cert-manager: upgrade to 1.5.4 (#8069)

* cert-manager: update to 1.5.4

* cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
pull/8076/head
Cristian Calin 2021-10-12 19:17:47 +03:00 committed by GitHub
parent e4c8c7188e
commit cee481f63d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
20 changed files with 17180 additions and 26528 deletions

View File

@ -150,7 +150,7 @@ Note: Upstart/SysV init based OS types are not supported.
- [ambassador](https://github.com/datawire/ambassador): v1.5 - [ambassador](https://github.com/datawire/ambassador): v1.5
- [cephfs-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.0-k8s1.11 - [cephfs-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.0-k8s1.11
- [rbd-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.1-k8s1.11 - [rbd-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.1-k8s1.11
- [cert-manager](https://github.com/jetstack/cert-manager) v1.0.4 - [cert-manager](https://github.com/jetstack/cert-manager) v1.5.4
- [coredns](https://github.com/coredns/coredns) v1.8.0 - [coredns](https://github.com/coredns/coredns) v1.8.0
- [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v1.0.0 - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v1.0.0

View File

@ -11,29 +11,13 @@
Cert-Manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Lets Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self signed. It will ensure certificates are valid and up to date, and attempt to renew certificates at a configured time before expiry. Cert-Manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Lets Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self signed. It will ensure certificates are valid and up to date, and attempt to renew certificates at a configured time before expiry.
The Kubespray out-of-the-box cert-manager deployment uses a TLS Root CA certificate and key stored as the Kubernetes `ca-key-pair` secret consisting of `tls.crt` and `tls.key`, which are the base64 encode values of the TLS Root CA certificate and key respectively.
Integration with other PKI/Certificate management solutions, such as HashiCorp Vault will require some further development changes to the current cert-manager deployment and may be introduced in the future.
## Kubernetes TLS Root CA Certificate/Key Secret ## Kubernetes TLS Root CA Certificate/Key Secret
If you're planning to secure your ingress resources using TLS client certificates, you'll need to create and deploy the Kubernetes `ca-key-pair` secret consisting of the Root CA certificate and key to your K8s cluster. If you're planning to secure your ingress resources using TLS client certificates, you'll need to create and deploy the Kubernetes `ca-key-pair` secret consisting of the Root CA certificate and key to your K8s cluster.
If these are already available, simply update `templates\secret-cert-manager.yml.j2` with the base64 encoded values of your TLS Root CA certificate and key prior to enabling and deploying cert-manager.
e.g.
```shell
$ cat ca.pem | base64 -w 0
LS0tLS1CRUdJTiBDRVJU...
$ cat ca-key.pem | base64 -w 0
LS0tLS1CRUdJTiBSU0Eg...
```
For further information, read the official [Cert-Manager CA Configuration](https://cert-manager.io/docs/configuration/ca/) doc. For further information, read the official [Cert-Manager CA Configuration](https://cert-manager.io/docs/configuration/ca/) doc.
Once the base64 encoded values have been added to `templates\secret-cert-manager.yml.j2`, cert-manager can now be enabled by editing your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s_cluster\addons.yml` and setting `cert_manager_enabled` to true. `cert-manager` can now be enabled by editing your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s_cluster\addons.yml` and setting `cert_manager_enabled` to true.
