cert-manager: upgrade to 1.5.4 (#8069)
* cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuerpull/8076/head
parent
e4c8c7188e
commit
cee481f63d
|
@ -150,7 +150,7 @@ Note: Upstart/SysV init based OS types are not supported.
|
|||
- [ambassador](https://github.com/datawire/ambassador): v1.5
|
||||
- [cephfs-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.0-k8s1.11
|
||||
- [rbd-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.1-k8s1.11
|
||||
- [cert-manager](https://github.com/jetstack/cert-manager) v1.0.4
|
||||
- [cert-manager](https://github.com/jetstack/cert-manager) v1.5.4
|
||||
- [coredns](https://github.com/coredns/coredns) v1.8.0
|
||||
- [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v1.0.0
|
||||
|
||||
|
|
|
@ -11,29 +11,13 @@
|
|||
|
||||
Cert-Manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self signed. It will ensure certificates are valid and up to date, and attempt to renew certificates at a configured time before expiry.
|
||||
|
||||
The Kubespray out-of-the-box cert-manager deployment uses a TLS Root CA certificate and key stored as the Kubernetes `ca-key-pair` secret consisting of `tls.crt` and `tls.key`, which are the base64 encode values of the TLS Root CA certificate and key respectively.
|
||||
|
||||
Integration with other PKI/Certificate management solutions, such as HashiCorp Vault will require some further development changes to the current cert-manager deployment and may be introduced in the future.
|
||||
|
||||
## Kubernetes TLS Root CA Certificate/Key Secret
|
||||
|
||||
If you're planning to secure your ingress resources using TLS client certificates, you'll need to create and deploy the Kubernetes `ca-key-pair` secret consisting of the Root CA certificate and key to your K8s cluster.
|
||||
|
||||
If these are already available, simply update `templates\secret-cert-manager.yml.j2` with the base64 encoded values of your TLS Root CA certificate and key prior to enabling and deploying cert-manager.
|
||||
|
||||
e.g.
|
||||
|
||||
```shell
|
||||
$ cat ca.pem | base64 -w 0
|
||||
LS0tLS1CRUdJTiBDRVJU...
|
||||
|
||||
$ cat ca-key.pem | base64 -w 0
|
||||
LS0tLS1CRUdJTiBSU0Eg...
|
||||
```
|
||||
|
||||
For further information, read the official [Cert-Manager CA Configuration](https://cert-manager.io/docs/configuration/ca/) doc.
|
||||
|
||||
Once the base64 encoded values have been added to `templates\secret-cert-manager.yml.j2`, cert-manager can now be enabled by editing your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s_cluster\addons.yml` and setting `cert_manager_enabled` to true.
|
||||
`cert-manager` can now be enabled by editing your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s_cluster\addons.yml` and setting `cert_manager_enabled` to true.
|
||||
|
||||
```ini
|
||||
# Cert manager deployment
|
||||
|
|
|
@ -558,7 +558,7 @@ ingress_ambassador_image_repo: "{{ quay_image_repo }}/datawire/ambassador-operat
|
|||
ingress_ambassador_image_tag: "v1.2.9"
|
||||
alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
|
||||
alb_ingress_image_tag: "v1.1.9"
|
||||
cert_manager_version: "v1.0.4"
|
||||
cert_manager_version: "v1.5.4"
|
||||
cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller"
|
||||
cert_manager_controller_image_tag: "{{ cert_manager_version }}"
|
||||
cert_manager_cainjector_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-cainjector"
|
||||
|
|
|
@ -31,20 +31,8 @@
|
|||
- name: Cert Manager | Templates list
|
||||
set_fact:
|
||||
cert_manager_templates:
|
||||
- { name: 00-namespace, file: 00-namespace.yml, type: ns }
|
||||
- { name: sa-cert-manager, file: sa-cert-manager.yml, type: sa }
|
||||
- { name: crd-certificate, file: crd-certificate.yml, type: crd }
|
||||
- { name: crd-challenge, file: crd-challenge.yml, type: crd }
|
||||
- { name: crd-clusterissuer, file: crd-clusterissuer.yml, type: crd }
|
||||
- { name: crd-issuer, file: crd-issuer.yml, type: crd }
|
||||
- { name: crd-order, file: crd-order.yml, type: crd }
|
||||
- { name: clusterrole-cert-manager, file: clusterrole-cert-manager.yml, type: clusterrole }
|
||||
- { name: clusterrolebinding-cert-manager, file: clusterrolebinding-cert-manager.yml, type: clusterrolebinding }
|
||||
- { name: role-cert-manager, file: role-cert-manager.yml, type: role }
|
||||
- { name: rolebinding-cert-manager, file: rolebinding-cert-manager.yml, type: rolebinding }
|
||||
- { name: deploy-cert-manager, file: deploy-cert-manager.yml, type: deploy }
|
||||
- { name: svc-cert-manager, file: svc-cert-manager.yml, type: svc }
|
||||
- { name: webhook-cert-manager, file: webhook-cert-manager.yml, type: webhook }
|
||||
- { name: cert-manager, file: cert-manager.yml, type: all }
|
||||
- { name: cert-manager.crds, file: cert-manager.crds.yml, type: crd }
|
||||
|
||||
- name: Cert Manager | Create manifests
|
||||
template:
|
||||
|
|
|
@ -1,21 +0,0 @@
|
|||
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: {{ cert_manager_namespace }}
|
||||
labels:
|
||||
name: {{ cert_manager_namespace }}
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
|
@ -1,498 +0,0 @@
|
|||
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
app: cainjector
|
||||
app.kubernetes.io/component: cainjector
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: cainjector
|
||||
name: cert-manager-cainjector
|
||||
rules:
|
||||
- apiGroups:
|
||||
- cert-manager.io
|
||||
resources:
|
||||
- certificates
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- events
|
||||
verbs:
|
||||
- get
|
||||
- create
|
||||
- update
|
||||
- patch
|
||||
- apiGroups:
|
||||
- admissionregistration.k8s.io
|
||||
resources:
|
||||
- validatingwebhookconfigurations
|
||||
- mutatingwebhookconfigurations
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- update
|
||||
- apiGroups:
|
||||
- apiregistration.k8s.io
|
||||
resources:
|
||||
- apiservices
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- update
|
||||
- apiGroups:
|
||||
- apiextensions.k8s.io
|
||||
resources:
|
||||
- customresourcedefinitions
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- update
|
||||
- apiGroups:
|
||||
- auditregistration.k8s.io
|
||||
resources:
|
||||
- auditsinks
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- update
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/component: controller
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
name: cert-manager-controller-issuers
|
||||
rules:
|
||||
- apiGroups:
|
||||
- cert-manager.io
|
||||
resources:
|
||||
- issuers
|
||||
- issuers/status
|
||||
verbs:
|
||||
- update
|
||||
- apiGroups:
|
||||
- cert-manager.io
|
||||
resources:
|
||||
- issuers
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- create
|
||||
- update
|
||||
- delete
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- events
|
||||
verbs:
|
||||
- create
|
||||
- patch
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/component: controller
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
name: cert-manager-controller-clusterissuers
|
||||
rules:
|
||||
- apiGroups:
|
||||
- cert-manager.io
|
||||
resources:
|
||||
- clusterissuers
|
||||
- clusterissuers/status
|
||||
verbs:
|
||||
- update
|
||||
- apiGroups:
|
||||
- cert-manager.io
|
||||
resources:
|
||||
- clusterissuers
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- create
|
||||
- update
|
||||
- delete
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- events
|
||||
verbs:
|
||||
- create
|
||||
- patch
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/component: controller
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
name: cert-manager-controller-certificates
|
||||
rules:
|
||||
- apiGroups:
|
||||
- cert-manager.io
|
||||
resources:
|
||||
- certificates
|
||||
- certificates/status
|
||||
- certificaterequests
|
||||
- certificaterequests/status
|
||||
verbs:
|
||||
- update
|
||||
- apiGroups:
|
||||
- cert-manager.io
|
||||
resources:
|
||||
- certificates
|
||||
- certificaterequests
|
||||
- clusterissuers
|
||||
- issuers
