Upgrade JetStack Cert-Manager to v0.15.2 (#6414)
* Upgrade JetStack Cert-Manager to v0.15.2 * Add README.md table of contents
This commit is contained in:
parent
50598d9d47
commit
9cc70e9e70
20 changed files with 6786 additions and 3552 deletions
|
@ -136,7 +136,7 @@ Note: Upstart/SysV init based OS types are not supported.
|
|||
- [ambassador](https://github.com/datawire/ambassador): v1.5
|
||||
- [cephfs-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.0-k8s1.11
|
||||
- [rbd-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.1-k8s1.11
|
||||
- [cert-manager](https://github.com/jetstack/cert-manager) v0.11.1
|
||||
- [cert-manager](https://github.com/jetstack/cert-manager) v0.15.2
|
||||
- [coredns](https://github.com/coredns/coredns) v1.6.7
|
||||
- [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v0.32.0
|
||||
|
||||
|
|
|
@ -546,9 +546,13 @@ ingress_ambassador_image_repo: "{{ quay_image_repo }}/datawire/ambassador-operat
|
|||
ingress_ambassador_image_tag: "v1.2.8"
|
||||
alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
|
||||
alb_ingress_image_tag: "v1.1.8"
|
||||
cert_manager_version: "v0.11.1"
|
||||
cert_manager_version: "v0.15.2"
|
||||
cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller"
|
||||
cert_manager_controller_image_tag: "{{ cert_manager_version }}"
|
||||
cert_manager_cainjector_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-cainjector"
|
||||
cert_manager_cainjector_image_tag: "{{ cert_manager_version }}"
|
||||
cert_manager_webhook_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-webhook"
|
||||
cert_manager_webhook_image_tag: "{{ cert_manager_version }}"
|
||||
addon_resizer_version: "1.8.9"
|
||||
addon_resizer_image_repo: "{{ kube_image_repo }}/addon-resizer"
|
||||
addon_resizer_image_tag: "{{ addon_resizer_version }}"
|
||||
|
@ -1078,6 +1082,24 @@ downloads:
|
|||
groups:
|
||||
- kube-node
|
||||
|
||||
cert_manager_cainjector:
|
||||
enabled: "{{ cert_manager_enabled }}"
|
||||
container: true
|
||||
repo: "{{ cert_manager_cainjector_image_repo }}"
|
||||
tag: "{{ cert_manager_cainjector_image_tag }}"
|
||||
sha256: "{{ cert_manager_cainjector_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- kube-node
|
||||
|
||||
cert_manager_webhook:
|
||||
enabled: "{{ cert_manager_enabled }}"
|
||||
container: true
|
||||
repo: "{{ cert_manager_webhook_image_repo }}"
|
||||
tag: "{{ cert_manager_webhook_image_tag }}"
|
||||
sha256: "{{ cert_manager_webhook_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- kube-node
|
||||
|
||||
csi_attacher:
|
||||
enabled: "{{ cinder_csi_enabled or aws_ebs_csi_enabled }}"
|
||||
container: true
|
||||
|
|
|
@ -1,17 +1,179 @@
|
|||
Deployment files
|
||||
================
|
||||
# Installation Guide
|
||||
|
||||
This directory contains example deployment manifests for cert-manager that can
|
||||
be used in place of the official Helm chart.
|
||||
- [Installation Guide](#installation-guide)
|
||||
- [Kubernetes TLS Root CA Certificate/Key Secret](#kubernetes-tls-root-ca-certificatekey-secret)
|
||||
- [Securing Ingress Resources](#securing-ingress-resources)
|
||||
- [Create New TLS Root CA Certificate and Key](#create-new-tls-root-ca-certificate-and-key)
|
||||
- [Install Cloudflare PKI/TLS `cfssl` Toolkit.](#install-cloudflare-pkitls-cfssl-toolkit)
|
||||
- [Create Root Certificate Authority (CA) Configuration File](#create-root-certificate-authority-ca-configuration-file)
|
||||
- [Create Certficate Signing Request (CSR) Configuration File](#create-certficate-signing-request-csr-configuration-file)
|
||||
- [Create TLS Root CA Certificate and Key](#create-tls-root-ca-certificate-and-key)
|
||||
|
||||
This is useful if you are deploying cert-manager into an environment without
|
||||
Helm, or want to inspect a 'bare minimum' deployment.
|
||||
Cert-Manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self signed. It will ensure certificates are valid and up to date, and attempt to renew certificates at a configured time before expiry.
|
||||
|
||||
Where do these come from?
|
||||
-------------------------
|
||||
The Kubespray out-of-the-box cert-manager deployment uses a TLS Root CA certificate and key stored as the Kubernetes `ca-key-pair` secret consisting of `tls.crt` and `tls.key`, which are the base64 encode values of the TLS Root CA certificate and key respectively.
|
||||
|
||||
The manifests in these subdirectories are generated from the Helm chart
|
||||
automatically. The `values.yaml` files used to configure cert-manager can be
|
||||
found in [`hack/deploy`](../../hack/deploy/).
|
||||
Integration with other PKI/Certificate management solutions, such as HashiCorp Vault will require some further development changes to the current cert-manager deployment and may be introduced in the future.
|
||||
|
||||
They are automatically generated by running `./hack/update-deploy-gen.sh`.
|
||||
## Kubernetes TLS Root CA Certificate/Key Secret
|
||||
|
||||
If you're planning to secure your ingress resources using TLS client certificates, you'll need to create and deploy the Kubernetes `ca-key-pair` secret consisting of the Root CA certificate and key to your K8s cluster.
|
||||
|
||||
If these are already available, simply update `templates\secret-cert-manager.yml.j2` with the base64 encoded values of your TLS Root CA certificate and key prior to enabling and deploying cert-manager.
|
||||
|
||||
e.g.
|
||||
|
||||
```shell
|
||||
$ cat ca.pem | base64 -w 0
|
||||
LS0tLS1CRUdJTiBDRVJU...
|
||||
|
||||
$ cat ca-key.pem | base64 -w 0
|
||||
LS0tLS1CRUdJTiBSU0Eg...
|
||||
```
|
||||
|
||||
For further information, read the official [Cert-Manager CA Configuration](https://cert-manager.io/docs/configuration/ca/) doc.
|
||||
|
||||
Once the base64 encoded values have been added to `templates\secret-cert-manager.yml.j2`, cert-manager can now be enabled by editing your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s-cluster\addons.yml` and setting `cert_manager_enabled` to true.
|
||||
|
||||
```ini
|
||||
# Cert manager deployment
|
||||
cert_manager_enabled: true
|
||||
```
|
||||
|
||||
If you don't have a TLS Root CA certificate and key available, you can create these by following the steps outlined in section [Create New TLS Root CA Certificate and Key](#create-new-tls-root-ca-certificate-and-key) using the Cloudflare PKI/TLS `cfssl` toolkit. TLS Root CA certificates and keys can also be created using `ssh-keygen` and OpenSSL, if `cfssl` is not available.
|
||||
|
||||
## Securing Ingress Resources
|
||||
|
||||
A common use-case for cert-manager is requesting TLS signed certificates to secure your ingress resources. This can be done by simply adding annotations to your Ingress resources and cert-manager will facilitate creating the Certificate resource for you. A small sub-component of cert-manager, ingress-shim, is responsible for this.
|
||||
|
||||
To enable the Nginx Ingress controller as part of your Kubespray deployment, simply edit your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s-cluster\addons.yml` and set `ingress_nginx_enabled` to true.
|
||||
|
||||
```ini
|
||||
# Nginx ingress controller deployment
|
||||
ingress_nginx_enabled: true
|
||||
```
|
||||
|
||||
For example, if you're using the Nginx ingress controller, you can secure the Prometheus ingress by adding the annotation `cert-manager.io/cluster-issuer: ca-issuer` and the `spec.tls` section to the `Ingress` resource definition.
