Upgrade JetStack Cert-Manager to v0.15.2 (#6414)
* Upgrade JetStack Cert-Manager to v0.15.2 * Add README.md table of contents
This commit is contained in:
parent
50598d9d47
commit
9cc70e9e70
20 changed files with 6786 additions and 3552 deletions
|
@ -136,7 +136,7 @@ Note: Upstart/SysV init based OS types are not supported.
|
||||||
- [ambassador](https://github.com/datawire/ambassador): v1.5
|
- [ambassador](https://github.com/datawire/ambassador): v1.5
|
||||||
- [cephfs-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.0-k8s1.11
|
- [cephfs-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.0-k8s1.11
|
||||||
- [rbd-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.1-k8s1.11
|
- [rbd-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.1-k8s1.11
|
||||||
- [cert-manager](https://github.com/jetstack/cert-manager) v0.11.1
|
- [cert-manager](https://github.com/jetstack/cert-manager) v0.15.2
|
||||||
- [coredns](https://github.com/coredns/coredns) v1.6.7
|
- [coredns](https://github.com/coredns/coredns) v1.6.7
|
||||||
- [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v0.32.0
|
- [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v0.32.0
|
||||||
|
|
||||||
|
|
|
@ -546,9 +546,13 @@ ingress_ambassador_image_repo: "{{ quay_image_repo }}/datawire/ambassador-operat
|
||||||
ingress_ambassador_image_tag: "v1.2.8"
|
ingress_ambassador_image_tag: "v1.2.8"
|
||||||
alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
|
alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
|
||||||
alb_ingress_image_tag: "v1.1.8"
|
alb_ingress_image_tag: "v1.1.8"
|
||||||
cert_manager_version: "v0.11.1"
|
cert_manager_version: "v0.15.2"
|
||||||
cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller"
|
cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller"
|
||||||
cert_manager_controller_image_tag: "{{ cert_manager_version }}"
|
cert_manager_controller_image_tag: "{{ cert_manager_version }}"
|
||||||
|
cert_manager_cainjector_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-cainjector"
|
||||||
|
cert_manager_cainjector_image_tag: "{{ cert_manager_version }}"
|
||||||
|
cert_manager_webhook_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-webhook"
|
||||||
|
cert_manager_webhook_image_tag: "{{ cert_manager_version }}"
|
||||||
addon_resizer_version: "1.8.9"
|
addon_resizer_version: "1.8.9"
|
||||||
addon_resizer_image_repo: "{{ kube_image_repo }}/addon-resizer"
|
addon_resizer_image_repo: "{{ kube_image_repo }}/addon-resizer"
|
||||||
addon_resizer_image_tag: "{{ addon_resizer_version }}"
|
addon_resizer_image_tag: "{{ addon_resizer_version }}"
|
||||||
|
@ -1078,6 +1082,24 @@ downloads:
|
||||||
groups:
|
groups:
|
||||||
- kube-node
|
- kube-node
|
||||||
|
|
||||||
|
cert_manager_cainjector:
|
||||||
|
enabled: "{{ cert_manager_enabled }}"
|
||||||
|
container: true
|
||||||
|
repo: "{{ cert_manager_cainjector_image_repo }}"
|
||||||
|
tag: "{{ cert_manager_cainjector_image_tag }}"
|
||||||
|
sha256: "{{ cert_manager_cainjector_digest_checksum|default(None) }}"
|
||||||
|
groups:
|
||||||
|
- kube-node
|
||||||
|
|
||||||
|
cert_manager_webhook:
|
||||||
|
enabled: "{{ cert_manager_enabled }}"
|
||||||
|
container: true
|
||||||
|
repo: "{{ cert_manager_webhook_image_repo }}"
|
||||||
|
tag: "{{ cert_manager_webhook_image_tag }}"
|
||||||
|
sha256: "{{ cert_manager_webhook_digest_checksum|default(None) }}"
|
||||||
|
groups:
|
||||||
|
- kube-node
|
||||||
|
|
||||||
csi_attacher:
|
csi_attacher:
|
||||||
enabled: "{{ cinder_csi_enabled or aws_ebs_csi_enabled }}"
|
enabled: "{{ cinder_csi_enabled or aws_ebs_csi_enabled }}"
|
||||||
container: true
|
container: true
|
||||||
|
|
|
@ -1,17 +1,179 @@
|
||||||
Deployment files
|
# Installation Guide
|
||||||
================
|
|
||||||
|
|
||||||
This directory contains example deployment manifests for cert-manager that can
|
- [Installation Guide](#installation-guide)
|
||||||
be used in place of the official Helm chart.
|
- [Kubernetes TLS Root CA Certificate/Key Secret](#kubernetes-tls-root-ca-certificatekey-secret)
|
||||||
|
- [Securing Ingress Resources](#securing-ingress-resources)
|
||||||
|
- [Create New TLS Root CA Certificate and Key](#create-new-tls-root-ca-certificate-and-key)
|
||||||
|
- [Install Cloudflare PKI/TLS `cfssl` Toolkit.](#install-cloudflare-pkitls-cfssl-toolkit)
|
||||||
|
- [Create Root Certificate Authority (CA) Configuration File](#create-root-certificate-authority-ca-configuration-file)
|
||||||
|
- [Create Certficate Signing Request (CSR) Configuration File](#create-certficate-signing-request-csr-configuration-file)
|
||||||
|
- [Create TLS Root CA Certificate and Key](#create-tls-root-ca-certificate-and-key)
|
||||||
|
|
||||||
This is useful if you are deploying cert-manager into an environment without
|
Cert-Manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self signed. It will ensure certificates are valid and up to date, and attempt to renew certificates at a configured time before expiry.
|
||||||
Helm, or want to inspect a 'bare minimum' deployment.
|
|
||||||
|
|
||||||
Where do these come from?
|
The Kubespray out-of-the-box cert-manager deployment uses a TLS Root CA certificate and key stored as the Kubernetes `ca-key-pair` secret consisting of `tls.crt` and `tls.key`, which are the base64 encode values of the TLS Root CA certificate and key respectively.
|
||||||
-------------------------
|
|
||||||
|
|
||||||
The manifests in these subdirectories are generated from the Helm chart
|
Integration with other PKI/Certificate management solutions, such as HashiCorp Vault will require some further development changes to the current cert-manager deployment and may be introduced in the future.
|
||||||
automatically. The `values.yaml` files used to configure cert-manager can be
|
|
||||||
found in [`hack/deploy`](../../hack/deploy/).
|
|
||||||
|
|
||||||
They are automatically generated by running `./hack/update-deploy-gen.sh`.
|
## Kubernetes TLS Root CA Certificate/Key Secret
|
||||||
|
|
||||||
|
If you're planning to secure your ingress resources using TLS client certificates, you'll need to create and deploy the Kubernetes `ca-key-pair` secret consisting of the Root CA certificate and key to your K8s cluster.
|
||||||
|
|
||||||
|
If these are already available, simply update `templates\secret-cert-manager.yml.j2` with the base64 encoded values of your TLS Root CA certificate and key prior to enabling and deploying cert-manager.
|
||||||
|
|
||||||
|
e.g.
|
||||||
|
|
||||||
|
```shell
|
||||||
|
$ cat ca.pem | base64 -w 0
|
||||||
|
LS0tLS1CRUdJTiBDRVJU...
|
||||||
|
|
||||||
|
$ cat ca-key.pem | base64 -w 0
|
||||||
|
LS0tLS1CRUdJTiBSU0Eg...
|
||||||
|
```
|
||||||
|
|
||||||
|
For further information, read the official [Cert-Manager CA Configuration](https://cert-manager.io/docs/configuration/ca/) doc.
|
||||||
|
|
||||||
|
Once the base64 encoded values have been added to `templates\secret-cert-manager.yml.j2`, cert-manager can now be enabled by editing your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s-cluster\addons.yml` and setting `cert_manager_enabled` to true.
|
||||||
|
|
||||||
|
```ini
|
||||||
|
# Cert manager deployment
|
||||||
|
cert_manager_enabled: true
|
||||||
|
```
|
||||||
|
|
||||||
|
If you don't have a TLS Root CA certificate and key available, you can create these by following the steps outlined in section [Create New TLS Root CA Certificate and Key](#create-new-tls-root-ca-certificate-and-key) using the Cloudflare PKI/TLS `cfssl` toolkit. TLS Root CA certificates and keys can also be created using `ssh-keygen` and OpenSSL, if `cfssl` is not available.
|
||||||
|
|
||||||
|
## Securing Ingress Resources
|
||||||
|
|
||||||
|
A common use-case for cert-manager is requesting TLS signed certificates to secure your ingress resources. This can be done by simply adding annotations to your Ingress resources and cert-manager will facilitate creating the Certificate resource for you. A small sub-component of cert-manager, ingress-shim, is responsible for this.
|
||||||
|
|
||||||
|
To enable the Nginx Ingress controller as part of your Kubespray deployment, simply edit your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s-cluster\addons.yml` and set `ingress_nginx_enabled` to true.
|
||||||
|
|
||||||
|
```ini
|
||||||
|
# Nginx ingress controller deployment
|
||||||
|
ingress_nginx_enabled: true
|
||||||
|
```
|
||||||
|
|
||||||
|
For example, if you're using the Nginx ingress controller, you can secure the Prometheus ingress by adding the annotation `cert-manager.io/cluster-issuer: ca-issuer` and the `spec.tls` section to the `Ingress` resource definition.