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- cert-manager.io
|
||||
resources:
|
||||
- certificates/finalizers
|
||||
- certificaterequests/finalizers
|
||||
verbs:
|
||||
- update
|
||||
- apiGroups:
|
||||
- acme.cert-manager.io
|
||||
resources:
|
||||
- orders
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- create
|
||||
- update
|
||||
- delete
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- events
|
||||
verbs:
|
||||
- create
|
||||
- patch
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/component: controller
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
name: cert-manager-controller-orders
|
||||
rules:
|
||||
- apiGroups:
|
||||
- acme.cert-manager.io
|
||||
resources:
|
||||
- orders
|
||||
- orders/status
|
||||
verbs:
|
||||
- update
|
||||
- apiGroups:
|
||||
- acme.cert-manager.io
|
||||
resources:
|
||||
- orders
|
||||
- challenges
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- cert-manager.io
|
||||
resources:
|
||||
- clusterissuers
|
||||
- issuers
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- acme.cert-manager.io
|
||||
resources:
|
||||
- challenges
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- apiGroups:
|
||||
- acme.cert-manager.io
|
||||
resources:
|
||||
- orders/finalizers
|
||||
verbs:
|
||||
- update
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- events
|
||||
verbs:
|
||||
- create
|
||||
- patch
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/component: controller
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
name: cert-manager-controller-challenges
|
||||
rules:
|
||||
- apiGroups:
|
||||
- acme.cert-manager.io
|
||||
resources:
|
||||
- challenges
|
||||
- challenges/status
|
||||
verbs:
|
||||
- update
|
||||
- apiGroups:
|
||||
- acme.cert-manager.io
|
||||
resources:
|
||||
- challenges
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- cert-manager.io
|
||||
resources:
|
||||
- issuers
|
||||
- clusterissuers
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- events
|
||||
verbs:
|
||||
- create
|
||||
- patch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- pods
|
||||
- services
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- create
|
||||
- delete
|
||||
- apiGroups:
|
||||
- extensions
|
||||
resources:
|
||||
- ingresses
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- create
|
||||
- delete
|
||||
- update
|
||||
- apiGroups:
|
||||
- route.openshift.io
|
||||
resources:
|
||||
- routes/custom-host
|
||||
verbs:
|
||||
- create
|
||||
- apiGroups:
|
||||
- acme.cert-manager.io
|
||||
resources:
|
||||
- challenges/finalizers
|
||||
verbs:
|
||||
- update
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/component: controller
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
name: cert-manager-controller-ingress-shim
|
||||
rules:
|
||||
- apiGroups:
|
||||
- cert-manager.io
|
||||
resources:
|
||||
- certificates
|
||||
- certificaterequests
|
||||
verbs:
|
||||
- create
|
||||
- update
|
||||
- delete
|
||||
- apiGroups:
|
||||
- cert-manager.io
|
||||
resources:
|
||||
- certificates
|
||||
- certificaterequests
|
||||
- issuers
|
||||
- clusterissuers
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- extensions
|
||||
resources:
|
||||
- ingresses
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- extensions
|
||||
resources:
|
||||
- ingresses/finalizers
|
||||
verbs:
|
||||
- update
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- events
|
||||
verbs:
|
||||
- create
|
||||
- patch
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/component: controller
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
||||
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
||||
rbac.authorization.k8s.io/aggregate-to-view: "true"
|
||||
name: cert-manager-view
|
||||
rules:
|
||||
- apiGroups:
|
||||
- cert-manager.io
|
||||
resources:
|
||||
- certificates
|
||||
- certificaterequests
|
||||
- issuers
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/component: controller
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
||||
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
||||
name: cert-manager-edit
|
||||
rules:
|
||||
- apiGroups:
|
||||
- cert-manager.io
|
||||
resources:
|
||||
- certificates
|
||||
- certificaterequests
|
||||
- issuers
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- deletecollection
|
||||
- patch
|
||||
- update
|
|
@ -1,140 +0,0 @@
|
|||
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
labels:
|
||||
app: cainjector
|
||||
app.kubernetes.io/component: cainjector
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: cainjector
|
||||
name: cert-manager-cainjector
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cert-manager-cainjector
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: cert-manager-cainjector
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/component: controller
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
name: cert-manager-controller-issuers
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cert-manager-controller-issuers
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: cert-manager
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/component: controller
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
name: cert-manager-controller-clusterissuers
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cert-manager-controller-clusterissuers
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: cert-manager
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/component: controller
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
name: cert-manager-controller-certificates
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cert-manager-controller-certificates
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: cert-manager
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/component: controller
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
name: cert-manager-controller-orders
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cert-manager-controller-orders
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: cert-manager
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/component: controller
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
name: cert-manager-controller-challenges
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cert-manager-controller-challenges
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: cert-manager
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/component: controller
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
name: cert-manager-controller-ingress-shim
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cert-manager-controller-ingress-shim
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: cert-manager
|
||||
namespace: {{ cert_manager_namespace }}
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
|
@ -1,885 +0,0 @@
|
|||
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
name: orders.acme.cert-manager.io
|
||||
spec:
|
||||
conversion:
|
||||
strategy: Webhook
|
||||
webhook:
|
||||
clientConfig:
|
||||
service:
|
||||
name: cert-manager-webhook
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
path: /convert
|
||||
conversionReviewVersions:
|
||||
- v1
|
||||
- v1beta1
|
||||
group: acme.cert-manager.io
|
||||
names:
|
||||
kind: Order
|
||||
listKind: OrderList
|
||||
plural: orders
|
||||
singular: order
|
||||
scope: Namespaced
|
||||
versions:
|
||||
- additionalPrinterColumns:
|
||||
- jsonPath: .status.state
|
||||
name: State
|
||||
type: string
|
||||
- jsonPath: .spec.issuerRef.name
|
||||
name: Issuer
|
||||
priority: 1
|
||||
type: string
|
||||
- jsonPath: .status.reason
|
||||
name: Reason
|
||||
priority: 1
|
||||
type: string
|
||||
- description: CreationTimestamp is a timestamp representing the server time when
|
||||
this object was created. It is not guaranteed to be set in happens-before
|
||||
order across separate operations. Clients may not set this value. It is represented
|
||||
in RFC3339 form and is in UTC.
