Upgrade Jetstack Cert-Manager v1.0.4 (#6937)

2020-11-30 14:52:50 +00:00 · 2020-11-30 14:52:50 +00:00 · f6a5948f58
parent f6eed8091e
commit f6a5948f58
14 changed files with 10371 additions and 3458 deletions
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@ -507,7 +507,7 @@ ingress_ambassador_image_repo: "{{ quay_image_repo }}/datawire/ambassador-operat
 ingress_ambassador_image_tag: "v1.2.9"
 alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
 alb_ingress_image_tag: "v1.1.9"
-cert_manager_version: "v0.16.1"
+cert_manager_version: "v1.0.4"
 cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller"
 cert_manager_controller_image_tag: "{{ cert_manager_version }}"
 cert_manager_cainjector_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-cainjector"
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterrole-cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterrole-cert-manager.yml.j2
@ -16,278 +16,483 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: cert-manager-cainjector
  labels:
    app: cainjector
-    app.kubernetes.io/name: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: cainjector
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cainjector
+  name: cert-manager-cainjector
 rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["get", "create", "update", "patch"]
-  - apiGroups: ["admissionregistration.k8s.io"]
-    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
-    verbs: ["get", "list", "watch", "update"]
-  - apiGroups: ["apiregistration.k8s.io"]
-    resources: ["apiservices"]
-    verbs: ["get", "list", "watch", "update"]
-  - apiGroups: ["apiextensions.k8s.io"]
-    resources: ["customresourcedefinitions"]
-    verbs: ["get", "list", "watch", "update"]
-  - apiGroups: ["auditregistration.k8s.io"]
-    resources: ["auditsinks"]
-    verbs: ["get", "list", "watch", "update"]
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - get
+  - create
+  - update
+  - patch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  - mutatingwebhookconfigurations
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - apiregistration.k8s.io
+  resources:
+  - apiservices
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - auditregistration.k8s.io
+  resources:
+  - auditsinks
+  verbs:
+  - get
+  - list
+  - watch
+  - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
  name: cert-manager-controller-issuers
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["issuers", "issuers/status"]
-    verbs: ["update"]
-  - apiGroups: ["cert-manager.io"]
-    resources: ["issuers"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "watch", "create", "update", "delete"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["create", "patch"]
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - issuers
+  - issuers/status
+  verbs:
+  - update
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - issuers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
  name: cert-manager-controller-clusterissuers
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["clusterissuers", "clusterissuers/status"]
-    verbs: ["update"]
-  - apiGroups: ["cert-manager.io"]
-    resources: ["clusterissuers"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "watch", "create", "update", "delete"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["create", "patch"]
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - clusterissuers
+  - clusterissuers/status
+  verbs:
+  - update
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - clusterissuers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
  name: cert-manager-controller-certificates
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
-    verbs: ["update"]
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
-    verbs: ["get", "list", "watch"]
-  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
-  # admission controller enabled:
-  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates/finalizers", "certificaterequests/finalizers"]
-    verbs: ["update"]
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["orders"]
-    verbs: ["create", "delete", "get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "watch", "create", "update", "delete"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["create", "patch"]
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates
+  - certificates/status
+  - certificaterequests
+  - certificaterequests/status
+  verbs:
+  - update
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates
+  - certificaterequests
+  - clusterissuers
+  - issuers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates/finalizers
+  - certificaterequests/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - acme.cert-manager.io
+  resources:
+  - orders
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
  name: cert-manager-controller-orders
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 rules:
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["orders", "orders/status"]
-    verbs: ["update"]
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["orders", "challenges"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["cert-manager.io"]
-    resources: ["clusterissuers", "issuers"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["challenges"]
-    verbs: ["create", "delete"]
-  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
-  # admission controller enabled:
-  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["orders/finalizers"]
-    verbs: ["update"]
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["create", "patch"]
+- apiGroups:
+  - acme.cert-manager.io
+  resources:
+  - orders
+  - orders/status
+  verbs:
+  - update
+- apiGroups:
+  - acme.cert-manager.io
+  resources:
+  - orders
+  - challenges
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - clusterissuers
+  - issuers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - acme.cert-manager.io
+  resources:
+  - challenges
+  verbs:
+  - create
+  - delete
+- apiGroups:
+  - acme.cert-manager.io
+  resources:
+  - orders/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
  name: cert-manager-controller-challenges
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 rules:
-  # Use to update challenge resource status
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["challenges", "challenges/status"]
-    verbs: ["update"]
-  # Used to watch challenge resources
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["challenges"]
-    verbs: ["get", "list", "watch"]
-  # Used to watch challenges, issuer and clusterissuer resources
-  - apiGroups: ["cert-manager.io"]
-    resources: ["issuers", "clusterissuers"]
-    verbs: ["get", "list", "watch"]
-  # Need to be able to retrieve ACME account private key to complete challenges
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "watch"]
-  # Used to create events
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["create", "patch"]
-  # HTTP01 rules
-  - apiGroups: [""]
-    resources: ["pods", "services"]
-    verbs: ["get", "list", "watch", "create", "delete"]
-  - apiGroups: ["extensions"]
-    resources: ["ingresses"]
-    verbs: ["get", "list", "watch", "create", "delete", "update"]
-  # We require the ability to specify a custom hostname when we are creating
-  # new ingress resources.