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
apiVersion: networking.k8s.io/v1beta1
|
||||||
|
kind: Ingress
|
||||||
|
metadata:
|
||||||
|
name: prometheus-k8s
|
||||||
|
namespace: monitoring
|
||||||
|
labels:
|
||||||
|
prometheus: k8s
|
||||||
|
annotations:
|
||||||
|
kubernetes.io/ingress.class: "nginx"
|
||||||
|
cert-manager.io/cluster-issuer: ca-issuer
|
||||||
|
spec:
|
||||||
|
tls:
|
||||||
|
- hosts:
|
||||||
|
- prometheus.example.com
|
||||||
|
secretName: prometheus-dashboard-certs
|
||||||
|
rules:
|
||||||
|
- host: prometheus.example.com
|
||||||
|
http:
|
||||||
|
paths:
|
||||||
|
- path: /
|
||||||
|
backend:
|
||||||
|
serviceName: prometheus-k8s
|
||||||
|
servicePort: web
|
||||||
|
```
|
||||||
|
|
||||||
|
Once deployed to your K8s cluster, every 3 months cert-manager will automatically rotate the Prometheus `prometheus.example.com` TLS client certificate and key, and store these as the Kubernetes `prometheus-dashboard-certs` secret.
|
||||||
|
|
||||||
|
For further information, read the official [Cert-Manager Ingress](https://cert-manager.io/docs/usage/ingress/) doc.
|
||||||
|
|
||||||
|
### Create New TLS Root CA Certificate and Key
|
||||||
|
|
||||||
|
#### Install Cloudflare PKI/TLS `cfssl` Toolkit.
|
||||||
|
|
||||||
|
e.g. For Ubuntu/Debian distibutions, the toolkit is part of the `golang-cfssl` package.
|
||||||
|
|
||||||
|
```shell
|
||||||
|
$ sudo apt-get install -y golang-cfssl
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Create Root Certificate Authority (CA) Configuration File
|
||||||
|
|
||||||
|
The default TLS certificate expiry time period is `8760h` which is 5 years from the date the certificate is created.
|
||||||
|
|
||||||
|
```shell
|
||||||
|
$ cat > ca-config.json <<EOF
|
||||||
|
{
|
||||||
|
"signing": {
|
||||||
|
"default": {
|
||||||
|
"expiry": "8760h"
|
||||||
|
},
|
||||||
|
"profiles": {
|
||||||
|
"kubernetes": {
|
||||||
|
"usages": ["signing", "key encipherment", "server auth", "client auth"],
|
||||||
|
"expiry": "8760h"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
EOF
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Create Certficate Signing Request (CSR) Configuration File
|
||||||
|
|
||||||
|
The TLS certificate `names` details can be updated to your own specific requirements.
|
||||||
|
|
||||||
|
```shell
|
||||||
|
$ cat > ca-csr.json <<EOF
|
||||||
|
{
|
||||||
|
"CN": "Kubernetes",
|
||||||
|
"key": {
|
||||||
|
"algo": "rsa",
|
||||||
|
"size": 2048
|
||||||
|
},
|
||||||
|
"names": [
|
||||||
|
{
|
||||||
|
"C": "US",
|
||||||
|
"L": "Portland",
|
||||||
|
"O": "Kubernetes",
|
||||||
|
"OU": "CA",
|
||||||
|
"ST": "Oregon"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
EOF
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Create TLS Root CA Certificate and Key
|
||||||
|
|
||||||
|
```shell
|
||||||
|
$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca
|
||||||
|
ca.pem
|
||||||
|
ca-key.pem
|
||||||
|
```
|
||||||
|
|
||||||
|
Check the TLS Root CA certificate has the correct `Not Before` and `Not After` dates, and ensure it is indeed a valid Certificate Authority with the X509v3 extension `CA:TRUE`.
|
||||||
|
|
||||||
|
```shell
|
||||||
|
$ openssl x509 -text -noout -in ca.pem
|
||||||
|
|
||||||
|
Certificate:
|
||||||
|
Data:
|
||||||
|
Version: 3 (0x2)
|
||||||
|
Serial Number:
|
||||||
|
6a:d4:d8:48:7f:98:4f:54:68:9a:e1:73:02:fa:d0:41:79:25:08:49
|
||||||
|
Signature Algorithm: sha256WithRSAEncryption
|
||||||
|
Issuer: C = US, ST = Oregon, L = Portland, O = Kubernetes, OU = CA, CN = Kubernetes
|
||||||
|
Validity
|
||||||
|
Not Before: Jul 10 15:21:00 2020 GMT
|
||||||
|
Not After : Jul 9 15:21:00 2025 GMT
|
||||||
|
Subject: C = US, ST = Oregon, L = Portland, O = Kubernetes, OU = CA, CN = Kubernetes
|
||||||
|
Subject Public Key Info:
|
||||||
|
...
|
||||||
|
X509v3 extensions:
|
||||||
|
X509v3 Key Usage: critical
|
||||||
|
Certificate Sign, CRL Sign
|
||||||
|
X509v3 Basic Constraints: critical
|
||||||
|
CA:TRUE
|
||||||
|
X509v3 Subject Key Identifier:
|
||||||
|
D4:38:B5:E2:26:49:5E:0D:E3:DC:D9:70:73:3B:C4:19:6A:43:4A:F2
|
||||||
|
...
|
||||||
|
```
|
||||||
|
|
|
@ -28,19 +28,30 @@
|
||||||
when:
|
when:
|
||||||
- inventory_hostname == groups['kube-master'][0]
|
- inventory_hostname == groups['kube-master'][0]
|
||||||
|
|
||||||
|
- name: Cert Manager | Templates list
|
||||||
|
set_fact:
|
||||||
|
cert_manager_templates:
|
||||||
|
- { name: 00-namespace, file: 00-namespace.yml, type: ns }
|
||||||
|
- { name: sa-cert-manager, file: sa-cert-manager.yml, type: sa }
|
||||||
|
- { name: crd-certificate, file: crd-certificate.yml, type: crd }
|
||||||
|
- { name: crd-challenge, file: crd-challenge.yml, type: crd }
|
||||||
|
- { name: crd-clusterissuer, file: crd-clusterissuer.yml, type: crd }
|
||||||
|
- { name: crd-issuer, file: crd-issuer.yml, type: crd }
|
||||||
|
- { name: crd-order, file: crd-order.yml, type: crd }
|
||||||
|
- { name: clusterrole-cert-manager, file: clusterrole-cert-manager.yml, type: clusterrole }
|
||||||
|
- { name: clusterrolebinding-cert-manager, file: clusterrolebinding-cert-manager.yml, type: clusterrolebinding }
|
||||||
|
- { name: role-cert-manager, file: role-cert-manager.yml, type: role }
|
||||||
|
- { name: rolebinding-cert-manager, file: rolebinding-cert-manager.yml, type: rolebinding }
|
||||||
|
- { name: deploy-cert-manager, file: deploy-cert-manager.yml, type: deploy }
|
||||||
|
- { name: svc-cert-manager, file: svc-cert-manager.yml, type: svc }
|
||||||
|
- { name: webhook-cert-manager, file: webhook-cert-manager.yml, type: webhook }
|
||||||
|
- { name: secret-cert-manager, file: secret-cert-manager.yml, type: secret }
|
||||||
|
|
||||||
- name: Cert Manager | Create manifests
|
- name: Cert Manager | Create manifests
|
||||||
template:
|
template:
|
||||||
src: "{{ item.file }}.j2"
|
src: "{{ item.file }}.j2"
|
||||||
dest: "{{ kube_config_dir }}/addons/cert_manager/{{ item.file }}"
|
dest: "{{ kube_config_dir }}/addons/cert_manager/{{ item.file }}"
|
||||||
with_items:
|
with_items: "{{ cert_manager_templates }}"
|
||||||
- { name: 00-namespace, file: 00-namespace.yml, type: ns }
|
|
||||||
- { name: sa-cert-manager, file: sa-cert-manager.yml, type: sa }
|
|
||||||
- { name: crd-certificate, file: crd-certificate.yml, type: crd }
|
|
||||||
- { name: crd-clusterissuer, file: crd-clusterissuer.yml, type: crd }
|
|
||||||
- { name: crd-issuer, file: crd-issuer.yml, type: crd }
|
|
||||||
- { name: clusterrole-cert-manager, file: clusterrole-cert-manager.yml, type: clusterrole }
|
|
||||||
- { name: clusterrolebinding-cert-manager, file: clusterrolebinding-cert-manager.yml, type: clusterrolebinding }
|
|
||||||
- { name: deploy-cert-manager, file: deploy-cert-manager.yml, type: deploy }
|
|
||||||
register: cert_manager_manifests
|
register: cert_manager_manifests
|
||||||
when:
|
when:
|
||||||
- inventory_hostname == groups['kube-master'][0]
|
- inventory_hostname == groups['kube-master'][0]
|
||||||
|
@ -48,7 +59,6 @@
|
||||||
- name: Cert Manager | Apply manifests
|
- name: Cert Manager | Apply manifests
|
||||||
kube:
|
kube:
|
||||||
name: "{{ item.item.name }}"
|
name: "{{ item.item.name }}"
|
||||||
namespace: "{{ cert_manager_namespace }}"
|
|
||||||
kubectl: "{{ bin_dir }}/kubectl"
|
kubectl: "{{ bin_dir }}/kubectl"
|
||||||
resource: "{{ item.item.type }}"
|
resource: "{{ item.item.type }}"
|
||||||
filename: "{{ kube_config_dir }}/addons/cert_manager/{{ item.item.file }}"
|
filename: "{{ kube_config_dir }}/addons/cert_manager/{{ item.item.file }}"
|
||||||
|
@ -56,3 +66,24 @@
|
||||||
with_items: "{{ cert_manager_manifests.results }}"
|
with_items: "{{ cert_manager_manifests.results }}"
|
||||||
when:
|
when:
|
||||||
- inventory_hostname == groups['kube-master'][0]
|