|
||||
jsonPath: .metadata.creationTimestamp
|
||||
name: Age
|
||||
type: date
|
||||
name: v1alpha2
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: Order is a type to represent an Order with an ACME server
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
of an object. Servers should convert recognized schemas to the latest
|
||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||
type: string
|
||||
kind:
|
||||
description: 'Kind is a string value representing the REST resource this
|
||||
object represents. Servers may infer this from the endpoint the client
|
||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
properties:
|
||||
commonName:
|
||||
description: CommonName is the common name as specified on the DER
|
||||
encoded CSR. If specified, this value must also be present in `dnsNames`.
|
||||
This field must match the corresponding field on the DER encoded
|
||||
CSR.
|
||||
type: string
|
||||
csr:
|
||||
description: Certificate signing request bytes in DER encoding. This
|
||||
will be used when finalizing the order. This field must be set on
|
||||
the order.
|
||||
format: byte
|
||||
type: string
|
||||
dnsNames:
|
||||
description: DNSNames is a list of DNS names that should be included
|
||||
as part of the Order validation process. This field must match the
|
||||
corresponding field on the DER encoded CSR.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
issuerRef:
|
||||
description: IssuerRef references a properly configured ACME-type
|
||||
Issuer which should be used to create this Order. If the Issuer
|
||||
does not exist, processing will be retried. If the Issuer is not
|
||||
an 'ACME' Issuer, an error will be returned and the Order will be
|
||||
marked as failed.
|
||||
properties:
|
||||
group:
|
||||
description: Group of the resource being referred to.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind of the resource being referred to.
|
||||
type: string
|
||||
name:
|
||||
description: Name of the resource being referred to.
|
||||
type: string
|
||||
required:
|
||||
- name
|
||||
type: object
|
||||
required:
|
||||
- csr
|
||||
- dnsNames
|
||||
- issuerRef
|
||||
type: object
|
||||
status:
|
||||
properties:
|
||||
authorizations:
|
||||
description: Authorizations contains data returned from the ACME server
|
||||
on what authorizations must be completed in order to validate the
|
||||
DNS names specified on the Order.
|
||||
items:
|
||||
description: ACMEAuthorization contains data returned from the ACME
|
||||
server on an authorization that must be completed in order validate
|
||||
a DNS name on an ACME Order resource.
|
||||
properties:
|
||||
challenges:
|
||||
description: Challenges specifies the challenge types offered
|
||||
by the ACME server. One of these challenge types will be selected
|
||||
when validating the DNS name and an appropriate Challenge
|
||||
resource will be created to perform the ACME challenge process.
|
||||
items:
|
||||
description: Challenge specifies a challenge offered by the
|
||||
ACME server for an Order. An appropriate Challenge resource
|
||||
can be created to perform the ACME challenge process.
|
||||
properties:
|
||||
token:
|
||||
description: Token is the token that must be presented
|
||||
for this challenge. This is used to compute the 'key'
|
||||
that must also be presented.
|
||||
type: string
|
||||
type:
|
||||
description: Type is the type of challenge being offered,
|
||||
e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
|
||||
the raw value retrieved from the ACME server. Only 'http-01'
|
||||
and 'dns-01' are supported by cert-manager, other values
|
||||
will be ignored.
|
||||
type: string
|
||||
url:
|
||||
description: URL is the URL of this challenge. It can
|
||||
be used to retrieve additional metadata about the Challenge
|
||||
from the ACME server.
|
||||
type: string
|
||||
required:
|
||||
- token
|
||||
- type
|
||||
- url
|
||||
type: object
|
||||
type: array
|
||||
identifier:
|
||||
description: Identifier is the DNS name to be validated as part
|
||||
of this authorization
|
||||
type: string
|
||||
initialState:
|
||||
description: InitialState is the initial state of the ACME authorization
|
||||
when first fetched from the ACME server. If an Authorization
|
||||
is already 'valid', the Order controller will not create a
|
||||
Challenge resource for the authorization. This will occur
|
||||
when working with an ACME server that enables 'authz reuse'
|
||||
(such as Let's Encrypt's production endpoint). If not set
|
||||
and 'identifier' is set, the state is assumed to be pending
|
||||
and a Challenge will be created.
|
||||
enum:
|
||||
- valid
|
||||
- ready
|
||||
- pending
|
||||
- processing
|
||||
- invalid
|
||||
- expired
|
||||
- errored
|
||||
type: string
|
||||
url:
|
||||
description: URL is the URL of the Authorization that must be
|
||||
completed
|
||||
type: string
|
||||
wildcard:
|
||||
description: Wildcard will be true if this authorization is
|
||||
for a wildcard DNS name. If this is true, the identifier will
|
||||
be the *non-wildcard* version of the DNS name. For example,
|
||||
if '*.example.com' is the DNS name being validated, this field
|
||||
will be 'true' and the 'identifier' field will be 'example.com'.