|
||||
|
||||
```yaml
|
||||
apiVersion: networking.k8s.io/v1beta1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: prometheus-k8s
|
||||
namespace: monitoring
|
||||
labels:
|
||||
prometheus: k8s
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
cert-manager.io/cluster-issuer: ca-issuer
|
||||
spec:
|
||||
tls:
|
||||
- hosts:
|
||||
- prometheus.example.com
|
||||
secretName: prometheus-dashboard-certs
|
||||
rules:
|
||||
- host: prometheus.example.com
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
backend:
|
||||
serviceName: prometheus-k8s
|
||||
servicePort: web
|
||||
```
|
||||
|
||||
Once deployed to your K8s cluster, every 3 months cert-manager will automatically rotate the Prometheus `prometheus.example.com` TLS client certificate and key, and store these as the Kubernetes `prometheus-dashboard-certs` secret.
|
||||
|
||||
For further information, read the official [Cert-Manager Ingress](https://cert-manager.io/docs/usage/ingress/) doc.
|
||||
|
||||
### Create New TLS Root CA Certificate and Key
|
||||
|
||||
#### Install Cloudflare PKI/TLS `cfssl` Toolkit.
|
||||
|
||||
e.g. For Ubuntu/Debian distibutions, the toolkit is part of the `golang-cfssl` package.
|
||||
|
||||
```shell
|
||||
$ sudo apt-get install -y golang-cfssl
|
||||
```
|
||||
|
||||
#### Create Root Certificate Authority (CA) Configuration File
|
||||
|
||||
The default TLS certificate expiry time period is `8760h` which is 5 years from the date the certificate is created.
|
||||
|
||||
```shell
|
||||
$ cat > ca-config.json <<EOF
|
||||
{
|
||||
"signing": {
|
||||
"default": {
|
||||
"expiry": "8760h"
|
||||
},
|
||||
"profiles": {
|
||||
"kubernetes": {
|
||||
"usages": ["signing", "key encipherment", "server auth", "client auth"],
|
||||
"expiry": "8760h"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
EOF
|
||||
```
|
||||
|
||||
#### Create Certficate Signing Request (CSR) Configuration File
|
||||
|
||||
The TLS certificate `names` details can be updated to your own specific requirements.
|
||||
|
||||
```shell
|
||||
$ cat > ca-csr.json <<EOF
|
||||
{
|
||||
"CN": "Kubernetes",
|
||||
"key": {
|
||||
"algo": "rsa",
|
||||
"size": 2048
|
||||
},
|
||||
"names": [
|
||||
{
|
||||
"C": "US",
|
||||
"L": "Portland",
|
||||
"O": "Kubernetes",
|
||||
"OU": "CA",
|
||||
"ST": "Oregon"
|
||||
}
|
||||
]
|
||||
}
|
||||
EOF
|
||||
```
|
||||
|
||||
#### Create TLS Root CA Certificate and Key
|
||||
|
||||
```shell
|
||||
$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca
|
||||
ca.pem
|
||||
ca-key.pem
|
||||
```
|
||||
|
||||
Check the TLS Root CA certificate has the correct `Not Before` and `Not After` dates, and ensure it is indeed a valid Certificate Authority with the X509v3 extension `CA:TRUE`.
|
||||
|
||||
```shell
|
||||
$ openssl x509 -text -noout -in ca.pem
|
||||
|
||||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number:
|
||||
6a:d4:d8:48:7f:98:4f:54:68:9a:e1:73:02:fa:d0:41:79:25:08:49
|
||||
Signature Algorithm: sha256WithRSAEncryption
|
||||
Issuer: C = US, ST = Oregon, L = Portland, O = Kubernetes, OU = CA, CN = Kubernetes
|
||||
Validity
|
||||
Not Before: Jul 10 15:21:00 2020 GMT
|
||||
Not After : Jul 9 15:21:00 2025 GMT
|
||||
Subject: C = US, ST = Oregon, L = Portland, O = Kubernetes, OU = CA, CN = Kubernetes
|
||||
Subject Public Key Info:
|
||||
...
|
||||
X509v3 extensions:
|
||||
X509v3 Key Usage: critical
|
||||
Certificate Sign, CRL Sign
|
||||
X509v3 Basic Constraints: critical
|
||||
CA:TRUE
|
||||
X509v3 Subject Key Identifier:
|
||||
D4:38:B5:E2:26:49:5E:0D:E3:DC:D9:70:73:3B:C4:19:6A:43:4A:F2
|
||||
...
|
||||
```
|
||||
|
|
|
@ -28,19 +28,30 @@
|
|||
when:
|
||||
- inventory_hostname == groups['kube-master'][0]
|
||||
|
||||
- name: Cert Manager | Templates list
|
||||
set_fact:
|
||||
cert_manager_templates:
|
||||
- { name: 00-namespace, file: 00-namespace.yml, type: ns }
|
||||
- { name: sa-cert-manager, file: sa-cert-manager.yml, type: sa }
|
||||
- { name: crd-certificate, file: crd-certificate.yml, type: crd }
|
||||
- { name: crd-challenge, file: crd-challenge.yml, type: crd }
|
||||
- { name: crd-clusterissuer, file: crd-clusterissuer.yml, type: crd }
|
||||
- { name: crd-issuer, file: crd-issuer.yml, type: crd }
|
||||
- { name: crd-order, file: crd-order.yml, type: crd }
|
||||
- { name: clusterrole-cert-manager, file: clusterrole-cert-manager.yml, type: clusterrole }
|
||||
- { name: clusterrolebinding-cert-manager, file: clusterrolebinding-cert-manager.yml, type: clusterrolebinding }
|
||||
- { name: role-cert-manager, file: role-cert-manager.yml, type: role }
|
||||
- { name: rolebinding-cert-manager, file: rolebinding-cert-manager.yml, type: rolebinding }
|
||||
- { name: deploy-cert-manager, file: deploy-cert-manager.yml, type: deploy }
|
||||
- { name: svc-cert-manager, file: svc-cert-manager.yml, type: svc }
|
||||
- { name: webhook-cert-manager, file: webhook-cert-manager.yml, type: webhook }
|
||||
- { name: secret-cert-manager, file: secret-cert-manager.yml, type: secret }
|
||||
|
||||
- name: Cert Manager | Create manifests
|
||||
template:
|
||||
src: "{{ item.file }}.j2"
|
||||
dest: "{{ kube_config_dir }}/addons/cert_manager/{{ item.file }}"
|
||||
with_items:
|
||||
- { name: 00-namespace, file: 00-namespace.yml, type: ns }
|
||||
- { name: sa-cert-manager, file: sa-cert-manager.yml, type: sa }
|
||||
- { name: crd-certificate, file: crd-certificate.yml, type: crd }
|
||||
- { name: crd-clusterissuer, file: crd-clusterissuer.yml, type: crd }
|
||||
- { name: crd-issuer, file: crd-issuer.yml, type: crd }
|
||||
- { name: clusterrole-cert-manager, file: clusterrole-cert-manager.yml, type: clusterrole }
|
||||
- { name: clusterrolebinding-cert-manager, file: clusterrolebinding-cert-manager.yml, type: clusterrolebinding }
|
||||
- { name: deploy-cert-manager, file: deploy-cert-manager.yml, type: deploy }
|
||||
with_items: "{{ cert_manager_templates }}"
|
||||
register: cert_manager_manifests
|
||||
when:
|
||||
- inventory_hostname == groups['kube-master'][0]
|
||||
|
@ -48,7 +59,6 @@
|
|||
- name: Cert Manager | Apply manifests
|
||||
kube:
|
||||
name: "{{ item.item.name }}"
|
||||
namespace: "{{ cert_manager_namespace }}"
|
||||
kubectl: "{{ bin_dir }}/kubectl"
|
||||
resource: "{{ item.item.type }}"
|
||||
filename: "{{ kube_config_dir }}/addons/cert_manager/{{ item.item.file }}"
|
||||
|
@ -56,3 +66,24 @@
|
|||
with_items: "{{ cert_manager_manifests.results }}"
|
||||
when:
|
||||
- inventory_hostname == groups['kube-master'][0]
|
||||
|
||||
- name: Cert Manager | Wait for Webhook pods become ready
|
||||
shell: "{{ bin_dir }}/kubectl wait po --namespace={{ cert_manager_namespace }} --selector app=webhook --for=condition=Ready --timeout=600s"
|
||||
register: cert_manager_webhook_pods_ready
|
||||
when: inventory_hostname == groups['kube-master'][0]
|
||||
|
||||
- name: Cert Manager | Create ClusterIssuer manifest
|
||||
template:
|
||||
src: "clusterissuer-cert-manager.yml.j2"
|
||||
dest: "{{ kube_config_dir }}/addons/cert_manager/clusterissuer-cert-manager.yml"
|
||||
register: cert_manager_clusterissuer_manifest
|
||||
when:
|
||||
- inventory_hostname == groups['kube-master'][0] and cert_manager_webhook_pods_ready is succeeded
|
||||
|
||||
- name: Cert Manager | Apply ClusterIssuer manifest
|
||||
kube:
|
||||
name: "clusterissuer-cert-manager"
|
||||
kubectl: "{{ bin_dir }}/kubectl"
|
||||
filename: "{{ kube_config_dir }}/addons/cert_manager/clusterissuer-cert-manager.yml"
|
||||
state: "latest"
|
||||
when: inventory_hostname == groups['kube-master'][0] and cert_manager_clusterissuer_manifest is succeeded
|
||||
|
|
|
@ -1,3 +1,17 @@
|
|||
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
|
@ -5,4 +19,3 @@ metadata:
|
|||
name: {{ cert_manager_namespace }}
|
||||
labels:
|
||||
name: {{ cert_manager_namespace }}
|
||||
certmanager.k8s.io/disable-validation: "true"
|
||||
|
|
|
@ -0,0 +1,23 @@
|
|||
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
---
|
||||
apiVersion: cert-manager.io/v1alpha2
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: ca-issuer
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
spec:
|
||||
ca:
|
||||
secretName: ca-key-pair
|
|
@ -1,20 +1,293 @@
|
|||
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: cert-manager-cainjector
|
||||
labels:
|
||||
app: cainjector
|
||||
app.kubernetes.io/name: cainjector
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: cainjector
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["get", "create", "update", "patch"]
|
||||
- apiGroups: ["admissionregistration.k8s.io"]
|
||||
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
- apiGroups: ["apiregistration.k8s.io"]
|
||||
resources: ["apiservices"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
- apiGroups: ["apiextensions.k8s.io"]
|
||||
resources: ["customresourcedefinitions"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
- apiGroups: ["auditregistration.k8s.io"]
|
||||
resources: ["auditsinks"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: cert-manager-controller-orders
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: controller
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
rules:
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["orders", "orders/status"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["orders", "challenges"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["clusterissuers", "issuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges"]
|
||||
verbs: ["create", "delete"]
|
||||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||
# admission controller enabled:
|
||||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["orders/finalizers"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: cert-manager-controller-ingress-shim
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: controller
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests"]
|
||||
verbs: ["create", "update", "delete"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["extensions"]
|
||||
resources: ["ingresses"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||
# admission controller enabled:
|
||||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||
- apiGroups: ["extensions"]
|
||||
resources: ["ingresses/finalizers"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: cert-manager
|
||||
name: cert-manager-view
|
||||
labels:
|
||||
app: cert-manager
|
||||
chart: cert-manager-v0.5.2
|
||||
release: cert-manager
|
||||
heritage: Tiller
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: controller
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
rbac.authorization.k8s.io/aggregate-to-view: "true"
|
||||
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
||||
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
||||
rules:
|
||||
- apiGroups: ["certmanager.k8s.io"]
|
||||
resources: ["certificates", "issuers", "clusterissuers"]
|
||||
verbs: ["*"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests", "issuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: cert-manager-controller-challenges
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: controller
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
rules:
|
||||
# Use to update challenge resource status
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges", "challenges/status"]
|
||||
verbs: ["update"]
|
||||
# Used to watch challenge resources
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# Used to watch challenges, issuer and clusterissuer resources
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["issuers", "clusterissuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# Need to be able to retrieve ACME account private key to complete challenges
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps", "secrets", "events", "services", "pods"]
|
||||
verbs: ["*"]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# Used to create events
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
# HTTP01 rules
|
||||
- apiGroups: [""]
|
||||
resources: ["pods", "services"]
|
||||
verbs: ["get", "list", "watch", "create", "delete"]
|
||||
- apiGroups: ["extensions"]
|
||||
resources: ["ingresses"]
|
||||
verbs: ["*"]
|
||||
verbs: ["get", "list", "watch", "create", "delete", "update"]
|
||||
# We require the ability to specify a custom hostname when we are creating
|
||||
# new ingress resources.
|
||||
# See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
|
||||
- apiGroups: ["route.openshift.io"]
|
||||
resources: ["routes/custom-host"]
|
||||
verbs: ["create"]
|
||||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||
# admission controller enabled:
|
||||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges/finalizers"]
|
||||
verbs: ["update"]
|
||||
# DNS01 rules (duplicated above)
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: cert-manager-controller-issuers
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: controller
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["issuers", "issuers/status"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["issuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch", "create", "update", "delete"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: cert-manager-controller-clusterissuers
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: controller
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["clusterissuers", "clusterissuers/status"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["clusterissuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch", "create", "update", "delete"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: cert-manager-edit
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: controller
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
||||
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests", "issuers"]
|
||||
verbs: ["create", "delete", "deletecollection", "patch", "update"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: cert-manager-controller-certificates
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: controller
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||
# admission controller enabled:
|
||||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates/finalizers", "certificaterequests/finalizers"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["orders"]
|
||||
verbs: ["create", "delete", "get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch", "create", "update", "delete"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
|
|
|
@ -1,17 +1,153 @@
|
|||
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: cert-manager
|
||||
name: cert-manager-cainjector
|
||||
labels:
|
||||
app: cert-manager
|
||||
chart: cert-manager-v0.5.2
|
||||
release: cert-manager
|
||||
heritage: Tiller
|
||||
app: cainjector
|
||||
app.kubernetes.io/name: cainjector
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: cainjector
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cert-manager
|
||||
name: cert-manager-cainjector
|
||||
subjects:
|
||||
- name: cert-manager-cainjector
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
kind: ServiceAccount
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: cert-manager-controller-certificates
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: controller
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cert-manager-controller-certificates
|
||||
subjects:
|
||||
- name: cert-manager
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
kind: ServiceAccount
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: cert-manager-controller-clusterissuers
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: controller
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cert-manager-controller-clusterissuers
|
||||
subjects:
|
||||
- name: cert-manager
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
kind: ServiceAccount
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: cert-manager-controller-challenges
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: controller
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cert-manager-controller-challenges
|
||||
subjects:
|
||||
- name: cert-manager
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
kind: ServiceAccount
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: cert-manager-controller-ingress-shim
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: controller
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cert-manager-controller-ingress-shim
|
||||
subjects:
|
||||
- name: cert-manager
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
kind: ServiceAccount
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: cert-manager-controller-orders
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: controller
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cert-manager-controller-orders
|
||||
subjects:
|
||||
- name: cert-manager
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
kind: ServiceAccount
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: cert-manager-controller-issuers
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: controller
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cert-manager-controller-issuers
|
||||
subjects:
|
||||
- name: cert-manager
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
|
|
|
@ -1,25 +1,291 @@
|
|||
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: certificates.certmanager.k8s.io
|
||||
name: certificaterequests.cert-manager.io
|
||||
annotations:
|
||||
"helm.sh/hook": crd-install
|
||||
"api-approved.kubernetes.io": "unapproved-will-be-remove-with-cert-manager-update"
|
||||
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
|
||||
labels:
|
||||
app: cert-manager
|
||||
chart: cert-manager-v0.5.2
|
||||
release: cert-manager
|
||||
heritage: Tiller
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
spec:
|
||||
group: certmanager.k8s.io
|
||||
additionalPrinterColumns:
|
||||
- JSONPath: .status.conditions[?(@.type=="Ready")].status
|
||||
name: Ready
|
||||
type: string
|
||||
- JSONPath: .spec.issuerRef.name
|
||||
name: Issuer
|
||||
priority: 1
|
||||
type: string
|
||||
- JSONPath: .status.conditions[?(@.type=="Ready")].message
|
||||
name: Status
|
||||
priority: 1
|
||||
type: string
|
||||
- JSONPath: .metadata.creationTimestamp
|
||||
description: CreationTimestamp is a timestamp representing the server time when
|
||||
this object was created. It is not guaranteed to be set in happens-before order
|
||||
across separate operations. Clients may not set this value. It is represented
|
||||
in RFC3339 form and is in UTC.