- inventory_hostname == groups['kube-master'][0]
|
||||||
|
|
||||||
|
- name: Cert Manager | Wait for Webhook pods become ready
|
||||||
|
shell: "{{ bin_dir }}/kubectl wait po --namespace={{ cert_manager_namespace }} --selector app=webhook --for=condition=Ready --timeout=600s"
|
||||||
|
register: cert_manager_webhook_pods_ready
|
||||||
|
when: inventory_hostname == groups['kube-master'][0]
|
||||||
|
|
||||||
|
- name: Cert Manager | Create ClusterIssuer manifest
|
||||||
|
template:
|
||||||
|
src: "clusterissuer-cert-manager.yml.j2"
|
||||||
|
dest: "{{ kube_config_dir }}/addons/cert_manager/clusterissuer-cert-manager.yml"
|
||||||
|
register: cert_manager_clusterissuer_manifest
|
||||||
|
when:
|
||||||
|
- inventory_hostname == groups['kube-master'][0] and cert_manager_webhook_pods_ready is succeeded
|
||||||
|
|
||||||
|
- name: Cert Manager | Apply ClusterIssuer manifest
|
||||||
|
kube:
|
||||||
|
name: "clusterissuer-cert-manager"
|
||||||
|
kubectl: "{{ bin_dir }}/kubectl"
|
||||||
|
filename: "{{ kube_config_dir }}/addons/cert_manager/clusterissuer-cert-manager.yml"
|
||||||
|
state: "latest"
|
||||||
|
when: inventory_hostname == groups['kube-master'][0] and cert_manager_clusterissuer_manifest is succeeded
|
||||||
|
|
|
@ -1,3 +1,17 @@
|
||||||
|
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Namespace
|
kind: Namespace
|
||||||
|
@ -5,4 +19,3 @@ metadata:
|
||||||
name: {{ cert_manager_namespace }}
|
name: {{ cert_manager_namespace }}
|
||||||
labels:
|
labels:
|
||||||
name: {{ cert_manager_namespace }}
|
name: {{ cert_manager_namespace }}
|
||||||
certmanager.k8s.io/disable-validation: "true"
|
|
||||||
|
|
|
@ -0,0 +1,23 @@
|
||||||
|
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: cert-manager.io/v1alpha2
|
||||||
|
kind: ClusterIssuer
|
||||||
|
metadata:
|
||||||
|
name: ca-issuer
|
||||||
|
namespace: {{ cert_manager_namespace }}
|
||||||
|
spec:
|
||||||
|
ca:
|
||||||
|
secretName: ca-key-pair
|
|
@ -1,20 +1,293 @@
|
||||||
|
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: cert-manager-cainjector
|
||||||
|
labels:
|
||||||
|
app: cainjector
|
||||||
|
app.kubernetes.io/name: cainjector
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: cainjector
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["certificates"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["secrets"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["events"]
|
||||||
|
verbs: ["get", "create", "update", "patch"]
|
||||||
|
- apiGroups: ["admissionregistration.k8s.io"]
|
||||||
|
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
|
||||||
|
verbs: ["get", "list", "watch", "update"]
|
||||||
|
- apiGroups: ["apiregistration.k8s.io"]
|
||||||
|
resources: ["apiservices"]
|
||||||
|
verbs: ["get", "list", "watch", "update"]
|
||||||
|
- apiGroups: ["apiextensions.k8s.io"]
|
||||||
|
resources: ["customresourcedefinitions"]
|
||||||
|
verbs: ["get", "list", "watch", "update"]
|
||||||
|
- apiGroups: ["auditregistration.k8s.io"]
|
||||||
|
resources: ["auditsinks"]
|
||||||
|
verbs: ["get", "list", "watch", "update"]
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: cert-manager-controller-orders
|
||||||
|
labels:
|
||||||
|
app: cert-manager
|
||||||
|
app.kubernetes.io/name: cert-manager
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: controller
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["acme.cert-manager.io"]
|
||||||
|
resources: ["orders", "orders/status"]
|
||||||
|
verbs: ["update"]
|
||||||
|
- apiGroups: ["acme.cert-manager.io"]
|
||||||
|
resources: ["orders", "challenges"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["clusterissuers", "issuers"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: ["acme.cert-manager.io"]
|
||||||
|
resources: ["challenges"]
|
||||||
|
verbs: ["create", "delete"]
|
||||||
|
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||||
|
# admission controller enabled:
|
||||||
|
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||||
|
- apiGroups: ["acme.cert-manager.io"]
|
||||||
|
resources: ["orders/finalizers"]
|
||||||
|
verbs: ["update"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["secrets"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["events"]
|
||||||
|
verbs: ["create", "patch"]
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: cert-manager-controller-ingress-shim
|
||||||
|
labels:
|
||||||
|
app: cert-manager
|
||||||
|
app.kubernetes.io/name: cert-manager
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: controller
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["certificates", "certificaterequests"]
|
||||||
|
verbs: ["create", "update", "delete"]
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: ["extensions"]
|
||||||
|
resources: ["ingresses"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||||
|
# admission controller enabled:
|
||||||
|
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||||
|
- apiGroups: ["extensions"]
|
||||||
|
resources: ["ingresses/finalizers"]
|
||||||
|
verbs: ["update"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["events"]
|
||||||
|
verbs: ["create", "patch"]
|
||||||
---
|
---
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
metadata:
|
metadata:
|
||||||
name: cert-manager
|
name: cert-manager-view
|
||||||
labels:
|
labels:
|
||||||
app: cert-manager
|
app: cert-manager
|
||||||
chart: cert-manager-v0.5.2
|
app.kubernetes.io/name: cert-manager
|
||||||
release: cert-manager
|
app.kubernetes.io/instance: cert-manager
|
||||||
heritage: Tiller
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: controller
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
rbac.authorization.k8s.io/aggregate-to-view: "true"
|
||||||
|
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
||||||
|
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
||||||
rules:
|
rules:
|
||||||
- apiGroups: ["certmanager.k8s.io"]
|
- apiGroups: ["cert-manager.io"]
|
||||||
resources: ["certificates", "issuers", "clusterissuers"]
|
resources: ["certificates", "certificaterequests", "issuers"]
|
||||||
verbs: ["*"]
|
verbs: ["get", "list", "watch"]
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: cert-manager-controller-challenges
|
||||||
|
labels:
|
||||||
|
app: cert-manager
|
||||||
|
app.kubernetes.io/name: cert-manager
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: controller
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
rules:
|
||||||
|
# Use to update challenge resource status
|
||||||
|
- apiGroups: ["acme.cert-manager.io"]
|
||||||
|
resources: ["challenges", "challenges/status"]
|
||||||
|
verbs: ["update"]
|
||||||
|
# Used to watch challenge resources
|
||||||
|
- apiGroups: ["acme.cert-manager.io"]
|
||||||
|
resources: ["challenges"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
# Used to watch challenges, issuer and clusterissuer resources
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["issuers", "clusterissuers"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
# Need to be able to retrieve ACME account private key to complete challenges
|
||||||
- apiGroups: [""]
|
- apiGroups: [""]
|
||||||
resources: ["configmaps", "secrets", "events", "services", "pods"]
|
resources: ["secrets"]
|
||||||
verbs: ["*"]
|
verbs: ["get", "list", "watch"]
|
||||||
|
# Used to create events
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["events"]
|
||||||
|
verbs: ["create", "patch"]
|
||||||
|
# HTTP01 rules
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["pods", "services"]
|
||||||
|
verbs: ["get", "list", "watch", "create", "delete"]
|
||||||
- apiGroups: ["extensions"]
|
- apiGroups: ["extensions"]
|
||||||
resources: ["ingresses"]
|
resources: ["ingresses"]
|
||||||
verbs: ["*"]
|
verbs: ["get", "list", "watch", "create", "delete", "update"]
