9cc70e9e70
* Upgrade JetStack Cert-Manager to v0.15.2 * Add README.md table of contents
293 lines
11 KiB
Django/Jinja
293 lines
11 KiB
Django/Jinja
# Copyright YEAR The Jetstack cert-manager contributors.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: cert-manager-cainjector
|
|
labels:
|
|
app: cainjector
|
|
app.kubernetes.io/name: cainjector
|
|
app.kubernetes.io/instance: cert-manager
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/component: cainjector
|
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
|
rules:
|
|
- apiGroups: ["cert-manager.io"]
|
|
resources: ["certificates"]
|
|
verbs: ["get", "list", "watch"]
|
|
- apiGroups: [""]
|
|
resources: ["secrets"]
|
|
verbs: ["get", "list", "watch"]
|
|
- apiGroups: [""]
|
|
resources: ["events"]
|
|
verbs: ["get", "create", "update", "patch"]
|
|
- apiGroups: ["admissionregistration.k8s.io"]
|
|
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
|
|
verbs: ["get", "list", "watch", "update"]
|
|
- apiGroups: ["apiregistration.k8s.io"]
|
|
resources: ["apiservices"]
|
|
verbs: ["get", "list", "watch", "update"]
|
|
- apiGroups: ["apiextensions.k8s.io"]
|
|
resources: ["customresourcedefinitions"]
|
|
verbs: ["get", "list", "watch", "update"]
|
|
- apiGroups: ["auditregistration.k8s.io"]
|
|
resources: ["auditsinks"]
|
|
verbs: ["get", "list", "watch", "update"]
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: cert-manager-controller-orders
|
|
labels:
|
|
app: cert-manager
|
|
app.kubernetes.io/name: cert-manager
|
|
app.kubernetes.io/instance: cert-manager
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/component: controller
|
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
|
rules:
|
|
- apiGroups: ["acme.cert-manager.io"]
|
|
resources: ["orders", "orders/status"]
|
|
verbs: ["update"]
|
|
- apiGroups: ["acme.cert-manager.io"]
|
|
resources: ["orders", "challenges"]
|
|
verbs: ["get", "list", "watch"]
|
|
- apiGroups: ["cert-manager.io"]
|
|
resources: ["clusterissuers", "issuers"]
|
|
verbs: ["get", "list", "watch"]
|
|
- apiGroups: ["acme.cert-manager.io"]
|
|
resources: ["challenges"]
|
|
verbs: ["create", "delete"]
|
|
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
|
# admission controller enabled:
|
|
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
|
- apiGroups: ["acme.cert-manager.io"]
|
|
resources: ["orders/finalizers"]
|
|
verbs: ["update"]
|
|
- apiGroups: [""]
|
|
resources: ["secrets"]
|
|
verbs: ["get", "list", "watch"]
|
|
- apiGroups: [""]
|
|
resources: ["events"]
|
|
verbs: ["create", "patch"]
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: cert-manager-controller-ingress-shim
|
|
labels:
|
|
app: cert-manager
|
|
app.kubernetes.io/name: cert-manager
|
|
app.kubernetes.io/instance: cert-manager
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/component: controller
|
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
|
rules:
|
|
- apiGroups: ["cert-manager.io"]
|
|
resources: ["certificates", "certificaterequests"]
|
|
verbs: ["create", "update", "delete"]
|
|
- apiGroups: ["cert-manager.io"]
|
|
resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
|
|
verbs: ["get", "list", "watch"]
|
|
- apiGroups: ["extensions"]
|
|
resources: ["ingresses"]
|
|
verbs: ["get", "list", "watch"]
|
|
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
|
# admission controller enabled:
|
|
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
|
- apiGroups: ["extensions"]
|
|
resources: ["ingresses/finalizers"]
|
|
verbs: ["update"]
|
|
- apiGroups: [""]
|
|
resources: ["events"]
|
|
verbs: ["create", "patch"]
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: cert-manager-view
|
|
labels:
|
|
app: cert-manager
|
|
app.kubernetes.io/name: cert-manager
|
|
app.kubernetes.io/instance: cert-manager
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/component: controller
|
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
|
rbac.authorization.k8s.io/aggregate-to-view: "true"
|
|
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
|
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
|
rules:
|
|
- apiGroups: ["cert-manager.io"]
|
|
resources: ["certificates", "certificaterequests", "issuers"]
|
|
verbs: ["get", "list", "watch"]
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: cert-manager-controller-challenges
|
|
labels:
|
|
app: cert-manager
|
|
app.kubernetes.io/name: cert-manager
|
|
app.kubernetes.io/instance: cert-manager
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/component: controller
|
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
|
rules:
|
|
# Use to update challenge resource status
|
|
- apiGroups: ["acme.cert-manager.io"]
|
|
resources: ["challenges", "challenges/status"]
|
|
verbs: ["update"]
|
|
# Used to watch challenge resources
|
|
- apiGroups: ["acme.cert-manager.io"]
|
|
resources: ["challenges"]
|
|
verbs: ["get", "list", "watch"]
|
|
# Used to watch challenges, issuer and clusterissuer resources
|
|
- apiGroups: ["cert-manager.io"]
|
|
resources: ["issuers", "clusterissuers"]
|
|
verbs: ["get", "list", "watch"]
|
|
# Need to be able to retrieve ACME account private key to complete challenges
|
|
- apiGroups: [""]
|
|
resources: ["secrets"]
|
|
verbs: ["get", "list", "watch"]
|
|
# Used to create events
|
|
- apiGroups: [""]
|
|
resources: ["events"]
|
|
verbs: ["create", "patch"]
|
|
# HTTP01 rules
|
|
- apiGroups: [""]
|
|
resources: ["pods", "services"]
|
|
verbs: ["get", "list", "watch", "create", "delete"]
|
|
- apiGroups: ["extensions"]
|
|
resources: ["ingresses"]
|
|
verbs: ["get", "list", "watch", "create", "delete", "update"]
