Update cert manager to 0.16.1 (#6600)

* Update cert manager to 0.16.1

* Update cert manager to 0.16.1

Co-authored-by: Barry Melbourne <9964974+bmelbourne@users.noreply.github.com>
tasekida 2020-09-04 20:53:48 +09:00 committed by GitHub
parent 0553814b4f
commit fc61f8d52e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 17638 additions and 5412 deletions


@ -137,7 +137,7 @@ Note: Upstart/SysV init based OS types are not supported.
- [ambassador](https://github.com/datawire/ambassador): v1.5 - [ambassador](https://github.com/datawire/ambassador): v1.5
- [cephfs-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.0-k8s1.11 - [cephfs-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.0-k8s1.11
- [rbd-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.1-k8s1.11 - [rbd-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.1-k8s1.11
- [cert-manager](https://github.com/jetstack/cert-manager) v0.15.2 - [cert-manager](https://github.com/jetstack/cert-manager) v0.16.1
- [coredns](https://github.com/coredns/coredns) v1.6.7 - [coredns](https://github.com/coredns/coredns) v1.6.7
- [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v0.35.0 - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v0.35.0


@ -583,7 +583,7 @@ ingress_ambassador_image_repo: "{{ quay_image_repo }}/datawire/ambassador-operat
ingress_ambassador_image_tag: "v1.2.8" ingress_ambassador_image_tag: "v1.2.8"
alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller" alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
alb_ingress_image_tag: "v1.1.8" alb_ingress_image_tag: "v1.1.8"
cert_manager_version: "v0.15.2" cert_manager_version: "v0.16.1"
cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller" cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller"
cert_manager_controller_image_tag: "{{ cert_manager_version }}" cert_manager_controller_image_tag: "{{ cert_manager_version }}"
cert_manager_cainjector_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-cainjector" cert_manager_cainjector_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-cainjector"


@ -49,6 +49,90 @@ rules:
--- ---
apiVersion: rbac.authorization.k8s.io/v1beta1 apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole kind: ClusterRole
metadata:
name: cert-manager-controller-issuers
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["issuers", "issuers/status"]
verbs: ["update"]
- apiGroups: ["cert-manager.io"]
resources: ["issuers"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: cert-manager-controller-clusterissuers
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers", "clusterissuers/status"]
verbs: ["update"]
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: cert-manager-controller-certificates
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
verbs: ["update"]
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
verbs: ["get", "list", "watch"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["cert-manager.io"]
resources: ["certificates/finalizers", "certificaterequests/finalizers"]
verbs: ["update"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders"]
verbs: ["create", "delete", "get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata: metadata:
name: cert-manager-controller-orders name: cert-manager-controller-orders
labels: labels:
@ -86,56 +170,6 @@ rules:
--- ---
apiVersion: rbac.authorization.k8s.io/v1beta1 apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole kind: ClusterRole
metadata:
name: cert-manager-controller-ingress-shim
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests"]
verbs: ["create", "update", "delete"]
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["extensions"]
resources: ["ingresses"]
verbs: ["get", "list", "watch"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["extensions"]
resources: ["ingresses/finalizers"]
verbs: ["update"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-view
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
rbac.authorization.k8s.io/aggregate-to-view: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "issuers"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata: metadata:
name: cert-manager-controller-challenges name: cert-manager-controller-challenges
labels: labels:
@ -193,7 +227,7 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1beta1 apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
name: cert-manager-controller-issuers name: cert-manager-controller-ingress-shim
labels: labels:
app: cert-manager app: cert-manager
app.kubernetes.io/name: cert-manager app.kubernetes.io/name: cert-manager
@ -203,22 +237,28 @@ metadata:
helm.sh/chart: cert-manager-{{ cert_manager_version }} helm.sh/chart: cert-manager-{{ cert_manager_version }}
rules: rules:
- apiGroups: ["cert-manager.io"] - apiGroups: ["cert-manager.io"]
resources: ["issuers", "issuers/status"] resources: ["certificates", "certificaterequests"]
verbs: ["update"] verbs: ["create", "update", "delete"]
- apiGroups: ["cert-manager.io"] - apiGroups: ["cert-manager.io"]
resources: ["issuers"] resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
verbs: ["get", "list", "watch"] verbs: ["get", "list", "watch"]
- apiGroups: [""] - apiGroups: ["extensions"]
resources: ["secrets"] resources: ["ingresses"]
verbs: ["get", "list", "watch", "create", "update", "delete"] verbs: ["get", "list", "watch"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["extensions"]
resources: ["ingresses/finalizers"]
verbs: ["update"]
- apiGroups: [""] - apiGroups: [""]
resources: ["events"] resources: ["events"]
verbs: ["create", "patch"] verbs: ["create", "patch"]
--- ---
apiVersion: rbac.authorization.k8s.io/v1beta1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
name: cert-manager-controller-clusterissuers name: cert-manager-view
labels: labels:
app: cert-manager app: cert-manager
app.kubernetes.io/name: cert-manager app.kubernetes.io/name: cert-manager
@ -226,19 +266,13 @@ metadata:
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }} helm.sh/chart: cert-manager-{{ cert_manager_version }}
rbac.authorization.k8s.io/aggregate-to-view: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules: rules:
- apiGroups: ["cert-manager.io"] - apiGroups: ["cert-manager.io"]
resources: ["clusterissuers", "clusterissuers/status"] resources: ["certificates", "certificaterequests", "issuers"]
verbs: ["update"]
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers"]
verbs: ["get", "list", "watch"] verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
@ -257,37 +291,3 @@ rules:
- apiGroups: ["cert-manager.io"] - apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "issuers"] resources: ["certificates", "certificaterequests", "issuers"]
verbs: ["create", "delete", "deletecollection", "patch", "update"] verbs: ["create", "delete", "deletecollection", "patch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: cert-manager-controller-certificates
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
verbs: ["update"]
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
verbs: ["get", "list", "watch"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["cert-manager.io"]
resources: ["certificates/finalizers", "certificaterequests/finalizers"]
verbs: ["update"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders"]
verbs: ["create", "delete", "get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
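Review bot: The re-laid-out ClusterRole documents still mix RBAC API versions: `cert-manager-view` and `cert-manager-edit` declare `apiVersion: rbac.authorization.k8s.io/v1`, while the issuers, clusterissuers, certificates, orders, challenges and ingress-shim roles that this commit moves around keep `apiVersion: rbac.authorization.k8s.io/v1beta1`. `rbac.authorization.k8s.io/v1` has been GA since Kubernetes 1.8 and the v1beta1 group version is deprecated and slated for removal, so the manifest will eventually fail to apply on newer clusters unless the remaining documents are switched to `apiVersion: rbac.authorization.k8s.io/v1`. The companion ClusterRoleBinding template in this commit uses v1beta1 for every binding and needs the same change. As far as the visible hunks show, the rules themselves are identical to the v0.15.2 content and only the document order changed, so this is pre-existing rather than a regression, but a version bump is the natural place to align it.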


@ -36,7 +36,7 @@ subjects:
apiVersion: rbac.authorization.k8s.io/v1beta1 apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: cert-manager-controller-certificates name: cert-manager-controller-issuers
labels: labels:
app: cert-manager app: cert-manager
app.kubernetes.io/name: cert-manager app.kubernetes.io/name: cert-manager
@ -47,7 +47,7 @@ metadata:
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: cert-manager-controller-certificates name: cert-manager-controller-issuers
subjects: subjects:
- name: cert-manager - name: cert-manager
namespace: {{ cert_manager_namespace }} namespace: {{ cert_manager_namespace }}
@ -75,6 +75,46 @@ subjects:
--- ---
apiVersion: rbac.authorization.k8s.io/v1beta1 apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-certificates
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-certificates
subjects:
- name: cert-manager
namespace: {{ cert_manager_namespace }}
kind: ServiceAccount
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-orders
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-orders
subjects:
- name: cert-manager
namespace: {{ cert_manager_namespace }}
kind: ServiceAccount
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata: metadata:
name: cert-manager-controller-challenges name: cert-manager-controller-challenges
labels: labels:
@ -112,43 +152,3 @@ subjects:
- name: cert-manager - name: cert-manager
namespace: {{ cert_manager_namespace }} namespace: {{ cert_manager_namespace }}
kind: ServiceAccount kind: ServiceAccount
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-orders
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-orders
subjects:
- name: cert-manager
namespace: {{ cert_manager_namespace }}
kind: ServiceAccount
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-issuers
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
helm.sh/chart: cert-manager-{{ cert_manager_version }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-issuers
subjects:
- name: cert-manager
namespace: {{ cert_manager_namespace }}
kind: ServiceAccount
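Review bot: The re-added `cert-manager-controller-certificates` and `cert-manager-controller-orders` bindings keep `namespace: {{ cert_manager_namespace }}` unquoted, matching the existing bindings in this file. Since this is a Jinja template rendered before kubectl parses the result as YAML, an empty expansion leaves `namespace:` as null, and a namespace name that is also a YAML 1.1 literal (an all-digit name, or `no`/`on`, both valid DNS labels) would be retyped by a 1.1-style parser; `namespace: "{{ cert_manager_namespace }}"` removes both cases at no cost. I cannot see where `cert_manager_namespace` is defaulted, so the empty-expansion risk may be theoretical in practice, but quoting templated scalars is the convention this file should follow regardless.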


@ -68,186 +68,562 @@ spec:
- name: v1alpha2 - name: v1alpha2
served: true served: true
storage: true storage: true
"schema":
"openAPIV3Schema":
description: Order is a type to represent an Order with an ACME server
type: object
required:
- metadata
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
type: object
required:
- csr
- dnsNames
- issuerRef
properties:
commonName:
description: CommonName is the common name as specified on the DER
encoded CSR. If specified, this value must also be present in `dnsNames`.
This field must match the corresponding field on the DER encoded
CSR.
type: string
csr:
description: Certificate signing request bytes in DER encoding. This
will be used when finalizing the order. This field must be set on
the order.
type: string
format: byte
dnsNames:
description: DNSNames is a list of DNS names that should be included
as part of the Order validation process. This field must match the
corresponding field on the DER encoded CSR.
type: array
items:
type: string
issuerRef:
description: IssuerRef references a properly configured ACME-type
Issuer which should be used to create this Order. If the Issuer
does not exist, processing will be retried. If the Issuer is not
an 'ACME' Issuer, an error will be returned and the Order will be
marked as failed.
type: object
required:
- name
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
status:
type: object
properties:
authorizations:
description: Authorizations contains data returned from the ACME server
on what authorizations must be completed in order to validate the
DNS names specified on the Order.
type: array
items:
description: ACMEAuthorization contains data returned from the ACME
server on an authorization that must be completed in order validate
a DNS name on an ACME Order resource.
type: object
required:
- url
properties:
challenges:
description: Challenges specifies the challenge types offered
by the ACME server. One of these challenge types will be selected
when validating the DNS name and an appropriate Challenge
resource will be created to perform the ACME challenge process.
type: array
items:
description: Challenge specifies a challenge offered by the
ACME server for an Order. An appropriate Challenge resource
can be created to perform the ACME challenge process.
type: object
required:
- token
- type
- url
properties:
token:
description: Token is the token that must be presented
for this challenge. This is used to compute the 'key'
that must also be presented.
type: string
type:
description: Type is the type of challenge being offered,
e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
the raw value retrieved from the ACME server. Only 'http-01'
and 'dns-01' are supported by cert-manager, other values
will be ignored.
type: string
url:
description: URL is the URL of this challenge. It can
be used to retrieve additional metadata about the Challenge
from the ACME server.
type: string
identifier:
description: Identifier is the DNS name to be validated as part
of this authorization
type: string
initialState:
description: InitialState is the initial state of the ACME authorization
when first fetched from the ACME server. If an Authorization
is already 'valid', the Order controller will not create a
Challenge resource for the authorization. This will occur
when working with an ACME server that enables 'authz reuse'
(such as Let's Encrypt's production endpoint). If not set
and 'identifier' is set, the state is assumed to be pending
and a Challenge will be created.
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
url:
description: URL is the URL of the Authorization that must be
completed
type: string
wildcard:
description: Wildcard will be true if this authorization is
for a wildcard DNS name. If this is true, the identifier will
be the *non-wildcard* version of the DNS name. For example,
if '*.example.com' is the DNS name being validated, this field
will be 'true' and the 'identifier' field will be 'example.com'.
type: boolean
certificate:
description: Certificate is a copy of the PEM encoded certificate
for this Order. This field will be populated after the order has
been successfully finalized with the ACME server, and the order
has transitioned to the 'valid' state.
type: string
format: byte
failureTime:
description: FailureTime stores the time that this order failed. This
is used to influence garbage collection and back-off.
type: string
format: date-time
finalizeURL:
description: FinalizeURL of the Order. This is used to obtain certificates
for this order once it has been completed.
type: string
reason:
description: Reason optionally provides more information about a why
the order is in the current state.
type: string
state:
description: State contains the current state of this Order resource.
States 'success' and 'expired' are 'final'
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
url:
description: URL of the Order. This will initially be empty when the
resource is first created. The Order controller will populate this
field when the Order is first processed. This field will be immutable
after it is initially set.
type: string
- name: v1alpha3 - name: v1alpha3
served: true served: true
storage: false storage: false
"validation": "schema":
"openAPIV3Schema": "openAPIV3Schema":
description: Order is a type to represent an Order with an ACME server description: Order is a type to represent an Order with an ACME server
type: object type: object
required: required:
- metadata - metadata
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string type: string
metadata: metadata:
type: object type: object
spec: spec:
type: object type: object
required: required:
- csr - csr
- issuerRef - dnsNames
properties: - issuerRef
commonName: properties:
description: CommonName is the common name as specified on the DER encoded commonName:
CSR. If CommonName is not specified, the first DNSName specified will description: CommonName is the common name as specified on the DER
be used as the CommonName. At least one of CommonName or a DNSNames encoded CSR. If specified, this value must also be present in `dnsNames`.
must be set. This field must match the corresponding field on the This field must match the corresponding field on the DER encoded
DER encoded CSR. CSR.
type: string
csr:
description: Certificate signing request bytes in DER encoding. This
will be used when finalizing the order. This field must be set on
the order.
type: string
format: byte
dnsNames:
description: DNSNames is a list of DNS names that should be included
as part of the Order validation process. If CommonName is not specified,
the first DNSName specified will be used as the CommonName. At least
one of CommonName or a DNSNames must be set. This field must match
the corresponding field on the DER encoded CSR.
type: array
items:
type: string type: string
issuerRef: csr:
description: IssuerRef references a properly configured ACME-type Issuer description: Certificate signing request bytes in DER encoding. This
which should be used to create this Order. If the Issuer does not will be used when finalizing the order. This field must be set on
exist, processing will be retried. If the Issuer is not an 'ACME' the order.
Issuer, an error will be returned and the Order will be marked as type: string
failed. format: byte
type: object dnsNames:
required: description: DNSNames is a list of DNS names that should be included
- name as part of the Order validation process. This field must match the
properties: corresponding field on the DER encoded CSR.
group: type: array
items:
type: string type: string
kind: issuerRef:
type: string description: IssuerRef references a properly configured ACME-type
name: Issuer which should be used to create this Order. If the Issuer
type: string does not exist, processing will be retried. If the Issuer is not
status: an 'ACME' Issuer, an error will be returned and the Order will be
type: object marked as failed.
properties:
authorizations:
description: Authorizations contains data returned from the ACME server
on what authorizations must be completed in order to validate the
DNS names specified on the Order.
type: array
items:
description: ACMEAuthorization contains data returned from the ACME
server on an authorization that must be completed in order validate
a DNS name on an ACME Order resource.
type: object type: object
required: required:
- url - name
properties: properties:
challenges: group:
description: Challenges specifies the challenge types offered description: Group of the resource being referred to.
by the ACME server. One of these challenge types will be selected
when validating the DNS name and an appropriate Challenge resource
will be created to perform the ACME challenge process.
type: array
items:
description: Challenge specifies a challenge offered by the
ACME server for an Order. An appropriate Challenge resource
can be created to perform the ACME challenge process.
type: object
required:
- token
- type
- url
properties:
token:
description: Token is the token that must be presented for
this challenge. This is used to compute the 'key' that
must also be presented.
type: string
type:
description: Type is the type of challenge being offered,
e.g. http-01, dns-01
type: string
url:
description: URL is the URL of this challenge. It can be
used to retrieve additional metadata about the Challenge
from the ACME server.
type: string
identifier:
description: Identifier is the DNS name to be validated as part
of this authorization
type: string type: string
initialState: kind:
description: InitialState is the initial state of the ACME authorization description: Kind of the resource being referred to.
when first fetched from the ACME server. If an Authorization
is already 'valid', the Order controller will not create a Challenge
resource for the authorization. This will occur when working
with an ACME server that enables 'authz reuse' (such as Let's
Encrypt's production endpoint). If not set and 'identifier'
is set, the state is assumed to be pending and a Challenge will
be created.
type: string type: string
enum: name:
- valid description: Name of the resource being referred to.
- ready
- pending
- processing
- invalid
- expired
- errored
url:
description: URL is the URL of the Authorization that must be
completed
type: string type: string
wildcard: status:
description: Wildcard will be true if this authorization is for type: object
a wildcard DNS name. If this is true, the identifier will be properties:
the *non-wildcard* version of the DNS name. For example, if authorizations:
'*.example.com' is the DNS name being validated, this field description: Authorizations contains data returned from the ACME server
will be 'true' and the 'identifier' field will be 'example.com'. on what authorizations must be completed in order to validate the
type: boolean DNS names specified on the Order.
certificate: type: array
description: Certificate is a copy of the PEM encoded certificate for items:
this Order. This field will be populated after the order has been description: ACMEAuthorization contains data returned from the ACME
successfully finalized with the ACME server, and the order has transitioned server on an authorization that must be completed in order validate
to the 'valid' state. a DNS name on an ACME Order resource.
type: string type: object
format: byte required:
failureTime: - url
description: FailureTime stores the time that this order failed. This properties:
is used to influence garbage collection and back-off. challenges:
type: string description: Challenges specifies the challenge types offered
format: date-time by the ACME server. One of these challenge types will be selected
finalizeURL: when validating the DNS name and an appropriate Challenge
description: FinalizeURL of the Order. This is used to obtain certificates resource will be created to perform the ACME challenge process.
for this order once it has been completed. type: array
type: string items:
reason: description: Challenge specifies a challenge offered by the
description: Reason optionally provides more information about a why ACME server for an Order. An appropriate Challenge resource
the order is in the current state. can be created to perform the ACME challenge process.
type: string type: object
state: required:
description: State contains the current state of this Order resource. - token
States 'success' and 'expired' are 'final' - type
type: string - url
enum: properties:
- valid token:
- ready description: Token is the token that must be presented
- pending for this challenge. This is used to compute the 'key'
- processing that must also be presented.
- invalid type: string
- expired type:
- errored description: Type is the type of challenge being offered,
url: e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
description: URL of the Order. This will initially be empty when the the raw value retrieved from the ACME server. Only 'http-01'
resource is first created. The Order controller will populate this and 'dns-01' are supported by cert-manager, other values
field when the Order is first processed. This field will be immutable will be ignored.
after it is initially set. type: string
type: string url:
description: URL is the URL of this challenge. It can
be used to retrieve additional metadata about the Challenge
from the ACME server.
type: string
identifier:
description: Identifier is the DNS name to be validated as part
of this authorization
type: string
initialState:
description: InitialState is the initial state of the ACME authorization
when first fetched from the ACME server. If an Authorization
is already 'valid', the Order controller will not create a
Challenge resource for the authorization. This will occur
when working with an ACME server that enables 'authz reuse'
(such as Let's Encrypt's production endpoint). If not set
and 'identifier' is set, the state is assumed to be pending
and a Challenge will be created.
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
url:
description: URL is the URL of the Authorization that must be
completed
type: string
wildcard:
description: Wildcard will be true if this authorization is
for a wildcard DNS name. If this is true, the identifier will
be the *non-wildcard* version of the DNS name. For example,
if '*.example.com' is the DNS name being validated, this field
will be 'true' and the 'identifier' field will be 'example.com'.
type: boolean
certificate:
description: Certificate is a copy of the PEM encoded certificate
for this Order. This field will be populated after the order has
been successfully finalized with the ACME server, and the order
has transitioned to the 'valid' state.
type: string
format: byte
failureTime:
description: FailureTime stores the time that this order failed. This
is used to influence garbage collection and back-off.
type: string
format: date-time
finalizeURL:
description: FinalizeURL of the Order. This is used to obtain certificates
for this order once it has been completed.
type: string
reason:
description: Reason optionally provides more information about a why
the order is in the current state.
type: string
state:
description: State contains the current state of this Order resource.
States 'success' and 'expired' are 'final'
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
url:
description: URL of the Order. This will initially be empty when the
resource is first created. The Order controller will populate this
field when the Order is first processed. This field will be immutable
after it is initially set.
type: string
- name: v1beta1
served: true
storage: false
"schema":
"openAPIV3Schema":
description: Order is a type to represent an Order with an ACME server
type: object
required:
- metadata
- spec
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
type: object
required:
- dnsNames
- issuerRef
- request
properties:
commonName:
description: CommonName is the common name as specified on the DER
encoded CSR. If specified, this value must also be present in `dnsNames`.
This field must match the corresponding field on the DER encoded
CSR.
type: string
dnsNames:
description: DNSNames is a list of DNS names that should be included
as part of the Order validation process. This field must match the
corresponding field on the DER encoded CSR.
type: array
items:
type: string
issuerRef:
description: IssuerRef references a properly configured ACME-type
Issuer which should be used to create this Order. If the Issuer
does not exist, processing will be retried. If the Issuer is not
an 'ACME' Issuer, an error will be returned and the Order will be
marked as failed.
type: object
required:
- name
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
request:
description: Certificate signing request bytes in DER encoding. This
will be used when finalizing the order. This field must be set on
the order.
type: string
format: byte
status:
type: object
properties:
authorizations:
description: Authorizations contains data returned from the ACME server
on what authorizations must be completed in order to validate the
DNS names specified on the Order.
type: array
items:
description: ACMEAuthorization contains data returned from the ACME
server on an authorization that must be completed in order validate
a DNS name on an ACME Order resource.
type: object
required:
- url
properties:
challenges:
description: Challenges specifies the challenge types offered
by the ACME server. One of these challenge types will be selected
when validating the DNS name and an appropriate Challenge
resource will be created to perform the ACME challenge process.
type: array
items:
description: Challenge specifies a challenge offered by the
ACME server for an Order. An appropriate Challenge resource
can be created to perform the ACME challenge process.
type: object
required:
- token
- type
- url
properties:
token:
description: Token is the token that must be presented
for this challenge. This is used to compute the 'key'
that must also be presented.
type: string
type:
description: Type is the type of challenge being offered,
e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
the raw value retrieved from the ACME server. Only 'http-01'
and 'dns-01' are supported by cert-manager, other values
will be ignored.
type: string
url:
description: URL is the URL of this challenge. It can
be used to retrieve additional metadata about the Challenge
from the ACME server.
type: string
identifier:
description: Identifier is the DNS name to be validated as part
of this authorization
type: string
initialState:
description: InitialState is the initial state of the ACME authorization
when first fetched from the ACME server. If an Authorization
is already 'valid', the Order controller will not create a
Challenge resource for the authorization. This will occur
when working with an ACME server that enables 'authz reuse'
(such as Let's Encrypt's production endpoint). If not set
and 'identifier' is set, the state is assumed to be pending
and a Challenge will be created.
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
url:
description: URL is the URL of the Authorization that must be
completed
type: string
wildcard:
description: Wildcard will be true if this authorization is
for a wildcard DNS name. If this is true, the identifier will
be the *non-wildcard* version of the DNS name. For example,
if '*.example.com' is the DNS name being validated, this field
will be 'true' and the 'identifier' field will be 'example.com'.
type: boolean
certificate:
description: Certificate is a copy of the PEM encoded certificate
for this Order. This field will be populated after the order has
been successfully finalized with the ACME server, and the order
has transitioned to the 'valid' state.
type: string
format: byte
failureTime:
description: FailureTime stores the time that this order failed. This
is used to influence garbage collection and back-off.
type: string
format: date-time
finalizeURL:
description: FinalizeURL of the Order. This is used to obtain certificates
for this order once it has been completed.
type: string
reason:
description: Reason optionally provides more information about a why
the order is in the current state.
type: string
state:
description: State contains the current state of this Order resource.
States 'success' and 'expired' are 'final'
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
url:
description: URL of the Order. This will initially be empty when the
resource is first created. The Order controller will populate this
field when the Order is first processed. This field will be immutable
after it is initially set.
type: string


@ -148,7 +148,7 @@ spec:
args: args:
- --v=2 - --v=2
- --secure-port=10250 - --secure-port=10250
- --dynamic-serving-ca-secret-namespace={{ cert_manager_namespace }} - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
- --dynamic-serving-ca-secret-name=cert-manager-webhook-ca - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
- --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc - --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
ports: ports:
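Review bot: `$(POD_NAMESPACE)` on the --dynamic-serving-ca-secret-namespace arg is only substituted by the kubelet when the container's `env` declares a `POD_NAMESPACE` variable (typically a `fieldRef` to `metadata.namespace`); that `env` block is outside this hunk, so confirm the template defines it, otherwise the literal string is passed and the webhook cannot read or create its CA secret. The unchanged --dynamic-serving-dns-names line still hard-codes the `cert-manager` namespace in the serving SANs while the CA secret namespace is now taken from the pod, so if `cert_manager_namespace` is set to anything else the certificate will not match the Service DNS name the API server uses to reach the webhook and admission calls will fail TLS verification. Suggest `- --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.{{ cert_manager_namespace }},cert-manager-webhook.{{ cert_manager_namespace }}.svc`. The enclosing container spec starts and ends outside the hunk.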


@ -33,8 +33,7 @@ webhooks:
- "cert-manager.io" - "cert-manager.io"
- "acme.cert-manager.io" - "acme.cert-manager.io"
apiVersions: apiVersions:
- v1alpha2 - "*"
- v1alpha3
operations: operations:
- CREATE - CREATE
- UPDATE - UPDATE
@ -79,8 +78,7 @@ webhooks:
- "cert-manager.io" - "cert-manager.io"
- "acme.cert-manager.io" - "acme.cert-manager.io"
apiVersions: apiVersions:
- v1alpha2 - "*"
- v1alpha3
operations: operations:
- CREATE - CREATE
- UPDATE - UPDATE
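Review bot: Both webhook rules now use the wildcard `"*"` under `apiVersions:` with no comment explaining why, and the reason is not obvious from the hunks alone; the CRD update in this commit starts serving `v1beta1`, which the explicit `v1alpha2`/`v1alpha3` list would have left outside admission validation, so a comment such as `# "*" so every served version (including v1beta1) passes through the webhook` above each `apiVersions:` would record the intent. The same change appears in the second hunk (-79,8 +78,7) and this note applies there too. Because the wildcard widens what the webhook intercepts, the `failurePolicy` and `timeoutSeconds` of these webhooks (outside the hunks) now decide how many more writes are blocked when the webhook pod is unavailable; worth checking those values are deliberate for this upgrade. The enclosing `webhooks:` entries start and end outside the hunks.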