-  # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
-  - apiGroups: ["route.openshift.io"]
-    resources: ["routes/custom-host"]
-    verbs: ["create"]
-  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
-  # admission controller enabled:
-  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["challenges/finalizers"]
-    verbs: ["update"]
-  # DNS01 rules (duplicated above)
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "watch"]
+- apiGroups:
+  - acme.cert-manager.io
+  resources:
+  - challenges
+  - challenges/status
+  verbs:
+  - update
+- apiGroups:
+  - acme.cert-manager.io
+  resources:
+  - challenges
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - issuers
+  - clusterissuers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - delete
+- apiGroups:
+  - extensions
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - delete
+  - update
+- apiGroups:
+  - route.openshift.io
+  resources:
+  - routes/custom-host
+  verbs:
+  - create
+- apiGroups:
+  - acme.cert-manager.io
+  resources:
+  - challenges/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
  name: cert-manager-controller-ingress-shim
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates", "certificaterequests"]
-    verbs: ["create", "update", "delete"]
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["extensions"]
-    resources: ["ingresses"]
-    verbs: ["get", "list", "watch"]
-  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
-  # admission controller enabled:
-  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
-  - apiGroups: ["extensions"]
-    resources: ["ingresses/finalizers"]
-    verbs: ["update"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["create", "patch"]
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates
+  - certificaterequests
+  verbs:
+  - create
+  - update
+  - delete
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates
+  - certificaterequests
+  - issuers
+  - clusterissuers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - extensions
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - extensions
+  resources:
+  - ingresses/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: cert-manager-view
  labels:
    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-view: "true"
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+  name: cert-manager-view
 rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates", "certificaterequests", "issuers"]
-    verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates
+  - certificaterequests
+  - issuers
+  verbs:
+  - get
+  - list
+  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: cert-manager-edit
  labels:
    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+  name: cert-manager-edit
 rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates", "certificaterequests", "issuers"]
-    verbs: ["create", "delete", "deletecollection", "patch", "update"]
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates
+  - certificaterequests
+  - issuers
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterrolebinding-cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterrolebinding-cert-manager.yml.j2
@ -16,139 +16,125 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: cert-manager-cainjector
  labels:
    app: cainjector
-    app.kubernetes.io/name: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: cainjector
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cainjector
+  name: cert-manager-cainjector
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-cainjector
 subjects:
-  - name: cert-manager-cainjector
-    namespace: {{ cert_manager_namespace }}
-    kind: ServiceAccount
+- kind: ServiceAccount
+  name: cert-manager-cainjector
+  namespace: {{ cert_manager_namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: cert-manager-controller-issuers
  labels:
    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager-controller-issuers
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-issuers
 subjects:
-  - name: cert-manager
-    namespace: {{ cert_manager_namespace }}
-    kind: ServiceAccount
+- kind: ServiceAccount
+  name: cert-manager
+  namespace: {{ cert_manager_namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: cert-manager-controller-clusterissuers
  labels:
    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager-controller-clusterissuers
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-clusterissuers
 subjects:
-  - name: cert-manager
-    namespace: {{ cert_manager_namespace }}
-    kind: ServiceAccount
+- kind: ServiceAccount
+  name: cert-manager
+  namespace: {{ cert_manager_namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: cert-manager-controller-certificates
  labels:
    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager-controller-certificates
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-certificates
 subjects:
-  - name: cert-manager
-    namespace: {{ cert_manager_namespace }}
-    kind: ServiceAccount
+- kind: ServiceAccount
+  name: cert-manager
+  namespace: {{ cert_manager_namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: cert-manager-controller-orders
  labels:
    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager-controller-orders
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-orders
 subjects:
-  - name: cert-manager
-    namespace: {{ cert_manager_namespace }}
-    kind: ServiceAccount
+- kind: ServiceAccount
+  name: cert-manager
+  namespace: {{ cert_manager_namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: cert-manager-controller-challenges
  labels:
    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager-controller-challenges
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-challenges
 subjects:
-  - name: cert-manager
-    namespace: {{ cert_manager_namespace }}
-    kind: ServiceAccount
+- kind: ServiceAccount
+  name: cert-manager
+  namespace: {{ cert_manager_namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: cert-manager-controller-ingress-shim
  labels:
    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager-controller-ingress-shim
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-ingress-shim
 subjects:
-  - name: cert-manager
-    namespace: {{ cert_manager_namespace }}
-    kind: ServiceAccount
+- kind: ServiceAccount
+  name: cert-manager
+  namespace: {{ cert_manager_namespace }}
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-certificate.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-certificate.yml.j2
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-challenge.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-challenge.yml.j2
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-clusterissuer.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-clusterissuer.yml.j2
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-issuer.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-issuer.yml.j2
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-order.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-order.yml.j2
@ -13,67 +13,59 @@
 # limitations under the License.

 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
-  name: orders.acme.cert-manager.io
  annotations:
    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
  labels:
    app: cert-manager
-    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/name: cert-manager
+  name: orders.acme.cert-manager.io
 spec:
-  additionalPrinterColumns:
-  - JSONPath: .status.state
-    name: State
-    type: string
-  - JSONPath: .spec.issuerRef.name
-    name: Issuer
-    priority: 1
-    type: string
-  - JSONPath: .status.reason
-    name: Reason
-    priority: 1
-    type: string
-  - JSONPath: .metadata.creationTimestamp
-    description: CreationTimestamp is a timestamp representing the server time when
-      this object was created. It is not guaranteed to be set in happens-before order
-      across separate operations. Clients may not set this value. It is represented
-      in RFC3339 form and is in UTC.