```ini ```ini
# Cert manager deployment # Cert manager deployment

View File

@ -558,7 +558,7 @@ ingress_ambassador_image_repo: "{{ quay_image_repo }}/datawire/ambassador-operat
ingress_ambassador_image_tag: "v1.2.9" ingress_ambassador_image_tag: "v1.2.9"
alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller" alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
alb_ingress_image_tag: "v1.1.9" alb_ingress_image_tag: "v1.1.9"
cert_manager_version: "v1.0.4" cert_manager_version: "v1.5.4"
cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller" cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller"
cert_manager_controller_image_tag: "{{ cert_manager_version }}" cert_manager_controller_image_tag: "{{ cert_manager_version }}"
cert_manager_cainjector_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-cainjector" cert_manager_cainjector_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-cainjector"

View File

@ -31,20 +31,8 @@
- name: Cert Manager | Templates list - name: Cert Manager | Templates list
set_fact: set_fact:
cert_manager_templates: cert_manager_templates:
- { name: 00-namespace, file: 00-namespace.yml, type: ns } - { name: cert-manager, file: cert-manager.yml, type: all }
- { name: sa-cert-manager, file: sa-cert-manager.yml, type: sa } - { name: cert-manager.crds, file: cert-manager.crds.yml, type: crd }
- { name: crd-certificate, file: crd-certificate.yml, type: crd }
- { name: crd-challenge, file: crd-challenge.yml, type: crd }
- { name: crd-clusterissuer, file: crd-clusterissuer.yml, type: crd }
- { name: crd-issuer, file: crd-issuer.yml, type: crd }
- { name: crd-order, file: crd-order.yml, type: crd }
- { name: clusterrole-cert-manager, file: clusterrole-cert-manager.yml, type: clusterrole }
- { name: clusterrolebinding-cert-manager, file: clusterrolebinding-cert-manager.yml, type: clusterrolebinding }
- { name: role-cert-manager, file: role-cert-manager.yml, type: role }
- { name: rolebinding-cert-manager, file: rolebinding-cert-manager.yml, type: rolebinding }
- { name: deploy-cert-manager, file: deploy-cert-manager.yml, type: deploy }
- { name: svc-cert-manager, file: svc-cert-manager.yml, type: svc }
- { name: webhook-cert-manager, file: webhook-cert-manager.yml, type: webhook }
- name: Cert Manager | Create manifests - name: Cert Manager | Create manifests
template: template:

View File

@ -1,21 +0,0 @@
# Copyright YEAR The Jetstack cert-manager contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: v1
kind: Namespace
metadata:
name: {{ cert_manager_namespace }}
labels:
name: {{ cert_manager_namespace }}

View File

@ -1,498 +0,0 @@
# Copyright YEAR The Jetstack cert-manager contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: cainjector
app.kubernetes.io/component: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cainjector
name: cert-manager-cainjector
rules:
- apiGroups:
- cert-manager.io
resources:
- certificates
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- get
- create
- update
- patch
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
- mutatingwebhookconfigurations
verbs:
- get
- list
- watch
- update
- apiGroups:
- apiregistration.k8s.io
resources:
- apiservices
verbs:
- get
- list
- watch
- update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- update
- apiGroups:
- auditregistration.k8s.io
resources:
- auditsinks
verbs:
- get
- list
- watch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-issuers
rules:
- apiGroups:
- cert-manager.io
resources:
- issuers
- issuers/status
verbs:
- update
- apiGroups:
- cert-manager.io
resources:
- issuers
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- create
- update
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-clusterissuers
rules:
- apiGroups:
- cert-manager.io
resources:
- clusterissuers
- clusterissuers/status
verbs:
- update
- apiGroups:
- cert-manager.io
resources:
- clusterissuers
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- create
- update
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-certificates
rules:
- apiGroups:
- cert-manager.io
resources:
- certificates
- certificates/status
- certificaterequests
- certificaterequests/status
verbs:
- update
- apiGroups:
- cert-manager.io
resources:
- certificates
- certificaterequests
- clusterissuers
- issuers
verbs:
- get
- list
- watch
- apiGroups:
- cert-manager.io
resources:
- certificates/finalizers
- certificaterequests/finalizers
verbs:
- update
- apiGroups:
- acme.cert-manager.io
resources:
- orders
verbs:
- create
- delete
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- create
- update
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-orders
rules:
- apiGroups:
- acme.cert-manager.io
resources:
- orders
- orders/status
verbs:
- update
- apiGroups:
- acme.cert-manager.io
resources:
- orders
- challenges
verbs:
- get
- list
- watch
- apiGroups:
- cert-manager.io
resources:
- clusterissuers
- issuers
verbs:
- get
- list
- watch
- apiGroups:
- acme.cert-manager.io
resources:
- challenges
verbs:
- create
- delete
- apiGroups:
- acme.cert-manager.io
resources:
- orders/finalizers
verbs:
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-challenges