|
||||
type: boolean
|
||||
required:
|
||||
- url
|
||||
type: object
|
||||
type: array
|
||||
certificate:
|
||||
description: Certificate is a copy of the PEM encoded certificate
|
||||
for this Order. This field will be populated after the order has
|
||||
been successfully finalized with the ACME server, and the order
|
||||
has transitioned to the 'valid' state.
|
||||
format: byte
|
||||
type: string
|
||||
failureTime:
|
||||
description: FailureTime stores the time that this order failed. This
|
||||
is used to influence garbage collection and back-off.
|
||||
format: date-time
|
||||
type: string
|
||||
finalizeURL:
|
||||
description: FinalizeURL of the Order. This is used to obtain certificates
|
||||
for this order once it has been completed.
|
||||
type: string
|
||||
reason:
|
||||
description: Reason optionally provides more information about a why
|
||||
the order is in the current state.
|
||||
type: string
|
||||
state:
|
||||
description: State contains the current state of this Order resource.
|
||||
States 'success' and 'expired' are 'final'
|
||||
enum:
|
||||
- valid
|
||||
- ready
|
||||
- pending
|
||||
- processing
|
||||
- invalid
|
||||
- expired
|
||||
- errored
|
||||
type: string
|
||||
url:
|
||||
description: URL of the Order. This will initially be empty when the
|
||||
resource is first created. The Order controller will populate this
|
||||
field when the Order is first processed. This field will be immutable
|
||||
after it is initially set.
|
||||
type: string
|
||||
type: object
|
||||
required:
|
||||
- metadata
|
||||
type: object
|
||||
served: true
|
||||
storage: false
|
||||
subresources:
|
||||
status: {}
|
||||
- additionalPrinterColumns:
|
||||
- jsonPath: .status.state
|
||||
name: State
|
||||
type: string
|
||||
- jsonPath: .spec.issuerRef.name
|
||||
name: Issuer
|
||||
priority: 1
|
||||
type: string
|
||||
- jsonPath: .status.reason
|
||||
name: Reason
|
||||
priority: 1
|
||||
type: string
|
||||
- description: CreationTimestamp is a timestamp representing the server time when
|
||||
this object was created. It is not guaranteed to be set in happens-before
|
||||
order across separate operations. Clients may not set this value. It is represented
|
||||
in RFC3339 form and is in UTC.
|
||||
jsonPath: .metadata.creationTimestamp
|
||||
name: Age
|
||||
type: date
|
||||
name: v1alpha3
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: Order is a type to represent an Order with an ACME server
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
of an object. Servers should convert recognized schemas to the latest
|
||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||
type: string
|
||||
kind:
|
||||
description: 'Kind is a string value representing the REST resource this
|
||||
object represents. Servers may infer this from the endpoint the client
|
||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
properties:
|
||||
commonName:
|
||||
description: CommonName is the common name as specified on the DER
|
||||
encoded CSR. If specified, this value must also be present in `dnsNames`.
|
||||
This field must match the corresponding field on the DER encoded
|
||||
CSR.
|
||||
type: string
|
||||
csr:
|
||||
description: Certificate signing request bytes in DER encoding. This
|
||||
will be used when finalizing the order. This field must be set on
|
||||
the order.
|
||||
format: byte
|
||||
type: string
|
||||
dnsNames:
|
||||
description: DNSNames is a list of DNS names that should be included
|
||||
as part of the Order validation process. This field must match the
|
||||
corresponding field on the DER encoded CSR.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
issuerRef:
|
||||
description: IssuerRef references a properly configured ACME-type
|
||||
Issuer which should be used to create this Order. If the Issuer
|
||||
does not exist, processing will be retried. If the Issuer is not
|
||||
an 'ACME' Issuer, an error will be returned and the Order will be
|
||||
marked as failed.
|
||||
properties:
|
||||
group:
|
||||
description: Group of the resource being referred to.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind of the resource being referred to.
|
||||
type: string
|
||||
name:
|
||||
description: Name of the resource being referred to.
|
||||
type: string
|
||||
required:
|
||||
- name
|
||||
type: object
|
||||
required:
|
||||
- csr
|
||||
- dnsNames
|
||||
- issuerRef
|
||||
type: object
|
||||
status:
|
||||
properties:
|
||||
authorizations:
|
||||
description: Authorizations contains data returned from the ACME server
|
||||
on what authorizations must be completed in order to validate the
|
||||
DNS names specified on the Order.
|
||||
items:
|
||||
description: ACMEAuthorization contains data returned from the ACME
|
||||
server on an authorization that must be completed in order validate
|
||||
a DNS name on an ACME Order resource.
|
||||
properties:
|
||||
challenges:
|
||||
description: Challenges specifies the challenge types offered
|
||||
by the ACME server. One of these challenge types will be selected
|
||||
when validating the DNS name and an appropriate Challenge
|
||||
resource will be created to perform the ACME challenge process.
|
||||
items:
|
||||
description: Challenge specifies a challenge offered by the
|
||||
ACME server for an Order. An appropriate Challenge resource
|
||||
can be created to perform the ACME challenge process.
|
||||
properties:
|
||||
token:
|
||||
description: Token is the token that must be presented
|
||||
for this challenge. This is used to compute the 'key'
|
||||
that must also be presented.
|
||||
type: string
|
||||
type:
|
||||
description: Type is the type of challenge being offered,
|
||||
e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
|
||||
the raw value retrieved from the ACME server. Only 'http-01'
|
||||
and 'dns-01' are supported by cert-manager, other values
|
||||
will be ignored.
|
||||
type: string
|
||||
url:
|
||||
description: URL is the URL of this challenge. It can
|
||||
be used to retrieve additional metadata about the Challenge
|
||||
from the ACME server.
|
||||
type: string
|
||||
required:
|
||||
- token
|
||||
- type
|
||||
- url
|
||||
type: object
|
||||
type: array
|
||||
identifier:
|
||||
description: Identifier is the DNS name to be validated as part
|
||||
of this authorization
|
||||
type: string
|
||||
initialState:
|
||||
description: InitialState is the initial state of the ACME authorization
|
||||
when first fetched from the ACME server. If an Authorization
|
||||
is already 'valid', the Order controller will not create a
|
||||
Challenge resource for the authorization. This will occur
|
||||
when working with an ACME server that enables 'authz reuse'
|
||||
(such as Let's Encrypt's production endpoint). If not set
|
||||
and 'identifier' is set, the state is assumed to be pending
|
||||
and a Challenge will be created.
