-controller"]
    verbs: ["get", "update", "patch"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: Role
 metadata:
  name: cert-manager-webhook:dynamic-serving
  namespace: {{ cert_manager_namespace }}
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: webhook
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 rules:
 - apiGroups: [""]
  resources: ["secrets"]
  resourceNames:
  - 'cert-manager-webhook-ca'
  verbs: ["get", "list", "watch", "update"]
 # It's not possible to grant CREATE permission on a single resourceName.
 - apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/rolebinding-cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/rolebinding-cert-manager.yml.j2
@ -0,0 +1,79 @@
 # Copyright YEAR The Jetstack cert-manager contributors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
  name: cert-manager-cainjector:leaderelection
  namespace: kube-system
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: cainjector
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-cainjector:leaderelection
 subjects:
  - kind: ServiceAccount
    name: cert-manager-cainjector
    namespace: {{ cert_manager_namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
  name: cert-manager:leaderelection
  namespace: kube-system
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager:leaderelection
 subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager
    namespace: {{ cert_manager_namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
  name: cert-manager-webhook:dynamic-serving
  namespace: {{ cert_manager_namespace }}
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: webhook
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-webhook:dynamic-serving
 subjects:
 - apiGroup: ""
  kind: ServiceAccount
  name: cert-manager-webhook
  namespace: {{ cert_manager_namespace }}
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/sa-cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/sa-cert-manager.yml.j2
@ -1,3 +1,30 @@
 # Copyright YEAR The Jetstack cert-manager contributors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: cert-manager-cainjector
  namespace: {{ cert_manager_namespace }}
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: cainjector
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 ---
 apiVersion: v1
 kind: ServiceAccount
@ -6,6 +33,21 @@ metadata:
  namespace: {{ cert_manager_namespace }}
  labels:
    app: cert-manager
-    chart: cert-manager-v0.5.2
+    app.kubernetes.io/name: cert-manager
-    release: cert-manager
+    app.kubernetes.io/instance: cert-manager
-    heritage: Tiller
+    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: cert-manager-webhook
  namespace: {{ cert_manager_namespace }}
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: webhook
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/secret-cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/secret-cert-manager.yml.j2
@ -0,0 +1,9 @@
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: ca-key-pair
  namespace: {{ cert_manager_namespace }}