rules:
- apiGroups:
- acme.cert-manager.io
resources:
- challenges
- challenges/status
verbs:
- update
- apiGroups:
- acme.cert-manager.io
resources:
- challenges
verbs:
- get
- list
- watch
- apiGroups:
- cert-manager.io
resources:
- issuers
- clusterissuers
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- pods
- services
verbs:
- get
- list
- watch
- create
- delete
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- create
- delete
- update
- apiGroups:
- route.openshift.io
resources:
- routes/custom-host
verbs:
- create
- apiGroups:
- acme.cert-manager.io
resources:
- challenges/finalizers
verbs:
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-ingress-shim
rules:
- apiGroups:
- cert-manager.io
resources:
- certificates
- certificaterequests
verbs:
- create
- update
- delete
- apiGroups:
- cert-manager.io
resources:
- certificates
- certificaterequests
- issuers
- clusterissuers
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/finalizers
verbs:
- update
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-view: "true"
name: cert-manager-view
rules:
- apiGroups:
- cert-manager.io
resources:
- certificates
- certificaterequests
- issuers
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: cert-manager-edit
rules:
- apiGroups:
- cert-manager.io
resources:
- certificates
- certificaterequests
- issuers
verbs:
- create
- delete
- deletecollection
- patch
- update

View File

@ -1,140 +0,0 @@
# Copyright YEAR The Jetstack cert-manager contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: cainjector
app.kubernetes.io/component: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cainjector
name: cert-manager-cainjector
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-cainjector
subjects:
- kind: ServiceAccount
name: cert-manager-cainjector
namespace: {{ cert_manager_namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-issuers
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-issuers
subjects:
- kind: ServiceAccount
name: cert-manager
namespace: {{ cert_manager_namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-clusterissuers
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-clusterissuers
subjects:
- kind: ServiceAccount
name: cert-manager
namespace: {{ cert_manager_namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-certificates
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-certificates
subjects:
- kind: ServiceAccount
name: cert-manager
namespace: {{ cert_manager_namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-orders
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-orders
subjects:
- kind: ServiceAccount
name: cert-manager
namespace: {{ cert_manager_namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-challenges
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-challenges
subjects:
- kind: ServiceAccount
name: cert-manager
namespace: {{ cert_manager_namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-ingress-shim
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-ingress-shim
subjects:
- kind: ServiceAccount
name: cert-manager
namespace: {{ cert_manager_namespace }}

View File

@ -1,885 +0,0 @@
# Copyright YEAR The Jetstack cert-manager contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
labels:
app: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: orders.acme.cert-manager.io
spec:
conversion:
strategy: Webhook
webhook:
clientConfig:
service:
name: cert-manager-webhook
namespace: {{ cert_manager_namespace }}
path: /convert
conversionReviewVersions:
- v1
- v1beta1
group: acme.cert-manager.io
names:
kind: Order
listKind: OrderList
plural: orders
singular: order
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.state
name: State
type: string
- jsonPath: .spec.issuerRef.name
name: Issuer
priority: 1
type: string
- jsonPath: .status.reason
name: Reason
priority: 1
type: string
- description: CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before
order across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC.
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha2
schema:
openAPIV3Schema:
description: Order is a type to represent an Order with an ACME server
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
commonName:
description: CommonName is the common name as specified on the DER
encoded CSR. If specified, this value must also be present in `dnsNames`.
This field must match the corresponding field on the DER encoded
CSR.
type: string
csr:
description: Certificate signing request bytes in DER encoding. This
will be used when finalizing the order. This field must be set on
the order.
format: byte
type: string
dnsNames:
description: DNSNames is a list of DNS names that should be included
as part of the Order validation process. This field must match the
corresponding field on the DER encoded CSR.
items:
type: string
type: array
issuerRef:
description: IssuerRef references a properly configured ACME-type
Issuer which should be used to create this Order. If the Issuer
does not exist, processing will be retried. If the Issuer is not
an 'ACME' Issuer, an error will be returned and the Order will be
marked as failed.