|
||||
enum:
|
||||
- valid
|
||||
- ready
|
||||
- pending
|
||||
- processing
|
||||
- invalid
|
||||
- expired
|
||||
- errored
|
||||
type: string
|
||||
url:
|
||||
description: URL is the URL of the Authorization that must be
|
||||
completed
|
||||
type: string
|
||||
wildcard:
|
||||
description: Wildcard will be true if this authorization is
|
||||
for a wildcard DNS name. If this is true, the identifier will
|
||||
be the *non-wildcard* version of the DNS name. For example,
|
||||
if '*.example.com' is the DNS name being validated, this field
|
||||
will be 'true' and the 'identifier' field will be 'example.com'.
|
||||
type: boolean
|
||||
required:
|
||||
- url
|
||||
type: object
|
||||
type: array
|
||||
certificate:
|
||||
description: Certificate is a copy of the PEM encoded certificate
|
||||
for this Order. This field will be populated after the order has
|
||||
been successfully finalized with the ACME server, and the order
|
||||
has transitioned to the 'valid' state.
|
||||
format: byte
|
||||
type: string
|
||||
failureTime:
|
||||
description: FailureTime stores the time that this order failed. This
|
||||
is used to influence garbage collection and back-off.
|
||||
format: date-time
|
||||
type: string
|
||||
finalizeURL:
|
||||
description: FinalizeURL of the Order. This is used to obtain certificates
|
||||
for this order once it has been completed.
|
||||
type: string
|
||||
reason:
|
||||
description: Reason optionally provides more information about a why
|
||||
the order is in the current state.
|
||||
type: string
|
||||
state:
|
||||
description: State contains the current state of this Order resource.
|
||||
States 'success' and 'expired' are 'final'
|
||||
enum:
|
||||
- valid
|
||||
- ready
|
||||
- pending
|
||||
- processing
|
||||
- invalid
|
||||
- expired
|
||||
- errored
|
||||
type: string
|
||||
url:
|
||||
description: URL of the Order. This will initially be empty when the
|
||||
resource is first created. The Order controller will populate this
|
||||
field when the Order is first processed. This field will be immutable
|
||||
after it is initially set.
|
||||
type: string
|
||||
type: object
|
||||
required:
|
||||
- metadata
|
||||
type: object
|
||||
served: true
|
||||
storage: false
|
||||
subresources:
|
||||
status: {}
|
||||
- additionalPrinterColumns:
|
||||
- jsonPath: .status.state
|
||||
name: State
|
||||
type: string
|
||||
- jsonPath: .spec.issuerRef.name
|
||||
name: Issuer
|
||||
priority: 1
|
||||
type: string
|
||||
- jsonPath: .status.reason
|
||||
name: Reason
|
||||
priority: 1
|
||||
type: string
|
||||
- description: CreationTimestamp is a timestamp representing the server time when
|
||||
this object was created. It is not guaranteed to be set in happens-before
|
||||
order across separate operations. Clients may not set this value. It is represented
|
||||
in RFC3339 form and is in UTC.
|
||||
jsonPath: .metadata.creationTimestamp
|
||||
name: Age
|
||||
type: date
|
||||
name: v1beta1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: Order is a type to represent an Order with an ACME server
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
of an object. Servers should convert recognized schemas to the latest
|
||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||
type: string
|
||||
kind:
|
||||
description: 'Kind is a string value representing the REST resource this
|
||||
object represents. Servers may infer this from the endpoint the client
|
||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
properties:
|
||||
commonName:
|
||||
description: CommonName is the common name as specified on the DER
|
||||
encoded CSR. If specified, this value must also be present in `dnsNames`.
|
||||
This field must match the corresponding field on the DER encoded
|
||||
CSR.
|
||||
type: string
|
||||
dnsNames:
|
||||
description: DNSNames is a list of DNS names that should be included
|
||||
as part of the Order validation process. This field must match the
|
||||
corresponding field on the DER encoded CSR.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
issuerRef:
|
||||
description: IssuerRef references a properly configured ACME-type
|
||||
Issuer which should be used to create this Order. If the Issuer
|
||||
does not exist, processing will be retried. If the Issuer is not
|
||||
an 'ACME' Issuer, an error will be returned and the Order will be
|
||||
marked as failed.
|
||||
properties:
|
||||
group:
|
||||
description: Group of the resource being referred to.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind of the resource being referred to.
|
||||
type: string
|
||||
name:
|
||||
description: Name of the resource being referred to.
|
||||
type: string
|
||||
required:
|
||||
- name
|
||||
type: object
|
||||
request:
|
||||
description: Certificate signing request bytes in DER encoding. This
|
||||
will be used when finalizing the order. This field must be set on
|
||||
the order.
|
||||
format: byte
|
||||
type: string
|
||||
required:
|
||||
- dnsNames
|
||||
- issuerRef
|
||||
- request
|
||||
type: object
|
||||
status:
|
||||
properties:
|
||||
authorizations:
|
||||
description: Authorizations contains data returned from the ACME server
|
||||
on what authorizations must be completed in order to validate the
|
||||
DNS names specified on the Order.
|
||||
items:
|
||||
description: ACMEAuthorization contains data returned from the ACME
|
||||
server on an authorization that must be completed in order validate
|
||||
a DNS name on an ACME Order resource.
|
||||
properties:
|
||||
challenges:
|
||||
description: Challenges specifies the challenge types offered
|
||||
by the ACME server. One of these challenge types will be selected
|
||||
when validating the DNS name and an appropriate Challenge
|
||||
resource will be created to perform the ACME challenge process.
|
||||
items:
|
||||
description: Challenge specifies a challenge offered by the
|
||||
ACME server for an Order. An appropriate Challenge resource
|
||||
can be created to perform the ACME challenge process.
|
||||
properties:
|
||||
token:
|
||||
description: Token is the token that must be presented
|
||||
for this challenge. This is used to compute the 'key'
|
||||
that must also be presented.
|
||||
type: string
|
||||
type:
|
||||
description: Type is the type of challenge being offered,
|
||||
e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
|
||||
the raw value retrieved from the ACME server. Only 'http-01'
|
||||
and 'dns-01' are supported by cert-manager, other values
|
||||
will be ignored.
|
||||
type: string
|
||||
url:
|
||||
description: URL is the URL of this challenge. It can
|
||||
be used to retrieve additional metadata about the Challenge
|
||||
from the ACME server.