|
||||
name: Age
|
||||
type: date
|
||||
group: cert-manager.io
|
||||
preserveUnknownFields: false
|
||||
conversion:
|
||||
# a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
|
||||
strategy: Webhook
|
||||
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
|
||||
webhookClientConfig:
|
||||
service:
|
||||
namespace: '{{ cert_manager_namespace }}'
|
||||
name: 'cert-manager-webhook'
|
||||
path: /convert
|
||||
names:
|
||||
kind: CertificateRequest
|
||||
listKind: CertificateRequestList
|
||||
plural: certificaterequests
|
||||
shortNames:
|
||||
- cr
|
||||
- crs
|
||||
singular: certificaterequest
|
||||
scope: Namespaced
|
||||
subresources:
|
||||
status: {}
|
||||
versions:
|
||||
- name: v1alpha1
|
||||
- name: v1alpha2
|
||||
served: true
|
||||
storage: true
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
- name: v1alpha3
|
||||
served: true
|
||||
storage: false
|
||||
"validation":
|
||||
"openAPIV3Schema":
|
||||
description: CertificateRequest is a type to represent a Certificate Signing
|
||||
Request
|
||||
type: object
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
of an object. Servers should convert recognized schemas to the latest
|
||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||
type: string
|
||||
kind:
|
||||
description: 'Kind is a string value representing the REST resource this
|
||||
object represents. Servers may infer this from the endpoint the client
|
||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: CertificateRequestSpec defines the desired state of CertificateRequest
|
||||
type: object
|
||||
required:
|
||||
- csr
|
||||
- issuerRef
|
||||
properties:
|
||||
csr:
|
||||
description: Byte slice containing the PEM encoded CertificateSigningRequest
|
||||
type: string
|
||||
format: byte
|
||||
duration:
|
||||
description: Requested certificate default Duration
|
||||
type: string
|
||||
isCA:
|
||||
description: IsCA will mark the resulting certificate as valid for signing.
|
||||
This implies that the 'cert sign' usage is set
|
||||
type: boolean
|
||||
issuerRef:
|
||||
description: IssuerRef is a reference to the issuer for this CertificateRequest. If
|
||||
the 'kind' field is not set, or set to 'Issuer', an Issuer resource
|
||||
with the given name in the same namespace as the CertificateRequest
|
||||
will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
|
||||
with the provided name will be used. The 'name' field in this stanza
|
||||
is required at all times. The group field refers to the API group
|
||||
of the issuer which defaults to 'cert-manager.io' if empty.
|
||||
type: object
|
||||
required:
|
||||
- name
|
||||
properties:
|
||||
group:
|
||||
type: string
|
||||
kind:
|
||||
type: string
|
||||
name:
|
||||
type: string
|
||||
usages:
|
||||
description: Usages is the set of x509 actions that are enabled for
|
||||
a given key. Defaults are ('digital signature', 'key encipherment')
|
||||
if empty
|
||||
type: array
|
||||
items:
|
||||
description: 'KeyUsage specifies valid usage contexts for keys. See:
|
||||
https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
|
||||
Valid KeyUsage values are as follows: "signing", "digital signature",
|
||||
"content commitment", "key encipherment", "key agreement", "data
|
||||
encipherment", "cert sign", "crl sign", "encipher only", "decipher
|
||||
only", "any", "server auth", "client auth", "code signing", "email
|
||||
protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
|
||||
user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
|
||||
sgc"'
|
||||
type: string
|
||||
enum:
|
||||
- signing
|
||||
- digital signature
|
||||
- content commitment
|
||||
- key encipherment
|
||||
- key agreement
|
||||
- data encipherment
|
||||
- cert sign
|
||||
- crl sign
|
||||
- encipher only
|
||||
- decipher only
|
||||
- any
|
||||
- server auth
|
||||
- client auth
|
||||
- code signing
|
||||
- email protection
|
||||
- s/mime
|
||||
- ipsec end system
|
||||
- ipsec tunnel
|
||||
- ipsec user
|
||||
- timestamping
|
||||
- ocsp signing
|
||||
- microsoft sgc
|
||||
- netscape sgc
|
||||
status:
|
||||
description: CertificateStatus defines the observed state of CertificateRequest
|
||||
and resulting signed certificate.
|
||||
type: object
|
||||
properties:
|
||||
ca:
|
||||
description: Byte slice containing the PEM encoded certificate authority
|
||||
of the signed certificate.
|
||||
type: string
|
||||
format: byte
|
||||
certificate:
|
||||
description: Byte slice containing a PEM encoded signed certificate
|
||||
resulting from the given certificate signing request.
|
||||
type: string
|
||||
format: byte
|
||||
conditions:
|
||||
type: array
|
||||
items:
|
||||
description: CertificateRequestCondition contains condition information
|
||||
for a CertificateRequest.
|
||||
type: object
|
||||
required:
|
||||
- status
|
||||
- type
|
||||
properties:
|
||||
lastTransitionTime:
|
||||
description: LastTransitionTime is the timestamp corresponding
|
||||
to the last status change of this condition.
|
||||
type: string
|
||||
format: date-time
|
||||
message:
|
||||
description: Message is a human readable description of the details
|
||||
of the last transition, complementing reason.
|
||||
type: string
|
||||
reason:
|
||||
description: Reason is a brief machine readable explanation for
|
||||
the condition's last transition.
|
||||
type: string
|
||||
status:
|
||||
description: Status of the condition, one of ('True', 'False',
|
||||
'Unknown').
|
||||
type: string
|
||||
enum:
|
||||
- "True"
|
||||
- "False"
|
||||
- Unknown
|
||||
type:
|
||||
description: Type of the condition, currently ('Ready', 'InvalidRequest').
|
||||
type: string
|
||||
failureTime:
|
||||
description: FailureTime stores the time that this CertificateRequest
|
||||
failed. This is used to influence garbage collection and back-off.
|
||||
type: string
|
||||
format: date-time
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: certificates.cert-manager.io
|
||||
annotations:
|
||||
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
spec:
|
||||
additionalPrinterColumns:
|
||||
- JSONPath: .status.conditions[?(@.type=="Ready")].status
|
||||
name: Ready
|
||||
type: string
|
||||
- JSONPath: .spec.secretName
|
||||
name: Secret
|
||||
type: string
|
||||
- JSONPath: .spec.issuerRef.name
|
||||
name: Issuer
|
||||
priority: 1
|
||||
type: string
|
||||
- JSONPath: .status.conditions[?(@.type=="Ready")].message
|
||||
name: Status
|
||||
priority: 1
|
||||
type: string
|
||||
- JSONPath: .metadata.creationTimestamp
|
||||
description: CreationTimestamp is a timestamp representing the server time when
|
||||
this object was created. It is not guaranteed to be set in happens-before order
|
||||
across separate operations. Clients may not set this value. It is represented
|
||||
in RFC3339 form and is in UTC.