-    name: Age
-    type: date
-  group: acme.cert-manager.io
-  preserveUnknownFields: false
  conversion:
-    # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
    strategy: Webhook
-    # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
-    webhookClientConfig:
-      service:
-        namespace: '{{ cert_manager_namespace }}'
-        name: 'cert-manager-webhook'
-        path: /convert
+    webhook:
+      clientConfig:
+        service:
+          name: cert-manager-webhook
+          namespace: {{ cert_manager_namespace }}
+          path: /convert
+      conversionReviewVersions:
+      - v1
+      - v1beta1
+  group: acme.cert-manager.io
  names:
    kind: Order
    listKind: OrderList
    plural: orders
    singular: order
  scope: Namespaced
-  subresources:
-    status: {}
  versions:
-  - name: v1alpha2
-    served: true
-    storage: true
-    "schema":
-      "openAPIV3Schema":
+  - additionalPrinterColumns:
+    - jsonPath: .status.state
+      name: State
+      type: string
+    - jsonPath: .spec.issuerRef.name
+      name: Issuer
+      priority: 1
+      type: string
+    - jsonPath: .status.reason
+      name: Reason
+      priority: 1
+      type: string
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC.
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
        description: Order is a type to represent an Order with an ACME server
-        type: object
-        required:
-        - metadata
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@ -88,11 +80,6 @@ spec:
          metadata:
            type: object
          spec:
-            type: object
-            required:
-            - csr
-            - dnsNames
-            - issuerRef
            properties:
              commonName:
                description: CommonName is the common name as specified on the DER
@ -104,24 +91,21 @@ spec:
                description: Certificate signing request bytes in DER encoding. This
                  will be used when finalizing the order. This field must be set on
                  the order.
-                type: string
                format: byte
+                type: string
              dnsNames:
                description: DNSNames is a list of DNS names that should be included
                  as part of the Order validation process. This field must match the
                  corresponding field on the DER encoded CSR.
-                type: array
                items:
                  type: string
+                type: array
              issuerRef:
                description: IssuerRef references a properly configured ACME-type
                  Issuer which should be used to create this Order. If the Issuer
                  does not exist, processing will be retried. If the Issuer is not
                  an 'ACME' Issuer, an error will be returned and the Order will be
                  marked as failed.
-                type: object
-                required:
-                - name
                properties:
                  group:
                    description: Group of the resource being referred to.
@ -132,37 +116,34 @@ spec:
                  name:
                    description: Name of the resource being referred to.
                    type: string
-          status:
+                required:
+                - name
+                type: object
+            required:
+            - csr
+            - dnsNames
+            - issuerRef
            type: object
+          status:
            properties:
              authorizations:
                description: Authorizations contains data returned from the ACME server
                  on what authorizations must be completed in order to validate the
                  DNS names specified on the Order.
-                type: array
                items:
                  description: ACMEAuthorization contains data returned from the ACME
                    server on an authorization that must be completed in order validate
                    a DNS name on an ACME Order resource.
-                  type: object
-                  required:
-                  - url
                  properties:
                    challenges:
                      description: Challenges specifies the challenge types offered
                        by the ACME server. One of these challenge types will be selected
                        when validating the DNS name and an appropriate Challenge
                        resource will be created to perform the ACME challenge process.
-                      type: array
                      items:
                        description: Challenge specifies a challenge offered by the
                          ACME server for an Order. An appropriate Challenge resource
                          can be created to perform the ACME challenge process.
-                        type: object
-                        required:
-                        - token
-                        - type
-                        - url
                        properties:
                          token:
                            description: Token is the token that must be presented
@ -181,6 +162,12 @@ spec:
                              be used to retrieve additional metadata about the Challenge
                              from the ACME server.
                            type: string
+                        required:
+                        - token
+                        - type
+                        - url
+                        type: object
+                      type: array
                    identifier:
                      description: Identifier is the DNS name to be validated as part
                        of this authorization
@ -194,7 +181,6 @@ spec:
                        (such as Let's Encrypt's production endpoint). If not set
                        and 'identifier' is set, the state is assumed to be pending
                        and a Challenge will be created.
-                      type: string
                      enum:
                      - valid
                      - ready
@ -203,6 +189,7 @@ spec:
                      - invalid
                      - expired
                      - errored
+                      type: string
                    url:
                      description: URL is the URL of the Authorization that must be
                        completed
@ -214,18 +201,22 @@ spec:
                        if '*.example.com' is the DNS name being validated, this field
                        will be 'true' and the 'identifier' field will be 'example.com'.
                      type: boolean
+                  required:
+                  - url
+                  type: object
+                type: array
              certificate:
                description: Certificate is a copy of the PEM encoded certificate
                  for this Order. This field will be populated after the order has
                  been successfully finalized with the ACME server, and the order
                  has transitioned to the 'valid' state.
-                type: string
                format: byte
+                type: string
              failureTime:
                description: FailureTime stores the time that this order failed. This
                  is used to influence garbage collection and back-off.
-                type: string
                format: date-time
+                type: string
              finalizeURL:
                description: FinalizeURL of the Order. This is used to obtain certificates
                  for this order once it has been completed.
@ -237,7 +228,6 @@ spec:
              state:
                description: State contains the current state of this Order resource.
                  States 'success' and 'expired' are 'final'
-                type: string
                enum:
                - valid
                - ready
@ -246,21 +236,44 @@ spec:
                - invalid
                - expired
                - errored
+                type: string
              url:
                description: URL of the Order. This will initially be empty when the
                  resource is first created. The Order controller will populate this
                  field when the Order is first processed. This field will be immutable
                  after it is initially set.
                type: string
-  - name: v1alpha3
-    served: true
-    storage: false
-    "schema":
-      "openAPIV3Schema":
-        description: Order is a type to represent an Order with an ACME server
-        type: object
+            type: object
        required:
        - metadata
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .status.state
+      name: State
+      type: string
+    - jsonPath: .spec.issuerRef.name
+      name: Issuer
+      priority: 1
+      type: string
+    - jsonPath: .status.reason
+      name: Reason
+      priority: 1
+      type: string
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC.