|
||||||
|
# We require the ability to specify a custom hostname when we are creating
|
||||||
|
# new ingress resources.
|
||||||
|
# See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
|
||||||
|
- apiGroups: ["route.openshift.io"]
|
||||||
|
resources: ["routes/custom-host"]
|
||||||
|
verbs: ["create"]
|
||||||
|
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||||
|
# admission controller enabled:
|
||||||
|
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||||
|
- apiGroups: ["acme.cert-manager.io"]
|
||||||
|
resources: ["challenges/finalizers"]
|
||||||
|
verbs: ["update"]
|
||||||
|
# DNS01 rules (duplicated above)
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["secrets"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: cert-manager-controller-issuers
|
||||||
|
labels:
|
||||||
|
app: cert-manager
|
||||||
|
app.kubernetes.io/name: cert-manager
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: controller
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["issuers", "issuers/status"]
|
||||||
|
verbs: ["update"]
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["issuers"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["secrets"]
|
||||||
|
verbs: ["get", "list", "watch", "create", "update", "delete"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["events"]
|
||||||
|
verbs: ["create", "patch"]
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: cert-manager-controller-clusterissuers
|
||||||
|
labels:
|
||||||
|
app: cert-manager
|
||||||
|
app.kubernetes.io/name: cert-manager
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: controller
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["clusterissuers", "clusterissuers/status"]
|
||||||
|
verbs: ["update"]
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["clusterissuers"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["secrets"]
|
||||||
|
verbs: ["get", "list", "watch", "create", "update", "delete"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["events"]
|
||||||
|
verbs: ["create", "patch"]
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: cert-manager-edit
|
||||||
|
labels:
|
||||||
|
app: cert-manager
|
||||||
|
app.kubernetes.io/name: cert-manager
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: controller
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
||||||
|
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["certificates", "certificaterequests", "issuers"]
|
||||||
|
verbs: ["create", "delete", "deletecollection", "patch", "update"]
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: cert-manager-controller-certificates
|
||||||
|
labels:
|
||||||
|
app: cert-manager
|
||||||
|
app.kubernetes.io/name: cert-manager
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: controller
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
|
||||||
|
verbs: ["update"]
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||||
|
# admission controller enabled:
|
||||||
|
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||||
|
- apiGroups: ["cert-manager.io"]
|
||||||
|
resources: ["certificates/finalizers", "certificaterequests/finalizers"]
|
||||||
|
verbs: ["update"]
|
||||||
|
- apiGroups: ["acme.cert-manager.io"]
|
||||||
|
resources: ["orders"]
|
||||||
|
verbs: ["create", "delete", "get", "list", "watch"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["secrets"]
|
||||||
|
verbs: ["get", "list", "watch", "create", "update", "delete"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["events"]
|
||||||
|
verbs: ["create", "patch"]
|
||||||
|
|
|
@ -1,17 +1,153 @@
|
||||||
|
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
---
|
---
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
kind: ClusterRoleBinding
|
kind: ClusterRoleBinding
|
||||||
metadata:
|
metadata:
|
||||||
name: cert-manager
|
name: cert-manager-cainjector
|
||||||
labels:
|
labels:
|
||||||
app: cert-manager
|
app: cainjector
|
||||||
chart: cert-manager-v0.5.2
|
app.kubernetes.io/name: cainjector
|
||||||
release: cert-manager
|
app.kubernetes.io/instance: cert-manager
|
||||||
heritage: Tiller
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: cainjector
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
roleRef:
|
roleRef:
|
||||||
apiGroup: rbac.authorization.k8s.io
|
apiGroup: rbac.authorization.k8s.io
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
name: cert-manager
|
name: cert-manager-cainjector
|
||||||
|
subjects:
|
||||||
|
- name: cert-manager-cainjector
|
||||||
|
namespace: {{ cert_manager_namespace }}
|
||||||
|
kind: ServiceAccount
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: cert-manager-controller-certificates
|
||||||
|
labels:
|
||||||
|
app: cert-manager
|
||||||
|
app.kubernetes.io/name: cert-manager
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: controller
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: cert-manager-controller-certificates
|
||||||
|
subjects:
|
||||||
|
- name: cert-manager
|
||||||
|
namespace: {{ cert_manager_namespace }}
|
||||||
|
kind: ServiceAccount
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: cert-manager-controller-clusterissuers
|
||||||
|
labels:
|
||||||
|
app: cert-manager
|
||||||
|
app.kubernetes.io/name: cert-manager
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: controller
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: cert-manager-controller-clusterissuers
|
||||||
|
subjects:
|
||||||
|
- name: cert-manager
|
||||||
|
namespace: {{ cert_manager_namespace }}
|
||||||
|
kind: ServiceAccount
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: cert-manager-controller-challenges
|
||||||
|
labels:
|
||||||
|
app: cert-manager
|
||||||
|
app.kubernetes.io/name: cert-manager
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: controller
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: cert-manager-controller-challenges
|
||||||
|
subjects:
|
||||||
|
- name: cert-manager
|
||||||
|
namespace: {{ cert_manager_namespace }}
|
||||||
|
kind: ServiceAccount
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: cert-manager-controller-ingress-shim
|
||||||
|
labels:
|
||||||
|
app: cert-manager
|
||||||
|
app.kubernetes.io/name: cert-manager
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: controller
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: cert-manager-controller-ingress-shim
|
||||||
|
subjects:
|
||||||
|
- name: cert-manager
|
||||||
|
namespace: {{ cert_manager_namespace }}
|
||||||
|
kind: ServiceAccount
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: cert-manager-controller-orders
|
||||||
|
labels:
|
||||||
|
app: cert-manager
|
||||||
|
app.kubernetes.io/name: cert-manager
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: controller
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: cert-manager-controller-orders
|
||||||
|
subjects:
|
||||||
|
- name: cert-manager
|
||||||
|
namespace: {{ cert_manager_namespace }}
|
||||||
|
kind: ServiceAccount
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: cert-manager-controller-issuers
|
||||||
|
labels:
|
||||||
|
app: cert-manager
|
||||||
|
app.kubernetes.io/name: cert-manager
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: controller
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: cert-manager-controller-issuers
|
||||||
subjects:
|
subjects:
|
||||||
- name: cert-manager
|
- name: cert-manager
|
||||||
namespace: {{ cert_manager_namespace }}
|
namespace: {{ cert_manager_namespace }}
|
||||||
|
|
|
@ -1,25 +1,291 @@
|
||||||
|
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
---
|
---
|
||||||
apiVersion: apiextensions.k8s.io/v1
|
apiVersion: apiextensions.k8s.io/v1beta1
|
||||||
kind: CustomResourceDefinition
|
kind: CustomResourceDefinition
|
||||||
metadata:
|
metadata:
|
||||||
name: certificates.certmanager.k8s.io
|
name: certificaterequests.cert-manager.io
|
||||||
annotations:
|
annotations:
|
||||||
"helm.sh/hook": crd-install
|
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
|
||||||
"api-approved.kubernetes.io": "unapproved-will-be-remove-with-cert-manager-update"
|
|
||||||
labels:
|
labels:
|
||||||
app: cert-manager
|
app: cert-manager
|
||||||
chart: cert-manager-v0.5.2
|
app.kubernetes.io/name: cert-manager
|
||||||
release: cert-manager
|
app.kubernetes.io/instance: cert-manager
|
||||||
heritage: Tiller
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
spec:
|
spec:
|
||||||
group: certmanager.k8s.io
|
additionalPrinterColumns:
|
||||||
|
- JSONPath: .status.conditions[?(@.type=="Ready")].status
|
||||||
|
name: Ready
|
||||||
|
type: string
|
||||||
|
- JSONPath: .spec.issuerRef.name
|
||||||
|
name: Issuer
|
||||||
|
priority: 1
|
||||||
|
type: string
|
||||||
|
- JSONPath: .status.conditions[?(@.type=="Ready")].message
|
||||||
|
name: Status
|
||||||
|
priority: 1
|
||||||
|
type: string
|
||||||
|
- JSONPath: .metadata.creationTimestamp
|
||||||
|
description: CreationTimestamp is a timestamp representing the server time when
|
||||||
|
this object was created. It is not guaranteed to be set in happens-before order
|
||||||
|
across separate operations. Clients may not set this value. It is represented
|
||||||
|
in RFC3339 form and is in UTC.
|
||||||
|
name: Age
|
||||||
|
type: date
|
||||||
|
group: cert-manager.io
|
||||||
|
preserveUnknownFields: false
|
||||||
|
conversion:
|
||||||
|
# a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
|
||||||
|
strategy: Webhook
|
||||||
|
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
|
||||||
|
webhookClientConfig:
|
||||||
|
service:
|
||||||
|
namespace: '{{ cert_manager_namespace }}'
|
||||||
|
name: 'cert-manager-webhook'
|
||||||
|
path: /convert
|
||||||
|
names:
|
||||||
|
kind: CertificateRequest
|
||||||
|
listKind: CertificateRequestList
|
||||||
|
plural: certificaterequests
|
||||||
|
shortNames:
|
||||||
|
- cr
|
||||||
|
- crs
|
||||||
|
singular: certificaterequest
|
||||||
scope: Namespaced
|
scope: Namespaced
|
||||||
|
subresources:
|
||||||
|
status: {}
|
||||||
versions:
|
versions:
|
||||||
- name: v1alpha1
|
- name: v1alpha2
|
||||||
served: true
|
served: true
|
||||||
storage: true
|
storage: true
|
||||||
schema:
|
- name: v1alpha3
|
||||||
openAPIV3Schema:
|
served: true
|
||||||
|
storage: false
|
||||||
|
"validation":
|
||||||
|
"openAPIV3Schema":
|
||||||
|
description: CertificateRequest is a type to represent a Certificate Signing
|
||||||
|
Request
|
||||||
|
type: object
|
||||||
|
properties:
|
||||||
|
apiVersion:
|
||||||
|
description: 'APIVersion defines the versioned schema of this representation
|
||||||
|
of an object. Servers should convert recognized schemas to the latest
|
||||||
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||||
|
type: string
|
||||||
|
kind:
|
||||||
|
description: 'Kind is a string value representing the REST resource this
|
||||||
|
object represents. Servers may infer this from the endpoint the client
|
||||||
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||||
|
type: string
|
||||||
|
metadata:
|
||||||
|
type: object
|
||||||
|
spec:
|
||||||
|
description: CertificateRequestSpec defines the desired state of CertificateRequest
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- csr
|
||||||
|
- issuerRef
|
||||||
|
properties:
|
||||||
|
csr:
|
||||||
|
description: Byte slice containing the PEM encoded CertificateSigningRequest
|
||||||
|
type: string
|
||||||
|
format: byte
|
||||||
|
duration:
|
||||||
|
description: Requested certificate default Duration
|
||||||
|
type: string
|
||||||
|
isCA:
|
||||||
|
description: IsCA will mark the resulting certificate as valid for signing.
|
||||||
|
This implies that the 'cert sign' usage is set
|
||||||
|
type: boolean
|
||||||
|
issuerRef:
|
||||||
|
description: IssuerRef is a reference to the issuer for this CertificateRequest. If
|
||||||
|
the 'kind' field is not set, or set to 'Issuer', an Issuer resource
|
||||||
|
with the given name in the same namespace as the CertificateRequest
|
||||||
|
will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
|
||||||
|
with the provided name will be used. The 'name' field in this stanza
|
||||||
|
is required at all times. The group field refers to the API group
|
||||||
|
of the issuer which defaults to 'cert-manager.io' if empty.