|
||||
name: Age
|
||||
type: date
|
||||
group: cert-manager.io
|
||||
preserveUnknownFields: false
|
||||
conversion:
|
||||
# a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
|
||||
strategy: Webhook
|
||||
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
|
||||
webhookClientConfig:
|
||||
service:
|
||||
namespace: '{{ cert_manager_namespace }}'
|
||||
name: 'cert-manager-webhook'
|
||||
path: /convert
|
||||
names:
|
||||
kind: Certificate
|
||||
listKind: CertificateList
|
||||
plural: certificates
|
||||
shortNames:
|
||||
- cert
|
||||
- certs
|
||||
singular: certificate
|
||||
scope: Namespaced
|
||||
subresources:
|
||||
status: {}
|
||||
versions:
|
||||
- name: v1alpha2
|
||||
served: true
|
||||
storage: true
|
||||
"schema":
|
||||
"openAPIV3Schema":
|
||||
description: Certificate is a type to represent a Certificate from ACME
|
||||
type: object
|
||||
properties:
|
||||
|
@ -711,10 +977,3 @@ spec:
|
|||
issuance by checking if the revision value in the annotation is
|
||||
greater than this field."
|
||||
type: integer
|
||||
names:
|
||||
kind: Certificate
|
||||
plural: certificates
|
||||
shortNames:
|
||||
- cert
|
||||
- certs
|
||||
|
||||
|
|
File diff suppressed because it is too large
Load diff
|
@ -1,28 +1,74 @@
|
|||
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: clusterissuers.certmanager.k8s.io
|
||||
name: clusterissuers.cert-manager.io
|
||||
annotations:
|
||||
"helm.sh/hook": crd-install
|
||||
"api-approved.kubernetes.io": "unapproved-will-be-remove-with-cert-manager-update"
|
||||
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
|
||||
labels:
|
||||
app: cert-manager
|
||||
chart: cert-manager-v0.5.2
|
||||
release: cert-manager
|
||||
heritage: Tiller
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
spec:
|
||||
group: certmanager.k8s.io
|
||||
scope: Cluster
|
||||
additionalPrinterColumns:
|
||||
- JSONPath: .status.conditions[?(@.type=="Ready")].status
|
||||
name: Ready
|
||||
type: string
|
||||
- JSONPath: .status.conditions[?(@.type=="Ready")].message
|
||||
name: Status
|
||||
priority: 1
|
||||
type: string
|
||||
- JSONPath: .metadata.creationTimestamp
|
||||
description: CreationTimestamp is a timestamp representing the server time when
|
||||
this object was created. It is not guaranteed to be set in happens-before order
|
||||
across separate operations. Clients may not set this value. It is represented
|
||||
in RFC3339 form and is in UTC.
|
||||
name: Age
|
||||
type: date
|
||||
group: cert-manager.io
|
||||
preserveUnknownFields: false
|
||||
conversion:
|
||||
# a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
|
||||
strategy: Webhook
|
||||
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
|
||||
webhookClientConfig:
|
||||
service:
|
||||
namespace: '{{ cert_manager_namespace }}'
|
||||
name: 'cert-manager-webhook'
|
||||
path: /convert
|
||||
names:
|
||||
kind: ClusterIssuer
|
||||
listKind: ClusterIssuerList
|
||||
plural: clusterissuers
|
||||
singular: clusterissuer
|
||||
scope: Cluster
|
||||
subresources:
|
||||
status: {}
|
||||
versions:
|
||||
- name: v1alpha1
|
||||
- name: v1alpha2
|
||||
served: true
|
||||
storage: true
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
- name: v1alpha3
|
||||
served: true
|
||||
storage: false
|
||||
"validation":
|
||||
"openAPIV3Schema":
|
||||
type: object
|
||||
properties:
|
||||
apiVersion:
|
||||
|
|
|
@ -1,28 +1,74 @@
|
|||
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: issuers.certmanager.k8s.io
|
||||
name: issuers.cert-manager.io
|
||||
annotations:
|
||||
"helm.sh/hook": crd-install
|
||||
"api-approved.kubernetes.io": "unapproved-will-be-remove-with-cert-manager-update"
|
||||
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
|
||||
labels:
|
||||
app: cert-manager
|
||||
chart: cert-manager-v0.5.2
|
||||
release: cert-manager
|
||||
heritage: Tiller
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
spec:
|
||||
group: certmanager.k8s.io
|
||||
scope: Namespaced
|
||||
additionalPrinterColumns:
|
||||
- JSONPath: .status.conditions[?(@.type=="Ready")].status
|
||||
name: Ready
|
||||
type: string
|
||||
- JSONPath: .status.conditions[?(@.type=="Ready")].message
|
||||
name: Status
|
||||
priority: 1
|
||||
type: string
|
||||
- JSONPath: .metadata.creationTimestamp
|
||||
description: CreationTimestamp is a timestamp representing the server time when
|
||||
this object was created. It is not guaranteed to be set in happens-before order
|
||||
across separate operations. Clients may not set this value. It is represented
|
||||
in RFC3339 form and is in UTC.
|
||||
name: Age
|
||||
type: date
|
||||
group: cert-manager.io
|
||||
preserveUnknownFields: false
|
||||
conversion:
|
||||
# a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
|
||||
strategy: Webhook
|
||||
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
|
||||
webhookClientConfig:
|
||||
service:
|
||||
namespace: '{{ cert_manager_namespace }}'
|
||||
name: 'cert-manager-webhook'
|
||||
path: /convert
|
||||
names:
|
||||
kind: Issuer
|
||||
listKind: IssuerList
|
||||
plural: issuers
|
||||
singular: issuer
|
||||
scope: Namespaced
|
||||
subresources:
|
||||
status: {}
|
||||
versions:
|
||||
- name: v1alpha1
|
||||
- name: v1alpha2
|
||||
served: true
|
||||
storage: true
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
- name: v1alpha3
|
||||
served: true
|
||||
storage: false
|
||||
"validation":
|
||||
"openAPIV3Schema":
|
||||
type: object
|
||||
properties:
|
||||
apiVersion:
|
||||
|
|
|
@ -0,0 +1,253 @@
|
|||
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: orders.acme.cert-manager.io
|
||||
annotations:
|
||||
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
spec:
|
||||
additionalPrinterColumns:
|
||||
- JSONPath: .status.state
|
||||
name: State
|
||||
type: string
|
||||
- JSONPath: .spec.issuerRef.name
|
||||
name: Issuer
|
||||
priority: 1
|
||||
type: string
|
||||
- JSONPath: .status.reason
|
||||
name: Reason
|
||||
priority: 1
|
||||
type: string
|
||||
- JSONPath: .metadata.creationTimestamp
|
||||
description: CreationTimestamp is a timestamp representing the server time when
|
||||
this object was created. It is not guaranteed to be set in happens-before order
|
||||
across separate operations. Clients may not set this value. It is represented
|
||||
in RFC3339 form and is in UTC.
|
||||
name: Age
|
||||
type: date
|
||||
group: acme.cert-manager.io
|
||||
preserveUnknownFields: false
|
||||
conversion:
|
||||
# a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
|
||||
strategy: Webhook
|
||||
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
|
||||
webhookClientConfig:
|
||||
service:
|
||||
namespace: '{{ cert_manager_namespace }}'
|
||||
name: 'cert-manager-webhook'
|
||||
path: /convert
|
||||
names:
|
||||
kind: Order
|
||||
listKind: OrderList
|
||||
plural: orders
|
||||
singular: order
|
||||
scope: Namespaced
|
||||
subresources:
|
||||
status: {}
|
||||
versions:
|
||||
- name: v1alpha2
|
||||
served: true
|
||||
storage: true
|
||||
- name: v1alpha3
|
||||
served: true
|
||||
storage: false
|
||||
"validation":
|
||||
"openAPIV3Schema":
|
||||
description: Order is a type to represent an Order with an ACME server
|
||||
type: object
|
||||
required:
|
||||
- metadata
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
of an object. Servers should convert recognized schemas to the latest
|
||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||
type: string
|
||||
kind:
|
||||
description: 'Kind is a string value representing the REST resource this
|
||||
object represents. Servers may infer this from the endpoint the client
|
||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
type: object
|
||||
required:
|
||||
- csr
|
||||
- issuerRef
|
||||
properties:
|
||||
commonName:
|
||||
description: CommonName is the common name as specified on the DER encoded
|
||||
CSR. If CommonName is not specified, the first DNSName specified will
|
||||
be used as the CommonName. At least one of CommonName or a DNSNames
|
||||
must be set. This field must match the corresponding field on the
|
||||
DER encoded CSR.
|
||||
type: string
|
||||
csr:
|
||||
description: Certificate signing request bytes in DER encoding. This
|
||||
will be used when finalizing the order. This field must be set on
|
||||
the order.
|
||||
type: string
|
||||
format: byte
|
||||
dnsNames:
|
||||
description: DNSNames is a list of DNS names that should be included
|
||||
as part of the Order validation process. If CommonName is not specified,
|
||||
the first DNSName specified will be used as the CommonName. At least
|
||||
one of CommonName or a DNSNames must be set. This field must match
|
||||
the corresponding field on the DER encoded CSR.