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        description: Order is a type to represent an Order with an ACME server
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@ -275,11 +288,6 @@ spec:
          metadata:
            type: object
          spec:
-            type: object
-            required:
-            - csr
-            - dnsNames
-            - issuerRef
            properties:
              commonName:
                description: CommonName is the common name as specified on the DER
@ -291,24 +299,21 @@ spec:
                description: Certificate signing request bytes in DER encoding. This
                  will be used when finalizing the order. This field must be set on
                  the order.
-                type: string
                format: byte
+                type: string
              dnsNames:
                description: DNSNames is a list of DNS names that should be included
                  as part of the Order validation process. This field must match the
                  corresponding field on the DER encoded CSR.
-                type: array
                items:
                  type: string
+                type: array
              issuerRef:
                description: IssuerRef references a properly configured ACME-type
                  Issuer which should be used to create this Order. If the Issuer
                  does not exist, processing will be retried. If the Issuer is not
                  an 'ACME' Issuer, an error will be returned and the Order will be
                  marked as failed.
-                type: object
-                required:
-                - name
                properties:
                  group:
                    description: Group of the resource being referred to.
@ -319,37 +324,34 @@ spec:
                  name:
                    description: Name of the resource being referred to.
                    type: string
-          status:
+                required:
+                - name
+                type: object
+            required:
+            - csr
+            - dnsNames
+            - issuerRef
            type: object
+          status:
            properties:
              authorizations:
                description: Authorizations contains data returned from the ACME server
                  on what authorizations must be completed in order to validate the
                  DNS names specified on the Order.
-                type: array
                items:
                  description: ACMEAuthorization contains data returned from the ACME
                    server on an authorization that must be completed in order validate
                    a DNS name on an ACME Order resource.
-                  type: object
-                  required:
-                  - url
                  properties:
                    challenges:
                      description: Challenges specifies the challenge types offered
                        by the ACME server. One of these challenge types will be selected
                        when validating the DNS name and an appropriate Challenge
                        resource will be created to perform the ACME challenge process.
-                      type: array
                      items:
                        description: Challenge specifies a challenge offered by the
                          ACME server for an Order. An appropriate Challenge resource
                          can be created to perform the ACME challenge process.
-                        type: object
-                        required:
-                        - token
-                        - type
-                        - url
                        properties:
                          token:
                            description: Token is the token that must be presented
@ -368,6 +370,12 @@ spec:
                              be used to retrieve additional metadata about the Challenge
                              from the ACME server.
                            type: string
+                        required:
+                        - token
+                        - type
+                        - url
+                        type: object
+                      type: array
                    identifier:
                      description: Identifier is the DNS name to be validated as part
                        of this authorization
@ -381,7 +389,6 @@ spec:
                        (such as Let's Encrypt's production endpoint). If not set
                        and 'identifier' is set, the state is assumed to be pending
                        and a Challenge will be created.
-                      type: string
                      enum:
                      - valid
                      - ready
@ -390,6 +397,7 @@ spec:
                      - invalid
                      - expired
                      - errored
+                      type: string
                    url:
                      description: URL is the URL of the Authorization that must be
                        completed
@ -401,18 +409,22 @@ spec:
                        if '*.example.com' is the DNS name being validated, this field
                        will be 'true' and the 'identifier' field will be 'example.com'.
                      type: boolean
+                  required:
+                  - url
+                  type: object
+                type: array
              certificate:
                description: Certificate is a copy of the PEM encoded certificate
                  for this Order. This field will be populated after the order has
                  been successfully finalized with the ACME server, and the order
                  has transitioned to the 'valid' state.
-                type: string
                format: byte
+                type: string
              failureTime:
                description: FailureTime stores the time that this order failed. This
                  is used to influence garbage collection and back-off.
-                type: string
                format: date-time
+                type: string
              finalizeURL:
                description: FinalizeURL of the Order. This is used to obtain certificates
                  for this order once it has been completed.
@ -424,7 +436,6 @@ spec:
              state:
                description: State contains the current state of this Order resource.
                  States 'success' and 'expired' are 'final'
-                type: string
                enum:
                - valid
                - ready
@ -433,22 +444,44 @@ spec:
                - invalid
                - expired
                - errored
+                type: string
              url:
                description: URL of the Order. This will initially be empty when the
                  resource is first created. The Order controller will populate this
                  field when the Order is first processed. This field will be immutable
                  after it is initially set.
                type: string
-  - name: v1beta1
-    served: true
-    storage: false
-    "schema":
-      "openAPIV3Schema":
-        description: Order is a type to represent an Order with an ACME server
-        type: object
+            type: object
        required:
        - metadata
-        - spec
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .status.state
+      name: State
+      type: string
+    - jsonPath: .spec.issuerRef.name
+      name: Issuer
+      priority: 1
+      type: string
+    - jsonPath: .status.reason
+      name: Reason
+      priority: 1
+      type: string
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC.
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: Order is a type to represent an Order with an ACME server
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@ -463,11 +496,6 @@ spec:
          metadata:
            type: object
          spec:
-            type: object
-            required:
-            - dnsNames
-            - issuerRef
-            - request
            properties:
              commonName:
                description: CommonName is the common name as specified on the DER
@ -479,18 +507,15 @@ spec:
                description: DNSNames is a list of DNS names that should be included
                  as part of the Order validation process. This field must match the
                  corresponding field on the DER encoded CSR.
-                type: array
                items:
                  type: string
+                type: array
              issuerRef:
                description: IssuerRef references a properly configured ACME-type
                  Issuer which should be used to create this Order. If the Issuer
                  does not exist, processing will be retried. If the Issuer is not
                  an 'ACME' Issuer, an error will be returned and the Order will be
                  marked as failed.