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- name
|
||||||
|
properties:
|
||||||
|
group:
|
||||||
|
type: string
|
||||||
|
kind:
|
||||||
|
type: string
|
||||||
|
name:
|
||||||
|
type: string
|
||||||
|
usages:
|
||||||
|
description: Usages is the set of x509 actions that are enabled for
|
||||||
|
a given key. Defaults are ('digital signature', 'key encipherment')
|
||||||
|
if empty
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
description: 'KeyUsage specifies valid usage contexts for keys. See:
|
||||||
|
https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
|
||||||
|
Valid KeyUsage values are as follows: "signing", "digital signature",
|
||||||
|
"content commitment", "key encipherment", "key agreement", "data
|
||||||
|
encipherment", "cert sign", "crl sign", "encipher only", "decipher
|
||||||
|
only", "any", "server auth", "client auth", "code signing", "email
|
||||||
|
protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
|
||||||
|
user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
|
||||||
|
sgc"'
|
||||||
|
type: string
|
||||||
|
enum:
|
||||||
|
- signing
|
||||||
|
- digital signature
|
||||||
|
- content commitment
|
||||||
|
- key encipherment
|
||||||
|
- key agreement
|
||||||
|
- data encipherment
|
||||||
|
- cert sign
|
||||||
|
- crl sign
|
||||||
|
- encipher only
|
||||||
|
- decipher only
|
||||||
|
- any
|
||||||
|
- server auth
|
||||||
|
- client auth
|
||||||
|
- code signing
|
||||||
|
- email protection
|
||||||
|
- s/mime
|
||||||
|
- ipsec end system
|
||||||
|
- ipsec tunnel
|
||||||
|
- ipsec user
|
||||||
|
- timestamping
|
||||||
|
- ocsp signing
|
||||||
|
- microsoft sgc
|
||||||
|
- netscape sgc
|
||||||
|
status:
|
||||||
|
description: CertificateStatus defines the observed state of CertificateRequest
|
||||||
|
and resulting signed certificate.
|
||||||
|
type: object
|
||||||
|
properties:
|
||||||
|
ca:
|
||||||
|
description: Byte slice containing the PEM encoded certificate authority
|
||||||
|
of the signed certificate.
|
||||||
|
type: string
|
||||||
|
format: byte
|
||||||
|
certificate:
|
||||||
|
description: Byte slice containing a PEM encoded signed certificate
|
||||||
|
resulting from the given certificate signing request.
|
||||||
|
type: string
|
||||||
|
format: byte
|
||||||
|
conditions:
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
description: CertificateRequestCondition contains condition information
|
||||||
|
for a CertificateRequest.
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- status
|
||||||
|
- type
|
||||||
|
properties:
|
||||||
|
lastTransitionTime:
|
||||||
|
description: LastTransitionTime is the timestamp corresponding
|
||||||
|
to the last status change of this condition.
|
||||||
|
type: string
|
||||||
|
format: date-time
|
||||||
|
message:
|
||||||
|
description: Message is a human readable description of the details
|
||||||
|
of the last transition, complementing reason.
|
||||||
|
type: string
|
||||||
|
reason:
|
||||||
|
description: Reason is a brief machine readable explanation for
|
||||||
|
the condition's last transition.
|
||||||
|
type: string
|
||||||
|
status:
|
||||||
|
description: Status of the condition, one of ('True', 'False',
|
||||||
|
'Unknown').
|
||||||
|
type: string
|
||||||
|
enum:
|
||||||
|
- "True"
|
||||||
|
- "False"
|
||||||
|
- Unknown
|
||||||
|
type:
|
||||||
|
description: Type of the condition, currently ('Ready', 'InvalidRequest').
|
||||||
|
type: string
|
||||||
|
failureTime:
|
||||||
|
description: FailureTime stores the time that this CertificateRequest
|
||||||
|
failed. This is used to influence garbage collection and back-off.
|
||||||
|
type: string
|
||||||
|
format: date-time
|
||||||
|
---
|
||||||
|
apiVersion: apiextensions.k8s.io/v1beta1
|
||||||
|
kind: CustomResourceDefinition
|
||||||
|
metadata:
|
||||||
|
name: certificates.cert-manager.io
|
||||||
|
annotations:
|
||||||
|
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
|
||||||
|
labels:
|
||||||
|
app: cert-manager
|
||||||
|
app.kubernetes.io/name: cert-manager
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
spec:
|
||||||
|
additionalPrinterColumns:
|
||||||
|
- JSONPath: .status.conditions[?(@.type=="Ready")].status
|
||||||
|
name: Ready
|
||||||
|
type: string
|
||||||
|
- JSONPath: .spec.secretName
|
||||||
|
name: Secret
|
||||||
|
type: string
|
||||||
|
- JSONPath: .spec.issuerRef.name
|
||||||
|
name: Issuer
|
||||||
|
priority: 1
|
||||||
|
type: string
|
||||||
|
- JSONPath: .status.conditions[?(@.type=="Ready")].message
|
||||||
|
name: Status
|
||||||
|
priority: 1
|
||||||
|
type: string
|
||||||
|
- JSONPath: .metadata.creationTimestamp
|
||||||
|
description: CreationTimestamp is a timestamp representing the server time when
|
||||||
|
this object was created. It is not guaranteed to be set in happens-before order
|
||||||
|
across separate operations. Clients may not set this value. It is represented
|
||||||
|
in RFC3339 form and is in UTC.
|
||||||
|
name: Age
|
||||||
|
type: date
|
||||||
|
group: cert-manager.io
|
||||||
|
preserveUnknownFields: false
|
||||||
|
conversion:
|
||||||
|
# a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
|
||||||
|
strategy: Webhook
|
||||||
|
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
|
||||||
|
webhookClientConfig:
|
||||||
|
service:
|
||||||
|
namespace: '{{ cert_manager_namespace }}'
|
||||||
|
name: 'cert-manager-webhook'
|
||||||
|
path: /convert
|
||||||
|
names:
|
||||||
|
kind: Certificate
|
||||||
|
listKind: CertificateList
|
||||||
|
plural: certificates
|
||||||
|
shortNames:
|
||||||
|
- cert
|
||||||
|
- certs
|
||||||
|
singular: certificate
|
||||||
|
scope: Namespaced
|
||||||
|
subresources:
|
||||||
|
status: {}
|
||||||
|
versions:
|
||||||
|
- name: v1alpha2
|
||||||
|
served: true
|
||||||
|
storage: true
|
||||||
|
"schema":
|
||||||
|
"openAPIV3Schema":
|
||||||
description: Certificate is a type to represent a Certificate from ACME
|
description: Certificate is a type to represent a Certificate from ACME
|
||||||
type: object
|
type: object
|
||||||
properties:
|
properties:
|
||||||
|
@ -711,10 +977,3 @@ spec:
|
||||||
issuance by checking if the revision value in the annotation is
|
issuance by checking if the revision value in the annotation is
|
||||||
greater than this field."
|
greater than this field."
|
||||||
type: integer
|
type: integer
|
||||||
names:
|
|
||||||
kind: Certificate
|
|
||||||
plural: certificates
|
|
||||||
shortNames:
|
|
||||||
- cert
|
|
||||||
- certs
|
|
||||||
|
|
||||||
|
|
File diff suppressed because it is too large
Load diff
File diff suppressed because it is too large
Load diff
File diff suppressed because it is too large
Load diff
|
@ -0,0 +1,253 @@
|
||||||
|
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: apiextensions.k8s.io/v1beta1
|
||||||
|
kind: CustomResourceDefinition
|
||||||
|
metadata:
|
||||||
|
name: orders.acme.cert-manager.io
|
||||||
|
annotations:
|
||||||
|
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
|
||||||
|
labels:
|
||||||
|
app: cert-manager
|
||||||
|
app.kubernetes.io/name: cert-manager
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
spec:
|
||||||
|
additionalPrinterColumns:
|
||||||
|
- JSONPath: .status.state
|
||||||
|
name: State
|
||||||
|
type: string
|
||||||
|
- JSONPath: .spec.issuerRef.name
|
||||||
|
name: Issuer
|
||||||
|
priority: 1
|
||||||
|
type: string
|
||||||
|
- JSONPath: .status.reason
|
||||||
|
name: Reason
|
||||||
|
priority: 1
|
||||||
|
type: string
|
||||||
|
- JSONPath: .metadata.creationTimestamp
|
||||||
|
description: CreationTimestamp is a timestamp representing the server time when
|
||||||
|
this object was created. It is not guaranteed to be set in happens-before order
|
||||||
|
across separate operations. Clients may not set this value. It is represented
|
||||||
|
in RFC3339 form and is in UTC.
|
||||||
|
name: Age
|
||||||
|
type: date
|
||||||
|
group: acme.cert-manager.io
|
||||||
|
preserveUnknownFields: false
|
||||||
|
conversion:
|
||||||
|
# a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
|
||||||
|
strategy: Webhook
|
||||||
|
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
|
||||||
|
webhookClientConfig:
|
||||||
|
service:
|
||||||
|
namespace: '{{ cert_manager_namespace }}'
|
||||||
|
name: 'cert-manager-webhook'
|
||||||
|
path: /convert
|
||||||
|
names:
|
||||||
|
kind: Order
|
||||||
|
listKind: OrderList
|
||||||
|
plural: orders
|
||||||
|
singular: order
|
||||||
|
scope: Namespaced
|
||||||
|
subresources:
|
||||||
|
status: {}
|
||||||
|
versions:
|
||||||
|
- name: v1alpha2
|
||||||
|
served: true
|
||||||
|
storage: true
|
||||||
|
- name: v1alpha3
|
||||||
|
served: true
|
||||||
|
storage: false
|
||||||
|
"validation":
|
||||||
|
"openAPIV3Schema":
|
||||||
|
description: Order is a type to represent an Order with an ACME server
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- metadata
|
||||||
|
properties:
|
||||||
|
apiVersion:
|
||||||
|
description: 'APIVersion defines the versioned schema of this representation
|
||||||
|
of an object. Servers should convert recognized schemas to the latest
|
||||||
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||||
|
type: string
|
||||||
|
kind:
|
||||||
|
description: 'Kind is a string value representing the REST resource this
|
||||||
|
object represents. Servers may infer this from the endpoint the client
|
||||||
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||||
|
type: string
|
||||||
|
metadata:
|
||||||
|
type: object
|
||||||
|
spec:
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- csr
|
||||||
|
- issuerRef
|
||||||
|
properties:
|
||||||
|
commonName:
|
||||||
|
description: CommonName is the common name as specified on the DER encoded
|
||||||
|
CSR. If CommonName is not specified, the first DNSName specified will
|
||||||
|
be used as the CommonName. At least one of CommonName or a DNSNames
|
||||||
|
must be set. This field must match the corresponding field on the
|
||||||
|
DER encoded CSR.
|
||||||
|
type: string
|
||||||
|
csr:
|
||||||
|
description: Certificate signing request bytes in DER encoding. This
|
||||||
|
will be used when finalizing the order. This field must be set on
|
||||||
|
the order.
|
||||||
|
type: string
|
||||||
|
format: byte
|
||||||
|
dnsNames:
|
||||||
|
description: DNSNames is a list of DNS names that should be included
|
||||||
|
as part of the Order validation process. If CommonName is not specified,
|
||||||
|
the first DNSName specified will be used as the CommonName. At least
|
||||||
|
one of CommonName or a DNSNames must be set. This field must match
|
||||||
|
the corresponding field on the DER encoded CSR.
