[cert-manager] upgrade to v1.15.3 (#11668)

* Feat: upgrade cert-manager version to v1.15.3 Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com> * Feat: upgrade cert-manager crd to v1.15.3 Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com> * Feat: update cert-manager v1.15.3 deployment files Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com> * Docs: upgrade cert-manager to v1.15.3 Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com> --------- Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
2024-11-04 18:39:29 +08:00 · 2024-11-04 18:39:29 +08:00 · 66d3cb7e6f
parent e293a887da
commit 66d3cb7e6f
4 changed files with 4229 additions and 780 deletions
--- a/README.md
+++ b/README.md
@ -176,7 +176,7 @@ Note: Upstart/SysV init based OS types are not supported.
  - [weave](https://github.com/rajch/weave) v2.8.7
  - [kube-vip](https://github.com/kube-vip/kube-vip) v0.8.0
 - Application
-  - [cert-manager](https://github.com/jetstack/cert-manager) v1.14.7
+  - [cert-manager](https://github.com/jetstack/cert-manager) v1.15.3
  - [coredns](https://github.com/coredns/coredns) v1.11.3
  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v1.11.2
  - [krew](https://github.com/kubernetes-sigs/krew) v0.4.4
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.crds.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.crds.yml.j2
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
@ -422,7 +422,9 @@ rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["signers"]
    verbs: ["approve"]
-    resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
+    resourceNames:
+    - "issuers.cert-manager.io/*"
+    - "clusterissuers.cert-manager.io/*"
 ---
 # Source: cert-manager/deploy/charts/cert-manager/templates/rbac.yaml
 # Permission to:
@ -921,9 +923,7 @@ spec:
            capabilities:
              drop:
              - ALL
-            runAsNonRoot: true
-            seccompProfile:
-              type: RuntimeDefault
+            readOnlyRootFilesystem: true
 {% if cert_manager_tolerations %}
      tolerations:
        {{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
@ -1009,9 +1009,7 @@ spec:
            capabilities:
              drop:
              - ALL
-            runAsNonRoot: true
-            seccompProfile:
-              type: RuntimeDefault
+            readOnlyRootFilesystem: true
          env:
          - name: POD_NAMESPACE
            valueFrom:
@ -1029,6 +1027,16 @@ spec:
          - name: NO_PROXY
            value: "{{ cert_manager_no_proxy }}"
 {% endif %}
+          livenessProbe:
+            httpGet:
+              port: http-healthz
+              path: /livez
+              scheme: HTTP
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            timeoutSeconds: 15
+            successThreshold: 1
+            failureThreshold: 8
 {% if cert_manager_trusted_internal_ca is defined %}
          volumeMounts:
          - mountPath: /etc/ssl/certs/internal-ca.pem
@ -1138,9 +1146,7 @@ spec:
            capabilities:
              drop:
              - ALL
-            runAsNonRoot: true
-            seccompProfile:
-              type: RuntimeDefault
+            readOnlyRootFilesystem: true
          env:
          - name: POD_NAMESPACE
            valueFrom:
@ -1189,20 +1195,18 @@ webhooks:
    rules:
      - apiGroups:
          - "cert-manager.io"
-          - "acme.cert-manager.io"
        apiVersions:
          - "v1"
        operations:
          - CREATE
-          - UPDATE
        resources:
-          - "*/*"
+          - "certificaterequests"
    admissionReviewVersions: ["v1"]
    # This webhook only accepts v1 cert-manager resources.
    # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
    # this webhook (after the resources have been converted to v1).
    matchPolicy: Equivalent
-    timeoutSeconds: 10
+    timeoutSeconds: 30
    failurePolicy: Fail
    # Only include 'sideEffects' field in Kubernetes 1.12+
    sideEffects: None
@ -1229,8 +1233,8 @@ webhooks:
  - name: webhook.cert-manager.io
    namespaceSelector:
      matchExpressions:
-      - key: "cert-manager.io/disable-validation"
-        operator: "NotIn"
+      - key: cert-manager.io/disable-validation
+        operator: NotIn
        values:
        - "true"
    rules:
@ -1249,7 +1253,7 @@ webhooks:
    # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
    # this webhook (after the resources have been converted to v1).
    matchPolicy: Equivalent
-    timeoutSeconds: 10
+    timeoutSeconds: 30
    failurePolicy: Fail
    sideEffects: None
    clientConfig:
--- a/roles/kubespray-defaults/defaults/main/download.yml
+++ b/roles/kubespray-defaults/defaults/main/download.yml
@ -338,7 +338,7 @@ ingress_nginx_kube_webhook_certgen_image_repo: "{{ kube_image_repo }}/ingress-ng
 ingress_nginx_kube_webhook_certgen_image_tag: "v1.4.3"
 alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
 alb_ingress_image_tag: "v1.1.9"
-cert_manager_version: "v1.14.7"
+cert_manager_version: "v1.15.3"
 cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller"
 cert_manager_controller_image_tag: "{{ cert_manager_version }}"
 cert_manager_cainjector_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-cainjector"