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
issuerRef:
|
||||
description: IssuerRef references a properly configured ACME-type Issuer
|
||||
which should be used to create this Order. If the Issuer does not
|
||||
exist, processing will be retried. If the Issuer is not an 'ACME'
|
||||
Issuer, an error will be returned and the Order will be marked as
|
||||
failed.
|
||||
type: object
|
||||
required:
|
||||
- name
|
||||
properties:
|
||||
group:
|
||||
type: string
|
||||
kind:
|
||||
type: string
|
||||
name:
|
||||
type: string
|
||||
status:
|
||||
type: object
|
||||
properties:
|
||||
authorizations:
|
||||
description: Authorizations contains data returned from the ACME server
|
||||
on what authorizations must be completed in order to validate the
|
||||
DNS names specified on the Order.
|
||||
type: array
|
||||
items:
|
||||
description: ACMEAuthorization contains data returned from the ACME
|
||||
server on an authorization that must be completed in order validate
|
||||
a DNS name on an ACME Order resource.
|
||||
type: object
|
||||
required:
|
||||
- url
|
||||
properties:
|
||||
challenges:
|
||||
description: Challenges specifies the challenge types offered
|
||||
by the ACME server. One of these challenge types will be selected
|
||||
when validating the DNS name and an appropriate Challenge resource
|
||||
will be created to perform the ACME challenge process.
|
||||
type: array
|
||||
items:
|
||||
description: Challenge specifies a challenge offered by the
|
||||
ACME server for an Order. An appropriate Challenge resource
|
||||
can be created to perform the ACME challenge process.
|
||||
type: object
|
||||
required:
|
||||
- token
|
||||
- type
|
||||
- url
|
||||
properties:
|
||||
token:
|
||||
description: Token is the token that must be presented for
|
||||
this challenge. This is used to compute the 'key' that
|
||||
must also be presented.
|
||||
type: string
|
||||
type:
|
||||
description: Type is the type of challenge being offered,
|
||||
e.g. http-01, dns-01
|
||||
type: string
|
||||
url:
|
||||
description: URL is the URL of this challenge. It can be
|
||||
used to retrieve additional metadata about the Challenge
|
||||
from the ACME server.
|
||||
type: string
|
||||
identifier:
|
||||
description: Identifier is the DNS name to be validated as part
|
||||
of this authorization
|
||||
type: string
|
||||
initialState:
|
||||
description: InitialState is the initial state of the ACME authorization
|
||||
when first fetched from the ACME server. If an Authorization
|
||||
is already 'valid', the Order controller will not create a Challenge
|
||||
resource for the authorization. This will occur when working
|
||||
with an ACME server that enables 'authz reuse' (such as Let's
|
||||
Encrypt's production endpoint). If not set and 'identifier'
|
||||
is set, the state is assumed to be pending and a Challenge will
|
||||
be created.
|
||||
type: string
|
||||
enum:
|
||||
- valid
|
||||
- ready
|
||||
- pending
|
||||
- processing
|
||||
- invalid
|
||||
- expired
|
||||
- errored
|
||||
url:
|
||||
description: URL is the URL of the Authorization that must be
|
||||
completed
|
||||
type: string
|
||||
wildcard:
|
||||
description: Wildcard will be true if this authorization is for
|
||||
a wildcard DNS name. If this is true, the identifier will be
|
||||
the *non-wildcard* version of the DNS name. For example, if
|
||||
'*.example.com' is the DNS name being validated, this field
|
||||
will be 'true' and the 'identifier' field will be 'example.com'.
|
||||
type: boolean
|
||||
certificate:
|
||||
description: Certificate is a copy of the PEM encoded certificate for
|
||||
this Order. This field will be populated after the order has been
|
||||
successfully finalized with the ACME server, and the order has transitioned
|
||||
to the 'valid' state.
|
||||
type: string
|
||||
format: byte
|
||||
failureTime:
|
||||
description: FailureTime stores the time that this order failed. This
|
||||
is used to influence garbage collection and back-off.
|
||||
type: string
|
||||
format: date-time
|
||||
finalizeURL:
|
||||
description: FinalizeURL of the Order. This is used to obtain certificates
|
||||
for this order once it has been completed.
|
||||
type: string
|
||||
reason:
|
||||
description: Reason optionally provides more information about a why
|
||||
the order is in the current state.
|
||||
type: string
|
||||
state:
|
||||
description: State contains the current state of this Order resource.
|
||||
States 'success' and 'expired' are 'final'
|
||||
type: string
|
||||
enum:
|
||||
- valid
|
||||
- ready
|
||||
- pending
|
||||
- processing
|
||||
- invalid
|
||||
- expired
|
||||
- errored
|
||||
url:
|
||||
description: URL of the Order. This will initially be empty when the
|
||||
resource is first created. The Order controller will populate this
|
||||
field when the Order is first processed. This field will be immutable
|
||||
after it is initially set.