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
issuerRef:
|
||||||
|
description: IssuerRef references a properly configured ACME-type Issuer
|
||||||
|
which should be used to create this Order. If the Issuer does not
|
||||||
|
exist, processing will be retried. If the Issuer is not an 'ACME'
|
||||||
|
Issuer, an error will be returned and the Order will be marked as
|
||||||
|
failed.
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- name
|
||||||
|
properties:
|
||||||
|
group:
|
||||||
|
type: string
|
||||||
|
kind:
|
||||||
|
type: string
|
||||||
|
name:
|
||||||
|
type: string
|
||||||
|
status:
|
||||||
|
type: object
|
||||||
|
properties:
|
||||||
|
authorizations:
|
||||||
|
description: Authorizations contains data returned from the ACME server
|
||||||
|
on what authorizations must be completed in order to validate the
|
||||||
|
DNS names specified on the Order.
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
description: ACMEAuthorization contains data returned from the ACME
|
||||||
|
server on an authorization that must be completed in order validate
|
||||||
|
a DNS name on an ACME Order resource.
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- url
|
||||||
|
properties:
|
||||||
|
challenges:
|
||||||
|
description: Challenges specifies the challenge types offered
|
||||||
|
by the ACME server. One of these challenge types will be selected
|
||||||
|
when validating the DNS name and an appropriate Challenge resource
|
||||||
|
will be created to perform the ACME challenge process.
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
description: Challenge specifies a challenge offered by the
|
||||||
|
ACME server for an Order. An appropriate Challenge resource
|
||||||
|
can be created to perform the ACME challenge process.
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- token
|
||||||
|
- type
|
||||||
|
- url
|
||||||
|
properties:
|
||||||
|
token:
|
||||||
|
description: Token is the token that must be presented for
|
||||||
|
this challenge. This is used to compute the 'key' that
|
||||||
|
must also be presented.
|
||||||
|
type: string
|
||||||
|
type:
|
||||||
|
description: Type is the type of challenge being offered,
|
||||||
|
e.g. http-01, dns-01
|
||||||
|
type: string
|
||||||
|
url:
|
||||||
|
description: URL is the URL of this challenge. It can be
|
||||||
|
used to retrieve additional metadata about the Challenge
|
||||||
|
from the ACME server.
|
||||||
|
type: string
|
||||||
|
identifier:
|
||||||
|
description: Identifier is the DNS name to be validated as part
|
||||||
|
of this authorization
|
||||||
|
type: string
|
||||||
|
initialState:
|
||||||
|
description: InitialState is the initial state of the ACME authorization
|
||||||
|
when first fetched from the ACME server. If an Authorization
|
||||||
|
is already 'valid', the Order controller will not create a Challenge
|
||||||
|
resource for the authorization. This will occur when working
|
||||||
|
with an ACME server that enables 'authz reuse' (such as Let's
|
||||||
|
Encrypt's production endpoint). If not set and 'identifier'
|
||||||
|
is set, the state is assumed to be pending and a Challenge will
|
||||||
|
be created.
|
||||||
|
type: string
|
||||||
|
enum:
|
||||||
|
- valid
|
||||||
|
- ready
|
||||||
|
- pending
|
||||||
|
- processing
|
||||||
|
- invalid
|
||||||
|
- expired
|
||||||
|
- errored
|
||||||
|
url:
|
||||||
|
description: URL is the URL of the Authorization that must be
|
||||||
|
completed
|
||||||
|
type: string
|
||||||
|
wildcard:
|
||||||
|
description: Wildcard will be true if this authorization is for
|
||||||
|
a wildcard DNS name. If this is true, the identifier will be
|
||||||
|
the *non-wildcard* version of the DNS name. For example, if
|
||||||
|
'*.example.com' is the DNS name being validated, this field
|
||||||
|
will be 'true' and the 'identifier' field will be 'example.com'.
|
||||||
|
type: boolean
|
||||||
|
certificate:
|
||||||
|
description: Certificate is a copy of the PEM encoded certificate for
|
||||||
|
this Order. This field will be populated after the order has been
|
||||||
|
successfully finalized with the ACME server, and the order has transitioned
|
||||||
|
to the 'valid' state.
|
||||||
|
type: string
|
||||||
|
format: byte
|
||||||
|
failureTime:
|
||||||
|
description: FailureTime stores the time that this order failed. This
|
||||||
|
is used to influence garbage collection and back-off.
|
||||||
|
type: string
|
||||||
|
format: date-time
|
||||||
|
finalizeURL:
|
||||||
|
description: FinalizeURL of the Order. This is used to obtain certificates
|
||||||
|
for this order once it has been completed.
|
||||||
|
type: string
|
||||||
|
reason:
|
||||||
|
description: Reason optionally provides more information about a why
|
||||||
|
the order is in the current state.
|
||||||
|
type: string
|
||||||
|
state:
|
||||||
|
description: State contains the current state of this Order resource.
|
||||||
|
States 'success' and 'expired' are 'final'
|
||||||
|
type: string
|
||||||
|
enum:
|
||||||
|
- valid
|
||||||
|
- ready
|
||||||
|
- pending
|
||||||
|
- processing
|
||||||
|
- invalid
|
||||||
|
- expired
|
||||||
|
- errored
|
||||||
|
url:
|
||||||
|
description: URL of the Order. This will initially be empty when the
|
||||||
|
resource is first created. The Order controller will populate this
|
||||||
|
field when the Order is first processed. This field will be immutable
|
||||||
|
after it is initially set.
|
||||||
|
type: string
|
|
@ -1,3 +1,62 @@
|
||||||
|
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: cert-manager-cainjector
|
||||||
|
namespace: {{ cert_manager_namespace }}
|
||||||
|
labels:
|
||||||
|
app: cainjector
|
||||||
|
app.kubernetes.io/name: cainjector
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: cainjector
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: cainjector
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/component: cainjector
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: cainjector
|
||||||
|
app.kubernetes.io/name: cainjector
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: cainjector
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
spec:
|
||||||
|
serviceAccountName: cert-manager-cainjector
|
||||||
|
containers:
|
||||||
|
- name: cert-manager
|
||||||
|
image: "{{ cert_manager_cainjector_image_repo }}:{{ cert_manager_cainjector_image_tag }}"
|
||||||
|
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||||
|
args:
|
||||||
|
- --v=2
|
||||||
|
- --leader-election-namespace=kube-system
|
||||||
|
env:
|
||||||
|
- name: POD_NAMESPACE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.namespace
|
||||||
|
resources:
|
||||||
|
{}
|
||||||
---
|
---
|
||||||
apiVersion: apps/v1
|
apiVersion: apps/v1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
|
@ -6,39 +65,113 @@ metadata:
|
||||||
namespace: {{ cert_manager_namespace }}
|
namespace: {{ cert_manager_namespace }}
|
||||||
labels:
|
labels:
|
||||||
app: cert-manager
|
app: cert-manager
|
||||||
chart: cert-manager-v0.5.2
|
app.kubernetes.io/name: cert-manager
|
||||||
release: cert-manager
|
app.kubernetes.io/instance: cert-manager
|
||||||
heritage: Tiller
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: controller
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
spec:
|
spec:
|
||||||
replicas: 1
|
replicas: 1
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
app: cert-manager
|
app.kubernetes.io/name: cert-manager
|
||||||
release: cert-manager
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/component: controller
|
||||||
template:
|
template:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
app: cert-manager
|
app: cert-manager
|
||||||
release: cert-manager
|
app.kubernetes.io/name: cert-manager
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/component: controller
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
annotations:
|
annotations:
|
||||||
|
prometheus.io/path: "/metrics"
|
||||||
|
prometheus.io/scrape: 'true'
|
||||||
|
prometheus.io/port: '9402'
|
||||||
