This is an automated email from the ASF dual-hosted git repository. omartushevskyi pushed a commit to branch DLAB-1158 in repository https://gitbox.apache.org/repos/asf/incubator-dlab.git
The following commit(s) were added to refs/heads/DLAB-1158 by this push:
new 4af7c4e upgraded helm and terraform version
4af7c4e is described below
commit 4af7c4e6fe8b4550005a2131e31b6e960b7a1f1d
Author: Oleh Martushevskyi <oleh_martushevs...@epam.com>
AuthorDate: Mon Oct 21 15:16:44 2019 +0300
upgraded helm and terraform version
---
.../main/cert-manager-chart/.helmignore | 43 -
.../main/cert-manager-chart/Chart.yaml | 26 -
.../main/cert-manager-chart/templates/NOTES.txt | 28 -
.../main/cert-manager-chart/templates/_helpers.tpl | 65 -
.../cert-manager-chart/templates/cert-manager.yaml | 2428 --------------------
.../main/cert-manager-chart/values.yaml | 26 -
.../aws/ssn-helm-charts/main/cert-manager.tf | 24 +-
.../main/step-issuer-chart/templates/crd.yaml | 148 --
8 files changed, 9 insertions(+), 2779 deletions(-)
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/.helmignore b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/.helmignore
deleted file mode 100644
index 4976779..0000000
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/.helmignore
+++ /dev/null
@@ -1,43 +0,0 @@
-# *****************************************************************************
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-# ******************************************************************************
-
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/Chart.yaml b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/Chart.yaml
deleted file mode 100644
index 55efa53..0000000
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/Chart.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-# *****************************************************************************
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-# ******************************************************************************
-
-apiVersion: v1
-appVersion: "1.0"
-description: A Helm chart for Kubernetes
-name: cert-manager
-version: 0.9.1
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/templates/NOTES.txt b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/templates/NOTES.txt
deleted file mode 100644
index ed07054..0000000
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/templates/NOTES.txt
+++ /dev/null
@@ -1,28 +0,0 @@
-# *****************************************************************************
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-# ******************************************************************************
-
-Your release is named {{ .Release.Name }}.
-
-To learn more about the release, try:
-
- $ helm status {{ .Release.Name }}
- $ helm get {{ .Release.Name }}
-
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/templates/_helpers.tpl b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/templates/_helpers.tpl
deleted file mode 100644
index c8a9a87..0000000
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/templates/_helpers.tpl
+++ /dev/null
@@ -1,65 +0,0 @@
-# *****************************************************************************
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-# ******************************************************************************
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "cert-manager.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "cert-manager.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "cert-manager.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Common labels
-*/}}
-{{- define "cert-manager.labels" -}}
-app.kubernetes.io/name: {{ include "cert-manager.name" . }}
-helm.sh/chart: {{ include "cert-manager.chart" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end -}}
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/templates/cert-manager.yaml b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/templates/cert-manager.yaml
deleted file mode 100644
index 87aa83d..0000000
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/templates/cert-manager.yaml
+++ /dev/null
@@ -1,2428 +0,0 @@ -{{- /* -# ***************************************************************************** -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# -# ****************************************************************************** -*/ -}} - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - labels: - controller-tools.k8s.io: "1.0" - name: certificates.certmanager.k8s.io -spec: - additionalPrinterColumns: - - JSONPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - JSONPath: .spec.secretName - name: Secret - type: string - - JSONPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - JSONPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - JSONPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. 
- name: Age - type: date - group: certmanager.k8s.io - names: - kind: Certificate - plural: certificates - shortNames: - - cert - - certs - scope: Namespaced - validation: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - acme: - description: ACME contains configuration specific to ACME Certificates. - Notably, this contains details on how the domain names listed on this - Certificate resource should be 'solved', i.e. mapping HTTP01 and DNS01 - providers to DNS names. - properties: - config: - items: - properties: - domains: - description: Domains is the list of domains that this SolverConfig - applies to. - items: - type: string - type: array - required: - - domains - type: object - type: array - required: - - config - type: object - commonName: - description: CommonName is a common name to be used on the Certificate. - If no CommonName is given, then the first entry in DNSNames is used - as the CommonName. The CommonName should have a length of 64 characters - or fewer to avoid generating invalid CSRs; in order to have longer - domain names, set the CommonName (or first DNSNames entry) to have - 64 characters or fewer, and then add the longer domain name to DNSNames. - type: string - dnsNames: - description: DNSNames is a list of subject alt names to be used on the - Certificate. 
If no CommonName is given, then the first entry in DNSNames - is used as the CommonName and must have a length of 64 characters - or fewer. - items: - type: string - type: array - duration: - description: Certificate default Duration - type: string - ipAddresses: - description: IPAddresses is a list of IP addresses to be used on the - Certificate - items: - type: string - type: array - isCA: - description: IsCA will mark this Certificate as valid for signing. This - implies that the 'signing' usage is set - type: boolean - issuerRef: - description: IssuerRef is a reference to the issuer for this certificate. - If the 'kind' field is not set, or set to 'Issuer', an Issuer resource - with the given name in the same namespace as the Certificate will - be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer - with the provided name will be used. The 'name' field in this stanza - is required at all times. - properties: - group: - type: string - kind: - type: string - name: - type: string - required: - - name - type: object - keyAlgorithm: - description: KeyAlgorithm is the private key algorithm of the corresponding - private key for this certificate. If provided, allowed values are - either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize is - not provided, key size of 256 will be used for "ecdsa" key algorithm - and key size of 2048 will be used for "rsa" key algorithm. - enum: - - rsa - - ecdsa - type: string - keyEncoding: - description: KeyEncoding is the private key cryptography standards (PKCS) - for this certificate's private key to be encoded in. If provided, - allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8, - respectively. If KeyEncoding is not specified, then PKCS#1 will be - used by default. - type: string - keySize: - description: KeySize is the key bit size of the corresponding private - key for this certificate. 
If provided, value must be between 2048 - and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa", - and value must be one of (256, 384, 521) when KeyAlgorithm is set - to "ecdsa". - format: int64 - type: integer - organization: - description: Organization is the organization to be used on the Certificate - items: - type: string - type: array - renewBefore: - description: Certificate renew before expiration duration - type: string - secretName: - description: SecretName is the name of the secret resource to store - this secret in - type: string - required: - - secretName - - issuerRef - type: object - status: - properties: - conditions: - items: - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - format: date-time - type: string - message: - description: Message is a human readable description of the details - of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation for - the condition's last transition. - type: string - status: - description: Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, currently ('Ready'). - type: string - required: - - type - - status - type: object - type: array - lastFailureTime: - format: date-time - type: string - notAfter: - description: The expiration time of the certificate stored in the secret - named by this resource in spec.secretName. 
- format: date-time - type: string - type: object - version: v1alpha1 -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - labels: - controller-tools.k8s.io: "1.0" - name: certificaterequests.certmanager.k8s.io -spec: - additionalPrinterColumns: - - JSONPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - JSONPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - JSONPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - JSONPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - name: Age - type: date - group: certmanager.k8s.io - names: - kind: CertificateRequest - plural: certificaterequests - shortNames: - - cr - - crs - scope: Namespaced - validation: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - csr: - description: Byte slice containing the PEM encoded CertificateSigningRequest - format: byte - type: string - duration: - description: Requested certificate default Duration - type: string - isCA: - description: IsCA will mark the resulting certificate as valid for signing. - This implies that the 'signing' usage is set - type: boolean - issuerRef: - description: IssuerRef is a reference to the issuer for this CertificateRequest. If - the 'kind' field is not set, or set to 'Issuer', an Issuer resource - with the given name in the same namespace as the CertificateRequest - will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer - with the provided name will be used. The 'name' field in this stanza - is required at all times. The group field refers to the API group - of the issuer which defaults to 'certmanager.k8s.io' if empty. - properties: - group: - type: string - kind: - type: string - name: - type: string - required: - - name - type: object - required: - - issuerRef - type: object - status: - properties: - ca: - description: Byte slice containing the PEM encoded certificate authority - of the signed certificate. - format: byte - type: string - certificate: - description: Byte slice containing a PEM encoded signed certificate - resulting from the given certificate signing request. - format: byte - type: string - conditions: - items: - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - format: date-time - type: string - message: - description: Message is a human readable description of the details - of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation for - the condition's last transition. 
- type: string - status: - description: Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, currently ('Ready'). - type: string - required: - - type - - status - type: object - type: array - type: object - version: v1alpha1 -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - labels: - controller-tools.k8s.io: "1.0" - name: challenges.certmanager.k8s.io -spec: - additionalPrinterColumns: - - JSONPath: .status.state - name: State - type: string - - JSONPath: .spec.dnsName - name: Domain - type: string - - JSONPath: .status.reason - name: Reason - priority: 1 - type: string - - JSONPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - name: Age - type: date - group: certmanager.k8s.io - names: - kind: Challenge - plural: challenges - scope: Namespaced - validation: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - authzURL: - description: AuthzURL is the URL to the ACME Authorization resource - that this challenge is a part of. - type: string - config: - description: 'Config specifies the solver configuration for this challenge. - Only **one** of ''config'' or ''solver'' may be specified, and if - both are specified then no action will be performed on the Challenge - resource. DEPRECATED: the ''solver'' field should be specified instead' - type: object - dnsName: - description: DNSName is the identifier that this challenge is for, e.g. - example.com. - type: string - issuerRef: - description: IssuerRef references a properly configured ACME-type Issuer - which should be used to create this Challenge. If the Issuer does - not exist, processing will be retried. If the Issuer is not an 'ACME' - Issuer, an error will be returned and the Challenge will be marked - as failed. - properties: - group: - type: string - kind: - type: string - name: - type: string - required: - - name - type: object - key: - description: Key is the ACME challenge key for this challenge - type: string - solver: - description: Solver contains the domain solving configuration that should - be used to solve this challenge resource. Only **one** of 'config' - or 'solver' may be specified, and if both are specified then no action - will be performed on the Challenge resource. - properties: - selector: - description: Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - properties: - dnsNames: - description: List of DNSNames that this solver will be used - to solve. If specified and a match is found, a dnsNames selector - will take precedence over a dnsZones selector. 
If multiple - solvers match with the same dnsNames value, the solver with - the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier in - the list will be selected. - items: - type: string - type: array - dnsZones: - description: List of DNSZones that this solver will be used - to solve. The most specific DNS zone match specified here - will take precedence over other DNS zone matches, so a solver - specifying sys.example.com will be selected over one specifying - example.com for the domain www.sys.example.com. If multiple - solvers match with the same dnsZones value, the solver with - the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier in - the list will be selected. - items: - type: string - type: array - matchLabels: - description: A label selector that is used to refine the set - of certificate's that this challenge solver will apply to. - type: object - type: object - type: object - token: - description: Token is the ACME challenge token for this challenge. - type: string - type: - description: Type is the type of ACME challenge this resource represents, - e.g. "dns01" or "http01" - type: string - url: - description: URL is the URL of the ACME Challenge resource for this - challenge. This can be used to lookup details about the status of - this challenge. - type: string - wildcard: - description: Wildcard will be true if this challenge is for a wildcard - identifier, for example '*.example.com' - type: boolean - required: - - authzURL - - type - - url - - dnsName - - token - - key - - wildcard - - issuerRef - type: object - status: - properties: - presented: - description: Presented will be set to true if the challenge values for - this challenge are currently 'presented'. This *does not* imply the - self check is passing. Only that the values have been 'submitted' - for the appropriate challenge mechanism (i.e. 
the DNS01 TXT record - has been presented, or the HTTP01 configuration has been configured). - type: boolean - processing: - description: Processing is used to denote whether this challenge should - be processed or not. This field will only be set to true by the 'scheduling' - component. It will only be set to false by the 'challenges' controller, - after the challenge has reached a final state or timed out. If this - field is set to false, the challenge controller will not take any - more action. - type: boolean - reason: - description: Reason contains human readable information on why the Challenge - is in the current state. - type: string - state: - description: State contains the current 'state' of the challenge. If - not set, the state of the challenge is unknown. - enum: - - "" - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - type: string - required: - - processing - - presented - - reason - type: object - required: - - metadata - - spec - - status - version: v1alpha1 -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - labels: - controller-tools.k8s.io: "1.0" - name: clusterissuers.certmanager.k8s.io -spec: - group: certmanager.k8s.io - names: - kind: ClusterIssuer - plural: clusterissuers - scope: Cluster - validation: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. 
In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - acme: - properties: - email: - description: Email is the email for this account - type: string - privateKeySecretRef: - description: PrivateKey is the name of a secret containing the private - key for this user account. - properties: - key: - description: The key of the secret to select from. Must be a - valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - required: - - name - type: object - server: - description: Server is the ACME server URL - type: string - skipTLSVerify: - description: If true, skip verifying the ACME server TLS certificate - type: boolean - solvers: - description: Solvers is a list of challenge solvers that will be - used to solve ACME challenges for the matching domains. - items: - properties: - selector: - description: Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - properties: - dnsNames: - description: List of DNSNames that this solver will be - used to solve. If specified and a match is found, a - dnsNames selector will take precedence over a dnsZones - selector. If multiple solvers match with the same dnsNames - value, the solver with the most matching labels in matchLabels - will be selected. If neither has more matches, the solver - defined earlier in the list will be selected. - items: - type: string - type: array - dnsZones: - description: List of DNSZones that this solver will be - used to solve. 
The most specific DNS zone match specified - here will take precedence over other DNS zone matches, - so a solver specifying sys.example.com will be selected - over one specifying example.com for the domain www.sys.example.com. - If multiple solvers match with the same dnsZones value, - the solver with the most matching labels in matchLabels - will be selected. If neither has more matches, the solver - defined earlier in the list will be selected. - items: - type: string - type: array - matchLabels: - description: A label selector that is used to refine the - set of certificate's that this challenge solver will - apply to. - type: object - type: object - type: object - type: array - required: - - server - - privateKeySecretRef - type: object - ca: - properties: - secretName: - description: SecretName is the name of the secret used to sign Certificates - issued by this Issuer. - type: string - required: - - secretName - type: object - selfSigned: - type: object - vault: - properties: - auth: - description: Vault authentication - properties: - appRole: - description: This Secret contains a AppRole and Secret - properties: - path: - description: Where the authentication path is mounted in - Vault. - type: string - roleId: - type: string - secretRef: - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - required: - - name - type: object - required: - - path - - roleId - - secretRef - type: object - tokenSecretRef: - description: This Secret contains the Vault token key - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - required: - - name - type: object - type: object - caBundle: - description: Base64 encoded CA bundle to validate Vault server certificate. - Only used if the Server URL is using HTTPS protocol. This parameter - is ignored for plain HTTP protocol connection. If not set the - system root certificates are used to validate the TLS connection. - format: byte - type: string - path: - description: Vault URL path to the certificate role - type: string - server: - description: Server is the vault connection address - type: string - required: - - auth - - server - - path - type: object - venafi: - properties: - cloud: - description: Cloud specifies the Venafi cloud configuration settings. - Only one of TPP or Cloud may be specified. - properties: - apiTokenSecretRef: - description: APITokenSecretRef is a secret key selector for - the Venafi Cloud API token. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - required: - - name - type: object - url: - description: URL is the base URL for Venafi Cloud - type: string - required: - - url - - apiTokenSecretRef - type: object - tpp: - description: TPP specifies Trust Protection Platform configuration - settings. Only one of TPP or Cloud may be specified. - properties: - caBundle: - description: CABundle is a PEM encoded TLS certifiate to use - to verify connections to the TPP instance. If specified, system - roots will not be used and the issuing CA for the TPP instance - must be verifiable using the provided root. 
If not specified, - the connection will be verified using the cert-manager system - root certificates. - format: byte - type: string - credentialsRef: - description: CredentialsRef is a reference to a Secret containing - the username and password for the TPP server. The secret must - contain two keys, 'username' and 'password'. - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - required: - - name - type: object - url: - description: URL is the base URL for the Venafi TPP instance - type: string - required: - - url - - credentialsRef - type: object - zone: - description: Zone is the Venafi Policy Zone to use for this issuer. - All requests made to the Venafi platform will be restricted by - the named zone policy. This field is required. - type: string - required: - - zone - type: object - type: object - status: - properties: - acme: - properties: - lastRegisteredEmail: - description: LastRegisteredEmail is the email associated with the - latest registered ACME account, in order to track changes made - to registered account associated with the Issuer - type: string - uri: - description: URI is the unique account identifier, which can also - be used to retrieve account details from the CA - type: string - type: object - conditions: - items: - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - format: date-time - type: string - message: - description: Message is a human readable description of the details - of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation for - the condition's last transition. - type: string - status: - description: Status of the condition, one of ('True', 'False', - 'Unknown'). 
- enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, currently ('Ready'). - type: string - required: - - type - - status - type: object - type: array - type: object - version: v1alpha1 -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - labels: - controller-tools.k8s.io: "1.0" - name: issuers.certmanager.k8s.io -spec: - group: certmanager.k8s.io - names: - kind: Issuer - plural: issuers - scope: Namespaced - validation: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - acme: - properties: - email: - description: Email is the email for this account - type: string - privateKeySecretRef: - description: PrivateKey is the name of a secret containing the private - key for this user account. - properties: - key: - description: The key of the secret to select from. Must be a - valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' 
- type: string - required: - - name - type: object - server: - description: Server is the ACME server URL - type: string - skipTLSVerify: - description: If true, skip verifying the ACME server TLS certificate - type: boolean - solvers: - description: Solvers is a list of challenge solvers that will be - used to solve ACME challenges for the matching domains. - items: - properties: - selector: - description: Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - properties: - dnsNames: - description: List of DNSNames that this solver will be - used to solve. If specified and a match is found, a - dnsNames selector will take precedence over a dnsZones - selector. If multiple solvers match with the same dnsNames - value, the solver with the most matching labels in matchLabels - will be selected. If neither has more matches, the solver - defined earlier in the list will be selected. - items: - type: string - type: array - dnsZones: - description: List of DNSZones that this solver will be - used to solve. The most specific DNS zone match specified - here will take precedence over other DNS zone matches, - so a solver specifying sys.example.com will be selected - over one specifying example.com for the domain www.sys.example.com. - If multiple solvers match with the same dnsZones value, - the solver with the most matching labels in matchLabels - will be selected. If neither has more matches, the solver - defined earlier in the list will be selected. - items: - type: string - type: array - matchLabels: - description: A label selector that is used to refine the - set of certificate's that this challenge solver will - apply to. - type: object - type: object - type: object - type: array - required: - - server - - privateKeySecretRef - type: object - ca: - properties: - secretName: - description: SecretName is the name of the secret used to sign Certificates - issued by this Issuer. 
- type: string - required: - - secretName - type: object - selfSigned: - type: object - vault: - properties: - auth: - description: Vault authentication - properties: - appRole: - description: This Secret contains a AppRole and Secret - properties: - path: - description: Where the authentication path is mounted in - Vault. - type: string - roleId: - type: string - secretRef: - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - required: - - name - type: object - required: - - path - - roleId - - secretRef - type: object - tokenSecretRef: - description: This Secret contains the Vault token key - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - required: - - name - type: object - type: object - caBundle: - description: Base64 encoded CA bundle to validate Vault server certificate. - Only used if the Server URL is using HTTPS protocol. This parameter - is ignored for plain HTTP protocol connection. If not set the - system root certificates are used to validate the TLS connection. - format: byte - type: string - path: - description: Vault URL path to the certificate role - type: string - server: - description: Server is the vault connection address - type: string - required: - - auth - - server - - path - type: object - venafi: - properties: - cloud: - description: Cloud specifies the Venafi cloud configuration settings. - Only one of TPP or Cloud may be specified. 
- properties: - apiTokenSecretRef: - description: APITokenSecretRef is a secret key selector for - the Venafi Cloud API token. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - required: - - name - type: object - url: - description: URL is the base URL for Venafi Cloud - type: string - required: - - url - - apiTokenSecretRef - type: object - tpp: - description: TPP specifies Trust Protection Platform configuration - settings. Only one of TPP or Cloud may be specified. - properties: - caBundle: - description: CABundle is a PEM encoded TLS certifiate to use - to verify connections to the TPP instance. If specified, system - roots will not be used and the issuing CA for the TPP instance - must be verifiable using the provided root. If not specified, - the connection will be verified using the cert-manager system - root certificates. - format: byte - type: string - credentialsRef: - description: CredentialsRef is a reference to a Secret containing - the username and password for the TPP server. The secret must - contain two keys, 'username' and 'password'. - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - required: - - name - type: object - url: - description: URL is the base URL for the Venafi TPP instance - type: string - required: - - url - - credentialsRef - type: object - zone: - description: Zone is the Venafi Policy Zone to use for this issuer. - All requests made to the Venafi platform will be restricted by - the named zone policy. This field is required. 
- type: string - required: - - zone - type: object - type: object - status: - properties: - acme: - properties: - lastRegisteredEmail: - description: LastRegisteredEmail is the email associated with the - latest registered ACME account, in order to track changes made - to registered account associated with the Issuer - type: string - uri: - description: URI is the unique account identifier, which can also - be used to retrieve account details from the CA - type: string - type: object - conditions: - items: - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - format: date-time - type: string - message: - description: Message is a human readable description of the details - of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation for - the condition's last transition. - type: string - status: - description: Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, currently ('Ready'). - type: string - required: - - type - - status - type: object - type: array - type: object - version: v1alpha1 -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - labels: - controller-tools.k8s.io: "1.0" - name: orders.certmanager.k8s.io -spec: - additionalPrinterColumns: - - JSONPath: .status.state - name: State - type: string - - JSONPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - JSONPath: .status.reason - name: Reason - priority: 1 - type: string - - JSONPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when - this object was created. 
It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - name: Age - type: date - group: certmanager.k8s.io - names: - kind: Order - plural: orders - scope: Namespaced - validation: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - commonName: - description: CommonName is the common name as specified on the DER encoded - CSR. If CommonName is not specified, the first DNSName specified will - be used as the CommonName. At least one of CommonName or a DNSNames - must be set. This field must match the corresponding field on the - DER encoded CSR. - type: string - config: - description: 'Config specifies a mapping from DNS identifiers to how - those identifiers should be solved when performing ACME challenges. - A config entry must exist for each domain listed in DNSNames and CommonName. - Only **one** of ''config'' or ''solvers'' may be specified, and if - both are specified then no action will be performed on the Order resource. This - field will be removed when support for solver config specified on - the Certificate under certificate.spec.acme has been removed. DEPRECATED: - this field will be removed in future. Solver configuration must instead - be provided on ACME Issuer resources.' 
- items: - properties: - domains: - description: Domains is the list of domains that this SolverConfig - applies to. - items: - type: string - type: array - required: - - domains - type: object - type: array - csr: - description: Certificate signing request bytes in DER encoding. This - will be used when finalizing the order. This field must be set on - the order. - format: byte - type: string - dnsNames: - description: DNSNames is a list of DNS names that should be included - as part of the Order validation process. If CommonName is not specified, - the first DNSName specified will be used as the CommonName. At least - one of CommonName or a DNSNames must be set. This field must match - the corresponding field on the DER encoded CSR. - items: - type: string - type: array - issuerRef: - description: IssuerRef references a properly configured ACME-type Issuer - which should be used to create this Order. If the Issuer does not - exist, processing will be retried. If the Issuer is not an 'ACME' - Issuer, an error will be returned and the Order will be marked as - failed. - properties: - group: - type: string - kind: - type: string - name: - type: string - required: - - name - type: object - required: - - csr - - issuerRef - type: object - status: - properties: - certificate: - description: Certificate is a copy of the PEM encoded certificate for - this Order. This field will be populated after the order has been - successfully finalized with the ACME server, and the order has transitioned - to the 'valid' state. - format: byte - type: string - challenges: - description: Challenges is a list of ChallengeSpecs for Challenges that - must be created in order to complete this Order. - items: - properties: - authzURL: - description: AuthzURL is the URL to the ACME Authorization resource - that this challenge is a part of. - type: string - config: - description: 'Config specifies the solver configuration for this - challenge. 
Only **one** of ''config'' or ''solver'' may be specified, - and if both are specified then no action will be performed on - the Challenge resource. DEPRECATED: the ''solver'' field should - be specified instead' - type: object - dnsName: - description: DNSName is the identifier that this challenge is - for, e.g. example.com. - type: string - issuerRef: - description: IssuerRef references a properly configured ACME-type - Issuer which should be used to create this Challenge. If the - Issuer does not exist, processing will be retried. If the Issuer - is not an 'ACME' Issuer, an error will be returned and the Challenge - will be marked as failed. - properties: - group: - type: string - kind: - type: string - name: - type: string - required: - - name - type: object - key: - description: Key is the ACME challenge key for this challenge - type: string - solver: - description: Solver contains the domain solving configuration - that should be used to solve this challenge resource. Only **one** - of 'config' or 'solver' may be specified, and if both are specified - then no action will be performed on the Challenge resource. - properties: - selector: - description: Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - properties: - dnsNames: - description: List of DNSNames that this solver will be - used to solve. If specified and a match is found, a - dnsNames selector will take precedence over a dnsZones - selector. If multiple solvers match with the same dnsNames - value, the solver with the most matching labels in matchLabels - will be selected. If neither has more matches, the solver - defined earlier in the list will be selected. - items: - type: string - type: array - dnsZones: - description: List of DNSZones that this solver will be - used to solve. 
The most specific DNS zone match specified - here will take precedence over other DNS zone matches, - so a solver specifying sys.example.com will be selected - over one specifying example.com for the domain www.sys.example.com. - If multiple solvers match with the same dnsZones value, - the solver with the most matching labels in matchLabels - will be selected. If neither has more matches, the solver - defined earlier in the list will be selected. - items: - type: string - type: array - matchLabels: - description: A label selector that is used to refine the - set of certificate's that this challenge solver will - apply to. - type: object - type: object - type: object - token: - description: Token is the ACME challenge token for this challenge. - type: string - type: - description: Type is the type of ACME challenge this resource - represents, e.g. "dns01" or "http01" - type: string - url: - description: URL is the URL of the ACME Challenge resource for - this challenge. This can be used to lookup details about the - status of this challenge. - type: string - wildcard: - description: Wildcard will be true if this challenge is for a - wildcard identifier, for example '*.example.com' - type: boolean - required: - - authzURL - - type - - url - - dnsName - - token - - key - - wildcard - - issuerRef - type: object - type: array - failureTime: - description: FailureTime stores the time that this order failed. This - is used to influence garbage collection and back-off. - format: date-time - type: string - finalizeURL: - description: FinalizeURL of the Order. This is used to obtain certificates - for this order once it has been completed. - type: string - reason: - description: Reason optionally provides more information about a why - the order is in the current state. - type: string - state: - description: State contains the current state of this Order resource. 
- States 'success' and 'expired' are 'final' - enum: - - "" - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - type: string - url: - description: URL of the Order. This will initially be empty when the - resource is first created. The Order controller will populate this - field when the Order is first processed. This field will be immutable - after it is initially set. - type: string - type: object - required: - - metadata - - spec - - status - version: v1alpha1 -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager - labels: - certmanager.k8s.io/disable-validation: "true" - ---- ---- -# Source: cert-manager/charts/cainjector/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: cert-manager-cainjector - namespace: "cert-manager" - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: cainjector-v0.9.1 - ---- -# Source: cert-manager/charts/webhook/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: cert-manager-webhook - namespace: "cert-manager" - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: webhook-v0.9.1 - ---- -# Source: cert-manager/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: cert-manager - namespace: "cert-manager" - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: cert-manager-v0.9.1 - ---- -# Source: cert-manager/charts/cainjector/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: cert-manager-cainjector - labels: - app: cainjector 
- app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: cainjector-v0.9.1 -rules: - - apiGroups: ["certmanager.k8s.io"] - resources: ["certificates"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["configmaps", "events"] - verbs: ["get", "create", "update", "patch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["apiregistration.k8s.io"] - resources: ["apiservices"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch", "update"] ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: cert-manager-cainjector - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: cainjector-v0.9.1 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cert-manager-cainjector -subjects: - - name: cert-manager-cainjector - namespace: "cert-manager" - kind: ServiceAccount ---- -# Source: cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: cert-manager-leaderelection - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: cert-manager-v0.9.1 -rules: - # Used for leader election by the controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "create", "update", "patch"] - ---- - -# Issuer controller role -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: 
cert-manager-controller-issuers - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: cert-manager-v0.9.1 -rules: - - apiGroups: ["certmanager.k8s.io"] - resources: ["issuers", "issuers/status"] - verbs: ["update"] - - apiGroups: ["certmanager.k8s.io"] - resources: ["issuers"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch", "create", "update", "delete"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - ---- - -# ClusterIssuer controller role -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: cert-manager-controller-clusterissuers - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: cert-manager-v0.9.1 -rules: - - apiGroups: ["certmanager.k8s.io"] - resources: ["clusterissuers", "clusterissuers/status"] - verbs: ["update"] - - apiGroups: ["certmanager.k8s.io"] - resources: ["clusterissuers"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch", "create", "update", "delete"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - ---- - -# Certificates controller role -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: cert-manager-controller-certificates - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: cert-manager-v0.9.1 -rules: - - apiGroups: ["certmanager.k8s.io"] - resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"] - verbs: ["update"] - - apiGroups: ["certmanager.k8s.io"] - resources: ["certificates", "certificaterequests", 
"clusterissuers", "issuers", "orders"] - verbs: ["get", "list", "watch"] - # We require these rules to support users with the OwnerReferencesPermissionEnforcement - # admission controller enabled: - # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - - apiGroups: ["certmanager.k8s.io"] - resources: ["certificates/finalizers"] - verbs: ["update"] - - apiGroups: ["certmanager.k8s.io"] - resources: ["orders"] - verbs: ["create", "delete"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch", "create", "update", "delete"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - ---- - -# Orders controller role -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: cert-manager-controller-orders - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: cert-manager-v0.9.1 -rules: - - apiGroups: ["certmanager.k8s.io"] - resources: ["orders", "orders/status"] - verbs: ["update"] - - apiGroups: ["certmanager.k8s.io"] - resources: ["orders", "clusterissuers", "issuers", "challenges"] - verbs: ["get", "list", "watch"] - - apiGroups: ["certmanager.k8s.io"] - resources: ["challenges"] - verbs: ["create", "delete"] - # We require these rules to support users with the OwnerReferencesPermissionEnforcement - # admission controller enabled: - # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - - apiGroups: ["certmanager.k8s.io"] - resources: ["orders/finalizers"] - verbs: ["update"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - ---- - -# Challenges controller role -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: 
cert-manager-controller-challenges - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: cert-manager-v0.9.1 -rules: - # Use to update challenge resource status - - apiGroups: ["certmanager.k8s.io"] - resources: ["challenges", "challenges/status"] - verbs: ["update"] - # Used to watch challenges, issuer and clusterissuer resources - - apiGroups: ["certmanager.k8s.io"] - resources: ["challenges", "issuers", "clusterissuers"] - verbs: ["get", "list", "watch"] - # Need to be able to retrieve ACME account private key to complete challenges - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] - # Used to create events - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - # HTTP01 rules - - apiGroups: [""] - resources: ["pods", "services"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["extensions"] - resources: ["ingresses"] - verbs: ["get", "list", "watch", "create", "delete", "update"] - # We require these rules to support users with the OwnerReferencesPermissionEnforcement - # admission controller enabled: - # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - - apiGroups: ["certmanager.k8s.io"] - resources: ["challenges/finalizers"] - verbs: ["update"] - # DNS01 rules (duplicated above) - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] - ---- - -# ingress-shim controller role -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: cert-manager-controller-ingress-shim - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: cert-manager-v0.9.1 -rules: - - apiGroups: ["certmanager.k8s.io"] - resources: ["certificates", "certificaterequests"] - verbs: 
["create", "update", "delete"] - - apiGroups: ["certmanager.k8s.io"] - resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - # We require these rules to support users with the OwnerReferencesPermissionEnforcement - # admission controller enabled: - # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - - apiGroups: ["extensions"] - resources: ["ingresses/finalizers"] - verbs: ["update"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - ---- - -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: cert-manager-leaderelection - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: cert-manager-v0.9.1 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cert-manager-leaderelection -subjects: - - name: cert-manager - namespace: "cert-manager" - kind: ServiceAccount - ---- - -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: cert-manager-controller-issuers - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: cert-manager-v0.9.1 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cert-manager-controller-issuers -subjects: - - name: cert-manager - namespace: "cert-manager" - kind: ServiceAccount - ---- - -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: cert-manager-controller-clusterissuers - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - 
helm.sh/chart: cert-manager-v0.9.1 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cert-manager-controller-clusterissuers -subjects: - - name: cert-manager - namespace: "cert-manager" - kind: ServiceAccount - ---- - -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: cert-manager-controller-certificates - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: cert-manager-v0.9.1 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cert-manager-controller-certificates -subjects: - - name: cert-manager - namespace: "cert-manager" - kind: ServiceAccount - ---- - -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: cert-manager-controller-orders - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: cert-manager-v0.9.1 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cert-manager-controller-orders -subjects: - - name: cert-manager - namespace: "cert-manager" - kind: ServiceAccount - ---- - -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: cert-manager-controller-challenges - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: cert-manager-v0.9.1 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cert-manager-controller-challenges -subjects: - - name: cert-manager - namespace: "cert-manager" - kind: ServiceAccount - ---- - -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: cert-manager-controller-ingress-shim - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - 
app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: cert-manager-v0.9.1 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cert-manager-controller-ingress-shim -subjects: - - name: cert-manager - namespace: "cert-manager" - kind: ServiceAccount - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: cert-manager-view - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: cert-manager-v0.9.1 - rbac.authorization.k8s.io/aggregate-to-view: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: ["certmanager.k8s.io"] - resources: ["certificates", "certificaterequests", "issuers"] - verbs: ["get", "list", "watch"] - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: cert-manager-edit - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: cert-manager-v0.9.1 - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: ["certmanager.k8s.io"] - resources: ["certificates", "certificaterequests", "issuers"] - verbs: ["create", "delete", "deletecollection", "patch", "update"] - ---- -# Source: cert-manager/charts/webhook/templates/rbac.yaml -### Webhook ### ---- -# apiserver gets the auth-delegator role to delegate auth decisions to -# the core apiserver -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: cert-manager-webhook:auth-delegator - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: webhook-v0.9.1 -roleRef: - 
apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- apiGroup: "" - kind: ServiceAccount - name: cert-manager-webhook - namespace: cert-manager - ---- - -# apiserver gets the ability to read authentication. This allows it to -# read the specific configmap that has the requestheader-* entries to -# api agg -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: RoleBinding -metadata: - name: cert-manager-webhook:webhook-authentication-reader - namespace: kube-system - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: webhook-v0.9.1 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: -- apiGroup: "" - kind: ServiceAccount - name: cert-manager-webhook - namespace: cert-manager - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: cert-manager-webhook:webhook-requester - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: webhook-v0.9.1 -rules: -- apiGroups: - - admission.certmanager.k8s.io - resources: - - certificates - - certificaterequests - - issuers - - clusterissuers - verbs: - - create - ---- -# Source: cert-manager/charts/webhook/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: cert-manager-webhook - namespace: "cert-manager" - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: webhook-v0.9.1 -spec: - type: ClusterIP - ports: - - name: https - port: 443 - targetPort: 6443 - selector: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - ---- -# Source: 
cert-manager/charts/cainjector/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: cert-manager-cainjector - namespace: "cert-manager" - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: cainjector-v0.9.1 -spec: - replicas: 1 - selector: - matchLabels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - template: - metadata: - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: cainjector-v0.9.1 - annotations: - spec: - serviceAccountName: cert-manager-cainjector - containers: - - name: cainjector - image: "quay.io/jetstack/cert-manager-cainjector:v0.9.1" - imagePullPolicy: IfNotPresent - args: - - --v=2 - - --leader-election-namespace=$(POD_NAMESPACE) - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - resources: - {} - - ---- -# Source: cert-manager/charts/webhook/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: cert-manager-webhook - namespace: "cert-manager" - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: webhook-v0.9.1 -spec: - replicas: 1 - selector: - matchLabels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - template: - metadata: - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: webhook-v0.9.1 - annotations: - spec: - serviceAccountName: cert-manager-webhook - containers: - - name: webhook - image: "quay.io/jetstack/cert-manager-webhook:v0.9.1" - 
imagePullPolicy: IfNotPresent - args: - - --v=2 - - --secure-port=6443 - - --tls-cert-file=/certs/tls.crt - - --tls-private-key-file=/certs/tls.key - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - resources: - {} - - volumeMounts: - - name: certs - mountPath: /certs - volumes: - - name: certs - secret: - secretName: cert-manager-webhook-webhook-tls - ---- -# Source: cert-manager/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: cert-manager - namespace: "cert-manager" - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: cert-manager-v0.9.1 -spec: - replicas: 1 - selector: - matchLabels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - template: - metadata: - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: cert-manager-v0.9.1 - annotations: - prometheus.io/path: "/metrics" - prometheus.io/scrape: 'true' - prometheus.io/port: '9402' - spec: - serviceAccountName: cert-manager - containers: - - name: cert-manager - image: "quay.io/jetstack/cert-manager-controller:v0.9.1" - imagePullPolicy: IfNotPresent - args: - - --v=2 - - --cluster-resource-namespace=$(POD_NAMESPACE) - - --leader-election-namespace=$(POD_NAMESPACE) - ports: - - containerPort: 9402 - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - resources: - requests: - cpu: 10m - memory: 32Mi - - ---- -# Source: cert-manager/charts/webhook/templates/apiservice.yaml -apiVersion: apiregistration.k8s.io/v1beta1 -kind: APIService -metadata: - name: v1beta1.admission.certmanager.k8s.io - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: cert-manager 
- app.kubernetes.io/managed-by: Tiller - helm.sh/chart: webhook-v0.9.1 - annotations: - certmanager.k8s.io/inject-ca-from: "cert-manager/cert-manager-webhook-webhook-tls" -spec: - group: admission.certmanager.k8s.io - groupPriorityMinimum: 1000 - versionPriority: 15 - service: - name: cert-manager-webhook - namespace: "cert-manager" - version: v1beta1 - ---- -# Source: cert-manager/charts/webhook/templates/pki.yaml ---- -# Create a selfsigned Issuer, in order to create a root CA certificate for -# signing webhook serving certificates -apiVersion: certmanager.k8s.io/v1alpha1 -kind: Issuer -metadata: - name: cert-manager-webhook-selfsign - namespace: "cert-manager" - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: webhook-v0.9.1 -spec: - selfSigned: {} - ---- - -# Generate a CA Certificate used to sign certificates for the webhook -apiVersion: certmanager.k8s.io/v1alpha1 -kind: Certificate -metadata: - name: cert-manager-webhook-ca - namespace: "cert-manager" - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: webhook-v0.9.1 -spec: - secretName: cert-manager-webhook-ca - duration: 43800h # 5y - issuerRef: - name: cert-manager-webhook-selfsign - commonName: "ca.webhook.cert-manager" - isCA: true - ---- - -# Create an Issuer that uses the above generated CA certificate to issue certs -apiVersion: certmanager.k8s.io/v1alpha1 -kind: Issuer -metadata: - name: cert-manager-webhook-ca - namespace: "cert-manager" - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: webhook-v0.9.1 -spec: - ca: - secretName: cert-manager-webhook-ca - ---- - -# Finally, generate a serving certificate for the webhook to use -apiVersion: certmanager.k8s.io/v1alpha1 -kind: Certificate 
-metadata: - name: cert-manager-webhook-webhook-tls - namespace: "cert-manager" - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: webhook-v0.9.1 -spec: - secretName: cert-manager-webhook-webhook-tls - duration: 8760h # 1y - issuerRef: - name: cert-manager-webhook-ca - dnsNames: - - cert-manager-webhook - - cert-manager-webhook.cert-manager - - cert-manager-webhook.cert-manager.svc - ---- -# Source: cert-manager/templates/servicemonitor.yaml - - ---- -# Source: cert-manager/charts/webhook/templates/validating-webhook.yaml -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: ValidatingWebhookConfiguration -metadata: - name: cert-manager-webhook - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/managed-by: Tiller - helm.sh/chart: webhook-v0.9.1 - annotations: - certmanager.k8s.io/inject-apiserver-ca: "true" -webhooks: - - name: certificates.admission.certmanager.k8s.io - namespaceSelector: - matchExpressions: - - key: "certmanager.k8s.io/disable-validation" - operator: "NotIn" - values: - - "true" - - key: "name" - operator: "NotIn" - values: - - cert-manager - rules: - - apiGroups: - - "certmanager.k8s.io" - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - certificates - failurePolicy: Fail - clientConfig: - service: - name: kubernetes - namespace: default - path: /apis/admission.certmanager.k8s.io/v1beta1/certificates - - name: issuers.admission.certmanager.k8s.io - namespaceSelector: - matchExpressions: - - key: "certmanager.k8s.io/disable-validation" - operator: "NotIn" - values: - - "true" - - key: "name" - operator: "NotIn" - values: - - cert-manager - rules: - - apiGroups: - - "certmanager.k8s.io" - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - issuers - failurePolicy: Fail - clientConfig: - service: - name: kubernetes 
- namespace: default - path: /apis/admission.certmanager.k8s.io/v1beta1/issuers - - name: clusterissuers.admission.certmanager.k8s.io - namespaceSelector: - matchExpressions: - - key: "certmanager.k8s.io/disable-validation" - operator: "NotIn" - values: - - "true" - - key: "name" - operator: "NotIn" - values: - - cert-manager - rules: - - apiGroups: - - "certmanager.k8s.io" - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterissuers - failurePolicy: Fail - clientConfig: - service: - name: kubernetes - namespace: default - path: /apis/admission.certmanager.k8s.io/v1beta1/clusterissuers - diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/values.yaml b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/values.yaml deleted file mode 100644 index 0c6d2cf..0000000 --- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/values.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -# ***************************************************************************** -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# -# ****************************************************************************** - -replicaCount: 1 - -ingress: - enabled: false -labels: {} diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager.tf b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager.tf index 58d2707..59f4b71 100644 --- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager.tf +++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager.tf 
@@ -19,26 +19,20 @@
 #
 #
 # ******************************************************************************
-data "template_file" "cert_manager_values" {
- template = file("./cert-manager-chart/values.yaml")
-}
-
-resource "helm_release" "cert-manager" {
- name = "cert-manager"
- chart = "./cert-manager-chart"
- namespace = kubernetes_namespace.cert-manager-namespace.metadata[0].name
- wait = false
-
- values = [
- data.template_file.cert_manager_values.rendered
- ]
+resource "null_resource" "cert_manager" {
+ provisioner "local-exec" {
+ command = "kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.9.1/cert-manager.yaml"
+ }
+ triggers = {
+ "after" = kubernetes_namespace.cert-manager-namespace.metadata[0].name
+ }
 }
 resource "null_resource" "cert_manager_delay" {
 provisioner "local-exec" {
- command = "sleep 60"
+ command = "sleep 120"
 }
 triggers = {
- "before" = helm_release.cert-manager.name
+ "before" = null_resource.cert_manager.id
 }
 }
\ No newline at end of file
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-issuer-chart/templates/crd.yaml b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-issuer-chart/templates/crd.yaml
deleted file mode 100644
index 63744e9..0000000
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-issuer-chart/templates/crd.yaml
+++ /dev/null
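Review bot: The new `cert_manager` provisioner applies a cluster-scoped manifest fetched from a GitHub release URL at apply time with no integrity check, so the cluster trusts whatever that URL serves on the day terraform runs; the v0.9.1 tag is pinned, but release assets are mutable and nothing compares the download against a digest recorded in this repository. The chart this commit deletes shows what that manifest carries — ClusterRoleBindings, a RoleBinding in kube-system, an APIService and a ValidatingWebhookConfiguration with failurePolicy Fail — so a substituted download could bind arbitrary cluster permissions or register a webhook that blocks resource creation cluster-wide. Either keep the manifest vendored in-repo as the chart was, or download it to a file, verify a committed sha256 (e.g. a `cert-manager-v0.9.1.yaml.sha256` next to this .tf) and only then apply, as sketched below. Separately, `sleep 120` in `cert_manager_delay` is a timing guess rather than a readiness check; `kubectl wait -n cert-manager --for=condition=Available deployment/cert-manager-webhook --timeout=180s` fails fast and would let the delay resource go away, and since the null_resource has no `when = destroy` provisioner, `terraform destroy` leaves cert-manager and its webhook in the cluster.
```hcl
resource "null_resource" "cert_manager" {
  provisioner "local-exec" {
    interpreter = ["/bin/bash", "-c"]
    # Fetch to disk, verify the digest committed alongside this file, then apply and wait for readiness.
    command = <<-EOT
      set -euo pipefail
      curl -fsSL -o cert-manager-v0.9.1.yaml "https://github.com/jetstack/cert-manager/releases/download/v0.9.1/cert-manager.yaml"
      sha256sum -c cert-manager-v0.9.1.yaml.sha256
      kubectl apply -f cert-manager-v0.9.1.yaml
      kubectl wait -n cert-manager --for=condition=Available deployment/cert-manager-webhook --timeout=180s
    EOT
  }
  # … unchanged: triggers …
}
```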
@@ -1,148 +0,0 @@ -{{- /* -# ***************************************************************************** -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# -# ****************************************************************************** -*/ -}} - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - name: stepissuers.certmanager.step.sm -spec: - group: certmanager.step.sm - names: - kind: StepIssuer - plural: stepissuers - scope: "" - validation: - openAPIV3Schema: - description: StepIssuer is the Schema for the stepissuers API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: StepIssuerSpec defines the desired state of StepIssuer - properties: - caBundle: - description: CABundle is a base64 encoded TLS certificate used to verify - connections to the step certificates server. If not set the system - root certificates are used to validate the TLS connection. - format: byte - type: string - provisioner: - description: Provisioner contains the step certificates provisioner - configuration. - properties: - kid: - description: KeyID is the kid property of the JWK provisioner. - type: string - name: - description: Names is the name of the JWK provisioner. - type: string - passwordRef: - description: PasswordRef is a reference to a Secret containing the - provisioner password used to decrypt the provisioner private key. - properties: - key: - description: The key of the secret to select from. Must be a - valid secret key. - type: string - name: - description: The name of the secret in the pod's namespace to - select from. - type: string - required: - - name - type: object - required: - - kid - - name - - passwordRef - type: object - url: - description: URL is the base URL for the step certificates instance. - type: string - required: - - provisioner - - url - type: object - status: - description: StepIssuerStatus defines the observed state of StepIssuer - properties: - conditions: - items: - description: StepIssuerCondition contains condition information for - the step issuer. - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - format: date-time - type: string - message: - description: Message is a human readable description of the details - of the last transition, complementing reason. 
- type: string - reason: - description: Reason is a brief machine readable explanation for - the condition's last transition. - type: string - status: - description: Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, currently ('Ready'). - enum: - - Ready - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - versions: - - name: v1beta1 - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@dlab.apache.org For additional commands, e-mail: commits-h...@dlab.apache.org