[cert-manager] upgrade to v1.15.3 (#11668)
* Feat: upgrade cert-manager version to v1.15.3 Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com> * Feat: upgrade cert-manager crd to v1.15.3 Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com> * Feat: update cert-manager v1.15.3 deployment files Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com> * Docs: upgrade cert-manager to v1.15.3 Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com> --------- Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>pull/11692/head
parent
e293a887da
commit
66d3cb7e6f
|
@ -176,7 +176,7 @@ Note: Upstart/SysV init based OS types are not supported.
|
||||||
- [weave](https://github.com/rajch/weave) v2.8.7
|
- [weave](https://github.com/rajch/weave) v2.8.7
|
||||||
- [kube-vip](https://github.com/kube-vip/kube-vip) v0.8.0
|
- [kube-vip](https://github.com/kube-vip/kube-vip) v0.8.0
|
||||||
- Application
|
- Application
|
||||||
- [cert-manager](https://github.com/jetstack/cert-manager) v1.14.7
|
- [cert-manager](https://github.com/jetstack/cert-manager) v1.15.3
|
||||||
- [coredns](https://github.com/coredns/coredns) v1.11.3
|
- [coredns](https://github.com/coredns/coredns) v1.11.3
|
||||||
- [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v1.11.2
|
- [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v1.11.2
|
||||||
- [krew](https://github.com/kubernetes-sigs/krew) v0.4.4
|
- [krew](https://github.com/kubernetes-sigs/krew) v0.4.4
|
||||||
|
|
File diff suppressed because it is too large
|
@ -422,7 +422,9 @@ rules:
|
||||||
- apiGroups: ["cert-manager.io"]
|
- apiGroups: ["cert-manager.io"]
|
||||||
resources: ["signers"]
|
resources: ["signers"]
|
||||||
verbs: ["approve"]
|
verbs: ["approve"]
|
||||||
resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
|
resourceNames:
|
||||||
|
- "issuers.cert-manager.io/*"
|
||||||
|
- "clusterissuers.cert-manager.io/*"
|
||||||
---
|
---
|
||||||
# Source: cert-manager/deploy/charts/cert-manager/templates/rbac.yaml
|
# Source: cert-manager/deploy/charts/cert-manager/templates/rbac.yaml
|
||||||
# Permission to:
|
# Permission to:
|
||||||
|
@ -921,9 +923,7 @@ spec:
|
||||||
capabilities:
|
capabilities:
|
||||||
drop:
|
drop:
|
||||||
- ALL
|
- ALL
|
||||||
runAsNonRoot: true
|
readOnlyRootFilesystem: true
|
||||||
seccompProfile:
|
|
||||||
type: RuntimeDefault
|
|
||||||
{% if cert_manager_tolerations %}
|
{% if cert_manager_tolerations %}
|
||||||
tolerations:
|
tolerations:
|
||||||
{{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
|
{{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
|
||||||
|
@ -1009,9 +1009,7 @@ spec:
|
||||||
capabilities:
|
capabilities:
|
||||||
drop:
|
drop:
|
||||||
- ALL
|
- ALL
|
||||||
runAsNonRoot: true
|
readOnlyRootFilesystem: true
|
||||||
seccompProfile:
|
|
||||||
type: RuntimeDefault
|
|
||||||
env:
|
env:
|
||||||
- name: POD_NAMESPACE
|
- name: POD_NAMESPACE
|
||||||
valueFrom:
|
valueFrom:
|
||||||
|
@ -1029,6 +1027,16 @@ spec:
|
||||||
- name: NO_PROXY
|
- name: NO_PROXY
|
||||||
value: "{{ cert_manager_no_proxy }}"
|
value: "{{ cert_manager_no_proxy }}"
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
livenessProbe:
|
||||||
|
httpGet:
|
||||||
|
port: http-healthz
|
||||||
|
path: /livez
|
||||||
|
scheme: HTTP
|
||||||
|
initialDelaySeconds: 10
|
||||||
|
periodSeconds: 10
|
||||||
|
timeoutSeconds: 15
|
||||||
|
successThreshold: 1
|
||||||
|
failureThreshold: 8
|
||||||
{% if cert_manager_trusted_internal_ca is defined %}
|
{% if cert_manager_trusted_internal_ca is defined %}
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- mountPath: /etc/ssl/certs/internal-ca.pem
|
- mountPath: /etc/ssl/certs/internal-ca.pem
|
||||||
|
@ -1138,9 +1146,7 @@ spec:
|
||||||
capabilities:
|
capabilities:
|
||||||
drop:
|
drop:
|
||||||
- ALL
|
- ALL
|
||||||
runAsNonRoot: true
|
readOnlyRootFilesystem: true
|
||||||
seccompProfile:
|
|
||||||
type: RuntimeDefault
|
|
||||||
env:
|
env:
|
||||||
- name: POD_NAMESPACE
|
- name: POD_NAMESPACE
|
||||||
valueFrom:
|
valueFrom:
|
||||||
|
@ -1189,20 +1195,18 @@ webhooks:
|
||||||
rules:
|
rules:
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- "cert-manager.io"
|
- "cert-manager.io"
|
||||||
- "acme.cert-manager.io"
|
|
||||||
apiVersions:
|
apiVersions:
|
||||||
- "v1"
|
- "v1"
|
||||||
operations:
|
operations:
|
||||||
- CREATE
|
- CREATE
|
||||||
- UPDATE
|
|
||||||
resources:
|
resources:
|
||||||
- "*/*"
|
- "certificaterequests"
|
||||||
admissionReviewVersions: ["v1"]
|
admissionReviewVersions: ["v1"]
|
||||||
# This webhook only accepts v1 cert-manager resources.
|
# This webhook only accepts v1 cert-manager resources.
|
||||||
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
|
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
|
||||||
# this webhook (after the resources have been converted to v1).
|
# this webhook (after the resources have been converted to v1).
|
||||||
matchPolicy: Equivalent
|
matchPolicy: Equivalent
|
||||||
timeoutSeconds: 10
|
timeoutSeconds: 30
|
||||||
failurePolicy: Fail
|
failurePolicy: Fail
|
||||||
# Only include 'sideEffects' field in Kubernetes 1.12+
|
# Only include 'sideEffects' field in Kubernetes 1.12+
|
||||||
sideEffects: None
|
sideEffects: None
|
||||||
|
@ -1229,8 +1233,8 @@ webhooks:
|
||||||
- name: webhook.cert-manager.io
|
- name: webhook.cert-manager.io
|
||||||
namespaceSelector:
|
namespaceSelector:
|
||||||
matchExpressions:
|
matchExpressions:
|
||||||
- key: "cert-manager.io/disable-validation"
|
- key: cert-manager.io/disable-validation
|
||||||
operator: "NotIn"
|
operator: NotIn
|
||||||
values:
|
values:
|
||||||
- "true"
|
- "true"
|
||||||
rules:
|
rules:
|
||||||
|
@ -1249,7 +1253,7 @@ webhooks:
|
||||||
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
|
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
|
||||||
# this webhook (after the resources have been converted to v1).
|
# this webhook (after the resources have been converted to v1).
|
||||||
matchPolicy: Equivalent
|
matchPolicy: Equivalent
|
||||||
timeoutSeconds: 10
|
timeoutSeconds: 30
|
||||||
failurePolicy: Fail
|
failurePolicy: Fail
|
||||||
sideEffects: None
|
sideEffects: None
|
||||||
clientConfig:
|
clientConfig:
|
||||||
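Review bot: The container `securityContext` in the hunks at new lines 923, 1009 and 1146 no longer sets `runAsNonRoot: true` or `seccompProfile:` / `type: RuntimeDefault`; the new side keeps the `capabilities` drop and adds only `readOnlyRootFilesystem: true`. The pod-level `securityContext` of these three workloads lies outside the hunks, so it is not visible here whether both settings are still applied there. If they are not, the containers lose the non-root check and the default seccomp filter, and the pods would presumably be rejected in a namespace that enforces the restricted Pod Security Standard. Please confirm the pod-level block carries both, or keep `runAsNonRoot: true` and the `seccompProfile` entry at container level next to the new read-only root filesystem setting.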
|
|
|
@ -338,7 +338,7 @@ ingress_nginx_kube_webhook_certgen_image_repo: "{{ kube_image_repo }}/ingress-ng
|
||||||
ingress_nginx_kube_webhook_certgen_image_tag: "v1.4.3"
|
ingress_nginx_kube_webhook_certgen_image_tag: "v1.4.3"
|
||||||
alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
|
alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
|
||||||
alb_ingress_image_tag: "v1.1.9"
|
alb_ingress_image_tag: "v1.1.9"
|
||||||
cert_manager_version: "v1.14.7"
|
cert_manager_version: "v1.15.3"
|
||||||
cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller"
|
cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller"
|
||||||
cert_manager_controller_image_tag: "{{ cert_manager_version }}"
|
cert_manager_controller_image_tag: "{{ cert_manager_version }}"
|
||||||
cert_manager_cainjector_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-cainjector"
|
cert_manager_cainjector_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-cainjector"
|
||||||
|
|