spec:
|
spec:
|
||||||
priorityClassName: {% if cert_manager_namespace == 'kube-system' %}system-cluster-critical{% else %}k8s-cluster-critical{% endif %}{{''}}
|
|
||||||
serviceAccountName: cert-manager
|
serviceAccountName: cert-manager
|
||||||
containers:
|
containers:
|
||||||
- name: cert-manager
|
- name: cert-manager
|
||||||
image: {{ cert_manager_controller_image_repo }}:{{ cert_manager_controller_image_tag }}
|
image: "{{ cert_manager_controller_image_repo }}:{{ cert_manager_controller_image_tag }}"
|
||||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||||
args:
|
args:
|
||||||
- --cluster-resource-namespace=$(POD_NAMESPACE)
|
- --v=2
|
||||||
- --leader-election-namespace=$(POD_NAMESPACE)
|
- --cluster-resource-namespace=$(POD_NAMESPACE)
|
||||||
|
- --leader-election-namespace=kube-system
|
||||||
|
ports:
|
||||||
|
- containerPort: 9402
|
||||||
|
protocol: TCP
|
||||||
env:
|
env:
|
||||||
- name: POD_NAMESPACE
|
- name: POD_NAMESPACE
|
||||||
valueFrom:
|
valueFrom:
|
||||||
fieldRef:
|
fieldRef:
|
||||||
fieldPath: metadata.namespace
|
fieldPath: metadata.namespace
|
||||||
resources:
|
resources:
|
||||||
requests:
|
{}
|
||||||
cpu: 10m
|
---
|
||||||
memory: 32Mi
|
apiVersion: apps/v1
|
||||||
securityContext:
|
kind: Deployment
|
||||||
runAsUser: {{ cert_manager_user }}
|
metadata:
|
||||||
|
name: cert-manager-webhook
|
||||||
|
namespace: {{ cert_manager_namespace }}
|
||||||
|
labels:
|
||||||
|
app: webhook
|
||||||
|
app.kubernetes.io/name: webhook
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: webhook
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: webhook
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/component: webhook
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: webhook
|
||||||
|
app.kubernetes.io/name: webhook
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: webhook
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
spec:
|
||||||
|
serviceAccountName: cert-manager-webhook
|
||||||
|
containers:
|
||||||
|
- name: cert-manager
|
||||||
|
image: "{{ cert_manager_webhook_image_repo }}:{{ cert_manager_webhook_image_tag }}"
|
||||||
|
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||||
|
args:
|
||||||
|
- --v=2
|
||||||
|
- --secure-port=10250
|
||||||
|
- --dynamic-serving-ca-secret-namespace={{ cert_manager_namespace }}
|
||||||
|
- --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
|
||||||
|
- --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
|
||||||
|
ports:
|
||||||
|
- name: https
|
||||||
|
containerPort: 10250
|
||||||
|
livenessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /livez
|
||||||
|
port: 6080
|
||||||
|
scheme: HTTP
|
||||||
|
initialDelaySeconds: 60
|
||||||
|
periodSeconds: 10
|
||||||
|
readinessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /healthz
|
||||||
|
port: 6080
|
||||||
|
scheme: HTTP
|
||||||
|
initialDelaySeconds: 5
|
||||||
|
periodSeconds: 5
|
||||||
|
env:
|
||||||
|
- name: POD_NAMESPACE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.namespace
|
||||||
|
resources:
|
||||||
|
{}
|
||||||
|
|
|
@ -0,0 +1,85 @@
|
||||||
|
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
name: cert-manager-cainjector:leaderelection
|
||||||
|
namespace: kube-system
|
||||||
|
labels:
|
||||||
|
app: cainjector
|
||||||
|
app.kubernetes.io/name: cainjector
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: cainjector
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
rules:
|
||||||
|
# Used for leader election by the controller
|
||||||
|
# cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
|
||||||
|
# see cmd/cainjector/start.go#L113
|
||||||
|
# cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
|
||||||
|
# see cmd/cainjector/start.go#L137
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["configmaps"]
|
||||||
|
resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
|
||||||
|
verbs: ["get", "update", "patch"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["configmaps"]
|
||||||
|
verbs: ["create"]
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
name: cert-manager:leaderelection
|
||||||
|
namespace: kube-system
|
||||||
|
labels:
|
||||||
|
app: cert-manager
|
||||||
|
app.kubernetes.io/name: cert-manager
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: controller
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
rules:
|
||||||
|
# Used for leader election by the controller
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["configmaps"]
|
||||||
|
resourceNames: ["cert-manager-controller"]
|
||||||
|
verbs: ["get", "update", "patch"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["configmaps"]
|
||||||
|
verbs: ["create"]
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
name: cert-manager-webhook:dynamic-serving
|
||||||
|
namespace: {{ cert_manager_namespace }}
|
||||||
|
labels:
|
||||||
|
app: webhook
|
||||||
|
app.kubernetes.io/name: webhook
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: webhook
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["secrets"]
|
||||||
|
resourceNames:
|
||||||
|
- 'cert-manager-webhook-ca'
|
||||||
|
verbs: ["get", "list", "watch", "update"]
|
||||||
|
# It's not possible to grant CREATE permission on a single resourceName.
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["secrets"]
|
||||||
|
verbs: ["create"]
|
|
@ -0,0 +1,79 @@
|
||||||
|
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: cert-manager-cainjector:leaderelection
|
||||||
|
namespace: kube-system
|
||||||
|
labels:
|
||||||
|
app: cainjector
|
||||||
|
app.kubernetes.io/name: cainjector
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: cainjector
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: cert-manager-cainjector:leaderelection
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: cert-manager-cainjector
|
||||||
|
namespace: {{ cert_manager_namespace }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: cert-manager:leaderelection
|
||||||
|
namespace: kube-system
|
||||||
|
labels:
|
||||||
|
app: cert-manager
|
||||||
|
app.kubernetes.io/name: cert-manager
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: controller
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: cert-manager:leaderelection
|
||||||
|
subjects:
|
||||||
|
- apiGroup: ""
|
||||||
|
kind: ServiceAccount
|
||||||
|
name: cert-manager
|
||||||
|
namespace: {{ cert_manager_namespace }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: cert-manager-webhook:dynamic-serving
|
||||||
|
namespace: {{ cert_manager_namespace }}
|
||||||
|
labels:
|
||||||
|
app: webhook
|
||||||
|
app.kubernetes.io/name: webhook
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: webhook
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: cert-manager-webhook:dynamic-serving
|
||||||
|
subjects:
|
||||||
|
- apiGroup: ""
|
||||||
|
kind: ServiceAccount
|
||||||
|
name: cert-manager-webhook
|
||||||
|
namespace: {{ cert_manager_namespace }}
|
|
@ -1,3 +1,30 @@
|
||||||
|
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: cert-manager-cainjector
|
||||||
|
namespace: {{ cert_manager_namespace }}
|
||||||
|
labels:
|
||||||
|
app: cainjector
|
||||||
|
app.kubernetes.io/name: cainjector
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: cainjector
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: ServiceAccount
|
kind: ServiceAccount
|
||||||
|
@ -6,6 +33,21 @@ metadata:
|
||||||
namespace: {{ cert_manager_namespace }}
|
namespace: {{ cert_manager_namespace }}
|
||||||
labels:
|
labels:
|
||||||
app: cert-manager
|
app: cert-manager
|
||||||
chart: cert-manager-v0.5.2
|
app.kubernetes.io/name: cert-manager
|
||||||
release: cert-manager
|
app.kubernetes.io/instance: cert-manager
|
||||||
heritage: Tiller
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: controller
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: cert-manager-webhook
|
||||||
|
namespace: {{ cert_manager_namespace }}
|
||||||
|
labels:
|
||||||
|
app: webhook
|
||||||
|
app.kubernetes.io/name: webhook
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: webhook