-                type: object
-                required:
-                - name
                properties:
                  group:
                    description: Group of the resource being referred to.
@ -501,43 +526,40 @@ spec:
                  name:
                    description: Name of the resource being referred to.
                    type: string
+                required:
+                - name
+                type: object
              request:
                description: Certificate signing request bytes in DER encoding. This
                  will be used when finalizing the order. This field must be set on
                  the order.
-                type: string
                format: byte
-          status:
+                type: string
+            required:
+            - dnsNames
+            - issuerRef
+            - request
            type: object
+          status:
            properties:
              authorizations:
                description: Authorizations contains data returned from the ACME server
                  on what authorizations must be completed in order to validate the
                  DNS names specified on the Order.
-                type: array
                items:
                  description: ACMEAuthorization contains data returned from the ACME
                    server on an authorization that must be completed in order validate
                    a DNS name on an ACME Order resource.
-                  type: object
-                  required:
-                  - url
                  properties:
                    challenges:
                      description: Challenges specifies the challenge types offered
                        by the ACME server. One of these challenge types will be selected
                        when validating the DNS name and an appropriate Challenge
                        resource will be created to perform the ACME challenge process.
-                      type: array
                      items:
                        description: Challenge specifies a challenge offered by the
                          ACME server for an Order. An appropriate Challenge resource
                          can be created to perform the ACME challenge process.
-                        type: object
-                        required:
-                        - token
-                        - type
-                        - url
                        properties:
                          token:
                            description: Token is the token that must be presented
@ -556,6 +578,12 @@ spec:
                              be used to retrieve additional metadata about the Challenge
                              from the ACME server.
                            type: string
+                        required:
+                        - token
+                        - type
+                        - url
+                        type: object
+                      type: array
                    identifier:
                      description: Identifier is the DNS name to be validated as part
                        of this authorization
@ -569,7 +597,6 @@ spec:
                        (such as Let's Encrypt's production endpoint). If not set
                        and 'identifier' is set, the state is assumed to be pending
                        and a Challenge will be created.
-                      type: string
                      enum:
                      - valid
                      - ready
@ -578,6 +605,7 @@ spec:
                      - invalid
                      - expired
                      - errored
+                      type: string
                    url:
                      description: URL is the URL of the Authorization that must be
                        completed
@ -589,18 +617,22 @@ spec:
                        if '*.example.com' is the DNS name being validated, this field
                        will be 'true' and the 'identifier' field will be 'example.com'.
                      type: boolean
+                  required:
+                  - url
+                  type: object
+                type: array
              certificate:
                description: Certificate is a copy of the PEM encoded certificate
                  for this Order. This field will be populated after the order has
                  been successfully finalized with the ACME server, and the order
                  has transitioned to the 'valid' state.
-                type: string
                format: byte
+                type: string
              failureTime:
                description: FailureTime stores the time that this order failed. This
                  is used to influence garbage collection and back-off.
-                type: string
                format: date-time
+                type: string
              finalizeURL:
                description: FinalizeURL of the Order. This is used to obtain certificates
                  for this order once it has been completed.
@ -612,7 +644,6 @@ spec:
              state:
                description: State contains the current state of this Order resource.
                  States 'success' and 'expired' are 'final'
-                type: string
                enum:
                - valid
                - ready
@ -621,9 +652,234 @@ spec:
                - invalid
                - expired
                - errored
+                type: string
              url:
                description: URL of the Order. This will initially be empty when the
                  resource is first created. The Order controller will populate this
                  field when the Order is first processed. This field will be immutable
                  after it is initially set.
                type: string
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .status.state
+      name: State
+      type: string
+    - jsonPath: .spec.issuerRef.name
+      name: Issuer
+      priority: 1
+      type: string
+    - jsonPath: .status.reason
+      name: Reason
+      priority: 1
+      type: string
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC.
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
+    schema:
+      openAPIV3Schema:
+        description: Order is a type to represent an Order with an ACME server
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              commonName:
+                description: CommonName is the common name as specified on the DER
+                  encoded CSR. If specified, this value must also be present in `dnsNames`.
+                  This field must match the corresponding field on the DER encoded
+                  CSR.
+                type: string
+              dnsNames:
+                description: DNSNames is a list of DNS names that should be included
+                  as part of the Order validation process. This field must match the
+                  corresponding field on the DER encoded CSR.
+                items:
+                  type: string
+                type: array
+              issuerRef:
+                description: IssuerRef references a properly configured ACME-type
+                  Issuer which should be used to create this Order. If the Issuer
+                  does not exist, processing will be retried. If the Issuer is not
+                  an 'ACME' Issuer, an error will be returned and the Order will be
+                  marked as failed.
+                properties:
+                  group:
+                    description: Group of the resource being referred to.
+                    type: string
+                  kind:
+                    description: Kind of the resource being referred to.
+                    type: string
+                  name:
+                    description: Name of the resource being referred to.
+                    type: string
+                required:
+                - name
+                type: object
+              request:
+                description: Certificate signing request bytes in DER encoding. This
+                  will be used when finalizing the order. This field must be set on
+                  the order.
+                format: byte
+                type: string
+            required:
+            - dnsNames
+            - issuerRef
+            - request
+            type: object
+          status:
+            properties:
+              authorizations:
+                description: Authorizations contains data returned from the ACME server
+                  on what authorizations must be completed in order to validate the
+                  DNS names specified on the Order.
+                items:
+                  description: ACMEAuthorization contains data returned from the ACME
+                    server on an authorization that must be completed in order validate
+                    a DNS name on an ACME Order resource.