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
required:
- name
type: object
required:
- csr
- dnsNames
- issuerRef
type: object
status:
properties:
authorizations:
description: Authorizations contains data returned from the ACME server
on what authorizations must be completed in order to validate the
DNS names specified on the Order.
items:
description: ACMEAuthorization contains data returned from the ACME
server on an authorization that must be completed in order validate
a DNS name on an ACME Order resource.
properties:
challenges:
description: Challenges specifies the challenge types offered
by the ACME server. One of these challenge types will be selected
when validating the DNS name and an appropriate Challenge
resource will be created to perform the ACME challenge process.
items:
description: Challenge specifies a challenge offered by the
ACME server for an Order. An appropriate Challenge resource
can be created to perform the ACME challenge process.
properties:
token:
description: Token is the token that must be presented
for this challenge. This is used to compute the 'key'
that must also be presented.
type: string
type:
description: Type is the type of challenge being offered,
e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
the raw value retrieved from the ACME server. Only 'http-01'
and 'dns-01' are supported by cert-manager, other values
will be ignored.
type: string
url:
description: URL is the URL of this challenge. It can
be used to retrieve additional metadata about the Challenge
from the ACME server.
type: string
required:
- token
- type
- url
type: object
type: array
identifier:
description: Identifier is the DNS name to be validated as part
of this authorization
type: string
initialState:
description: InitialState is the initial state of the ACME authorization
when first fetched from the ACME server. If an Authorization
is already 'valid', the Order controller will not create a
Challenge resource for the authorization. This will occur
when working with an ACME server that enables 'authz reuse'
(such as Let's Encrypt's production endpoint). If not set
and 'identifier' is set, the state is assumed to be pending
and a Challenge will be created.
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
type: string
url:
description: URL is the URL of the Authorization that must be
completed
type: string
wildcard:
description: Wildcard will be true if this authorization is
for a wildcard DNS name. If this is true, the identifier will
be the *non-wildcard* version of the DNS name. For example,
if '*.example.com' is the DNS name being validated, this field
will be 'true' and the 'identifier' field will be 'example.com'.
type: boolean
required:
- url
type: object
type: array
certificate:
description: Certificate is a copy of the PEM encoded certificate
for this Order. This field will be populated after the order has
been successfully finalized with the ACME server, and the order
has transitioned to the 'valid' state.
format: byte
type: string
failureTime:
description: FailureTime stores the time that this order failed. This
is used to influence garbage collection and back-off.
format: date-time
type: string
finalizeURL:
description: FinalizeURL of the Order. This is used to obtain certificates
for this order once it has been completed.
type: string
reason:
description: Reason optionally provides more information about a why
the order is in the current state.
type: string
state:
description: State contains the current state of this Order resource.
States 'success' and 'expired' are 'final'
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
type: string
url:
description: URL of the Order. This will initially be empty when the
resource is first created. The Order controller will populate this
field when the Order is first processed. This field will be immutable
after it is initially set.
type: string
type: object
required:
- metadata
type: object
served: true
storage: false
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .status.state
name: State
type: string
- jsonPath: .spec.issuerRef.name
name: Issuer
priority: 1
type: string
- jsonPath: .status.reason
name: Reason
priority: 1
type: string
- description: CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before
order across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC.
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha3
schema:
openAPIV3Schema:
description: Order is a type to represent an Order with an ACME server
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
commonName:
description: CommonName is the common name as specified on the DER
encoded CSR. If specified, this value must also be present in `dnsNames`.
This field must match the corresponding field on the DER encoded
CSR.
type: string
csr:
description: Certificate signing request bytes in DER encoding. This
will be used when finalizing the order. This field must be set on
the order.
format: byte
type: string
dnsNames:
description: DNSNames is a list of DNS names that should be included
as part of the Order validation process. This field must match the
corresponding field on the DER encoded CSR.
items:
type: string
type: array
issuerRef:
description: IssuerRef references a properly configured ACME-type
Issuer which should be used to create this Order. If the Issuer
does not exist, processing will be retried. If the Issuer is not
an 'ACME' Issuer, an error will be returned and the Order will be
marked as failed.
