Upgrade Jetstack Cert-Manager v1.0.4 (#6937)

Barry Melbourne 2020-11-30 14:52:50 +00:00 committed by GitHub
parent f6eed8091e
commit f6a5948f58
14 changed files with 10371 additions and 3458 deletions


@ -507,7 +507,7 @@ ingress_ambassador_image_repo: "{{ quay_image_repo }}/datawire/ambassador-operat
ingress_ambassador_image_tag: "v1.2.9" ingress_ambassador_image_tag: "v1.2.9"
alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller" alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
alb_ingress_image_tag: "v1.1.9" alb_ingress_image_tag: "v1.1.9"
cert_manager_version: "v0.16.1" cert_manager_version: "v1.0.4"
cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller" cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller"
cert_manager_controller_image_tag: "{{ cert_manager_version }}" cert_manager_controller_image_tag: "{{ cert_manager_version }}"
cert_manager_cainjector_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-cainjector" cert_manager_cainjector_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-cainjector"


@ -16,278 +16,483 @@
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
name: cert-manager-cainjector
labels: labels:
app: cainjector app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cainjector app.kubernetes.io/component: cainjector
helm.sh/chart: cert-manager-{{ cert_manager_version }} app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cainjector
name: cert-manager-cainjector
rules: rules:
- apiGroups: ["cert-manager.io"] - apiGroups:
resources: ["certificates"] - cert-manager.io
verbs: ["get", "list", "watch"] resources:
- apiGroups: [""] - certificates
resources: ["secrets"] verbs:
verbs: ["get", "list", "watch"] - get
- apiGroups: [""] - list
resources: ["events"] - watch
verbs: ["get", "create", "update", "patch"] - apiGroups:
- apiGroups: ["admissionregistration.k8s.io"] - ""
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] resources:
verbs: ["get", "list", "watch", "update"] - secrets
- apiGroups: ["apiregistration.k8s.io"] verbs:
resources: ["apiservices"] - get
verbs: ["get", "list", "watch", "update"] - list
- apiGroups: ["apiextensions.k8s.io"] - watch
resources: ["customresourcedefinitions"] - apiGroups:
verbs: ["get", "list", "watch", "update"] - ""
- apiGroups: ["auditregistration.k8s.io"] resources:
resources: ["auditsinks"] - events
verbs: ["get", "list", "watch", "update"] verbs:
- get
- create
- update
- patch
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
- mutatingwebhookconfigurations
verbs:
- get
- list
- watch
- update
- apiGroups:
- apiregistration.k8s.io
resources:
- apiservices
verbs:
- get
- list
- watch
- update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- update
- apiGroups:
- auditregistration.k8s.io
resources:
- auditsinks
verbs:
- get
- list
- watch
- update
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-issuers name: cert-manager-controller-issuers
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
rules: rules:
- apiGroups: ["cert-manager.io"] - apiGroups:
resources: ["issuers", "issuers/status"] - cert-manager.io
verbs: ["update"] resources:
- apiGroups: ["cert-manager.io"] - issuers
resources: ["issuers"] - issuers/status
verbs: ["get", "list", "watch"] verbs:
- apiGroups: [""] - update
resources: ["secrets"] - apiGroups:
verbs: ["get", "list", "watch", "create", "update", "delete"] - cert-manager.io
- apiGroups: [""] resources:
resources: ["events"] - issuers
verbs: ["create", "patch"] verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- create
- update
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-clusterissuers name: cert-manager-controller-clusterissuers
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
rules: rules:
- apiGroups: ["cert-manager.io"] - apiGroups:
resources: ["clusterissuers", "clusterissuers/status"] - cert-manager.io
verbs: ["update"] resources:
- apiGroups: ["cert-manager.io"] - clusterissuers
resources: ["clusterissuers"] - clusterissuers/status
verbs: ["get", "list", "watch"] verbs:
- apiGroups: [""] - update
resources: ["secrets"] - apiGroups:
verbs: ["get", "list", "watch", "create", "update", "delete"] - cert-manager.io
- apiGroups: [""] resources:
resources: ["events"] - clusterissuers
verbs: ["create", "patch"] verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- create
- update
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-certificates name: cert-manager-controller-certificates
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
rules: rules:
- apiGroups: ["cert-manager.io"] - apiGroups:
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"] - cert-manager.io
verbs: ["update"] resources:
- apiGroups: ["cert-manager.io"] - certificates
resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"] - certificates/status
verbs: ["get", "list", "watch"] - certificaterequests
# We require these rules to support users with the OwnerReferencesPermissionEnforcement - certificaterequests/status
# admission controller enabled: verbs:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - update
- apiGroups: ["cert-manager.io"] - apiGroups:
resources: ["certificates/finalizers", "certificaterequests/finalizers"] - cert-manager.io
verbs: ["update"] resources:
- apiGroups: ["acme.cert-manager.io"] - certificates
resources: ["orders"] - certificaterequests
verbs: ["create", "delete", "get", "list", "watch"] - clusterissuers
- apiGroups: [""] - issuers
resources: ["secrets"] verbs:
verbs: ["get", "list", "watch", "create", "update", "delete"] - get
- apiGroups: [""] - list
resources: ["events"] - watch
verbs: ["create", "patch"] - apiGroups:
- cert-manager.io
resources:
- certificates/finalizers
- certificaterequests/finalizers
verbs:
- update
- apiGroups:
- acme.cert-manager.io
resources:
- orders
verbs:
- create
- delete
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- create
- update
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-orders name: cert-manager-controller-orders
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
rules: rules:
- apiGroups: ["acme.cert-manager.io"] - apiGroups:
resources: ["orders", "orders/status"] - acme.cert-manager.io
verbs: ["update"] resources:
- apiGroups: ["acme.cert-manager.io"] - orders
resources: ["orders", "challenges"] - orders/status
verbs: ["get", "list", "watch"] verbs:
- apiGroups: ["cert-manager.io"] - update
resources: ["clusterissuers", "issuers"] - apiGroups:
verbs: ["get", "list", "watch"] - acme.cert-manager.io
- apiGroups: ["acme.cert-manager.io"] resources:
resources: ["challenges"] - orders
verbs: ["create", "delete"] - challenges
# We require these rules to support users with the OwnerReferencesPermissionEnforcement verbs:
# admission controller enabled: - get
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - list
- apiGroups: ["acme.cert-manager.io"] - watch
resources: ["orders/finalizers"] - apiGroups:
verbs: ["update"] - cert-manager.io
- apiGroups: [""] resources:
resources: ["secrets"] - clusterissuers
verbs: ["get", "list", "watch"] - issuers
- apiGroups: [""] verbs:
resources: ["events"] - get
verbs: ["create", "patch"] - list
- watch
- apiGroups:
- acme.cert-manager.io
resources:
- challenges
verbs:
- create
- delete
- apiGroups:
- acme.cert-manager.io
resources:
- orders/finalizers
verbs:
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-challenges name: cert-manager-controller-challenges
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
rules: rules:
# Use to update challenge resource status - apiGroups:
- apiGroups: ["acme.cert-manager.io"] - acme.cert-manager.io
resources: ["challenges", "challenges/status"] resources:
verbs: ["update"] - challenges
# Used to watch challenge resources - challenges/status
- apiGroups: ["acme.cert-manager.io"] verbs:
resources: ["challenges"] - update
verbs: ["get", "list", "watch"] - apiGroups:
# Used to watch challenges, issuer and clusterissuer resources - acme.cert-manager.io
- apiGroups: ["cert-manager.io"] resources:
resources: ["issuers", "clusterissuers"] - challenges
verbs: ["get", "list", "watch"] verbs:
# Need to be able to retrieve ACME account private key to complete challenges - get
- apiGroups: [""] - list
resources: ["secrets"] - watch
verbs: ["get", "list", "watch"] - apiGroups:
# Used to create events - cert-manager.io
- apiGroups: [""] resources:
resources: ["events"] - issuers
verbs: ["create", "patch"] - clusterissuers
# HTTP01 rules verbs:
- apiGroups: [""] - get
resources: ["pods", "services"] - list
verbs: ["get", "list", "watch", "create", "delete"] - watch
- apiGroups: ["extensions"] - apiGroups:
resources: ["ingresses"] - ""
verbs: ["get", "list", "watch", "create", "delete", "update"] resources:
# We require the ability to specify a custom hostname when we are creating - secrets
# new ingress resources. verbs:
# See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148 - get
- apiGroups: ["route.openshift.io"] - list
resources: ["routes/custom-host"] - watch
verbs: ["create"] - apiGroups:
# We require these rules to support users with the OwnerReferencesPermissionEnforcement - ""
# admission controller enabled: resources:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - events
- apiGroups: ["acme.cert-manager.io"] verbs:
resources: ["challenges/finalizers"] - create
verbs: ["update"] - patch
# DNS01 rules (duplicated above) - apiGroups:
- apiGroups: [""] - ""
resources: ["secrets"] resources:
verbs: ["get", "list", "watch"] - pods
- services
verbs:
- get
- list
- watch
- create
- delete
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- create
- delete
- update
- apiGroups:
- route.openshift.io
resources:
- routes/custom-host
verbs:
- create
- apiGroups:
- acme.cert-manager.io
resources:
- challenges/finalizers
verbs:
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-ingress-shim name: cert-manager-controller-ingress-shim
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
rules: rules:
- apiGroups: ["cert-manager.io"] - apiGroups:
resources: ["certificates", "certificaterequests"] - cert-manager.io
verbs: ["create", "update", "delete"] resources:
- apiGroups: ["cert-manager.io"] - certificates
resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"] - certificaterequests
verbs: ["get", "list", "watch"] verbs:
- apiGroups: ["extensions"] - create
resources: ["ingresses"] - update
verbs: ["get", "list", "watch"] - delete
# We require these rules to support users with the OwnerReferencesPermissionEnforcement - apiGroups:
# admission controller enabled: - cert-manager.io
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement resources:
- apiGroups: ["extensions"] - certificates
resources: ["ingresses/finalizers"] - certificaterequests
verbs: ["update"] - issuers
- apiGroups: [""] - clusterissuers
resources: ["events"] verbs:
verbs: ["create", "patch"] - get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/finalizers
verbs:
- update
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
name: cert-manager-view
labels: labels:
app: cert-manager app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }} app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-view: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true" name: cert-manager-view
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules: rules:
- apiGroups: ["cert-manager.io"] - apiGroups:
resources: ["certificates", "certificaterequests", "issuers"] - cert-manager.io
verbs: ["get", "list", "watch"] resources:
- certificates
- certificaterequests
- issuers
verbs:
- get
- list
- watch
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
name: cert-manager-edit
labels: labels:
app: cert-manager app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }} app.kubernetes.io/instance: cert-manager
rbac.authorization.k8s.io/aggregate-to-edit: "true" app.kubernetes.io/name: cert-manager
rbac.authorization.k8s.io/aggregate-to-admin: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: cert-manager-edit
rules: rules:
- apiGroups: ["cert-manager.io"] - apiGroups:
resources: ["certificates", "certificaterequests", "issuers"] - cert-manager.io
verbs: ["create", "delete", "deletecollection", "patch", "update"] resources:
- certificates
- certificaterequests
- issuers
verbs:
- create
- delete
- deletecollection
- patch
- update
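Review bot: The new side of the ClusterRole hunk drops the upstream why-comments without replacing them, so the `*/finalizers` rules in cert-manager-controller-certificates, -orders, -challenges and -ingress-shim, and the second `secrets` rule at the end of cert-manager-controller-challenges, now read as accidental repeats to anyone auditing the RBAC. Suggest keeping one comment above each finalizers rule, `# Needed when the OwnerReferencesPermissionEnforcement admission plugin is enabled`, restoring `# DNS01 rules (duplicated above)` before the trailing secrets rule, and `# HTTP01 rules` before the pods/services rule. Nothing in the change narrows the cainjector role's cluster-wide update on mutating/validating webhook configurations, apiservices and CRDs, which is carried over unchanged from the old side; a short comment there naming it as the highest-privilege grant in this file would help future reviewers.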


@ -16,139 +16,125 @@
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: cert-manager-cainjector
labels: labels:
app: cainjector app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cainjector app.kubernetes.io/component: cainjector
helm.sh/chart: cert-manager-{{ cert_manager_version }} app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cainjector
name: cert-manager-cainjector
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: cert-manager-cainjector name: cert-manager-cainjector
subjects: subjects:
- name: cert-manager-cainjector - kind: ServiceAccount
namespace: {{ cert_manager_namespace }} name: cert-manager-cainjector
kind: ServiceAccount namespace: {{ cert_manager_namespace }}
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: cert-manager-controller-issuers
labels: labels:
app: cert-manager app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }} app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-issuers
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: cert-manager-controller-issuers name: cert-manager-controller-issuers
subjects: subjects:
- name: cert-manager - kind: ServiceAccount
namespace: {{ cert_manager_namespace }} name: cert-manager
kind: ServiceAccount namespace: {{ cert_manager_namespace }}
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: cert-manager-controller-clusterissuers
labels: labels:
app: cert-manager app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }} app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-clusterissuers
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: cert-manager-controller-clusterissuers name: cert-manager-controller-clusterissuers
subjects: subjects:
- name: cert-manager - kind: ServiceAccount
namespace: {{ cert_manager_namespace }} name: cert-manager
kind: ServiceAccount namespace: {{ cert_manager_namespace }}
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: cert-manager-controller-certificates
labels: labels:
app: cert-manager app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }} app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-certificates
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: cert-manager-controller-certificates name: cert-manager-controller-certificates
subjects: subjects:
- name: cert-manager - kind: ServiceAccount
namespace: {{ cert_manager_namespace }} name: cert-manager
kind: ServiceAccount namespace: {{ cert_manager_namespace }}
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: cert-manager-controller-orders
labels: labels:
app: cert-manager app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }} app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-orders
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: cert-manager-controller-orders name: cert-manager-controller-orders
subjects: subjects:
- name: cert-manager - kind: ServiceAccount
namespace: {{ cert_manager_namespace }} name: cert-manager
kind: ServiceAccount namespace: {{ cert_manager_namespace }}
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: cert-manager-controller-challenges
labels: labels:
app: cert-manager app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }} app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-challenges
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: cert-manager-controller-challenges name: cert-manager-controller-challenges
subjects: subjects:
- name: cert-manager - kind: ServiceAccount
namespace: {{ cert_manager_namespace }} name: cert-manager
kind: ServiceAccount namespace: {{ cert_manager_namespace }}
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: cert-manager-controller-ingress-shim
labels: labels:
app: cert-manager app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }} app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-ingress-shim
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: cert-manager-controller-ingress-shim name: cert-manager-controller-ingress-shim
subjects: subjects:
- name: cert-manager - kind: ServiceAccount
namespace: {{ cert_manager_namespace }} name: cert-manager
kind: ServiceAccount namespace: {{ cert_manager_namespace }}


@ -13,67 +13,59 @@
# limitations under the License. # limitations under the License.
--- ---
apiVersion: apiextensions.k8s.io/v1beta1 apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
name: orders.acme.cert-manager.io
annotations: annotations:
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
labels: labels:
app: cert-manager app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager
helm.sh/chart: cert-manager-{{ cert_manager_version }} name: orders.acme.cert-manager.io
spec: spec:
additionalPrinterColumns:
- JSONPath: .status.state
name: State
type: string
- JSONPath: .spec.issuerRef.name
name: Issuer
priority: 1
type: string
- JSONPath: .status.reason
name: Reason
priority: 1
type: string
- JSONPath: .metadata.creationTimestamp
description: CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before order
across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC.
name: Age
type: date
group: acme.cert-manager.io
preserveUnknownFields: false
conversion: conversion:
# a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
strategy: Webhook strategy: Webhook
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server. webhook:
webhookClientConfig: clientConfig:
service: service:
namespace: '{{ cert_manager_namespace }}' name: cert-manager-webhook
name: 'cert-manager-webhook' namespace: {{ cert_manager_namespace }}
path: /convert path: /convert
conversionReviewVersions:
- v1
- v1beta1
group: acme.cert-manager.io
names: names:
kind: Order kind: Order
listKind: OrderList listKind: OrderList
plural: orders plural: orders
singular: order singular: order
scope: Namespaced scope: Namespaced
subresources:
status: {}
versions: versions:
- name: v1alpha2 - additionalPrinterColumns:
served: true - jsonPath: .status.state
storage: true name: State
"schema": type: string
"openAPIV3Schema": - jsonPath: .spec.issuerRef.name
name: Issuer
priority: 1
type: string
- jsonPath: .status.reason
name: Reason
priority: 1
type: string
- description: CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before
order across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC.
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha2
schema:
openAPIV3Schema:
description: Order is a type to represent an Order with an ACME server description: Order is a type to represent an Order with an ACME server
type: object
required:
- metadata
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: 'APIVersion defines the versioned schema of this representation
@ -88,11 +80,6 @@ spec:
metadata: metadata:
type: object type: object
spec: spec:
type: object
required:
- csr
- dnsNames
- issuerRef
properties: properties:
commonName: commonName:
description: CommonName is the common name as specified on the DER description: CommonName is the common name as specified on the DER
@ -104,24 +91,21 @@ spec:
description: Certificate signing request bytes in DER encoding. This description: Certificate signing request bytes in DER encoding. This
will be used when finalizing the order. This field must be set on will be used when finalizing the order. This field must be set on
the order. the order.
type: string
format: byte format: byte
type: string
dnsNames: dnsNames:
description: DNSNames is a list of DNS names that should be included description: DNSNames is a list of DNS names that should be included
as part of the Order validation process. This field must match the as part of the Order validation process. This field must match the
corresponding field on the DER encoded CSR. corresponding field on the DER encoded CSR.
type: array
items: items:
type: string type: string
type: array
issuerRef: issuerRef:
description: IssuerRef references a properly configured ACME-type description: IssuerRef references a properly configured ACME-type
Issuer which should be used to create this Order. If the Issuer Issuer which should be used to create this Order. If the Issuer
does not exist, processing will be retried. If the Issuer is not does not exist, processing will be retried. If the Issuer is not
an 'ACME' Issuer, an error will be returned and the Order will be an 'ACME' Issuer, an error will be returned and the Order will be
marked as failed. marked as failed.
type: object
required:
- name
properties: properties:
group: group:
description: Group of the resource being referred to. description: Group of the resource being referred to.
@ -132,37 +116,34 @@ spec:
name: name:
description: Name of the resource being referred to. description: Name of the resource being referred to.
type: string type: string
status: required:
- name
type: object
required:
- csr
- dnsNames
- issuerRef
type: object type: object
status:
properties: properties:
authorizations: authorizations:
description: Authorizations contains data returned from the ACME server description: Authorizations contains data returned from the ACME server
on what authorizations must be completed in order to validate the on what authorizations must be completed in order to validate the
DNS names specified on the Order. DNS names specified on the Order.
type: array
items: items:
description: ACMEAuthorization contains data returned from the ACME description: ACMEAuthorization contains data returned from the ACME
server on an authorization that must be completed in order validate server on an authorization that must be completed in order validate
a DNS name on an ACME Order resource. a DNS name on an ACME Order resource.
type: object
required:
- url
properties: properties:
challenges: challenges:
description: Challenges specifies the challenge types offered description: Challenges specifies the challenge types offered
by the ACME server. One of these challenge types will be selected by the ACME server. One of these challenge types will be selected
when validating the DNS name and an appropriate Challenge when validating the DNS name and an appropriate Challenge
resource will be created to perform the ACME challenge process. resource will be created to perform the ACME challenge process.
type: array
items: items:
description: Challenge specifies a challenge offered by the description: Challenge specifies a challenge offered by the
ACME server for an Order. An appropriate Challenge resource ACME server for an Order. An appropriate Challenge resource
can be created to perform the ACME challenge process. can be created to perform the ACME challenge process.
type: object
required:
- token
- type
- url
properties: properties:
token: token:
description: Token is the token that must be presented description: Token is the token that must be presented
@ -181,6 +162,12 @@ spec:
be used to retrieve additional metadata about the Challenge be used to retrieve additional metadata about the Challenge
from the ACME server. from the ACME server.
type: string type: string
required:
- token
- type
- url
type: object
type: array
identifier: identifier:
description: Identifier is the DNS name to be validated as part description: Identifier is the DNS name to be validated as part
of this authorization of this authorization
@ -194,7 +181,6 @@ spec:
(such as Let's Encrypt's production endpoint). If not set (such as Let's Encrypt's production endpoint). If not set
and 'identifier' is set, the state is assumed to be pending and 'identifier' is set, the state is assumed to be pending
and a Challenge will be created. and a Challenge will be created.
type: string
enum: enum:
- valid - valid
- ready - ready
@ -203,6 +189,7 @@ spec:
- invalid - invalid
- expired - expired
- errored - errored
type: string
url: url:
description: URL is the URL of the Authorization that must be description: URL is the URL of the Authorization that must be
completed completed
@ -214,18 +201,22 @@ spec:
if '*.example.com' is the DNS name being validated, this field if '*.example.com' is the DNS name being validated, this field
will be 'true' and the 'identifier' field will be 'example.com'. will be 'true' and the 'identifier' field will be 'example.com'.
type: boolean type: boolean
required:
- url
type: object
type: array
certificate: certificate:
description: Certificate is a copy of the PEM encoded certificate description: Certificate is a copy of the PEM encoded certificate
for this Order. This field will be populated after the order has for this Order. This field will be populated after the order has
been successfully finalized with the ACME server, and the order been successfully finalized with the ACME server, and the order
has transitioned to the 'valid' state. has transitioned to the 'valid' state.
type: string
format: byte format: byte
type: string
failureTime: failureTime:
description: FailureTime stores the time that this order failed. This description: FailureTime stores the time that this order failed. This
is used to influence garbage collection and back-off. is used to influence garbage collection and back-off.
type: string
format: date-time format: date-time
type: string
finalizeURL: finalizeURL:
description: FinalizeURL of the Order. This is used to obtain certificates description: FinalizeURL of the Order. This is used to obtain certificates
for this order once it has been completed. for this order once it has been completed.
@ -237,7 +228,6 @@ spec:
state: state:
description: State contains the current state of this Order resource. description: State contains the current state of this Order resource.
States 'success' and 'expired' are 'final' States 'success' and 'expired' are 'final'
type: string
enum: enum:
- valid - valid
- ready - ready
@ -246,21 +236,44 @@ spec:
- invalid - invalid
- expired - expired
- errored - errored
type: string
url: url:
description: URL of the Order. This will initially be empty when the description: URL of the Order. This will initially be empty when the
resource is first created. The Order controller will populate this resource is first created. The Order controller will populate this
field when the Order is first processed. This field will be immutable field when the Order is first processed. This field will be immutable
after it is initially set. after it is initially set.
type: string type: string
- name: v1alpha3 type: object
served: true
storage: false
"schema":
"openAPIV3Schema":
description: Order is a type to represent an Order with an ACME server
type: object
required: required:
- metadata - metadata
type: object
served: true
storage: false
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .status.state
name: State
type: string
- jsonPath: .spec.issuerRef.name
name: Issuer
priority: 1
type: string
- jsonPath: .status.reason
name: Reason
priority: 1
type: string
- description: CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before
order across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC.
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha3
schema:
openAPIV3Schema:
description: Order is a type to represent an Order with an ACME server
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: 'APIVersion defines the versioned schema of this representation
@ -275,11 +288,6 @@ spec:
metadata: metadata:
type: object type: object
spec: spec:
type: object
required:
- csr
- dnsNames
- issuerRef
properties: properties:
commonName: commonName:
description: CommonName is the common name as specified on the DER description: CommonName is the common name as specified on the DER
@ -291,24 +299,21 @@ spec:
description: Certificate signing request bytes in DER encoding. This description: Certificate signing request bytes in DER encoding. This
will be used when finalizing the order. This field must be set on will be used when finalizing the order. This field must be set on
the order. the order.
type: string
format: byte format: byte
type: string
dnsNames: dnsNames:
description: DNSNames is a list of DNS names that should be included description: DNSNames is a list of DNS names that should be included
as part of the Order validation process. This field must match the as part of the Order validation process. This field must match the
corresponding field on the DER encoded CSR. corresponding field on the DER encoded CSR.
type: array
items: items:
type: string type: string
type: array
issuerRef: issuerRef:
description: IssuerRef references a properly configured ACME-type description: IssuerRef references a properly configured ACME-type
Issuer which should be used to create this Order. If the Issuer Issuer which should be used to create this Order. If the Issuer
does not exist, processing will be retried. If the Issuer is not does not exist, processing will be retried. If the Issuer is not
an 'ACME' Issuer, an error will be returned and the Order will be an 'ACME' Issuer, an error will be returned and the Order will be
marked as failed. marked as failed.
type: object
required:
- name
properties: properties:
group: group:
description: Group of the resource being referred to. description: Group of the resource being referred to.
@ -319,37 +324,34 @@ spec:
name: name:
description: Name of the resource being referred to. description: Name of the resource being referred to.
type: string type: string
status: required:
- name
type: object
required:
- csr
- dnsNames
- issuerRef
type: object type: object
status:
properties: properties:
authorizations: authorizations:
description: Authorizations contains data returned from the ACME server description: Authorizations contains data returned from the ACME server
on what authorizations must be completed in order to validate the on what authorizations must be completed in order to validate the
DNS names specified on the Order. DNS names specified on the Order.
type: array
items: items:
description: ACMEAuthorization contains data returned from the ACME description: ACMEAuthorization contains data returned from the ACME
server on an authorization that must be completed in order validate server on an authorization that must be completed in order validate
a DNS name on an ACME Order resource. a DNS name on an ACME Order resource.
type: object
required:
- url
properties: properties:
challenges: challenges:
description: Challenges specifies the challenge types offered description: Challenges specifies the challenge types offered
by the ACME server. One of these challenge types will be selected by the ACME server. One of these challenge types will be selected
when validating the DNS name and an appropriate Challenge when validating the DNS name and an appropriate Challenge
resource will be created to perform the ACME challenge process. resource will be created to perform the ACME challenge process.
type: array
items: items:
description: Challenge specifies a challenge offered by the description: Challenge specifies a challenge offered by the
ACME server for an Order. An appropriate Challenge resource ACME server for an Order. An appropriate Challenge resource
can be created to perform the ACME challenge process. can be created to perform the ACME challenge process.
type: object
required:
- token
- type
- url
properties: properties:
token: token:
description: Token is the token that must be presented description: Token is the token that must be presented
@ -368,6 +370,12 @@ spec:
be used to retrieve additional metadata about the Challenge be used to retrieve additional metadata about the Challenge
from the ACME server. from the ACME server.
type: string type: string
required:
- token
- type
- url
type: object
type: array
identifier: identifier:
description: Identifier is the DNS name to be validated as part description: Identifier is the DNS name to be validated as part
of this authorization of this authorization
@ -381,7 +389,6 @@ spec:
(such as Let's Encrypt's production endpoint). If not set (such as Let's Encrypt's production endpoint). If not set
and 'identifier' is set, the state is assumed to be pending and 'identifier' is set, the state is assumed to be pending
and a Challenge will be created. and a Challenge will be created.
type: string
enum: enum:
- valid - valid
- ready - ready
@ -390,6 +397,7 @@ spec:
- invalid - invalid
- expired - expired
- errored - errored
type: string
url: url:
description: URL is the URL of the Authorization that must be description: URL is the URL of the Authorization that must be
completed completed
@ -401,18 +409,22 @@ spec:
if '*.example.com' is the DNS name being validated, this field if '*.example.com' is the DNS name being validated, this field
will be 'true' and the 'identifier' field will be 'example.com'. will be 'true' and the 'identifier' field will be 'example.com'.
type: boolean type: boolean
required:
- url
type: object
type: array
certificate: certificate:
description: Certificate is a copy of the PEM encoded certificate description: Certificate is a copy of the PEM encoded certificate
for this Order. This field will be populated after the order has for this Order. This field will be populated after the order has
been successfully finalized with the ACME server, and the order been successfully finalized with the ACME server, and the order
has transitioned to the 'valid' state. has transitioned to the 'valid' state.
type: string
format: byte format: byte
type: string
failureTime: failureTime:
description: FailureTime stores the time that this order failed. This description: FailureTime stores the time that this order failed. This
is used to influence garbage collection and back-off. is used to influence garbage collection and back-off.
type: string
format: date-time format: date-time
type: string
finalizeURL: finalizeURL:
description: FinalizeURL of the Order. This is used to obtain certificates description: FinalizeURL of the Order. This is used to obtain certificates
for this order once it has been completed. for this order once it has been completed.
@ -424,7 +436,6 @@ spec:
state: state:
description: State contains the current state of this Order resource. description: State contains the current state of this Order resource.
States 'success' and 'expired' are 'final' States 'success' and 'expired' are 'final'
type: string
enum: enum:
- valid - valid
- ready - ready
@ -433,22 +444,44 @@ spec:
- invalid - invalid
- expired - expired
- errored - errored
type: string
url: url:
description: URL of the Order. This will initially be empty when the description: URL of the Order. This will initially be empty when the
resource is first created. The Order controller will populate this resource is first created. The Order controller will populate this
field when the Order is first processed. This field will be immutable field when the Order is first processed. This field will be immutable
after it is initially set. after it is initially set.
type: string type: string
- name: v1beta1 type: object
served: true
storage: false
"schema":
"openAPIV3Schema":
description: Order is a type to represent an Order with an ACME server
type: object
required: required:
- metadata - metadata
- spec type: object
served: true
storage: false
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .status.state
name: State
type: string
- jsonPath: .spec.issuerRef.name
name: Issuer
priority: 1
type: string
- jsonPath: .status.reason
name: Reason
priority: 1
type: string
- description: CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before
order across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC.
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1beta1
schema:
openAPIV3Schema:
description: Order is a type to represent an Order with an ACME server
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: 'APIVersion defines the versioned schema of this representation
@ -463,11 +496,6 @@ spec:
metadata: metadata:
type: object type: object
spec: spec:
type: object
required:
- dnsNames
- issuerRef
- request
properties: properties:
commonName: commonName:
description: CommonName is the common name as specified on the DER description: CommonName is the common name as specified on the DER
@ -479,18 +507,15 @@ spec:
description: DNSNames is a list of DNS names that should be included description: DNSNames is a list of DNS names that should be included
as part of the Order validation process. This field must match the as part of the Order validation process. This field must match the
corresponding field on the DER encoded CSR. corresponding field on the DER encoded CSR.
type: array
items: items:
type: string type: string
type: array
issuerRef: issuerRef:
description: IssuerRef references a properly configured ACME-type description: IssuerRef references a properly configured ACME-type
Issuer which should be used to create this Order. If the Issuer Issuer which should be used to create this Order. If the Issuer
does not exist, processing will be retried. If the Issuer is not does not exist, processing will be retried. If the Issuer is not
an 'ACME' Issuer, an error will be returned and the Order will be an 'ACME' Issuer, an error will be returned and the Order will be
marked as failed. marked as failed.
type: object
required:
- name
properties: properties:
group: group:
description: Group of the resource being referred to. description: Group of the resource being referred to.
@ -501,43 +526,40 @@ spec:
name: name:
description: Name of the resource being referred to. description: Name of the resource being referred to.
type: string type: string
required:
- name
type: object
request: request:
description: Certificate signing request bytes in DER encoding. This description: Certificate signing request bytes in DER encoding. This
will be used when finalizing the order. This field must be set on will be used when finalizing the order. This field must be set on
the order. the order.
type: string
format: byte format: byte
status: type: string
required:
- dnsNames
- issuerRef
- request
type: object type: object
status:
properties: properties:
authorizations: authorizations:
description: Authorizations contains data returned from the ACME server description: Authorizations contains data returned from the ACME server
on what authorizations must be completed in order to validate the on what authorizations must be completed in order to validate the
DNS names specified on the Order. DNS names specified on the Order.
type: array
items: items:
description: ACMEAuthorization contains data returned from the ACME description: ACMEAuthorization contains data returned from the ACME
server on an authorization that must be completed in order validate server on an authorization that must be completed in order validate
a DNS name on an ACME Order resource. a DNS name on an ACME Order resource.
type: object
required:
- url
properties: properties:
challenges: challenges:
description: Challenges specifies the challenge types offered description: Challenges specifies the challenge types offered
by the ACME server. One of these challenge types will be selected by the ACME server. One of these challenge types will be selected
when validating the DNS name and an appropriate Challenge when validating the DNS name and an appropriate Challenge
resource will be created to perform the ACME challenge process. resource will be created to perform the ACME challenge process.
type: array
items: items:
description: Challenge specifies a challenge offered by the description: Challenge specifies a challenge offered by the
ACME server for an Order. An appropriate Challenge resource ACME server for an Order. An appropriate Challenge resource
can be created to perform the ACME challenge process. can be created to perform the ACME challenge process.
type: object
required:
- token
- type
- url
properties: properties:
token: token:
description: Token is the token that must be presented description: Token is the token that must be presented
@ -556,6 +578,12 @@ spec:
be used to retrieve additional metadata about the Challenge be used to retrieve additional metadata about the Challenge
from the ACME server. from the ACME server.
type: string type: string
required:
- token
- type
- url
type: object
type: array
identifier: identifier:
description: Identifier is the DNS name to be validated as part description: Identifier is the DNS name to be validated as part
of this authorization of this authorization
@ -569,7 +597,6 @@ spec:
(such as Let's Encrypt's production endpoint). If not set (such as Let's Encrypt's production endpoint). If not set
and 'identifier' is set, the state is assumed to be pending and 'identifier' is set, the state is assumed to be pending
and a Challenge will be created. and a Challenge will be created.
type: string
enum: enum:
- valid - valid
- ready - ready
@ -578,6 +605,7 @@ spec:
- invalid - invalid
- expired - expired
- errored - errored
type: string
url: url:
description: URL is the URL of the Authorization that must be description: URL is the URL of the Authorization that must be
completed completed
@ -589,18 +617,22 @@ spec:
if '*.example.com' is the DNS name being validated, this field if '*.example.com' is the DNS name being validated, this field
will be 'true' and the 'identifier' field will be 'example.com'. will be 'true' and the 'identifier' field will be 'example.com'.
type: boolean type: boolean
required:
- url
type: object
type: array
certificate: certificate:
description: Certificate is a copy of the PEM encoded certificate description: Certificate is a copy of the PEM encoded certificate
for this Order. This field will be populated after the order has for this Order. This field will be populated after the order has
been successfully finalized with the ACME server, and the order been successfully finalized with the ACME server, and the order
has transitioned to the 'valid' state. has transitioned to the 'valid' state.
type: string
format: byte format: byte
type: string
failureTime: failureTime:
description: FailureTime stores the time that this order failed. This description: FailureTime stores the time that this order failed. This
is used to influence garbage collection and back-off. is used to influence garbage collection and back-off.
type: string
format: date-time format: date-time
type: string
finalizeURL: finalizeURL:
description: FinalizeURL of the Order. This is used to obtain certificates description: FinalizeURL of the Order. This is used to obtain certificates
for this order once it has been completed. for this order once it has been completed.
@ -612,7 +644,6 @@ spec:
state: state:
description: State contains the current state of this Order resource. description: State contains the current state of this Order resource.
States 'success' and 'expired' are 'final' States 'success' and 'expired' are 'final'
type: string
enum: enum:
- valid - valid
- ready - ready
@ -621,9 +652,234 @@ spec:
- invalid - invalid
- expired - expired
- errored - errored
type: string
url: url:
description: URL of the Order. This will initially be empty when the description: URL of the Order. This will initially be empty when the
resource is first created. The Order controller will populate this resource is first created. The Order controller will populate this
field when the Order is first processed. This field will be immutable field when the Order is first processed. This field will be immutable
after it is initially set. after it is initially set.
type: string type: string
type: object
required:
- metadata
- spec
type: object
served: true
storage: false
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .status.state
name: State
type: string
- jsonPath: .spec.issuerRef.name
name: Issuer
priority: 1
type: string
- jsonPath: .status.reason
name: Reason
priority: 1
type: string
- description: CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before
order across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC.
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1
schema:
openAPIV3Schema:
description: Order is a type to represent an Order with an ACME server
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
commonName:
description: CommonName is the common name as specified on the DER
encoded CSR. If specified, this value must also be present in `dnsNames`.
This field must match the corresponding field on the DER encoded
CSR.
type: string
dnsNames:
description: DNSNames is a list of DNS names that should be included
as part of the Order validation process. This field must match the
corresponding field on the DER encoded CSR.
items:
type: string
type: array
issuerRef:
description: IssuerRef references a properly configured ACME-type
Issuer which should be used to create this Order. If the Issuer
does not exist, processing will be retried. If the Issuer is not
an 'ACME' Issuer, an error will be returned and the Order will be
marked as failed.
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
required:
- name
type: object
request:
description: Certificate signing request bytes in DER encoding. This
will be used when finalizing the order. This field must be set on
the order.
format: byte
type: string
required:
- dnsNames
- issuerRef
- request
type: object
status:
properties:
authorizations:
description: Authorizations contains data returned from the ACME server
on what authorizations must be completed in order to validate the
DNS names specified on the Order.
items:
description: ACMEAuthorization contains data returned from the ACME
server on an authorization that must be completed in order validate
a DNS name on an ACME Order resource.
properties:
challenges:
description: Challenges specifies the challenge types offered
by the ACME server. One of these challenge types will be selected
when validating the DNS name and an appropriate Challenge
resource will be created to perform the ACME challenge process.
items:
description: Challenge specifies a challenge offered by the
ACME server for an Order. An appropriate Challenge resource
can be created to perform the ACME challenge process.
properties:
token:
description: Token is the token that must be presented
for this challenge. This is used to compute the 'key'
that must also be presented.
type: string
type:
description: Type is the type of challenge being offered,
e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
the raw value retrieved from the ACME server. Only 'http-01'
and 'dns-01' are supported by cert-manager, other values
will be ignored.
type: string
url:
description: URL is the URL of this challenge. It can
be used to retrieve additional metadata about the Challenge
from the ACME server.
type: string
required:
- token
- type
- url
type: object
type: array
identifier:
description: Identifier is the DNS name to be validated as part
of this authorization
type: string
initialState:
description: InitialState is the initial state of the ACME authorization
when first fetched from the ACME server. If an Authorization
is already 'valid', the Order controller will not create a
Challenge resource for the authorization. This will occur
when working with an ACME server that enables 'authz reuse'
(such as Let's Encrypt's production endpoint). If not set
and 'identifier' is set, the state is assumed to be pending
and a Challenge will be created.
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
type: string
url:
description: URL is the URL of the Authorization that must be
completed
type: string
wildcard:
description: Wildcard will be true if this authorization is
for a wildcard DNS name. If this is true, the identifier will
be the *non-wildcard* version of the DNS name. For example,
if '*.example.com' is the DNS name being validated, this field
will be 'true' and the 'identifier' field will be 'example.com'.
type: boolean
required:
- url
type: object
type: array
certificate:
description: Certificate is a copy of the PEM encoded certificate
for this Order. This field will be populated after the order has
been successfully finalized with the ACME server, and the order
has transitioned to the 'valid' state.
format: byte
type: string
failureTime:
description: FailureTime stores the time that this order failed. This
is used to influence garbage collection and back-off.
format: date-time
type: string
finalizeURL:
description: FinalizeURL of the Order. This is used to obtain certificates
for this order once it has been completed.
type: string
reason:
description: Reason optionally provides more information about a why
the order is in the current state.
type: string
state:
description: State contains the current state of this Order resource.
States 'success' and 'expired' are 'final'
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
type: string
url:
description: URL of the Order. This will initially be empty when the
resource is first created. The Order controller will populate this
field when the Order is first processed. This field will be immutable
after it is initially set.
type: string
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []


@ -16,162 +16,153 @@
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: cert-manager-cainjector
namespace: {{ cert_manager_namespace }}
labels: labels:
app: cainjector app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cainjector app.kubernetes.io/component: cainjector
helm.sh/chart: cert-manager-{{ cert_manager_version }} app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cainjector
name: cert-manager-cainjector
namespace: {{ cert_manager_namespace }}
spec: spec:
replicas: 1 replicas: 1
selector: selector:
matchLabels: matchLabels:
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: cainjector app.kubernetes.io/component: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cainjector
template: template:
metadata: metadata:
labels: labels:
app: cainjector app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cainjector app.kubernetes.io/component: cainjector
helm.sh/chart: cert-manager-{{ cert_manager_version }} app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cainjector
spec: spec:
serviceAccountName: cert-manager-cainjector
containers: containers:
- name: cert-manager - args:
image: "{{ cert_manager_cainjector_image_repo }}:{{ cert_manager_cainjector_image_tag }}" - --v=2
imagePullPolicy: {{ k8s_image_pull_policy }} - --leader-election-namespace=kube-system
args: env:
- --v=2 - name: POD_NAMESPACE
- --leader-election-namespace=kube-system valueFrom:
env: fieldRef:
- name: POD_NAMESPACE fieldPath: metadata.namespace
valueFrom: image: "{{ cert_manager_cainjector_image_repo }}:{{ cert_manager_cainjector_image_tag }}"
fieldRef: imagePullPolicy: {{ k8s_image_pull_policy }}
fieldPath: metadata.namespace name: cert-manager
resources: resources: {}
{} serviceAccountName: cert-manager-cainjector
--- ---
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: cert-manager
namespace: {{ cert_manager_namespace }}
labels: labels:
app: cert-manager app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }} app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager
namespace: {{ cert_manager_namespace }}
spec: spec:
replicas: 1 replicas: 1
selector: selector:
matchLabels: matchLabels:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: controller app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
template: template:
metadata: metadata:
annotations:
prometheus.io/path: /metrics
prometheus.io/port: "9402"
prometheus.io/scrape: "true"
labels: labels:
app: cert-manager app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: controller app.kubernetes.io/component: controller
app.kubernetes.io/managed-by: Helm app.kubernetes.io/instance: cert-manager
helm.sh/chart: cert-manager-{{ cert_manager_version }} app.kubernetes.io/name: cert-manager
annotations:
prometheus.io/path: "/metrics"
prometheus.io/scrape: 'true'
prometheus.io/port: '9402'
spec: spec:
serviceAccountName: cert-manager
containers: containers:
- name: cert-manager - args:
image: "{{ cert_manager_controller_image_repo }}:{{ cert_manager_controller_image_tag }}" - --v=2
imagePullPolicy: {{ k8s_image_pull_policy }} - --cluster-resource-namespace=$(POD_NAMESPACE)
args: - --leader-election-namespace=kube-system
- --v=2 env:
- --cluster-resource-namespace=$(POD_NAMESPACE) - name: POD_NAMESPACE
- --leader-election-namespace=kube-system valueFrom:
ports: fieldRef:
- containerPort: 9402 fieldPath: metadata.namespace
protocol: TCP image: "{{ cert_manager_controller_image_repo }}:{{ cert_manager_controller_image_tag }}"
env: imagePullPolicy: {{ k8s_image_pull_policy }}
- name: POD_NAMESPACE name: cert-manager
valueFrom: ports:
fieldRef: - containerPort: 9402
fieldPath: metadata.namespace protocol: TCP
resources: resources: {}
{} serviceAccountName: cert-manager
--- ---
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: cert-manager-webhook
namespace: {{ cert_manager_namespace }}
labels: labels:
app: webhook app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: webhook app.kubernetes.io/component: webhook
helm.sh/chart: cert-manager-{{ cert_manager_version }} app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: webhook
name: cert-manager-webhook
namespace: {{ cert_manager_namespace }}
spec: spec:
replicas: 1 replicas: 1
selector: selector:
matchLabels: matchLabels:
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: webhook app.kubernetes.io/component: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: webhook
template: template:
metadata: metadata:
labels: labels:
app: webhook app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: webhook app.kubernetes.io/component: webhook
helm.sh/chart: cert-manager-{{ cert_manager_version }} app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: webhook
spec: spec:
serviceAccountName: cert-manager-webhook
containers: containers:
- name: cert-manager - args:
image: "{{ cert_manager_webhook_image_repo }}:{{ cert_manager_webhook_image_tag }}" - --v=2
imagePullPolicy: {{ k8s_image_pull_policy }} - --secure-port=10250
args: - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
- --v=2 - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
- --secure-port=10250 - --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.{{ cert_manager_namespace }},cert-manager-webhook.{{ cert_manager_namespace }}.svc
- --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE) env:
- --dynamic-serving-ca-secret-name=cert-manager-webhook-ca - name: POD_NAMESPACE
- --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc valueFrom:
ports: fieldRef:
- name: https fieldPath: metadata.namespace
containerPort: 10250 image: "{{ cert_manager_webhook_image_repo }}:{{ cert_manager_webhook_image_tag }}"
livenessProbe: imagePullPolicy: {{ k8s_image_pull_policy }}
httpGet: livenessProbe:
path: /livez failureThreshold: 3
port: 6080 httpGet:
scheme: HTTP path: /livez
initialDelaySeconds: 60 port: 6080
periodSeconds: 10 scheme: HTTP
readinessProbe: initialDelaySeconds: 60
httpGet: periodSeconds: 10
path: /healthz successThreshold: 1
port: 6080 timeoutSeconds: 1
scheme: HTTP name: cert-manager
initialDelaySeconds: 5 ports:
periodSeconds: 5 - containerPort: 10250
env: name: https
- name: POD_NAMESPACE readinessProbe:
valueFrom: failureThreshold: 3
fieldRef: httpGet:
fieldPath: metadata.namespace path: /healthz
resources: port: 6080
{} scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 1
resources: {}
serviceAccountName: cert-manager-webhook


@ -16,70 +16,85 @@
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
name: cert-manager-cainjector:leaderelection
namespace: kube-system
labels: labels:
app: cainjector app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cainjector app.kubernetes.io/component: cainjector
helm.sh/chart: cert-manager-{{ cert_manager_version }} app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cainjector
name: cert-manager-cainjector:leaderelection
namespace: kube-system
rules: rules:
# Used for leader election by the controller - apiGroups:
# cert-manager-cainjector-leader-election is used by the CertificateBased injector controller - ""
# see cmd/cainjector/start.go#L113 resourceNames:
# cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller - cert-manager-cainjector-leader-election
# see cmd/cainjector/start.go#L137 - cert-manager-cainjector-leader-election-core
- apiGroups: [""] resources:
resources: ["configmaps"] - configmaps
resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"] verbs:
verbs: ["get", "update", "patch"] - get
- apiGroups: [""] - update
resources: ["configmaps"] - patch
verbs: ["create"] - apiGroups:
- ""
resources:
- configmaps
verbs:
- create
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
name: cert-manager:leaderelection
namespace: kube-system
labels: labels:
app: cert-manager app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }} app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager:leaderelection
namespace: kube-system
rules: rules:
# Used for leader election by the controller - apiGroups:
- apiGroups: [""] - ""
resources: ["configmaps"] resourceNames:
resourceNames: ["cert-manager-controller"] - cert-manager-controller
verbs: ["get", "update", "patch"] resources:
- apiGroups: [""] - configmaps
resources: ["configmaps"] verbs:
verbs: ["create"] - get
- update
- patch
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
name: cert-manager-webhook:dynamic-serving
namespace: {{ cert_manager_namespace }}
labels: labels:
app: webhook app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: webhook app.kubernetes.io/component: webhook
helm.sh/chart: cert-manager-{{ cert_manager_version }} app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: webhook
name: cert-manager-webhook:dynamic-serving
namespace: {{ cert_manager_namespace }}
rules: rules:
- apiGroups: [""] - apiGroups:
resources: ["secrets"] - ""
resourceNames: resourceNames:
- 'cert-manager-webhook-ca' - cert-manager-webhook-ca
verbs: ["get", "list", "watch", "update"] resources:
# It's not possible to grant CREATE permission on a single resourceName. - secrets
- apiGroups: [""] verbs:
resources: ["secrets"] - get
verbs: ["create"] - list
- watch
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
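Review bot: The regenerated Role manifests drop the explanatory comments the old side carried, and those are worth restoring in the template because they explain exactly the rules an RBAC audit questions. Above the second rule of `cert-manager-webhook:dynamic-serving` the old comment `# It's not possible to grant CREATE permission on a single resourceName.` told the reader why that rule grants `create` on every Secret in the namespace while the preceding rule is pinned to `cert-manager-webhook-ca`; the same reasoning covers the unrestricted `create` on ConfigMaps in kube-system in the two leader-election Roles. The cainjector leader-election Role also lost the comment naming which ConfigMap each injector controller locks (`cert-manager-cainjector-leader-election` for the certificate-based injector, `cert-manager-cainjector-leader-election-core` for the secret-based one). Since the file is rendered through a template engine (it carries `{{ cert_manager_namespace }}`), plain `#` comments above each rule should pass through to the applied manifest unchanged.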


@ -16,58 +16,52 @@
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: cert-manager-cainjector:leaderelection
namespace: kube-system
labels: labels:
app: cainjector app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cainjector app.kubernetes.io/component: cainjector
helm.sh/chart: cert-manager-{{ cert_manager_version }} app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cainjector
name: cert-manager-cainjector:leaderelection
namespace: kube-system
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: Role kind: Role
name: cert-manager-cainjector:leaderelection name: cert-manager-cainjector:leaderelection
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: cert-manager-cainjector name: cert-manager-cainjector
namespace: {{ cert_manager_namespace }} namespace: {{ cert_manager_namespace }}
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: cert-manager:leaderelection
namespace: kube-system
labels: labels:
app: cert-manager app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }} app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager:leaderelection
namespace: kube-system
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: Role kind: Role
name: cert-manager:leaderelection name: cert-manager:leaderelection
subjects: subjects:
- apiGroup: "" - apiGroup: ""
kind: ServiceAccount kind: ServiceAccount
name: cert-manager name: cert-manager
namespace: {{ cert_manager_namespace }} namespace: {{ cert_manager_namespace }}
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: cert-manager-webhook:dynamic-serving
namespace: {{ cert_manager_namespace }}
labels: labels:
app: webhook app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: webhook app.kubernetes.io/component: webhook
helm.sh/chart: cert-manager-{{ cert_manager_version }} app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: webhook
name: cert-manager-webhook:dynamic-serving
namespace: {{ cert_manager_namespace }}
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: Role kind: Role


@ -16,38 +16,32 @@
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: cert-manager-cainjector
namespace: {{ cert_manager_namespace }}
labels: labels:
app: cainjector app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cainjector app.kubernetes.io/component: cainjector
helm.sh/chart: cert-manager-{{ cert_manager_version }} app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cainjector
name: cert-manager-cainjector
namespace: {{ cert_manager_namespace }}
--- ---
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: cert-manager
namespace: {{ cert_manager_namespace }}
labels: labels:
app: cert-manager app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }} app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager
namespace: {{ cert_manager_namespace }}
--- ---
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: cert-manager-webhook
namespace: {{ cert_manager_namespace }}
labels: labels:
app: webhook app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: webhook app.kubernetes.io/component: webhook
helm.sh/chart: cert-manager-{{ cert_manager_version }} app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: webhook
name: cert-manager-webhook
namespace: {{ cert_manager_namespace }}


@ -16,45 +16,41 @@
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: cert-manager
namespace: {{ cert_manager_namespace }}
labels: labels:
app: cert-manager app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }} app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager
namespace: {{ cert_manager_namespace }}
spec: spec:
type: ClusterIP
ports: ports:
- protocol: TCP - port: 9402
port: 9402 protocol: TCP
targetPort: 9402 targetPort: 9402
selector: selector:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: controller app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
type: ClusterIP
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: cert-manager-webhook
namespace: {{ cert_manager_namespace }}
labels: labels:
app: webhook app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: webhook app.kubernetes.io/component: webhook
helm.sh/chart: cert-manager-{{ cert_manager_version }} app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: webhook
name: cert-manager-webhook
namespace: {{ cert_manager_namespace }}
spec: spec:
type: ClusterIP
ports: ports:
- name: https - name: https
port: 443 port: 443
targetPort: 10250 targetPort: 10250
selector: selector:
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: webhook app.kubernetes.io/component: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: webhook
type: ClusterIP


@ -13,82 +13,82 @@
# limitations under the License. # limitations under the License.
--- ---
apiVersion: admissionregistration.k8s.io/v1beta1 apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration kind: MutatingWebhookConfiguration
metadata: metadata:
name: cert-manager-webhook annotations:
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
labels: labels:
app: webhook app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: webhook app.kubernetes.io/component: webhook
helm.sh/chart: cert-manager-{{ cert_manager_version }} app.kubernetes.io/instance: cert-manager
annotations: app.kubernetes.io/name: webhook
cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca" name: cert-manager-webhook
webhooks: webhooks:
- name: webhook.cert-manager.io - admissionReviewVersions:
rules: - v1
- apiGroups: - v1beta1
- "cert-manager.io" clientConfig:
- "acme.cert-manager.io" service:
apiVersions: name: cert-manager-webhook
- "*" namespace: {{ cert_manager_namespace }}
operations: path: /mutate
- CREATE failurePolicy: Fail
- UPDATE name: webhook.cert-manager.io
resources: rules:
- "*/*" - apiGroups:
failurePolicy: Fail - cert-manager.io
# Only include 'sideEffects' field in Kubernetes 1.12+ - acme.cert-manager.io
sideEffects: None apiVersions:
clientConfig: - '*'
service: operations:
name: cert-manager-webhook - CREATE
namespace: {{ cert_manager_namespace }} - UPDATE
path: /mutate resources:
- '*/*'
sideEffects: None
--- ---
apiVersion: admissionregistration.k8s.io/v1beta1 apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration kind: ValidatingWebhookConfiguration
metadata: metadata:
name: cert-manager-webhook annotations:
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
labels: labels:
app: webhook app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: webhook app.kubernetes.io/component: webhook
helm.sh/chart: cert-manager-{{ cert_manager_version }} app.kubernetes.io/instance: cert-manager
annotations: app.kubernetes.io/name: webhook
cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca" name: cert-manager-webhook
webhooks: webhooks:
- name: webhook.cert-manager.io - admissionReviewVersions:
namespaceSelector: - v1
matchExpressions: - v1beta1
- key: "cert-manager.io/disable-validation" clientConfig:
operator: "NotIn" service:
values: name: cert-manager-webhook
- "true" namespace: {{ cert_manager_namespace }}
- key: "name" path: /validate
operator: "NotIn" failurePolicy: Fail
values: name: webhook.cert-manager.io
- cert-manager namespaceSelector:
rules: matchExpressions:
- apiGroups: - key: cert-manager.io/disable-validation
- "cert-manager.io" operator: NotIn
- "acme.cert-manager.io" values:
apiVersions: - "true"
- "*" - key: name
operations: operator: NotIn
- CREATE values:
- UPDATE - cert-manager
resources: rules:
- "*/*" - apiGroups:
failurePolicy: Fail - cert-manager.io
# Only include 'sideEffects' field in Kubernetes 1.12+ - acme.cert-manager.io
sideEffects: None apiVersions:
clientConfig: - '*'
service: operations:
name: cert-manager-webhook - CREATE
namespace: {{ cert_manager_namespace }} - UPDATE
path: /validate resources:
- '*/*'
sideEffects: None