|
||||
type: string
|
|
@ -1,3 +1,62 @@
|
|||
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: cert-manager-cainjector
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
labels:
|
||||
app: cainjector
|
||||
app.kubernetes.io/name: cainjector
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: cainjector
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: cainjector
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: cainjector
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: cainjector
|
||||
app.kubernetes.io/name: cainjector
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: cainjector
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
spec:
|
||||
serviceAccountName: cert-manager-cainjector
|
||||
containers:
|
||||
- name: cert-manager
|
||||
image: "{{ cert_manager_cainjector_image_repo }}:{{ cert_manager_cainjector_image_tag }}"
|
||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||
args:
|
||||
- --v=2
|
||||
- --leader-election-namespace=kube-system
|
||||
env:
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
resources:
|
||||
{}
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
|
@ -6,39 +65,113 @@ metadata:
|
|||
namespace: {{ cert_manager_namespace }}
|
||||
labels:
|
||||
app: cert-manager
|
||||
chart: cert-manager-v0.5.2
|
||||
release: cert-manager
|
||||
heritage: Tiller
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: controller
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: cert-manager
|
||||
release: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: controller
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: cert-manager
|
||||
release: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: controller
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
annotations:
|
||||
prometheus.io/path: "/metrics"
|
||||
prometheus.io/scrape: 'true'
|
||||
prometheus.io/port: '9402'
|
||||
spec:
|
||||
priorityClassName: {% if cert_manager_namespace == 'kube-system' %}system-cluster-critical{% else %}k8s-cluster-critical{% endif %}{{''}}
|
||||
serviceAccountName: cert-manager
|
||||
containers:
|
||||
- name: cert-manager
|
||||
image: {{ cert_manager_controller_image_repo }}:{{ cert_manager_controller_image_tag }}
|
||||
image: "{{ cert_manager_controller_image_repo }}:{{ cert_manager_controller_image_tag }}"
|
||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||
args:
|
||||
- --v=2
|
||||
- --cluster-resource-namespace=$(POD_NAMESPACE)
|
||||
- --leader-election-namespace=$(POD_NAMESPACE)
|
||||
- --leader-election-namespace=kube-system
|
||||
ports:
|
||||
- containerPort: 9402
|
||||
protocol: TCP
|
||||
env:
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
resources:
|
||||
requests:
|
||||
cpu: 10m
|
||||
memory: 32Mi
|
||||
securityContext:
|
||||
runAsUser: {{ cert_manager_user }}
|
||||
{}
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: cert-manager-webhook
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
labels:
|
||||
app: webhook
|
||||
app.kubernetes.io/name: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: webhook
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: webhook
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: webhook
|
||||
app.kubernetes.io/name: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: webhook
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
spec:
|
||||
serviceAccountName: cert-manager-webhook
|
||||
containers:
|
||||
- name: cert-manager
|
||||
image: "{{ cert_manager_webhook_image_repo }}:{{ cert_manager_webhook_image_tag }}"
|
||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||
args:
|
||||
- --v=2
|
||||
- --secure-port=10250
|
||||
- --dynamic-serving-ca-secret-namespace={{ cert_manager_namespace }}
|
||||
- --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
|
||||
- --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
|
||||
ports:
|
||||
- name: https
|
||||
containerPort: 10250
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /livez
|
||||
port: 6080
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: 60
|
||||
periodSeconds: 10
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /healthz
|
||||
port: 6080
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 5
|
||||
env:
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
resources:
|
||||
{}
|
||||
|
|
|
@ -0,0 +1,85 @@
|
|||
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: cert-manager-cainjector:leaderelection
|
||||
namespace: kube-system
|
||||
labels:
|
||||
app: cainjector
|
||||
app.kubernetes.io/name: cainjector
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: cainjector
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
rules:
|
||||
# Used for leader election by the controller
|
||||
# cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
|
||||
# see cmd/cainjector/start.go#L113
|
||||
# cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
|
||||
# see cmd/cainjector/start.go#L137
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
|
||||
verbs: ["get", "update", "patch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["create"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: cert-manager:leaderelection
|
||||
namespace: kube-system
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: controller
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
rules:
|
||||
# Used for leader election by the controller
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
resourceNames: ["cert-manager-controller"]
|
||||
verbs: ["get", "update", "patch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["create"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: cert-manager-webhook:dynamic-serving
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
labels:
|
||||
app: webhook
|
||||
app.kubernetes.io/name: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: webhook
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
resourceNames:
|
||||
- 'cert-manager-webhook-ca'
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
# It's not possible to grant CREATE permission on a single resourceName.
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["create"]
|
|
@ -0,0 +1,79 @@
|
|||
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: cert-manager-cainjector:leaderelection
|
||||
namespace: kube-system
|
||||
labels:
|
||||
app: cainjector
|
||||
app.kubernetes.io/name: cainjector
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: cainjector
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: cert-manager-cainjector:leaderelection
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: cert-manager-cainjector
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: cert-manager:leaderelection
|
||||
namespace: kube-system
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: controller
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: cert-manager:leaderelection
|
||||
subjects:
|
||||
- apiGroup: ""
|
||||
kind: ServiceAccount
|
||||
name: cert-manager
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: cert-manager-webhook:dynamic-serving
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
labels:
|
||||
app: webhook
|
||||
app.kubernetes.io/name: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: webhook
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: cert-manager-webhook:dynamic-serving
|
||||
subjects:
|
||||
- apiGroup: ""
|
||||
kind: ServiceAccount
|
||||
name: cert-manager-webhook
|
||||
namespace: {{ cert_manager_namespace }}
|
|
@ -1,3 +1,30 @@
|
|||
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: cert-manager-cainjector
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
labels:
|
||||
app: cainjector
|
||||
app.kubernetes.io/name: cainjector
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: cainjector
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
|
@ -6,6 +33,21 @@ metadata:
|
|||