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
required:
- name
type: object
required:
- csr
- dnsNames
- issuerRef
type: object
status:
properties:
authorizations:
description: Authorizations contains data returned from the ACME server
on what authorizations must be completed in order to validate the
DNS names specified on the Order.
items:
description: ACMEAuthorization contains data returned from the ACME
server on an authorization that must be completed in order validate
a DNS name on an ACME Order resource.
properties:
challenges:
description: Challenges specifies the challenge types offered
by the ACME server. One of these challenge types will be selected
when validating the DNS name and an appropriate Challenge
resource will be created to perform the ACME challenge process.
items:
description: Challenge specifies a challenge offered by the
ACME server for an Order. An appropriate Challenge resource
can be created to perform the ACME challenge process.
properties:
token:
description: Token is the token that must be presented
for this challenge. This is used to compute the 'key'
that must also be presented.
type: string
type:
description: Type is the type of challenge being offered,
e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
the raw value retrieved from the ACME server. Only 'http-01'
and 'dns-01' are supported by cert-manager, other values
will be ignored.
type: string
url:
description: URL is the URL of this challenge. It can
be used to retrieve additional metadata about the Challenge
from the ACME server.
type: string
required:
- token
- type
- url
type: object
type: array
identifier:
description: Identifier is the DNS name to be validated as part
of this authorization
type: string
initialState:
description: InitialState is the initial state of the ACME authorization
when first fetched from the ACME server. If an Authorization
is already 'valid', the Order controller will not create a
Challenge resource for the authorization. This will occur
when working with an ACME server that enables 'authz reuse'
(such as Let's Encrypt's production endpoint). If not set
and 'identifier' is set, the state is assumed to be pending
and a Challenge will be created.
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
type: string
url:
description: URL is the URL of the Authorization that must be
completed
type: string
wildcard:
description: Wildcard will be true if this authorization is
for a wildcard DNS name. If this is true, the identifier will
be the *non-wildcard* version of the DNS name. For example,
if '*.example.com' is the DNS name being validated, this field
will be 'true' and the 'identifier' field will be 'example.com'.
type: boolean
required:
- url
type: object
type: array
certificate:
description: Certificate is a copy of the PEM encoded certificate
for this Order. This field will be populated after the order has
been successfully finalized with the ACME server, and the order
has transitioned to the 'valid' state.
format: byte
type: string
failureTime:
description: FailureTime stores the time that this order failed. This
is used to influence garbage collection and back-off.
format: date-time
type: string
finalizeURL:
description: FinalizeURL of the Order. This is used to obtain certificates
for this order once it has been completed.
type: string
reason:
description: Reason optionally provides more information about a why
the order is in the current state.
type: string
state:
description: State contains the current state of this Order resource.
States 'success' and 'expired' are 'final'
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
type: string
url:
description: URL of the Order. This will initially be empty when the
resource is first created. The Order controller will populate this
field when the Order is first processed. This field will be immutable
after it is initially set.
type: string
type: object
required:
- metadata
type: object
served: true
storage: false
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .status.state
name: State
type: string
- jsonPath: .spec.issuerRef.name
name: Issuer
priority: 1
type: string
- jsonPath: .status.reason
name: Reason
priority: 1
type: string
- description: CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before
order across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC.
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1beta1
schema:
openAPIV3Schema:
description: Order is a type to represent an Order with an ACME server
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
commonName:
description: CommonName is the common name as specified on the DER
encoded CSR. If specified, this value must also be present in `dnsNames`.
This field must match the corresponding field on the DER encoded
CSR.
type: string
dnsNames:
description: DNSNames is a list of DNS names that should be included
as part of the Order validation process. This field must match the
corresponding field on the DER encoded CSR.
items:
type: string
type: array
issuerRef:
description: IssuerRef references a properly configured ACME-type
Issuer which should be used to create this Order. If the Issuer
does not exist, processing will be retried. If the Issuer is not
an 'ACME' Issuer, an error will be returned and the Order will be
marked as failed.
