[cert-manager] upgrade to v1.15.3 (#11668)

* Feat: upgrade cert-manager version to v1.15.3

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

* Feat: upgrade cert-manager crd to v1.15.3

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

* Feat: update cert-manager v1.15.3 deployment files

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

* Docs: upgrade cert-manager to v1.15.3

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

---------

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
ChengHao Yang 2024-11-04 18:39:29 +08:00 committed by GitHub
parent e293a887da
commit 66d3cb7e6f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 4229 additions and 780 deletions


@ -176,7 +176,7 @@ Note: Upstart/SysV init based OS types are not supported.
- [weave](https://github.com/rajch/weave) v2.8.7 - [weave](https://github.com/rajch/weave) v2.8.7
- [kube-vip](https://github.com/kube-vip/kube-vip) v0.8.0 - [kube-vip](https://github.com/kube-vip/kube-vip) v0.8.0
- Application - Application
- [cert-manager](https://github.com/jetstack/cert-manager) v1.14.7 - [cert-manager](https://github.com/jetstack/cert-manager) v1.15.3
- [coredns](https://github.com/coredns/coredns) v1.11.3 - [coredns](https://github.com/coredns/coredns) v1.11.3
- [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v1.11.2 - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v1.11.2
- [krew](https://github.com/kubernetes-sigs/krew) v0.4.4 - [krew](https://github.com/kubernetes-sigs/krew) v0.4.4


@ -422,7 +422,9 @@ rules:
- apiGroups: ["cert-manager.io"] - apiGroups: ["cert-manager.io"]
resources: ["signers"] resources: ["signers"]
verbs: ["approve"] verbs: ["approve"]
resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"] resourceNames:
- "issuers.cert-manager.io/*"
- "clusterissuers.cert-manager.io/*"
--- ---
# Source: cert-manager/deploy/charts/cert-manager/templates/rbac.yaml # Source: cert-manager/deploy/charts/cert-manager/templates/rbac.yaml
# Permission to: # Permission to:
@ -921,9 +923,7 @@ spec:
capabilities: capabilities:
drop: drop:
- ALL - ALL
runAsNonRoot: true readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
{% if cert_manager_tolerations %} {% if cert_manager_tolerations %}
tolerations: tolerations:
{{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }} {{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
@ -1009,9 +1009,7 @@ spec:
capabilities: capabilities:
drop: drop:
- ALL - ALL
runAsNonRoot: true readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
env: env:
- name: POD_NAMESPACE - name: POD_NAMESPACE
valueFrom: valueFrom:
@ -1029,6 +1027,16 @@ spec:
- name: NO_PROXY - name: NO_PROXY
value: "{{ cert_manager_no_proxy }}" value: "{{ cert_manager_no_proxy }}"
{% endif %} {% endif %}
livenessProbe:
httpGet:
port: http-healthz
path: /livez
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 15
successThreshold: 1
failureThreshold: 8
{% if cert_manager_trusted_internal_ca is defined %} {% if cert_manager_trusted_internal_ca is defined %}
volumeMounts: volumeMounts:
- mountPath: /etc/ssl/certs/internal-ca.pem - mountPath: /etc/ssl/certs/internal-ca.pem
@ -1138,9 +1146,7 @@ spec:
capabilities: capabilities:
drop: drop:
- ALL - ALL
runAsNonRoot: true readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
env: env:
- name: POD_NAMESPACE - name: POD_NAMESPACE
valueFrom: valueFrom:
@ -1189,20 +1195,18 @@ webhooks:
rules: rules:
- apiGroups: - apiGroups:
- "cert-manager.io" - "cert-manager.io"
- "acme.cert-manager.io"
apiVersions: apiVersions:
- "v1" - "v1"
operations: operations:
- CREATE - CREATE
- UPDATE
resources: resources:
- "*/*" - "certificaterequests"
admissionReviewVersions: ["v1"] admissionReviewVersions: ["v1"]
# This webhook only accepts v1 cert-manager resources. # This webhook only accepts v1 cert-manager resources.
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
# this webhook (after the resources have been converted to v1). # this webhook (after the resources have been converted to v1).
matchPolicy: Equivalent matchPolicy: Equivalent
timeoutSeconds: 10 timeoutSeconds: 30
failurePolicy: Fail failurePolicy: Fail
# Only include 'sideEffects' field in Kubernetes 1.12+ # Only include 'sideEffects' field in Kubernetes 1.12+
sideEffects: None sideEffects: None
@ -1229,8 +1233,8 @@ webhooks:
- name: webhook.cert-manager.io - name: webhook.cert-manager.io
namespaceSelector: namespaceSelector:
matchExpressions: matchExpressions:
- key: "cert-manager.io/disable-validation" - key: cert-manager.io/disable-validation
operator: "NotIn" operator: NotIn
values: values:
- "true" - "true"
rules: rules:
@ -1249,7 +1253,7 @@ webhooks:
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
# this webhook (after the resources have been converted to v1). # this webhook (after the resources have been converted to v1).
matchPolicy: Equivalent matchPolicy: Equivalent
timeoutSeconds: 10 timeoutSeconds: 30
failurePolicy: Fail failurePolicy: Fail
sideEffects: None sideEffects: None
clientConfig: clientConfig:
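Review bot: As this page renders it, the container `securityContext` in the hunk at `-921,9 +923,7` no longer carries `runAsNonRoot: true` or `seccompProfile:` / `type: RuntimeDefault`; only `readOnlyRootFilesystem: true` is added beside the existing `capabilities: drop: ALL`. The hunks at `-1009,9 +1009,7` and `-1138,9 +1146,7` make the same change for the other two containers. If the pod-level `securityContext` of each Deployment (outside these hunks) does not already set both fields, the pods stop meeting the Pod Security "restricted" profile and may run with an unconfined seccomp profile, depending on the kubelet default. Please confirm the pod-level settings exist in the template, or keep the three removed lines next to `readOnlyRootFilesystem: true`. A short comment such as `# runAsNonRoot and seccompProfile are set in the pod-level securityContext` would record the intent for the next upgrade.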


@ -338,7 +338,7 @@ ingress_nginx_kube_webhook_certgen_image_repo: "{{ kube_image_repo }}/ingress-ng
ingress_nginx_kube_webhook_certgen_image_tag: "v1.4.3" ingress_nginx_kube_webhook_certgen_image_tag: "v1.4.3"
alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller" alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
alb_ingress_image_tag: "v1.1.9" alb_ingress_image_tag: "v1.1.9"
cert_manager_version: "v1.14.7" cert_manager_version: "v1.15.3"
cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller" cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller"
cert_manager_controller_image_tag: "{{ cert_manager_version }}" cert_manager_controller_image_tag: "{{ cert_manager_version }}"
cert_manager_cainjector_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-cainjector" cert_manager_cainjector_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-cainjector"