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
|
|
@ -0,0 +1,9 @@
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: ca-key-pair
|
||||||
|
namespace: {{ cert_manager_namespace }}
|
||||||
|
data:
|
||||||
|
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURvRENDQW9pZ0F3SUJBZ0lVYXRUWVNIK1lUMVJvbXVGekF2clFRWGtsQ0Vrd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2FERUxNQWtHQTFVRUJoTUNWVk14RHpBTkJnTlZCQWdUQms5eVpXZHZiakVSTUE4R0ExVUVCeE1JVUc5eQpkR3hoYm1ReEV6QVJCZ05WQkFvVENrdDFZbVZ5Ym1WMFpYTXhDekFKQmdOVkJBc1RBa05CTVJNd0VRWURWUVFECkV3cExkV0psY201bGRHVnpNQjRYRFRJd01EY3hNREUxTWpFd01Gb1hEVEkxTURjd09URTFNakV3TUZvd2FERUwKTUFrR0ExVUVCaE1DVlZNeER6QU5CZ05WQkFnVEJrOXlaV2R2YmpFUk1BOEdBMVVFQnhNSVVHOXlkR3hoYm1ReApFekFSQmdOVkJBb1RDa3QxWW1WeWJtVjBaWE14Q3pBSkJnTlZCQXNUQWtOQk1STXdFUVlEVlFRREV3cExkV0psCmNtNWxkR1Z6TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF0MmZFNUhRSm8vNGIKRjNqN1JPZzJ6REhNdEhLd0pjVEZZYkZZMGpIWGZTVWJTS1ZObzUrNTNqQ29SdFFWd1FyYU12QnozMGRJbzd6agpMcE1VQU5aRStacXQrbkk5RWtzMVphS1NKNmYvNXpmZDEzZ1ZOTkgzN05KVUVKV0NHTnVoUmVFNDRpcUtmSDV3Ck9iZlJKL2ZCYVQ5cW9DQW9tWVcvV1JUS0t5ancreFBPeWdZZERsUk9jdzBSRmdieDkvWk5GS1lYR3BQcmdyR0wKWW45VWZXZG92WHozbys3N1piNm9SRWdBVkNDUTBaN0VEYUpjd3RCZkxOV0pWbGRET2dJNFpmWDBaNnNBN2lobgptQ1hHenJGd25JaVhaajUrdjk0ejF0SThOazlvL1RFbG9EdlJnamJNblRxQ2hGa1ZROHhtaXMwckZmMVprN3ZwCjNOMWFtY2hBQVFJREFRQUJvMEl3UURBT0JnTlZIUThCQWY4RUJBTUNBUVl3RHdZRFZSMFRBUUgvQkFVd0F3RUIKL3pBZEJnTlZIUTRFRmdRVTFEaTE0aVpKWGczajNObHdjenZFR1dwRFN2SXdEUVlKS29aSWh2Y05BUUVMQlFBRApnZ0VCQURkR1FDSFcwNkFVZUo4alM3cURPM2F1TG4xTHE0c1JCWHBoVUZ6TGRyMi9rUUlZd1BtcTRmb09RMjBwCitLTVUyanpmR0VHd3ZOU0p2QnphNHRGS1NiZHRpeFI3RmsyREdPLzc5a3ZPZ2o3UVRrUUpkUzNwaWtSc09EMlUKaytpa09qL2wyTkRSRFVXZlh4RjRjeVZTZ0VubDExUUVDa0JrUHBIYlIrUHQxYWhnMGVRMElnL0MvZC8vN2Vtegp3ZWNUZjBsQkc1UmszaURHdkxhaHdTek9jQWhSY1BxVW9idCs1bTVycmp0R3BrTFNQOTBzVko2TTZ3ZE43dGR4CkNpTktWWGRZaHBZWmUrQ1hEQ2lRR0NLVHE5NHJPbGptVmh5Z0FKWjlBOERVOWVZRmVOci9oOW84c2JYNFlzcU0KV3YwREkyQldlQ3k3MmlXZXErNHkwTENKSzQ4PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
|
||||||
|
tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBdDJmRTVIUUpvLzRiRjNqN1JPZzJ6REhNdEhLd0pjVEZZYkZZMGpIWGZTVWJTS1ZOCm81KzUzakNvUnRRVndRcmFNdkJ6MzBkSW83empMcE1VQU5aRStacXQrbkk5RWtzMVphS1NKNmYvNXpmZDEzZ1YKTk5IMzdOSlVFSldDR051aFJlRTQ0aXFLZkg1d09iZlJKL2ZCYVQ5cW9DQW9tWVcvV1JUS0t5ancreFBPeWdZZApEbFJPY3cwUkZnYng5L1pORktZWEdwUHJnckdMWW45VWZXZG92WHozbys3N1piNm9SRWdBVkNDUTBaN0VEYUpjCnd0QmZMTldKVmxkRE9nSTRaZlgwWjZzQTdpaG5tQ1hHenJGd25JaVhaajUrdjk0ejF0SThOazlvL1RFbG9EdlIKZ2piTW5UcUNoRmtWUTh4bWlzMHJGZjFaazd2cDNOMWFtY2hBQVFJREFRQUJBb0lCQUJZd2R0RFEvUzJiRzduKwpTQ0F4SEJnZVdrN21wVXNjZ0dqdVpQbWhVQm55K0ZjVXNNMEFFU1BCclVwTWRJbFRmOHl6N01EeHhlY1Jma2J2ClFuZExkVExodFBUZEIyaUVNdVNtQTVyS3A1cFkxdjB2cVJrbjRpQUQzbW5YUE5NM0YwNzJEY1RITXRRWEZBclgKbzNWN2N5b0JveXZXV0RNaXpHREJ0Q2YrbnhFeFFzS0lLUGFxRzlDVWZlSU95RVgzRXJ6QWo3b3lnSXFLZGozbgpFbVBzbThrWDVROW9iOUZwd3FKNkxMTzcxTklQZnpaOUNLSXpSYzBNU3grL3hPYmdKSlJCNmtZTXpjWkloQ1JBClNNclBsYXZLMEVzMHpoTnIyc05aZHBlSmRzWGk5YURwZjhMOTEvdFpJeEpSMEdSUXpEZXhBN2FWdk8vVUo0N0YKOXNXUVBUVUNnWUVBeXNvTm01VHdkNWZqRzk3NXVRa3pGQUgrRGVCNXBlNTBOMkpyN01neWZsVm8zZlJrSTFKKwpsZXlyUnRIempKSzlqeEVtdVJ0YnIvUWZ3MGRUNnhRSnVJSmk3Vmlld3NPNUgzeWtwdytkbm9jVUhVVDhFWEpVCnpLSzRmSGo1SjFrNHBmaHlnNFBJZ0YxMFF1anhJRlc3Q0R3UERJRStuZm5ZczBJZ1U3SkV0OU1DZ1lFQTU0ZWsKTUltWWMyeHhoYTM1U25qd0ZCeEVwSUF3ZGdvdXBROWVsMHhmVVRkdTJsUnA1NHVZaVFVWURhNjJ6RE1kL21QagppSTdqaGl6TEU4VmU4OWh6QXljeTNIRVJPSHNETkhQVG5WN0phcmp3T29aWWIvRnM2NkxtazZMY05BbGI3TER6Cm5FNGdkTEt0cWpQVnBMbmF1T3VOQitXQzY5bm9xRUZpZWxnUWVGc0NnWUIxZGk0RnBYTFlReEZZem9JbHJPOTYKTW1FL0ZueEFJZXdOUEtRNUJnbEJaaVdWRXYrQitrRzZnOWo5NzVTOEl5OUxsR3F5bytjcTl5UUN6K2tLN0pObwozWldCMTJnMmRucGZnNm8zM25LMUpaY0FFVHBVdkwzanZvbFFDQjZCclV1RHozSTlQWE5BNzJEdGROSmVvV254CnJpQWxaU09wQzlSNm1OM3l2UHJTNHdLQmdCQS9WWWRPY0pOUS9kcHFyZjdLNDlZVmNiKzFlekVkWDg2WGVJVFgKaUN6VDNnU1dQZVJReUlCOUNnWVR4NklteUNrTTYyK3V6MHFnSkJRY0dxQzBCTVlvM3duWEtXVTBSTEpPbW9BRgpvYzdLY1prNXlrVDR4VEwzK0lSTnZuUXNYL1lKS045RUlFVHdNUDJycTRkbXYzR1FuaEg2eWlndzM0SEhMTmozCkN4alhBb0dBSjBUNkN0c1c2dEVpYUI5bnc4enI3M2xkMDhraDZSL3B4VHF5c2diNERFTmptd2dndUFoMlJSZkwKYVg3eTNqSUNOTFBjWEFOYlB0QmYrQkRBTTl0UTEzMk5hYzg3N016RHRVSyswem9CWWtwWGM4Rkd4akVuTzc5RQp2MC9vT2wzR2RaWnNJSXhLblcvVlVmYjJydGY1RWgyQytOY1FpWkNXZm5kWkthMXR4WjQ9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
|
|
@ -0,0 +1,60 @@
|
||||||
|
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: cert-manager
|
||||||
|
namespace: {{ cert_manager_namespace }}
|
||||||
|
labels:
|
||||||
|
app: cert-manager
|
||||||
|
app.kubernetes.io/name: cert-manager
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: controller
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
spec:
|
||||||
|
type: ClusterIP
|
||||||
|
ports:
|
||||||
|
- protocol: TCP
|
||||||
|
port: 9402
|
||||||
|
targetPort: 9402
|
||||||
|
selector:
|
||||||
|
app.kubernetes.io/name: cert-manager
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/component: controller
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: cert-manager-webhook
|
||||||
|
namespace: {{ cert_manager_namespace }}
|
||||||
|
labels:
|
||||||
|
app: webhook
|
||||||
|
app.kubernetes.io/name: webhook
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: webhook
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
spec:
|
||||||
|
type: ClusterIP
|
||||||
|
ports:
|
||||||
|
- name: https
|
||||||
|
port: 443
|
||||||
|
targetPort: 10250
|
||||||
|
selector:
|
||||||
|
app.kubernetes.io/name: webhook
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/component: webhook
|
|
@ -0,0 +1,96 @@
|
||||||
|
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||||
|
kind: MutatingWebhookConfiguration
|
||||||
|
metadata:
|
||||||
|
name: cert-manager-webhook
|
||||||
|
labels:
|
||||||
|
app: webhook
|
||||||
|
app.kubernetes.io/name: webhook
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: webhook
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
annotations:
|
||||||
|
cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
|
||||||
|
webhooks:
|
||||||
|
- name: webhook.cert-manager.io
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- "cert-manager.io"
|
||||||
|
- "acme.cert-manager.io"
|
||||||
|
apiVersions:
|
||||||
|
- v1alpha2
|
||||||
|
- v1alpha3
|
||||||
|
operations:
|
||||||
|
- CREATE
|
||||||
|
- UPDATE
|
||||||
|
resources:
|
||||||
|
- "*/*"
|
||||||
|
failurePolicy: Fail
|
||||||
|
# Only include 'sideEffects' field in Kubernetes 1.12+
|
||||||
|
sideEffects: None
|
||||||
|
clientConfig:
|
||||||
|
service:
|
||||||
|
name: cert-manager-webhook
|
||||||
|
namespace: {{ cert_manager_namespace }}
|
||||||
|
path: /mutate
|
||||||
|
---
|
||||||
|
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||||
|
kind: ValidatingWebhookConfiguration
|
||||||
|
metadata:
|
||||||
|
name: cert-manager-webhook
|
||||||
|
labels:
|
||||||
|
app: webhook
|
||||||
|
app.kubernetes.io/name: webhook
|
||||||
|
app.kubernetes.io/instance: cert-manager
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/component: webhook
|
||||||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||||
|
annotations:
|
||||||
|
cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
|
||||||
|
webhooks:
|
||||||
|
- name: webhook.cert-manager.io
|
||||||
|
namespaceSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: "cert-manager.io/disable-validation"
|
||||||
|
operator: "NotIn"
|
||||||
|
values:
|
||||||
|
- "true"
|
||||||
|
- key: "name"
|
||||||
|
operator: "NotIn"
|
||||||
|
values:
|
||||||
|
- cert-manager
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- "cert-manager.io"
|
||||||
|
- "acme.cert-manager.io"
|
||||||
|
apiVersions:
|
||||||
|
- v1alpha2
|
||||||
|
- v1alpha3
|
||||||
|
operations:
|
||||||
|
- CREATE
|
||||||
|
- UPDATE
|
||||||
|
resources:
|
||||||
|
- "*/*"
|
||||||
|
failurePolicy: Fail
|
||||||
|
# Only include 'sideEffects' field in Kubernetes 1.12+
|
||||||
|
sideEffects: None
|
||||||
|
clientConfig:
|
||||||
|
service:
|
||||||
|
name: cert-manager-webhook
|
||||||
|
namespace: {{ cert_manager_namespace }}
|
||||||
|
path: /validate
|
Loading…
Reference in a new issue