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
required:
- name
type: object
request:
description: Certificate signing request bytes in DER encoding. This
will be used when finalizing the order. This field must be set on
the order.
format: byte
type: string
required:
- dnsNames
- issuerRef
- request
type: object
status:
properties:
authorizations:
description: Authorizations contains data returned from the ACME server
on what authorizations must be completed in order to validate the
DNS names specified on the Order.
items:
description: ACMEAuthorization contains data returned from the ACME
server on an authorization that must be completed in order validate
a DNS name on an ACME Order resource.
properties:
challenges:
description: Challenges specifies the challenge types offered
by the ACME server. One of these challenge types will be selected
when validating the DNS name and an appropriate Challenge
resource will be created to perform the ACME challenge process.
items:
description: Challenge specifies a challenge offered by the
ACME server for an Order. An appropriate Challenge resource
can be created to perform the ACME challenge process.
properties:
token:
description: Token is the token that must be presented
for this challenge. This is used to compute the 'key'
that must also be presented.
type: string
type:
description: Type is the type of challenge being offered,
e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
the raw value retrieved from the ACME server. Only 'http-01'
and 'dns-01' are supported by cert-manager, other values
will be ignored.
type: string
url:
description: URL is the URL of this challenge. It can
be used to retrieve additional metadata about the Challenge
from the ACME server.
type: string
required:
- token
- type
- url
type: object
type: array
identifier:
description: Identifier is the DNS name to be validated as part
of this authorization
type: string
initialState:
description: InitialState is the initial state of the ACME authorization
when first fetched from the ACME server. If an Authorization
is already 'valid', the Order controller will not create a
Challenge resource for the authorization. This will occur
when working with an ACME server that enables 'authz reuse'
(such as Let's Encrypt's production endpoint). If not set
and 'identifier' is set, the state is assumed to be pending
and a Challenge will be created.
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
type: string
url:
description: URL is the URL of the Authorization that must be
completed
type: string
wildcard:
description: Wildcard will be true if this authorization is
for a wildcard DNS name. If this is true, the identifier will
be the *non-wildcard* version of the DNS name. For example,
if '*.example.com' is the DNS name being validated, this field
will be 'true' and the 'identifier' field will be 'example.com'.
type: boolean
required:
- url
type: object
type: array
certificate:
description: Certificate is a copy of the PEM encoded certificate
for this Order. This field will be populated after the order has
been successfully finalized with the ACME server, and the order
has transitioned to the 'valid' state.
format: byte
type: string
failureTime:
description: FailureTime stores the time that this order failed. This
is used to influence garbage collection and back-off.
format: date-time
type: string
finalizeURL:
description: FinalizeURL of the Order. This is used to obtain certificates
for this order once it has been completed.
type: string
reason:
description: Reason optionally provides more information about a why
the order is in the current state.
type: string
state:
description: State contains the current state of this Order resource.
States 'success' and 'expired' are 'final'
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
type: string
url:
description: URL of the Order. This will initially be empty when the
resource is first created. The Order controller will populate this
field when the Order is first processed. This field will be immutable
after it is initially set.
type: string
type: object
required:
- metadata
- spec
type: object
served: true
storage: false
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .status.state
name: State
type: string
- jsonPath: .spec.issuerRef.name
name: Issuer
priority: 1
type: string
- jsonPath: .status.reason
name: Reason
priority: 1
type: string
- description: CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before
order across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC.
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1
schema:
openAPIV3Schema:
description: Order is a type to represent an Order with an ACME server
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
commonName:
description: CommonName is the common name as specified on the DER
encoded CSR. If specified, this value must also be present in `dnsNames`.
This field must match the corresponding field on the DER encoded
CSR.
type: string
dnsNames:
description: DNSNames is a list of DNS names that should be included
as part of the Order validation process. This field must match the
corresponding field on the DER encoded CSR.
items:
type: string
type: array
issuerRef:
description: IssuerRef references a properly configured ACME-type
Issuer which should be used to create this Order. If the Issuer
does not exist, processing will be retried. If the Issuer is not
an 'ACME' Issuer, an error will be returned and the Order will be
marked as failed.
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
required:
- name
type: object
request:
description: Certificate signing request bytes in DER encoding. This
will be used when finalizing the order. This field must be set on
the order.
format: byte
type: string
required:
- dnsNames
- issuerRef
- request
type: object
status:
properties:
authorizations:
description: Authorizations contains data returned from the ACME server
on what authorizations must be completed in order to validate the
DNS names specified on the Order.
items:
description: ACMEAuthorization contains data returned from the ACME
server on an authorization that must be completed in order validate
a DNS name on an ACME Order resource.
properties:
challenges:
description: Challenges specifies the challenge types offered
by the ACME server. One of these challenge types will be selected
when validating the DNS name and an appropriate Challenge
resource will be created to perform the ACME challenge process.