 data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURvRENDQW9pZ0F3SUJBZ0lVYXRUWVNIK1lUMVJvbXVGekF2clFRWGtsQ0Vrd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2FERUxNQWtHQTFVRUJoTUNWVk14RHpBTkJnTlZCQWdUQms5eVpXZHZiakVSTUE4R0ExVUVCeE1JVUc5eQpkR3hoYm1ReEV6QVJCZ05WQkFvVENrdDFZbVZ5Ym1WMFpYTXhDekFKQmdOVkJBc1RBa05CTVJNd0VRWURWUVFECkV3cExkV0psY201bGRHVnpNQjRYRFRJd01EY3hNREUxTWpFd01Gb1hEVEkxTURjd09URTFNakV3TUZvd2FERUwKTUFrR0ExVUVCaE1DVlZNeER6QU5CZ05WQkFnVEJrOXlaV2R2YmpFUk1BOEdBMVVFQnhNSVVHOXlkR3hoYm1ReApFekFSQmdOVkJBb1RDa3QxWW1WeWJtVjBaWE14Q3pBSkJnTlZCQXNUQWtOQk1STXdFUVlEVlFRREV3cExkV0psCmNtNWxkR1Z6TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF0MmZFNUhRSm8vNGIKRjNqN1JPZzJ6REhNdEhLd0pjVEZZYkZZMGpIWGZTVWJTS1ZObzUrNTNqQ29SdFFWd1FyYU12QnozMGRJbzd6agpMcE1VQU5aRStacXQrbkk5RWtzMVphS1NKNmYvNXpmZDEzZ1ZOTkgzN05KVUVKV0NHTnVoUmVFNDRpcUtmSDV3Ck9iZlJKL2ZCYVQ5cW9DQW9tWVcvV1JUS0t5ancreFBPeWdZZERsUk9jdzBSRmdieDkvWk5GS1lYR3BQcmdyR0wKWW45VWZXZG92WHozbys3N1piNm9SRWdBVkNDUTBaN0VEYUpjd3RCZkxOV0pWbGRET2dJNFpmWDBaNnNBN2lobgptQ1hHenJGd25JaVhaajUrdjk0ejF0SThOazlvL1RFbG9EdlJnamJNblRxQ2hGa1ZROHhtaXMwckZmMVprN3ZwCjNOMWFtY2hBQVFJREFRQUJvMEl3UURBT0JnTlZIUThCQWY4RUJBTUNBUVl3RHdZRFZSMFRBUUgvQkFVd0F3RUIKL3pBZEJnTlZIUTRFRmdRVTFEaTE0aVpKWGczajNObHdjenZFR1dwRFN2SXdEUVlKS29aSWh2Y05BUUVMQlFBRApnZ0VCQURkR1FDSFcwNkFVZUo4alM3cURPM2F1TG4xTHE0c1JCWHBoVUZ6TGRyMi9rUUlZd1BtcTRmb09RMjBwCitLTVUyanpmR0VHd3ZOU0p2QnphNHRGS1NiZHRpeFI3RmsyREdPLzc5a3ZPZ2o3UVRrUUpkUzNwaWtSc09EMlUKaytpa09qL2wyTkRSRFVXZlh4RjRjeVZTZ0VubDExUUVDa0JrUHBIYlIrUHQxYWhnMGVRMElnL0MvZC8vN2Vtegp3ZWNUZjBsQkc1UmszaURHdkxhaHdTek9jQWhSY1BxVW9idCs1bTVycmp0R3BrTFNQOTBzVko2TTZ3ZE43dGR4CkNpTktWWGRZaHBZWmUrQ1hEQ2lRR0NLVHE5NHJPbGptVmh5Z0FKWjlBOERVOWVZRmVOci9oOW84c2JYNFlzcU0KV3YwREkyQldlQ3k3MmlXZXErNHkwTENKSzQ4PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
  tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBdDJmRTVIUUpvLzRiRjNqN1JPZzJ6REhNdEhLd0pjVEZZYkZZMGpIWGZTVWJTS1ZOCm81KzUzakNvUnRRVndRcmFNdkJ6MzBkSW83empMcE1VQU5aRStacXQrbkk5RWtzMVphS1NKNmYvNXpmZDEzZ1YKTk5IMzdOSlVFSldDR051aFJlRTQ0aXFLZkg1d09iZlJKL2ZCYVQ5cW9DQW9tWVcvV1JUS0t5ancreFBPeWdZZApEbFJPY3cwUkZnYng5L1pORktZWEdwUHJnckdMWW45VWZXZG92WHozbys3N1piNm9SRWdBVkNDUTBaN0VEYUpjCnd0QmZMTldKVmxkRE9nSTRaZlgwWjZzQTdpaG5tQ1hHenJGd25JaVhaajUrdjk0ejF0SThOazlvL1RFbG9EdlIKZ2piTW5UcUNoRmtWUTh4bWlzMHJGZjFaazd2cDNOMWFtY2hBQVFJREFRQUJBb0lCQUJZd2R0RFEvUzJiRzduKwpTQ0F4SEJnZVdrN21wVXNjZ0dqdVpQbWhVQm55K0ZjVXNNMEFFU1BCclVwTWRJbFRmOHl6N01EeHhlY1Jma2J2ClFuZExkVExodFBUZEIyaUVNdVNtQTVyS3A1cFkxdjB2cVJrbjRpQUQzbW5YUE5NM0YwNzJEY1RITXRRWEZBclgKbzNWN2N5b0JveXZXV0RNaXpHREJ0Q2YrbnhFeFFzS0lLUGFxRzlDVWZlSU95RVgzRXJ6QWo3b3lnSXFLZGozbgpFbVBzbThrWDVROW9iOUZwd3FKNkxMTzcxTklQZnpaOUNLSXpSYzBNU3grL3hPYmdKSlJCNmtZTXpjWkloQ1JBClNNclBsYXZLMEVzMHpoTnIyc05aZHBlSmRzWGk5YURwZjhMOTEvdFpJeEpSMEdSUXpEZXhBN2FWdk8vVUo0N0YKOXNXUVBUVUNnWUVBeXNvTm01VHdkNWZqRzk3NXVRa3pGQUgrRGVCNXBlNTBOMkpyN01neWZsVm8zZlJrSTFKKwpsZXlyUnRIempKSzlqeEVtdVJ0YnIvUWZ3MGRUNnhRSnVJSmk3Vmlld3NPNUgzeWtwdytkbm9jVUhVVDhFWEpVCnpLSzRmSGo1SjFrNHBmaHlnNFBJZ0YxMFF1anhJRlc3Q0R3UERJRStuZm5ZczBJZ1U3SkV0OU1DZ1lFQTU0ZWsKTUltWWMyeHhoYTM1U25qd0ZCeEVwSUF3ZGdvdXBROWVsMHhmVVRkdTJsUnA1NHVZaVFVWURhNjJ6RE1kL21QagppSTdqaGl6TEU4VmU4OWh6QXljeTNIRVJPSHNETkhQVG5WN0phcmp3T29aWWIvRnM2NkxtazZMY05BbGI3TER6Cm5FNGdkTEt0cWpQVnBMbmF1T3VOQitXQzY5bm9xRUZpZWxnUWVGc0NnWUIxZGk0RnBYTFlReEZZem9JbHJPOTYKTW1FL0ZueEFJZXdOUEtRNUJnbEJaaVdWRXYrQitrRzZnOWo5NzVTOEl5OUxsR3F5bytjcTl5UUN6K2tLN0pObwozWldCMTJnMmRucGZnNm8zM25LMUpaY0FFVHBVdkwzanZvbFFDQjZCclV1RHozSTlQWE5BNzJEdGROSmVvV254CnJpQWxaU09wQzlSNm1OM3l2UHJTNHdLQmdCQS9WWWRPY0pOUS9kcHFyZjdLNDlZVmNiKzFlekVkWDg2WGVJVFgKaUN6VDNnU1dQZVJReUlCOUNnWVR4NklteUNrTTYyK3V6MHFnSkJRY0dxQzBCTVlvM3duWEtXVTBSTEpPbW9BRgpvYzdLY1prNXlrVDR4VEwzK0lSTnZuUXNYL1lKS045RUlFVHdNUDJycTRkbXYzR1FuaEg2eWlndzM0SEhMTmozCkN4alhBb0dBSjBUNkN0c1c2dEVpYUI5bnc4enI3M2xkMDhraDZSL3B4VHF5c2diNERFTmptd2dndUFoMlJSZkwKYVg3eTNqSUNOTFBjWEFOYlB0QmYrQkRBTTl0UTEzMk5hYzg3N016RHRVSyswem9CWWtwWGM4Rkd4akVuTzc5RQp2MC9vT2wzR2RaWnNJSXhLblcvVlVmYjJydGY1RWgyQytOY1FpWkNXZm5kWkthMXR4WjQ9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/svc-cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/svc-cert-manager.yml.j2