|
||||
type: string
|
||||
required:
|
||||
- token
|
||||
- type
|
||||
- url
|
||||
type: object
|
||||
type: array
|
||||
identifier:
|
||||
description: Identifier is the DNS name to be validated as part
|
||||
of this authorization
|
||||
type: string
|
||||
initialState:
|
||||
description: InitialState is the initial state of the ACME authorization
|
||||
when first fetched from the ACME server. If an Authorization
|
||||
is already 'valid', the Order controller will not create a
|
||||
Challenge resource for the authorization. This will occur
|
||||
when working with an ACME server that enables 'authz reuse'
|
||||
(such as Let's Encrypt's production endpoint). If not set
|
||||
and 'identifier' is set, the state is assumed to be pending
|
||||
and a Challenge will be created.
|
||||
enum:
|
||||
- valid
|
||||
- ready
|
||||
- pending
|
||||
- processing
|
||||
- invalid
|
||||
- expired
|
||||
- errored
|
||||
type: string
|
||||
url:
|
||||
description: URL is the URL of the Authorization that must be
|
||||
completed
|
||||
type: string
|
||||
wildcard:
|
||||
description: Wildcard will be true if this authorization is
|
||||
for a wildcard DNS name. If this is true, the identifier will
|
||||
be the *non-wildcard* version of the DNS name. For example,
|
||||
if '*.example.com' is the DNS name being validated, this field
|
||||
will be 'true' and the 'identifier' field will be 'example.com'.
|
||||
type: boolean
|
||||
required:
|
||||
- url
|
||||
type: object
|
||||
type: array
|
||||
certificate:
|
||||
description: Certificate is a copy of the PEM encoded certificate
|
||||
for this Order. This field will be populated after the order has
|
||||
been successfully finalized with the ACME server, and the order
|
||||
has transitioned to the 'valid' state.
|
||||
format: byte
|
||||
type: string
|
||||
failureTime:
|
||||
description: FailureTime stores the time that this order failed. This
|
||||
is used to influence garbage collection and back-off.
|
||||
format: date-time
|
||||
type: string
|
||||
finalizeURL:
|
||||
description: FinalizeURL of the Order. This is used to obtain certificates
|
||||
for this order once it has been completed.
|
||||
type: string
|
||||
reason:
|
||||
description: Reason optionally provides more information about a why
|
||||
the order is in the current state.
|
||||
type: string
|
||||
state:
|
||||
description: State contains the current state of this Order resource.
|
||||
States 'success' and 'expired' are 'final'
|
||||
enum:
|
||||
- valid
|
||||
- ready
|
||||
- pending
|
||||
- processing
|
||||
- invalid
|
||||
- expired
|
||||
- errored
|
||||
type: string
|
||||
url:
|
||||
description: URL of the Order. This will initially be empty when the
|
||||
resource is first created. The Order controller will populate this
|
||||
field when the Order is first processed. This field will be immutable
|
||||
after it is initially set.
|
||||
type: string
|
||||
type: object
|
||||
required:
|
||||
- metadata
|
||||
- spec
|
||||
type: object
|
||||
served: true
|
||||
storage: false
|
||||
subresources:
|
||||
status: {}
|
||||
- additionalPrinterColumns:
|
||||
- jsonPath: .status.state
|
||||
name: State
|
||||
type: string
|
||||
- jsonPath: .spec.issuerRef.name
|
||||
name: Issuer
|
||||
priority: 1
|
||||
type: string
|
||||
- jsonPath: .status.reason
|
||||
name: Reason
|
||||
priority: 1
|
||||
type: string
|
||||
- description: CreationTimestamp is a timestamp representing the server time when
|
||||
this object was created. It is not guaranteed to be set in happens-before
|
||||
order across separate operations. Clients may not set this value. It is represented
|
||||
in RFC3339 form and is in UTC.
|
||||
jsonPath: .metadata.creationTimestamp
|
||||
name: Age
|
||||
type: date
|
||||
name: v1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: Order is a type to represent an Order with an ACME server
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
of an object. Servers should convert recognized schemas to the latest
|
||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||
type: string
|
||||
kind:
|
||||
description: 'Kind is a string value representing the REST resource this
|
||||
object represents. Servers may infer this from the endpoint the client
|
||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
properties:
|
||||
commonName:
|
||||
description: CommonName is the common name as specified on the DER
|
||||
encoded CSR. If specified, this value must also be present in `dnsNames`.
|
||||
This field must match the corresponding field on the DER encoded
|
||||
CSR.
|
||||
type: string
|
||||
dnsNames:
|
||||
description: DNSNames is a list of DNS names that should be included
|
||||
as part of the Order validation process. This field must match the
|
||||
corresponding field on the DER encoded CSR.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
issuerRef:
|
||||
description: IssuerRef references a properly configured ACME-type
|
||||
Issuer which should be used to create this Order. If the Issuer
|
||||
does not exist, processing will be retried. If the Issuer is not
|
||||
an 'ACME' Issuer, an error will be returned and the Order will be
|
||||
marked as failed.
|
||||
properties:
|
||||
group:
|
||||
description: Group of the resource being referred to.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind of the resource being referred to.
|
||||
type: string
|
||||
name:
|
||||
description: Name of the resource being referred to.
|
||||
type: string
|
||||
required:
|
||||
- name
|
||||
type: object
|
||||
request:
|
||||
description: Certificate signing request bytes in DER encoding. This
|
||||
will be used when finalizing the order. This field must be set on
|
||||
the order.
|
||||
format: byte
|
||||
type: string
|
||||
required:
|
||||
- dnsNames
|
||||
- issuerRef
|
||||
- request
|
||||
type: object
|
||||
status:
|
||||
properties:
|
||||
authorizations:
|
||||
description: Authorizations contains data returned from the ACME server
|
||||
on what authorizations must be completed in order to validate the
|
||||
DNS names specified on the Order.
|
||||
items:
|
||||
description: ACMEAuthorization contains data returned from the ACME
|
||||
server on an authorization that must be completed in order validate
|
||||
a DNS name on an ACME Order resource.
|
||||
properties:
|
||||
challenges:
|
||||
description: Challenges specifies the challenge types offered
|
||||
by the ACME server. One of these challenge types will be selected
|
||||
when validating the DNS name and an appropriate Challenge
|
||||
resource will be created to perform the ACME challenge process.