items:
description: Challenge specifies a challenge offered by the
ACME server for an Order. An appropriate Challenge resource
can be created to perform the ACME challenge process.
properties:
token:
description: Token is the token that must be presented
for this challenge. This is used to compute the 'key'
that must also be presented.
type: string
type:
description: Type is the type of challenge being offered,
e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
the raw value retrieved from the ACME server. Only 'http-01'
and 'dns-01' are supported by cert-manager, other values
will be ignored.
type: string
url:
description: URL is the URL of this challenge. It can
be used to retrieve additional metadata about the Challenge
from the ACME server.
type: string
required:
- token
- type
- url
type: object
type: array
identifier:
description: Identifier is the DNS name to be validated as part
of this authorization
type: string
initialState:
description: InitialState is the initial state of the ACME authorization
when first fetched from the ACME server. If an Authorization
is already 'valid', the Order controller will not create a
Challenge resource for the authorization. This will occur
when working with an ACME server that enables 'authz reuse'
(such as Let's Encrypt's production endpoint). If not set
and 'identifier' is set, the state is assumed to be pending
and a Challenge will be created.
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
type: string
url:
description: URL is the URL of the Authorization that must be
completed
type: string
wildcard:
description: Wildcard will be true if this authorization is
for a wildcard DNS name. If this is true, the identifier will
be the *non-wildcard* version of the DNS name. For example,
if '*.example.com' is the DNS name being validated, this field
will be 'true' and the 'identifier' field will be 'example.com'.
type: boolean
required:
- url
type: object
type: array
certificate:
description: Certificate is a copy of the PEM encoded certificate
for this Order. This field will be populated after the order has
been successfully finalized with the ACME server, and the order
has transitioned to the 'valid' state.
format: byte
type: string
failureTime:
description: FailureTime stores the time that this order failed. This
is used to influence garbage collection and back-off.
format: date-time
type: string
finalizeURL:
description: FinalizeURL of the Order. This is used to obtain certificates
for this order once it has been completed.
type: string
reason:
description: Reason optionally provides more information about a why
the order is in the current state.
type: string
state:
description: State contains the current state of this Order resource.
States 'success' and 'expired' are 'final'
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
type: string
url:
description: URL of the Order. This will initially be empty when the
resource is first created. The Order controller will populate this
field when the Order is first processed. This field will be immutable
after it is initially set.
type: string
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

View File

@ -1,168 +0,0 @@
# Copyright YEAR The Jetstack cert-manager contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: cainjector
app.kubernetes.io/component: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cainjector
name: cert-manager-cainjector
namespace: {{ cert_manager_namespace }}
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cainjector
template:
metadata:
labels:
app: cainjector
app.kubernetes.io/component: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cainjector
spec:
containers:
- args:
- --v=2
- --leader-election-namespace=kube-system
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: "{{ cert_manager_cainjector_image_repo }}:{{ cert_manager_cainjector_image_tag }}"
imagePullPolicy: {{ k8s_image_pull_policy }}
name: cert-manager
resources: {}
serviceAccountName: cert-manager-cainjector
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager
namespace: {{ cert_manager_namespace }}
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
template:
metadata:
annotations:
prometheus.io/path: /metrics
prometheus.io/port: "9402"
prometheus.io/scrape: "true"
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
spec:
containers:
- args:
- --v=2
- --cluster-resource-namespace=$(POD_NAMESPACE)
- --leader-election-namespace=kube-system
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: "{{ cert_manager_controller_image_repo }}:{{ cert_manager_controller_image_tag }}"
imagePullPolicy: {{ k8s_image_pull_policy }}
name: cert-manager
ports:
- containerPort: 9402
protocol: TCP
resources: {}
serviceAccountName: cert-manager
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: webhook
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: webhook
name: cert-manager-webhook
namespace: {{ cert_manager_namespace }}
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: webhook
template:
metadata:
labels:
app: webhook
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: webhook
spec:
containers:
- args:
- --v=2
- --secure-port=10250
- --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
- --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