namespace: {{ cert_manager_namespace }}
|
||||
labels:
|
||||
app: cert-manager
|
||||
chart: cert-manager-v0.5.2
|
||||
release: cert-manager
|
||||
heritage: Tiller
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: controller
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: cert-manager-webhook
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
labels:
|
||||
app: webhook
|
||||
app.kubernetes.io/name: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: webhook
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
|
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: ca-key-pair
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
data:
|
||||
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURvRENDQW9pZ0F3SUJBZ0lVYXRUWVNIK1lUMVJvbXVGekF2clFRWGtsQ0Vrd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2FERUxNQWtHQTFVRUJoTUNWVk14RHpBTkJnTlZCQWdUQms5eVpXZHZiakVSTUE4R0ExVUVCeE1JVUc5eQpkR3hoYm1ReEV6QVJCZ05WQkFvVENrdDFZbVZ5Ym1WMFpYTXhDekFKQmdOVkJBc1RBa05CTVJNd0VRWURWUVFECkV3cExkV0psY201bGRHVnpNQjRYRFRJd01EY3hNREUxTWpFd01Gb1hEVEkxTURjd09URTFNakV3TUZvd2FERUwKTUFrR0ExVUVCaE1DVlZNeER6QU5CZ05WQkFnVEJrOXlaV2R2YmpFUk1BOEdBMVVFQnhNSVVHOXlkR3hoYm1ReApFekFSQmdOVkJBb1RDa3QxWW1WeWJtVjBaWE14Q3pBSkJnTlZCQXNUQWtOQk1STXdFUVlEVlFRREV3cExkV0psCmNtNWxkR1Z6TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF0MmZFNUhRSm8vNGIKRjNqN1JPZzJ6REhNdEhLd0pjVEZZYkZZMGpIWGZTVWJTS1ZObzUrNTNqQ29SdFFWd1FyYU12QnozMGRJbzd6agpMcE1VQU5aRStacXQrbkk5RWtzMVphS1NKNmYvNXpmZDEzZ1ZOTkgzN05KVUVKV0NHTnVoUmVFNDRpcUtmSDV3Ck9iZlJKL2ZCYVQ5cW9DQW9tWVcvV1JUS0t5ancreFBPeWdZZERsUk9jdzBSRmdieDkvWk5GS1lYR3BQcmdyR0wKWW45VWZXZG92WHozbys3N1piNm9SRWdBVkNDUTBaN0VEYUpjd3RCZkxOV0pWbGRET2dJNFpmWDBaNnNBN2lobgptQ1hHenJGd25JaVhaajUrdjk0ejF0SThOazlvL1RFbG9EdlJnamJNblRxQ2hGa1ZROHhtaXMwckZmMVprN3ZwCjNOMWFtY2hBQVFJREFRQUJvMEl3UURBT0JnTlZIUThCQWY4RUJBTUNBUVl3RHdZRFZSMFRBUUgvQkFVd0F3RUIKL3pBZEJnTlZIUTRFRmdRVTFEaTE0aVpKWGczajNObHdjenZFR1dwRFN2SXdEUVlKS29aSWh2Y05BUUVMQlFBRApnZ0VCQURkR1FDSFcwNkFVZUo4alM3cURPM2F1TG4xTHE0c1JCWHBoVUZ6TGRyMi9rUUlZd1BtcTRmb09RMjBwCitLTVUyanpmR0VHd3ZOU0p2QnphNHRGS1NiZHRpeFI3RmsyREdPLzc5a3ZPZ2o3UVRrUUpkUzNwaWtSc09EMlUKaytpa09qL2wyTkRSRFVXZlh4RjRjeVZTZ0VubDExUUVDa0JrUHBIYlIrUHQxYWhnMGVRMElnL0MvZC8vN2Vtegp3ZWNUZjBsQkc1UmszaURHdkxhaHdTek9jQWhSY1BxVW9idCs1bTVycmp0R3BrTFNQOTBzVko2TTZ3ZE43dGR4CkNpTktWWGRZaHBZWmUrQ1hEQ2lRR0NLVHE5NHJPbGptVmh5Z0FKWjlBOERVOWVZRmVOci9oOW84c2JYNFlzcU0KV3YwREkyQldlQ3k3MmlXZXErNHkwTENKSzQ4PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
|
||||
tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBdDJmRTVIUUpvLzRiRjNqN1JPZzJ6REhNdEhLd0pjVEZZYkZZMGpIWGZTVWJTS1ZOCm81KzUzakNvUnRRVndRcmFNdkJ6MzBkSW83empMcE1VQU5aRStacXQrbkk5RWtzMVphS1NKNmYvNXpmZDEzZ1YKTk5IMzdOSlVFSldDR051aFJlRTQ0aXFLZkg1d09iZlJKL2ZCYVQ5cW9DQW9tWVcvV1JUS0t5ancreFBPeWdZZApEbFJPY3cwUkZnYng5L1pORktZWEdwUHJnckdMWW45VWZXZG92WHozbys3N1piNm9SRWdBVkNDUTBaN0VEYUpjCnd0QmZMTldKVmxkRE9nSTRaZlgwWjZzQTdpaG5tQ1hHenJGd25JaVhaajUrdjk0ejF0SThOazlvL1RFbG9EdlIKZ2piTW5UcUNoRmtWUTh4bWlzMHJGZjFaazd2cDNOMWFtY2hBQVFJREFRQUJBb0lCQUJZd2R0RFEvUzJiRzduKwpTQ0F4SEJnZVdrN21wVXNjZ0dqdVpQbWhVQm55K0ZjVXNNMEFFU1BCclVwTWRJbFRmOHl6N01EeHhlY1Jma2J2ClFuZExkVExodFBUZEIyaUVNdVNtQTVyS3A1cFkxdjB2cVJrbjRpQUQzbW5YUE5NM0YwNzJEY1RITXRRWEZBclgKbzNWN2N5b0JveXZXV0RNaXpHREJ0Q2YrbnhFeFFzS0lLUGFxRzlDVWZlSU95RVgzRXJ6QWo3b3lnSXFLZGozbgpFbVBzbThrWDVROW9iOUZwd3FKNkxMTzcxTklQZnpaOUNLSXpSYzBNU3grL3hPYmdKSlJCNmtZTXpjWkloQ1JBClNNclBsYXZLMEVzMHpoTnIyc05aZHBlSmRzWGk5YURwZjhMOTEvdFpJeEpSMEdSUXpEZXhBN2FWdk8vVUo0N0YKOXNXUVBUVUNnWUVBeXNvTm01VHdkNWZqRzk3NXVRa3pGQUgrRGVCNXBlNTBOMkpyN01neWZsVm8zZlJrSTFKKwpsZXlyUnRIempKSzlqeEVtdVJ0YnIvUWZ3MGRUNnhRSnVJSmk3Vmlld3NPNUgzeWtwdytkbm9jVUhVVDhFWEpVCnpLSzRmSGo1SjFrNHBmaHlnNFBJZ0YxMFF1anhJRlc3Q0R3UERJRStuZm5ZczBJZ1U3SkV0OU1DZ1lFQTU0ZWsKTUltWWMyeHhoYTM1U25qd0ZCeEVwSUF3ZGdvdXBROWVsMHhmVVRkdTJsUnA1NHVZaVFVWURhNjJ6RE1kL21QagppSTdqaGl6TEU4VmU4OWh6QXljeTNIRVJPSHNETkhQVG5WN0phcmp3T29aWWIvRnM2NkxtazZMY05BbGI3TER6Cm5FNGdkTEt0cWpQVnBMbmF1T3VOQitXQzY5bm9xRUZpZWxnUWVGc0NnWUIxZGk0RnBYTFlReEZZem9JbHJPOTYKTW1FL0ZueEFJZXdOUEtRNUJnbEJaaVdWRXYrQitrRzZnOWo5NzVTOEl5OUxsR3F5bytjcTl5UUN6K2tLN0pObwozWldCMTJnMmRucGZnNm8zM25LMUpaY0FFVHBVdkwzanZvbFFDQjZCclV1RHozSTlQWE5BNzJEdGROSmVvV254CnJpQWxaU09wQzlSNm1OM3l2UHJTNHdLQmdCQS9WWWRPY0pOUS9kcHFyZjdLNDlZVmNiKzFlekVkWDg2WGVJVFgKaUN6VDNnU1dQZVJReUlCOUNnWVR4NklteUNrTTYyK3V6MHFnSkJRY0dxQzBCTVlvM3duWEtXVTBSTEpPbW9BRgpvYzdLY1prNXlrVDR4VEwzK0lSTnZuUXNYL1lKS045RUlFVHdNUDJycTRkbXYzR1FuaEg2eWlndzM0SEhMTmozCkN4alhBb0dBSjBUNkN0c1c2dEVpYUI5bnc4enI3M2xkMDhraDZSL3B4VHF5c2diNERFTmptd2dndUFoMlJSZkwKYVg3eTNqSUNOTFBjWEFOYlB0QmYrQkRBTTl0UTEzMk5hYzg3N016RHRVSyswem9CWWtwWGM4Rkd4akVuTzc5RQp2MC9vT2wzR2RaWnNJSXhLblcvVlVmYjJydGY1RWgyQytOY1FpWkNXZm5kWkthMXR4WjQ9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
|
|
@ -0,0 +1,60 @@
|
|||
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: cert-manager
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: controller
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
spec:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 9402
|
||||
targetPort: 9402
|
||||
selector:
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: controller
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: cert-manager-webhook
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
labels:
|
||||
app: webhook
|
||||
app.kubernetes.io/name: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: webhook
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
spec:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- name: https
|
||||
port: 443
|
||||
targetPort: 10250
|
||||
selector:
|
||||
app.kubernetes.io/name: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: webhook
|
|
@ -0,0 +1,96 @@
|
|||
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
---
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: MutatingWebhookConfiguration
|
||||
metadata:
|
||||
name: cert-manager-webhook
|
||||
labels:
|
||||
app: webhook
|
||||
app.kubernetes.io/name: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: webhook
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
annotations:
|
||||
cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
|
||||
webhooks:
|
||||
- name: webhook.cert-manager.io
|
||||
rules:
|
||||
- apiGroups:
|
||||
- "cert-manager.io"
|
||||
- "acme.cert-manager.io"
|
||||
apiVersions:
|
||||
- v1alpha2
|
||||
- v1alpha3
|
||||
operations:
|
||||
- CREATE
|
||||
- UPDATE
|
||||
resources:
|
||||
- "*/*"
|
||||
failurePolicy: Fail
|
||||
# Only include 'sideEffects' field in Kubernetes 1.12+
|
||||
sideEffects: None
|
||||
clientConfig:
|
||||
service:
|
||||
name: cert-manager-webhook
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
path: /mutate
|
||||
---
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingWebhookConfiguration
|
||||
metadata:
|
||||
name: cert-manager-webhook
|
||||
labels:
|
||||
app: webhook
|
||||
app.kubernetes.io/name: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/component: webhook
|
||||
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||||
annotations:
|
||||
cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
|
||||
webhooks:
|
||||
- name: webhook.cert-manager.io
|
||||
namespaceSelector:
|
||||
matchExpressions:
|
||||
- key: "cert-manager.io/disable-validation"
|
||||
operator: "NotIn"
|
||||
values:
|
||||
- "true"
|
||||
- key: "name"
|
||||
operator: "NotIn"
|
||||
values:
|
||||
- cert-manager
|
||||
rules:
|
||||
- apiGroups:
|
||||
- "cert-manager.io"
|
||||
- "acme.cert-manager.io"
|
||||
apiVersions:
|
||||
- v1alpha2
|
||||
- v1alpha3
|
||||
operations:
|
||||
- CREATE
|
||||
- UPDATE
|
||||
resources:
|
||||
- "*/*"
|
||||
failurePolicy: Fail
|
||||
# Only include 'sideEffects' field in Kubernetes 1.12+
|
||||
sideEffects: None
|
||||
clientConfig:
|
||||
service:
|
||||
name: cert-manager-webhook
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
path: /validate
|
Loading…
Reference in a new issue