+                  properties:
+                    challenges:
+                      description: Challenges specifies the challenge types offered
+                        by the ACME server. One of these challenge types will be selected
+                        when validating the DNS name and an appropriate Challenge
+                        resource will be created to perform the ACME challenge process.
+                      items:
+                        description: Challenge specifies a challenge offered by the
+                          ACME server for an Order. An appropriate Challenge resource
+                          can be created to perform the ACME challenge process.
+                        properties:
+                          token:
+                            description: Token is the token that must be presented
+                              for this challenge. This is used to compute the 'key'
+                              that must also be presented.
+                            type: string
+                          type:
+                            description: Type is the type of challenge being offered,
+                              e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
+                              the raw value retrieved from the ACME server. Only 'http-01'
+                              and 'dns-01' are supported by cert-manager, other values
+                              will be ignored.
+                            type: string
+                          url:
+                            description: URL is the URL of this challenge. It can
+                              be used to retrieve additional metadata about the Challenge
+                              from the ACME server.
+                            type: string
+                        required:
+                        - token
+                        - type
+                        - url
+                        type: object
+                      type: array
+                    identifier:
+                      description: Identifier is the DNS name to be validated as part
+                        of this authorization
+                      type: string
+                    initialState:
+                      description: InitialState is the initial state of the ACME authorization
+                        when first fetched from the ACME server. If an Authorization
+                        is already 'valid', the Order controller will not create a
+                        Challenge resource for the authorization. This will occur
+                        when working with an ACME server that enables 'authz reuse'
+                        (such as Let's Encrypt's production endpoint). If not set
+                        and 'identifier' is set, the state is assumed to be pending
+                        and a Challenge will be created.
+                      enum:
+                      - valid
+                      - ready
+                      - pending
+                      - processing
+                      - invalid
+                      - expired
+                      - errored
+                      type: string
+                    url:
+                      description: URL is the URL of the Authorization that must be
+                        completed
+                      type: string
+                    wildcard:
+                      description: Wildcard will be true if this authorization is
+                        for a wildcard DNS name. If this is true, the identifier will
+                        be the *non-wildcard* version of the DNS name. For example,
+                        if '*.example.com' is the DNS name being validated, this field
+                        will be 'true' and the 'identifier' field will be 'example.com'.
+                      type: boolean
+                  required:
+                  - url
+                  type: object
+                type: array
+              certificate:
+                description: Certificate is a copy of the PEM encoded certificate
+                  for this Order. This field will be populated after the order has
+                  been successfully finalized with the ACME server, and the order
+                  has transitioned to the 'valid' state.
+                format: byte
+                type: string
+              failureTime:
+                description: FailureTime stores the time that this order failed. This
+                  is used to influence garbage collection and back-off.
+                format: date-time
+                type: string
+              finalizeURL:
+                description: FinalizeURL of the Order. This is used to obtain certificates
+                  for this order once it has been completed.
+                type: string
+              reason:
+                description: Reason optionally provides more information about a why
+                  the order is in the current state.
+                type: string
+              state:
+                description: State contains the current state of this Order resource.
+                  States 'success' and 'expired' are 'final'
+                enum:
+                - valid
+                - ready
+                - pending
+                - processing
+                - invalid
+                - expired
+                - errored
+                type: string
+              url:
+                description: URL of the Order. This will initially be empty when the
+                  resource is first created. The Order controller will populate this
+                  field when the Order is first processed. This field will be immutable
+                  after it is initially set.
+                type: string
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/deploy-cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/deploy-cert-manager.yml.j2
@ -16,162 +16,153 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: cert-manager-cainjector
-  namespace: {{ cert_manager_namespace }}
  labels:
    app: cainjector
-    app.kubernetes.io/name: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: cainjector
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cainjector
+  name: cert-manager-cainjector
+  namespace: {{ cert_manager_namespace }}
 spec:
  replicas: 1
  selector:
    matchLabels:
-      app.kubernetes.io/name: cainjector
-      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/component: cainjector
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/name: cainjector
  template:
    metadata:
      labels:
        app: cainjector
-        app.kubernetes.io/name: cainjector
-        app.kubernetes.io/instance: cert-manager
-        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: cainjector
-        helm.sh/chart: cert-manager-{{ cert_manager_version }}
+        app.kubernetes.io/instance: cert-manager
+        app.kubernetes.io/name: cainjector
    spec:
-      serviceAccountName: cert-manager-cainjector
      containers:
-        - name: cert-manager
-          image: "{{ cert_manager_cainjector_image_repo }}:{{ cert_manager_cainjector_image_tag }}"
-          imagePullPolicy: {{ k8s_image_pull_policy }}
-          args:
-          - --v=2
-          - --leader-election-namespace=kube-system
-          env:
-          - name: POD_NAMESPACE
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.namespace
-          resources:
-            {}
+      - args:
+        - --v=2
+        - --leader-election-namespace=kube-system
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: "{{ cert_manager_cainjector_image_repo }}:{{ cert_manager_cainjector_image_tag }}"