|
|
# We require the ability to specify a custom hostname when we are creating
|
|
# new ingress resources.
|
|
# See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
|
|
- apiGroups: ["route.openshift.io"]
|
|
resources: ["routes/custom-host"]
|
|
verbs: ["create"]
|
|
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
|
# admission controller enabled:
|
|
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
|
- apiGroups: ["acme.cert-manager.io"]
|
|
resources: ["challenges/finalizers"]
|
|
verbs: ["update"]
|
|
# DNS01 rules (duplicated above)
|
|
- apiGroups: [""]
|
|
resources: ["secrets"]
|
|
verbs: ["get", "list", "watch"]
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: cert-manager-controller-issuers
|
|
labels:
|
|
app: cert-manager
|
|
app.kubernetes.io/name: cert-manager
|
|
app.kubernetes.io/instance: cert-manager
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/component: controller
|
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
|
rules:
|
|
- apiGroups: ["cert-manager.io"]
|
|
resources: ["issuers", "issuers/status"]
|
|
verbs: ["update"]
|
|
- apiGroups: ["cert-manager.io"]
|
|
resources: ["issuers"]
|
|
verbs: ["get", "list", "watch"]
|
|
- apiGroups: [""]
|
|
resources: ["secrets"]
|
|
verbs: ["get", "list", "watch", "create", "update", "delete"]
|
|
- apiGroups: [""]
|
|
resources: ["events"]
|
|
verbs: ["create", "patch"]
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: cert-manager-controller-clusterissuers
|
|
labels:
|
|
app: cert-manager
|
|
app.kubernetes.io/name: cert-manager
|
|
app.kubernetes.io/instance: cert-manager
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/component: controller
|
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
|
rules:
|
|
- apiGroups: ["cert-manager.io"]
|
|
resources: ["clusterissuers", "clusterissuers/status"]
|
|
verbs: ["update"]
|
|
- apiGroups: ["cert-manager.io"]
|
|
resources: ["clusterissuers"]
|
|
verbs: ["get", "list", "watch"]
|
|
- apiGroups: [""]
|
|
resources: ["secrets"]
|
|
verbs: ["get", "list", "watch", "create", "update", "delete"]
|
|
- apiGroups: [""]
|
|
resources: ["events"]
|
|
verbs: ["create", "patch"]
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: cert-manager-edit
|
|
labels:
|
|
app: cert-manager
|
|
app.kubernetes.io/name: cert-manager
|
|
app.kubernetes.io/instance: cert-manager
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/component: controller
|
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
|
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
|
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
|
rules:
|
|
- apiGroups: ["cert-manager.io"]
|
|
resources: ["certificates", "certificaterequests", "issuers"]
|
|
verbs: ["create", "delete", "deletecollection", "patch", "update"]
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: cert-manager-controller-certificates
|
|
labels:
|
|
app: cert-manager
|
|
app.kubernetes.io/name: cert-manager
|
|
app.kubernetes.io/instance: cert-manager
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/component: controller
|
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
|
rules:
|
|
- apiGroups: ["cert-manager.io"]
|
|
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
|
|
verbs: ["update"]
|
|
- apiGroups: ["cert-manager.io"]
|
|
resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
|
|
verbs: ["get", "list", "watch"]
|
|
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
|
# admission controller enabled:
|
|
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
|
- apiGroups: ["cert-manager.io"]
|
|
resources: ["certificates/finalizers", "certificaterequests/finalizers"]
|
|
verbs: ["update"]
|
|
- apiGroups: ["acme.cert-manager.io"]
|
|
resources: ["orders"]
|
|
verbs: ["create", "delete", "get", "list", "watch"]
|
|
- apiGroups: [""]
|
|
resources: ["secrets"]
|
|
verbs: ["get", "list", "watch", "create", "update", "delete"]
|
|
- apiGroups: [""]
|
|
resources: ["events"]
|
|
verbs: ["create", "patch"]
|