@ -0,0 +1,60 @@
 # Copyright YEAR The Jetstack cert-manager contributors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: cert-manager
  namespace: {{ cert_manager_namespace }}
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 spec:
  type: ClusterIP
  ports:
    - protocol: TCP
      port: 9402
      targetPort: 9402
  selector:
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: controller
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: cert-manager-webhook
  namespace: {{ cert_manager_namespace }}
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: webhook
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 spec:
  type: ClusterIP
  ports:
  - name: https
    port: 443
    targetPort: 10250
  selector:
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: webhook
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/webhook-cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/webhook-cert-manager.yml.j2
@ -0,0 +1,96 @@
 # Copyright YEAR The Jetstack cert-manager contributors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ---
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: MutatingWebhookConfiguration
 metadata:
  name: cert-manager-webhook
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: webhook
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
  annotations:
    cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
 webhooks:
  - name: webhook.cert-manager.io
    rules:
      - apiGroups:
          - "cert-manager.io"
          - "acme.cert-manager.io"
        apiVersions:
          - v1alpha2
          - v1alpha3
        operations:
          - CREATE
          - UPDATE
        resources:
          - "*/*"
    failurePolicy: Fail
    # Only include 'sideEffects' field in Kubernetes 1.12+
    sideEffects: None
    clientConfig:
      service:
        name: cert-manager-webhook
        namespace: {{ cert_manager_namespace }}
        path: /mutate
 ---
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: ValidatingWebhookConfiguration
 metadata:
  name: cert-manager-webhook
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: webhook
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
  annotations:
    cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
 webhooks:
  - name: webhook.cert-manager.io
    namespaceSelector:
      matchExpressions:
      - key: "cert-manager.io/disable-validation"
        operator: "NotIn"
        values:
        - "true"
      - key: "name"
        operator: "NotIn"
        values:
        - cert-manager
    rules:
      - apiGroups:
          - "cert-manager.io"
          - "acme.cert-manager.io"
        apiVersions:
          - v1alpha2
          - v1alpha3
        operations:
          - CREATE
          - UPDATE
        resources:
          - "*/*"
    failurePolicy: Fail
    # Only include 'sideEffects' field in Kubernetes 1.12+
    sideEffects: None
    clientConfig:
      service:
        name: cert-manager-webhook
        namespace: {{ cert_manager_namespace }}
        path: /validate