+        imagePullPolicy: {{ k8s_image_pull_policy }}
+        name: cert-manager
+        resources: {}
+      serviceAccountName: cert-manager-cainjector
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: cert-manager
-  namespace: {{ cert_manager_namespace }}
  labels:
    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager
+  namespace: {{ cert_manager_namespace }}
 spec:
  replicas: 1
  selector:
    matchLabels:
-      app.kubernetes.io/name: cert-manager
-      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/name: cert-manager
  template:
    metadata:
+      annotations:
+        prometheus.io/path: /metrics
+        prometheus.io/port: "9402"
+        prometheus.io/scrape: "true"
      labels:
        app: cert-manager
-        app.kubernetes.io/name: cert-manager
-        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/component: controller
-        app.kubernetes.io/managed-by: Helm
-        helm.sh/chart: cert-manager-{{ cert_manager_version }}
-      annotations:
-        prometheus.io/path: "/metrics"
-        prometheus.io/scrape: 'true'
-        prometheus.io/port: '9402'
+        app.kubernetes.io/instance: cert-manager
+        app.kubernetes.io/name: cert-manager
    spec:
-      serviceAccountName: cert-manager
      containers:
-        - name: cert-manager
-          image: "{{ cert_manager_controller_image_repo }}:{{ cert_manager_controller_image_tag }}"
-          imagePullPolicy: {{ k8s_image_pull_policy }}
-          args:
-          - --v=2
-          - --cluster-resource-namespace=$(POD_NAMESPACE)
-          - --leader-election-namespace=kube-system
-          ports:
-          - containerPort: 9402
-            protocol: TCP
-          env:
-          - name: POD_NAMESPACE
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.namespace
-          resources:
-            {}
+      - args:
+        - --v=2
+        - --cluster-resource-namespace=$(POD_NAMESPACE)
+        - --leader-election-namespace=kube-system
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: "{{ cert_manager_controller_image_repo }}:{{ cert_manager_controller_image_tag }}"
+        imagePullPolicy: {{ k8s_image_pull_policy }}
+        name: cert-manager
+        ports:
+        - containerPort: 9402
+          protocol: TCP
+        resources: {}
+      serviceAccountName: cert-manager
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: cert-manager-webhook
-  namespace: {{ cert_manager_namespace }}
  labels:
    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: webhook
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: webhook
+  name: cert-manager-webhook
+  namespace: {{ cert_manager_namespace }}
 spec:
  replicas: 1
  selector:
    matchLabels:
-      app.kubernetes.io/name: webhook
-      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/component: webhook
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/name: webhook
  template:
    metadata:
      labels:
        app: webhook
-        app.kubernetes.io/name: webhook
-        app.kubernetes.io/instance: cert-manager
-        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: webhook
-        helm.sh/chart: cert-manager-{{ cert_manager_version }}
+        app.kubernetes.io/instance: cert-manager
+        app.kubernetes.io/name: webhook
    spec:
-      serviceAccountName: cert-manager-webhook
      containers:
-        - name: cert-manager
-          image: "{{ cert_manager_webhook_image_repo }}:{{ cert_manager_webhook_image_tag }}"
-          imagePullPolicy: {{ k8s_image_pull_policy }}
-          args:
-          - --v=2
-          - --secure-port=10250
-          - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
-          - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
-          - --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
-          ports:
-          - name: https
-            containerPort: 10250
-          livenessProbe:
-            httpGet:
-              path: /livez
-              port: 6080
-              scheme: HTTP
-            initialDelaySeconds: 60
-            periodSeconds: 10
-          readinessProbe:
-            httpGet:
-              path: /healthz
-              port: 6080
-              scheme: HTTP
-            initialDelaySeconds: 5
-            periodSeconds: 5
-          env:
-          - name: POD_NAMESPACE
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.namespace
-          resources:
-            {}
+      - args:
+        - --v=2
+        - --secure-port=10250
+        - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
+        - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
+        - --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.{{ cert_manager_namespace }},cert-manager-webhook.{{ cert_manager_namespace }}.svc
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: "{{ cert_manager_webhook_image_repo }}:{{ cert_manager_webhook_image_tag }}"
+        imagePullPolicy: {{ k8s_image_pull_policy }}
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /livez
+            port: 6080
+            scheme: HTTP
+          initialDelaySeconds: 60
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: cert-manager
+        ports:
+        - containerPort: 10250
+          name: https
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 6080
+            scheme: HTTP
+          initialDelaySeconds: 5
+          periodSeconds: 5
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources: {}
+      serviceAccountName: cert-manager-webhook
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/role-cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/role-cert-manager.yml.j2
@ -16,70 +16,85 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: cert-manager-cainjector:leaderelection
-  namespace: kube-system
  labels:
    app: cainjector
-    app.kubernetes.io/name: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: cainjector
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cainjector
+  name: cert-manager-cainjector:leaderelection
+  namespace: kube-system
 rules:
-  # Used for leader election by the controller
-  # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
-  #   see cmd/cainjector/start.go#L113
-  # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
-  #   see cmd/cainjector/start.go#L137
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
-    verbs: ["get", "update", "patch"]
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    verbs: ["create"]
+- apiGroups:
+  - ""
+  resourceNames:
+  - cert-manager-cainjector-leader-election
+  - cert-manager-cainjector-leader-election-core
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: cert-manager:leaderelection
-  namespace: kube-system
  labels:
    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager:leaderelection
+  namespace: kube-system
 rules:
-  # Used for leader election by the controller
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    resourceNames: ["cert-manager-controller"]
-    verbs: ["get", "update", "patch"]
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    verbs: ["create"]
+- apiGroups:
+  - ""
+  resourceNames:
+  - cert-manager-controller
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: cert-manager-webhook:dynamic-serving
-  namespace: {{ cert_manager_namespace }}
  labels:
    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: webhook
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: webhook
+  name: cert-manager-webhook:dynamic-serving
+  namespace: {{ cert_manager_namespace }}
 rules:
- apiGroups: [""]
-  resources: ["secrets"]
+- apiGroups:
+  - ""
  resourceNames:
-  - 'cert-manager-webhook-ca'
-  verbs: ["get", "list", "watch", "update"]
-# It's not possible to grant CREATE permission on a single resourceName.
- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["create"]
+  - cert-manager-webhook-ca
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/rolebinding-cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/rolebinding-cert-manager.yml.j2
@ -16,58 +16,52 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: cert-manager-cainjector:leaderelection
-  namespace: kube-system
  labels:
    app: cainjector
-    app.kubernetes.io/name: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: cainjector
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cainjector
+  name: cert-manager-cainjector:leaderelection
+  namespace: kube-system
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-cainjector:leaderelection
 subjects:
-  - kind: ServiceAccount
-    name: cert-manager-cainjector
-    namespace: {{ cert_manager_namespace }}
+- kind: ServiceAccount
+  name: cert-manager-cainjector
+  namespace: {{ cert_manager_namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: cert-manager:leaderelection
-  namespace: kube-system
  labels:
    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager:leaderelection
+  namespace: kube-system
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager:leaderelection
 subjects:
-  - apiGroup: ""
-    kind: ServiceAccount
-    name: cert-manager
-    namespace: {{ cert_manager_namespace }}
+- apiGroup: ""
+  kind: ServiceAccount
+  name: cert-manager
+  namespace: {{ cert_manager_namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: cert-manager-webhook:dynamic-serving
-  namespace: {{ cert_manager_namespace }}
  labels:
    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: webhook
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: webhook
+  name: cert-manager-webhook:dynamic-serving
+  namespace: {{ cert_manager_namespace }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/sa-cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/sa-cert-manager.yml.j2
@ -16,38 +16,32 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: cert-manager-cainjector
-  namespace: {{ cert_manager_namespace }}
  labels:
    app: cainjector
-    app.kubernetes.io/name: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: cainjector
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cainjector
+  name: cert-manager-cainjector
+  namespace: {{ cert_manager_namespace }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: cert-manager
-  namespace: {{ cert_manager_namespace }}
  labels:
    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager
+  namespace: {{ cert_manager_namespace }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: cert-manager-webhook
-  namespace: {{ cert_manager_namespace }}
  labels:
    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: webhook
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: webhook
+  name: cert-manager-webhook
+  namespace: {{ cert_manager_namespace }}
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/svc-cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/svc-cert-manager.yml.j2
@ -16,45 +16,41 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: cert-manager
-  namespace: {{ cert_manager_namespace }}
  labels:
    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager
+  namespace: {{ cert_manager_namespace }}
 spec:
-  type: ClusterIP
  ports:
-    - protocol: TCP
-      port: 9402
-      targetPort: 9402
+  - port: 9402
+    protocol: TCP
+    targetPort: 9402
  selector:
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  type: ClusterIP
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  name: cert-manager-webhook
-  namespace: {{ cert_manager_namespace }}
  labels:
    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: webhook
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: webhook
+  name: cert-manager-webhook
+  namespace: {{ cert_manager_namespace }}
 spec:
-  type: ClusterIP
  ports:
  - name: https
    port: 443
    targetPort: 10250
  selector:
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: webhook
+  type: ClusterIP
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/webhook-cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/webhook-cert-manager.yml.j2
@ -13,82 +13,82 @@
 # limitations under the License.

 ---
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
-  name: cert-manager-webhook
+  annotations:
+    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
  labels:
    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: webhook
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
-  annotations:
-    cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: webhook
+  name: cert-manager-webhook
 webhooks:
-  - name: webhook.cert-manager.io
-    rules:
-      - apiGroups:
-          - "cert-manager.io"
-          - "acme.cert-manager.io"
-        apiVersions:
-          - "*"
-        operations:
-          - CREATE
-          - UPDATE
-        resources:
-          - "*/*"
-    failurePolicy: Fail
-    # Only include 'sideEffects' field in Kubernetes 1.12+
-    sideEffects: None
-    clientConfig:
-      service:
-        name: cert-manager-webhook
-        namespace: {{ cert_manager_namespace }}
-        path: /mutate
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: cert-manager-webhook
+      namespace: {{ cert_manager_namespace }}
+      path: /mutate
+  failurePolicy: Fail
+  name: webhook.cert-manager.io
+  rules:
+  - apiGroups:
+    - cert-manager.io
+    - acme.cert-manager.io
+    apiVersions:
+    - '*'
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - '*/*'
+  sideEffects: None
 ---
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
-  name: cert-manager-webhook
+  annotations:
+    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
  labels:
    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: webhook
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
-  annotations:
-    cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: webhook
+  name: cert-manager-webhook
 webhooks:
-  - name: webhook.cert-manager.io
-    namespaceSelector:
-      matchExpressions:
-      - key: "cert-manager.io/disable-validation"
-        operator: "NotIn"
-        values:
-        - "true"
-      - key: "name"
-        operator: "NotIn"
-        values:
-        - cert-manager
-    rules:
-      - apiGroups:
-          - "cert-manager.io"
-          - "acme.cert-manager.io"
-        apiVersions:
-          - "*"
-        operations:
-          - CREATE
-          - UPDATE
-        resources:
-          - "*/*"
-    failurePolicy: Fail
-    # Only include 'sideEffects' field in Kubernetes 1.12+
-    sideEffects: None
-    clientConfig:
-      service:
-        name: cert-manager-webhook
-        namespace: {{ cert_manager_namespace }}
-        path: /validate
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: cert-manager-webhook
+      namespace: {{ cert_manager_namespace }}
+      path: /validate
+  failurePolicy: Fail
+  name: webhook.cert-manager.io
+  namespaceSelector:
+    matchExpressions:
+    - key: cert-manager.io/disable-validation
+      operator: NotIn
+      values:
+      - "true"
+    - key: name
+      operator: NotIn
+      values:
+      - cert-manager
+  rules:
+  - apiGroups:
+    - cert-manager.io
+    - acme.cert-manager.io
+    apiVersions:
+    - '*'
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - '*/*'
+  sideEffects: None