- --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.{{ cert_manager_namespace }},cert-manager-webhook.{{ cert_manager_namespace }}.svc
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: "{{ cert_manager_webhook_image_repo }}:{{ cert_manager_webhook_image_tag }}"
imagePullPolicy: {{ k8s_image_pull_policy }}
livenessProbe:
failureThreshold: 3
httpGet:
path: /livez
port: 6080
scheme: HTTP
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: cert-manager
ports:
- containerPort: 10250
name: https
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 6080
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 1
resources: {}
serviceAccountName: cert-manager-webhook

View File

@ -1,100 +0,0 @@
# Copyright YEAR The Jetstack cert-manager contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app: cainjector
app.kubernetes.io/component: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cainjector
name: cert-manager-cainjector:leaderelection
namespace: kube-system
rules:
- apiGroups:
- ""
resourceNames:
- cert-manager-cainjector-leader-election
- cert-manager-cainjector-leader-election-core
resources:
- configmaps
verbs:
- get
- update
- patch
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager:leaderelection
namespace: kube-system
rules:
- apiGroups:
- ""
resourceNames:
- cert-manager-controller
resources:
- configmaps
verbs:
- get
- update
- patch
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app: webhook
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: webhook
name: cert-manager-webhook:dynamic-serving
namespace: {{ cert_manager_namespace }}
rules:
- apiGroups:
- ""
resourceNames:
- cert-manager-webhook-ca
resources:
- secrets
verbs:
- get
- list
- watch
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- create

View File

@ -1,73 +0,0 @@
# Copyright YEAR The Jetstack cert-manager contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app: cainjector
app.kubernetes.io/component: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cainjector
name: cert-manager-cainjector:leaderelection
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-manager-cainjector:leaderelection
subjects:
- kind: ServiceAccount
name: cert-manager-cainjector
namespace: {{ cert_manager_namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager:leaderelection
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-manager:leaderelection
subjects:
- apiGroup: ""
kind: ServiceAccount
name: cert-manager
namespace: {{ cert_manager_namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app: webhook
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: webhook
name: cert-manager-webhook:dynamic-serving
namespace: {{ cert_manager_namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-manager-webhook:dynamic-serving
subjects:
- apiGroup: ""
kind: ServiceAccount
name: cert-manager-webhook
namespace: {{ cert_manager_namespace }}

View File

@ -1,47 +0,0 @@
# Copyright YEAR The Jetstack cert-manager contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: cainjector
app.kubernetes.io/component: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cainjector
name: cert-manager-cainjector
namespace: {{ cert_manager_namespace }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager
namespace: {{ cert_manager_namespace }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: webhook
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: webhook
name: cert-manager-webhook
namespace: {{ cert_manager_namespace }}

View File

@ -1,56 +0,0 @@
# Copyright YEAR The Jetstack cert-manager contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: v1
kind: Service
metadata:
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager
namespace: {{ cert_manager_namespace }}
spec:
ports:
- port: 9402
protocol: TCP
targetPort: 9402
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
labels:
app: webhook
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: webhook
name: cert-manager-webhook
namespace: {{ cert_manager_namespace }}
spec:
ports:
- name: https
port: 443
targetPort: 10250
selector:
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: webhook
type: ClusterIP

View File

@ -1,94 +0,0 @@
# Copyright YEAR The Jetstack cert-manager contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
labels:
app: webhook
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: webhook
name: cert-manager-webhook
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: cert-manager-webhook
namespace: {{ cert_manager_namespace }}
path: /mutate
failurePolicy: Fail
name: webhook.cert-manager.io
rules:
- apiGroups:
- cert-manager.io
- acme.cert-manager.io
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
resources:
- '*/*'
sideEffects: None
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
labels:
app: webhook
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: webhook
name: cert-manager-webhook
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: cert-manager-webhook
namespace: {{ cert_manager_namespace }}
path: /validate
failurePolicy: Fail
name: webhook.cert-manager.io
namespaceSelector:
matchExpressions:
- key: cert-manager.io/disable-validation
operator: NotIn
values:
- "true"
- key: name
operator: NotIn
values:
- cert-manager
rules:
- apiGroups:
- cert-manager.io
- acme.cert-manager.io
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
resources:
- '*/*'
sideEffects: None