|
||||
items:
|
||||
description: Challenge specifies a challenge offered by the
|
||||
ACME server for an Order. An appropriate Challenge resource
|
||||
can be created to perform the ACME challenge process.
|
||||
properties:
|
||||
token:
|
||||
description: Token is the token that must be presented
|
||||
for this challenge. This is used to compute the 'key'
|
||||
that must also be presented.
|
||||
type: string
|
||||
type:
|
||||
description: Type is the type of challenge being offered,
|
||||
e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
|
||||
the raw value retrieved from the ACME server. Only 'http-01'
|
||||
and 'dns-01' are supported by cert-manager, other values
|
||||
will be ignored.
|
||||
type: string
|
||||
url:
|
||||
description: URL is the URL of this challenge. It can
|
||||
be used to retrieve additional metadata about the Challenge
|
||||
from the ACME server.
|
||||
type: string
|
||||
required:
|
||||
- token
|
||||
- type
|
||||
- url
|
||||
type: object
|
||||
type: array
|
||||
identifier:
|
||||
description: Identifier is the DNS name to be validated as part
|
||||
of this authorization
|
||||
type: string
|
||||
initialState:
|
||||
description: InitialState is the initial state of the ACME authorization
|
||||
when first fetched from the ACME server. If an Authorization
|
||||
is already 'valid', the Order controller will not create a
|
||||
Challenge resource for the authorization. This will occur
|
||||
when working with an ACME server that enables 'authz reuse'
|
||||
(such as Let's Encrypt's production endpoint). If not set
|
||||
and 'identifier' is set, the state is assumed to be pending
|
||||
and a Challenge will be created.
|
||||
enum:
|
||||
- valid
|
||||
- ready
|
||||
- pending
|
||||
- processing
|
||||
- invalid
|
||||
- expired
|
||||
- errored
|
||||
type: string
|
||||
url:
|
||||
description: URL is the URL of the Authorization that must be
|
||||
completed
|
||||
type: string
|
||||
wildcard:
|
||||
description: Wildcard will be true if this authorization is
|
||||
for a wildcard DNS name. If this is true, the identifier will
|
||||
be the *non-wildcard* version of the DNS name. For example,
|
||||
if '*.example.com' is the DNS name being validated, this field
|
||||
will be 'true' and the 'identifier' field will be 'example.com'.
|
||||
type: boolean
|
||||
required:
|
||||
- url
|
||||
type: object
|
||||
type: array
|
||||
certificate:
|
||||
description: Certificate is a copy of the PEM encoded certificate
|
||||
for this Order. This field will be populated after the order has
|
||||
been successfully finalized with the ACME server, and the order
|
||||
has transitioned to the 'valid' state.
|
||||
format: byte
|
||||
type: string
|
||||
failureTime:
|
||||
description: FailureTime stores the time that this order failed. This
|
||||
is used to influence garbage collection and back-off.
|
||||
format: date-time
|
||||
type: string
|
||||
finalizeURL:
|
||||
description: FinalizeURL of the Order. This is used to obtain certificates
|
||||
for this order once it has been completed.
|
||||
type: string
|
||||
reason:
|
||||
description: Reason optionally provides more information about a why
|
||||
the order is in the current state.
|
||||
type: string
|
||||
state:
|
||||
description: State contains the current state of this Order resource.
|
||||
States 'success' and 'expired' are 'final'
|
||||
enum:
|
||||
- valid
|
||||
- ready
|
||||
- pending
|
||||
- processing
|
||||
- invalid
|
||||
- expired
|
||||
- errored
|
||||
type: string
|
||||
url:
|
||||
description: URL of the Order. This will initially be empty when the
|
||||
resource is first created. The Order controller will populate this
|
||||
field when the Order is first processed. This field will be immutable
|
||||
after it is initially set.
|
||||
type: string
|
||||
type: object
|
||||
required:
|
||||
- metadata
|
||||
- spec
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
subresources:
|
||||
status: {}
|
||||
status:
|
||||
acceptedNames:
|
||||
kind: ""
|
||||
plural: ""
|
||||
conditions: []
|
||||
storedVersions: []
|
|
@ -1,168 +0,0 @@
|
|||
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
labels:
|
||||
app: cainjector
|
||||
app.kubernetes.io/component: cainjector
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: cainjector
|
||||
name: cert-manager-cainjector
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/component: cainjector
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: cainjector
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: cainjector
|
||||
app.kubernetes.io/component: cainjector
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: cainjector
|
||||
spec:
|
||||
containers:
|
||||
- args:
|
||||
- --v=2
|
||||
- --leader-election-namespace=kube-system
|
||||
env:
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
image: "{{ cert_manager_cainjector_image_repo }}:{{ cert_manager_cainjector_image_tag }}"
|
||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||
name: cert-manager
|
||||
resources: {}
|
||||
serviceAccountName: cert-manager-cainjector
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/component: controller
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
name: cert-manager
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/component: controller
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
template:
|
||||
metadata:
|
||||
annotations:
|
||||
prometheus.io/path: /metrics
|
||||
prometheus.io/port: "9402"
|
||||
prometheus.io/scrape: "true"
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/component: controller
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
spec:
|
||||
containers:
|
||||
- args:
|
||||
- --v=2
|
||||
- --cluster-resource-namespace=$(POD_NAMESPACE)
|
||||
- --leader-election-namespace=kube-system
|
||||
env:
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
image: "{{ cert_manager_controller_image_repo }}:{{ cert_manager_controller_image_tag }}"
|
||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||
name: cert-manager
|
||||
ports:
|
||||
- containerPort: 9402
|
||||
protocol: TCP
|
||||
resources: {}
|
||||
serviceAccountName: cert-manager
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
labels:
|
||||
app: webhook
|
||||
app.kubernetes.io/component: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: webhook
|
||||
name: cert-manager-webhook
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/component: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: webhook
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: webhook
|
||||
app.kubernetes.io/component: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: webhook
|
||||
spec:
|
||||
containers:
|
||||
- args:
|
||||
- --v=2
|
||||
- --secure-port=10250
|
||||
- --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
|
||||
- --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
|
||||
- --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.{{ cert_manager_namespace }},cert-manager-webhook.{{ cert_manager_namespace }}.svc
|
||||
env:
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
image: "{{ cert_manager_webhook_image_repo }}:{{ cert_manager_webhook_image_tag }}"
|
||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||
livenessProbe:
|
||||
failureThreshold: 3
|
||||
httpGet:
|
||||
path: /livez
|
||||
port: 6080
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: 60
|
||||
periodSeconds: 10
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 1
|
||||
name: cert-manager
|
||||
ports:
|
||||
- containerPort: 10250
|
||||
name: https
|
||||
readinessProbe:
|
||||
failureThreshold: 3
|
||||
httpGet:
|
||||
path: /healthz
|
||||
port: 6080
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 5
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 1
|
||||
resources: {}
|
||||
serviceAccountName: cert-manager-webhook
|
|
@ -1,100 +0,0 @@
|
|||
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
labels:
|
||||
app: cainjector
|
||||
app.kubernetes.io/component: cainjector
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: cainjector
|
||||
name: cert-manager-cainjector:leaderelection
|
||||
namespace: kube-system
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resourceNames:
|
||||
- cert-manager-cainjector-leader-election
|
||||
- cert-manager-cainjector-leader-election-core
|
||||
resources:
|
||||
- configmaps
|
||||
verbs:
|
||||
- get
|
||||
- update
|
||||
- patch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- configmaps
|
||||
verbs:
|
||||
- create
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/component: controller
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
name: cert-manager:leaderelection
|
||||
namespace: kube-system
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resourceNames:
|
||||
- cert-manager-controller
|
||||
resources:
|
||||
- configmaps
|
||||
verbs:
|
||||
- get
|
||||
- update
|
||||
- patch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- configmaps
|
||||
verbs:
|
||||
- create
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
labels:
|
||||
app: webhook
|
||||
app.kubernetes.io/component: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: webhook
|
||||
name: cert-manager-webhook:dynamic-serving
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resourceNames:
|
||||
- cert-manager-webhook-ca
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- update
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- create
|
|
@ -1,73 +0,0 @@
|
|||
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
labels:
|
||||
app: cainjector
|
||||
app.kubernetes.io/component: cainjector
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: cainjector
|
||||
name: cert-manager-cainjector:leaderelection
|
||||
namespace: kube-system
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: cert-manager-cainjector:leaderelection
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: cert-manager-cainjector
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/component: controller
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
name: cert-manager:leaderelection
|
||||
namespace: kube-system
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: cert-manager:leaderelection
|
||||
subjects:
|
||||
- apiGroup: ""
|
||||
kind: ServiceAccount
|
||||
name: cert-manager
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
labels:
|
||||
app: webhook
|
||||
app.kubernetes.io/component: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: webhook
|
||||
name: cert-manager-webhook:dynamic-serving
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: cert-manager-webhook:dynamic-serving
|
||||
subjects:
|
||||
- apiGroup: ""
|
||||
kind: ServiceAccount
|
||||
name: cert-manager-webhook
|
||||
namespace: {{ cert_manager_namespace }}
|
|
@ -1,47 +0,0 @@
|
|||
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
labels:
|
||||
app: cainjector
|
||||
app.kubernetes.io/component: cainjector
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: cainjector
|
||||
name: cert-manager-cainjector
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/component: controller
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
name: cert-manager
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
labels:
|
||||
app: webhook
|
||||
app.kubernetes.io/component: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: webhook
|
||||
name: cert-manager-webhook
|
||||
namespace: {{ cert_manager_namespace }}
|
|
@ -1,56 +0,0 @@
|
|||
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/component: controller
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
name: cert-manager
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
spec:
|
||||
ports:
|
||||
- port: 9402
|
||||
protocol: TCP
|
||||
targetPort: 9402
|
||||
selector:
|
||||
app.kubernetes.io/component: controller
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
type: ClusterIP
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
labels:
|
||||
app: webhook
|
||||
app.kubernetes.io/component: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: webhook
|
||||
name: cert-manager-webhook
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
spec:
|
||||
ports:
|
||||
- name: https
|
||||
port: 443
|
||||
targetPort: 10250
|
||||
selector:
|
||||
app.kubernetes.io/component: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: webhook
|
||||
type: ClusterIP
|
|
@ -1,94 +0,0 @@
|
|||
# Copyright YEAR The Jetstack cert-manager contributors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
---
|
||||
apiVersion: admissionregistration.k8s.io/v1
|
||||
kind: MutatingWebhookConfiguration
|
||||
metadata:
|
||||
annotations:
|
||||
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
|
||||
labels:
|
||||
app: webhook
|
||||
app.kubernetes.io/component: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: webhook
|
||||
name: cert-manager-webhook
|
||||
webhooks:
|
||||
- admissionReviewVersions:
|
||||
- v1
|
||||
- v1beta1
|
||||
clientConfig:
|
||||
service:
|
||||
name: cert-manager-webhook
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
path: /mutate
|
||||
failurePolicy: Fail
|
||||
name: webhook.cert-manager.io
|
||||
rules:
|
||||
- apiGroups:
|
||||
- cert-manager.io
|
||||
- acme.cert-manager.io
|
||||
apiVersions:
|
||||
- '*'
|
||||
operations:
|
||||
- CREATE
|
||||
- UPDATE
|
||||
resources:
|
||||
- '*/*'
|
||||
sideEffects: None
|
||||
---
|
||||
apiVersion: admissionregistration.k8s.io/v1
|
||||
kind: ValidatingWebhookConfiguration
|
||||
metadata:
|
||||
annotations:
|
||||
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
|
||||
labels:
|
||||
app: webhook
|
||||
app.kubernetes.io/component: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/name: webhook
|
||||
name: cert-manager-webhook
|
||||
webhooks:
|
||||
- admissionReviewVersions:
|
||||
- v1
|
||||
- v1beta1
|
||||
clientConfig:
|
||||
service:
|
||||
name: cert-manager-webhook
|
||||
namespace: {{ cert_manager_namespace }}
|
||||
path: /validate
|
||||
failurePolicy: Fail
|
||||
name: webhook.cert-manager.io
|
||||
namespaceSelector:
|
||||
matchExpressions:
|
||||
- key: cert-manager.io/disable-validation
|
||||
operator: NotIn
|
||||
values:
|
||||
- "true"
|
||||
- key: name
|
||||
operator: NotIn
|
||||
values:
|
||||
- cert-manager
|
||||
rules:
|
||||
- apiGroups:
|
||||
- cert-manager.io
|
||||
- acme.cert-manager.io
|
||||
apiVersions:
|
||||
- '*'
|
||||
operations:
|
||||
- CREATE
|
||||
- UPDATE
|
||||
resources:
|
||||
- '*/*'
|
||||
sideEffects: None
|
Loading…
Reference in New Issue