omartushevskyi pushed a commit to branch DLAB-1158
in repository https://gitbox.apache.org/repos/asf/incubator-dlab.git


The following commit(s) were added to refs/heads/DLAB-1158 by this push:
     new f54f77b  changed cert-manager installation
f54f77b is described below

commit f54f77b0b18af23ba6cfbee40b9a9a1804617c0f
Author: Oleh Martushevskyi <oleh_martushevs...@epam.com>
AuthorDate: Mon Oct 21 18:30:49 2019 +0300

    changed cert-manager installation
---
 .../.helmignore}                                   |   39 +-
 .../Chart.yaml}                                    |   22 +-
 .../templates/NOTES.txt}                           |   21 +-
 .../cert-manager-crd-chart/templates/_helpers.tpl  |   65 +
 .../main/cert-manager-crd-chart/templates/crd.yaml | 1449 ++++++++++++++++++++
 .../values.yaml}                                   |   20 +-
 .../aws/ssn-helm-charts/main/cert-manager.tf       |   51 +-
 .../terraform/aws/ssn-helm-charts/main/step-ca.tf  |    2 +-
 8 files changed, 1587 insertions(+), 82 deletions(-)

diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager.tf b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-crd-chart/.helmignore
similarity index 67%
copy from infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager.tf
copy to infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-crd-chart/.helmignore
index 59f4b71..4976779 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager.tf
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-crd-chart/.helmignore
@@ -19,20 +19,25 @@
 #
 # 
******************************************************************************
 
-resource "null_resource" "cert_manager" {
-  provisioner "local-exec" {
-    command = "kubectl apply -f 
https://github.com/jetstack/cert-manager/releases/download/v0.9.1/cert-manager.yaml";
-  }
-  triggers = {
-    "after" = kubernetes_namespace.cert-manager-namespace.metadata[0].name
-  }
-}
-
-resource "null_resource" "cert_manager_delay" {
-  provisioner "local-exec" {
-    command = "sleep 120"
-  }
-  triggers = {
-    "before" = null_resource.cert_manager.id
-  }
-}
\ No newline at end of file
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager.tf b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-crd-chart/Chart.yaml
similarity index 67%
copy from infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager.tf
copy to infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-crd-chart/Chart.yaml
index 59f4b71..039e6d0 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager.tf
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-crd-chart/Chart.yaml
@@ -19,20 +19,8 @@
 #
 # 
******************************************************************************
 
-resource "null_resource" "cert_manager" {
-  provisioner "local-exec" {
-    command = "kubectl apply -f 
https://github.com/jetstack/cert-manager/releases/download/v0.9.1/cert-manager.yaml";
-  }
-  triggers = {
-    "after" = kubernetes_namespace.cert-manager-namespace.metadata[0].name
-  }
-}
-
-resource "null_resource" "cert_manager_delay" {
-  provisioner "local-exec" {
-    command = "sleep 120"
-  }
-  triggers = {
-    "before" = null_resource.cert_manager.id
-  }
-}
\ No newline at end of file
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart for Kubernetes
+name: cert-manager-crd
+version: 0.1.0
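Review bot: The new Chart.yaml keeps the scaffold values (`appVersion: "1.0"`, `description: A Helm chart for Kubernetes`), so nothing in the chart records which upstream cert-manager release the CRDs vendored in templates/crd.yaml were copied from. The `kubectl apply` line shown on the old side carried the release (v0.9.1) in its URL; with the manifests now in-tree that provenance is no longer visible, and CRDs that drift from the deployed controller version become hard to notice or audit. I would set `appVersion` to the upstream release the CRD file was taken from and say so in the description, e.g. `description: cert-manager CustomResourceDefinitions, vendored from upstream release <UPSTREAM_VERSION>`. Whether cert-manager.tf pins a matching controller version cannot be checked here, since that hunk is not shown.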
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager.tf b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-crd-chart/templates/NOTES.txt
similarity index 67%
copy from infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager.tf
copy to infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-crd-chart/templates/NOTES.txt
index 59f4b71..58e9f20 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager.tf
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-crd-chart/templates/NOTES.txt
@@ -19,20 +19,9 @@
 #
 # 
******************************************************************************
 
-resource "null_resource" "cert_manager" {
-  provisioner "local-exec" {
-    command = "kubectl apply -f 
https://github.com/jetstack/cert-manager/releases/download/v0.9.1/cert-manager.yaml";
-  }
-  triggers = {
-    "after" = kubernetes_namespace.cert-manager-namespace.metadata[0].name
-  }
-}
+Your release is named {{ .Release.Name }}.
 
-resource "null_resource" "cert_manager_delay" {
-  provisioner "local-exec" {
-    command = "sleep 120"
-  }
-  triggers = {
-    "before" = null_resource.cert_manager.id
-  }
-}
\ No newline at end of file
+To learn more about the release, try:
+
+  $ helm status {{ .Release.Name }}
+  $ helm get {{ .Release.Name }}
\ No newline at end of file
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-crd-chart/templates/_helpers.tpl b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-crd-chart/templates/_helpers.tpl
new file mode 100644
index 0000000..b5ada58
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-crd-chart/templates/_helpers.tpl
@@ -0,0 +1,65 @@
+# *****************************************************************************
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# 
******************************************************************************
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cert-manager-crd.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to 
this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "cert-manager-crd.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cert-manager-crd.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | 
trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "cert-manager-crd.labels" -}}
+app.kubernetes.io/name: {{ include "cert-manager-crd.name" . }}
+helm.sh/chart: {{ include "cert-manager-crd.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-crd-chart/templates/crd.yaml b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-crd-chart/templates/crd.yaml
new file mode 100644
index 0000000..c2d6a4c
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-crd-chart/templates/crd.yaml
@@ -0,0 +1,1449 @@
+{{- /*
+# *****************************************************************************
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# 
******************************************************************************
+*/ -}}
+
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  creationTimestamp: null
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: certificates.certmanager.k8s.io
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .status.conditions[?(@.type=="Ready")].status
+    name: Ready
+    type: string
+  - JSONPath: .spec.secretName
+    name: Secret
+    type: string
+  - JSONPath: .spec.issuerRef.name
+    name: Issuer
+    priority: 1
+    type: string
+  - JSONPath: .status.conditions[?(@.type=="Ready")].message
+    name: Status
+    priority: 1
+    type: string
+  - JSONPath: .metadata.creationTimestamp
+    description: CreationTimestamp is a timestamp representing the server time 
when
+      this object was created. It is not guaranteed to be set in 
happens-before order
+      across separate operations. Clients may not set this value. It is 
represented
+      in RFC3339 form and is in UTC.
+    name: Age
+    type: date
+  group: certmanager.k8s.io
+  names:
+    kind: Certificate
+    plural: certificates
+    shortNames:
+    - cert
+    - certs
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this 
representation
+            of an object. Servers should convert recognized schemas to the 
latest
+            internal value, and may reject unrecognized values. More info: 
https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource 
this
+            object represents. Servers may infer this from the endpoint the 
client
+            submits requests to. Cannot be updated. In CamelCase. More info: 
https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          properties:
+            acme:
+              description: ACME contains configuration specific to ACME 
Certificates.
+                Notably, this contains details on how the domain names listed 
on this
+                Certificate resource should be 'solved', i.e. mapping HTTP01 
and DNS01
+                providers to DNS names.
+              properties:
+                config:
+                  items:
+                    properties:
+                      domains:
+                        description: Domains is the list of domains that this 
SolverConfig
+                          applies to.
+                        items:
+                          type: string
+                        type: array
+                    required:
+                    - domains
+                    type: object
+                  type: array
+              required:
+              - config
+              type: object
+            commonName:
+              description: CommonName is a common name to be used on the 
Certificate.
+                If no CommonName is given, then the first entry in DNSNames is 
used
+                as the CommonName. The CommonName should have a length of 64 
characters
+                or fewer to avoid generating invalid CSRs; in order to have 
longer
+                domain names, set the CommonName (or first DNSNames entry) to 
have
+                64 characters or fewer, and then add the longer domain name to 
DNSNames.
+              type: string
+            dnsNames:
+              description: DNSNames is a list of subject alt names to be used 
on the
+                Certificate. If no CommonName is given, then the first entry 
in DNSNames
+                is used as the CommonName and must have a length of 64 
characters
+                or fewer.
+              items:
+                type: string
+              type: array
+            duration:
+              description: Certificate default Duration
+              type: string
+            ipAddresses:
+              description: IPAddresses is a list of IP addresses to be used on 
the
+                Certificate
+              items:
+                type: string
+              type: array
+            isCA:
+              description: IsCA will mark this Certificate as valid for 
signing. This
+                implies that the 'signing' usage is set
+              type: boolean
+            issuerRef:
+              description: IssuerRef is a reference to the issuer for this 
certificate.
+                If the 'kind' field is not set, or set to 'Issuer', an Issuer 
resource
+                with the given name in the same namespace as the Certificate 
will
+                be used. If the 'kind' field is set to 'ClusterIssuer', a 
ClusterIssuer
+                with the provided name will be used. The 'name' field in this 
stanza
+                is required at all times.
+              properties:
+                group:
+                  type: string
+                kind:
+                  type: string
+                name:
+                  type: string
+              required:
+              - name
+              type: object
+            keyAlgorithm:
+              description: KeyAlgorithm is the private key algorithm of the 
corresponding
+                private key for this certificate. If provided, allowed values 
are
+                either "rsa" or "ecdsa" If KeyAlgorithm is specified and 
KeySize is
+                not provided, key size of 256 will be used for "ecdsa" key 
algorithm
+                and key size of 2048 will be used for "rsa" key algorithm.
+              enum:
+              - rsa
+              - ecdsa
+              type: string
+            keyEncoding:
+              description: KeyEncoding is the private key cryptography 
standards (PKCS)
+                for this certificate's private key to be encoded in. If 
provided,
+                allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and 
PKCS#8,
+                respectively. If KeyEncoding is not specified, then PKCS#1 
will be
+                used by default.
+              type: string
+            keySize:
+              description: KeySize is the key bit size of the corresponding 
private
+                key for this certificate. If provided, value must be between 
2048
+                and 8192 inclusive when KeyAlgorithm is empty or is set to 
"rsa",
+                and value must be one of (256, 384, 521) when KeyAlgorithm is 
set
+                to "ecdsa".
+              format: int64
+              type: integer
+            organization:
+              description: Organization is the organization to be used on the 
Certificate
+              items:
+                type: string
+              type: array
+            renewBefore:
+              description: Certificate renew before expiration duration
+              type: string
+            secretName:
+              description: SecretName is the name of the secret resource to 
store
+                this secret in
+              type: string
+          required:
+          - secretName
+          - issuerRef
+          type: object
+        status:
+          properties:
+            conditions:
+              items:
+                properties:
+                  lastTransitionTime:
+                    description: LastTransitionTime is the timestamp 
corresponding
+                      to the last status change of this condition.
+                    format: date-time
+                    type: string
+                  message:
+                    description: Message is a human readable description of 
the details
+                      of the last transition, complementing reason.
+                    type: string
+                  reason:
+                    description: Reason is a brief machine readable 
explanation for
+                      the condition's last transition.
+                    type: string
+                  status:
+                    description: Status of the condition, one of ('True', 
'False',
+                      'Unknown').
+                    enum:
+                    - "True"
+                    - "False"
+                    - Unknown
+                    type: string
+                  type:
+                    description: Type of the condition, currently ('Ready').
+                    type: string
+                required:
+                - type
+                - status
+                type: object
+              type: array
+            lastFailureTime:
+              format: date-time
+              type: string
+            notAfter:
+              description: The expiration time of the certificate stored in 
the secret
+                named by this resource in spec.secretName.
+              format: date-time
+              type: string
+          type: object
+  version: v1alpha1
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  creationTimestamp: null
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: certificaterequests.certmanager.k8s.io
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .status.conditions[?(@.type=="Ready")].status
+    name: Ready
+    type: string
+  - JSONPath: .spec.issuerRef.name
+    name: Issuer
+    priority: 1
+    type: string
+  - JSONPath: .status.conditions[?(@.type=="Ready")].message
+    name: Status
+    priority: 1
+    type: string
+  - JSONPath: .metadata.creationTimestamp
+    description: CreationTimestamp is a timestamp representing the server time 
when
+      this object was created. It is not guaranteed to be set in 
happens-before order
+      across separate operations. Clients may not set this value. It is 
represented
+      in RFC3339 form and is in UTC.
+    name: Age
+    type: date
+  group: certmanager.k8s.io
+  names:
+    kind: CertificateRequest
+    plural: certificaterequests
+    shortNames:
+    - cr
+    - crs
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this 
representation
+            of an object. Servers should convert recognized schemas to the 
latest
+            internal value, and may reject unrecognized values. More info: 
https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource 
this
+            object represents. Servers may infer this from the endpoint the 
client
+            submits requests to. Cannot be updated. In CamelCase. More info: 
https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          properties:
+            csr:
+              description: Byte slice containing the PEM encoded 
CertificateSigningRequest
+              format: byte
+              type: string
+            duration:
+              description: Requested certificate default Duration
+              type: string
+            isCA:
+              description: IsCA will mark the resulting certificate as valid 
for signing.
+                This implies that the 'signing' usage is set
+              type: boolean
+            issuerRef:
+              description: IssuerRef is a reference to the issuer for this 
CertificateRequest.  If
+                the 'kind' field is not set, or set to 'Issuer', an Issuer 
resource
+                with the given name in the same namespace as the 
CertificateRequest
+                will be used.  If the 'kind' field is set to 'ClusterIssuer', 
a ClusterIssuer
+                with the provided name will be used. The 'name' field in this 
stanza
+                is required at all times. The group field refers to the API 
group
+                of the issuer which defaults to 'certmanager.k8s.io' if empty.
+              properties:
+                group:
+                  type: string
+                kind:
+                  type: string
+                name:
+                  type: string
+              required:
+              - name
+              type: object
+          required:
+          - issuerRef
+          type: object
+        status:
+          properties:
+            ca:
+              description: Byte slice containing the PEM encoded certificate 
authority
+                of the signed certificate.
+              format: byte
+              type: string
+            certificate:
+              description: Byte slice containing a PEM encoded signed 
certificate
+                resulting from the given certificate signing request.
+              format: byte
+              type: string
+            conditions:
+              items:
+                properties:
+                  lastTransitionTime:
+                    description: LastTransitionTime is the timestamp 
corresponding
+                      to the last status change of this condition.
+                    format: date-time
+                    type: string
+                  message:
+                    description: Message is a human readable description of 
the details
+                      of the last transition, complementing reason.
+                    type: string
+                  reason:
+                    description: Reason is a brief machine readable 
explanation for
+                      the condition's last transition.
+                    type: string
+                  status:
+                    description: Status of the condition, one of ('True', 
'False',
+                      'Unknown').
+                    enum:
+                    - "True"
+                    - "False"
+                    - Unknown
+                    type: string
+                  type:
+                    description: Type of the condition, currently ('Ready').
+                    type: string
+                required:
+                - type
+                - status
+                type: object
+              type: array
+          type: object
+  version: v1alpha1
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  creationTimestamp: null
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: challenges.certmanager.k8s.io
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .status.state
+    name: State
+    type: string
+  - JSONPath: .spec.dnsName
+    name: Domain
+    type: string
+  - JSONPath: .status.reason
+    name: Reason
+    priority: 1
+    type: string
+  - JSONPath: .metadata.creationTimestamp
+    description: CreationTimestamp is a timestamp representing the server time 
when
+      this object was created. It is not guaranteed to be set in 
happens-before order
+      across separate operations. Clients may not set this value. It is 
represented
+      in RFC3339 form and is in UTC.
+    name: Age
+    type: date
+  group: certmanager.k8s.io
+  names:
+    kind: Challenge
+    plural: challenges
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this 
representation
+            of an object. Servers should convert recognized schemas to the 
latest
+            internal value, and may reject unrecognized values. More info: 
https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource 
this
+            object represents. Servers may infer this from the endpoint the 
client
+            submits requests to. Cannot be updated. In CamelCase. More info: 
https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          properties:
+            authzURL:
+              description: AuthzURL is the URL to the ACME Authorization 
resource
+                that this challenge is a part of.
+              type: string
+            config:
+              description: 'Config specifies the solver configuration for this 
challenge.
+                Only **one** of ''config'' or ''solver'' may be specified, and 
if
+                both are specified then no action will be performed on the 
Challenge
+                resource. DEPRECATED: the ''solver'' field should be specified 
instead'
+              type: object
+            dnsName:
+              description: DNSName is the identifier that this challenge is 
for, e.g.
+                example.com.
+              type: string
+            issuerRef:
+              description: IssuerRef references a properly configured 
ACME-type Issuer
+                which should be used to create this Challenge. If the Issuer 
does
+                not exist, processing will be retried. If the Issuer is not an 
'ACME'
+                Issuer, an error will be returned and the Challenge will be 
marked
+                as failed.
+              properties:
+                group:
+                  type: string
+                kind:
+                  type: string
+                name:
+                  type: string
+              required:
+              - name
+              type: object
+            key:
+              description: Key is the ACME challenge key for this challenge
+              type: string
+            solver:
+              description: Solver contains the domain solving configuration 
that should
+                be used to solve this challenge resource. Only **one** of 
'config'
+                or 'solver' may be specified, and if both are specified then 
no action
+                will be performed on the Challenge resource.
+              properties:
+                selector:
+                  description: Selector selects a set of DNSNames on the 
Certificate
+                    resource that should be solved using this challenge solver.
+                  properties:
+                    dnsNames:
+                      description: List of DNSNames that this solver will be 
used
+                        to solve. If specified and a match is found, a 
dnsNames selector
+                        will take precedence over a dnsZones selector. If 
multiple
+                        solvers match with the same dnsNames value, the solver 
with
+                        the most matching labels in matchLabels will be 
selected.
+                        If neither has more matches, the solver defined 
earlier in
+                        the list will be selected.
+                      items:
+                        type: string
+                      type: array
+                    dnsZones:
+                      description: List of DNSZones that this solver will be 
used
+                        to solve. The most specific DNS zone match specified 
here
+                        will take precedence over other DNS zone matches, so a 
solver
+                        specifying sys.example.com will be selected over one 
specifying
+                        example.com for the domain www.sys.example.com. If 
multiple
+                        solvers match with the same dnsZones value, the solver 
with
+                        the most matching labels in matchLabels will be 
selected.
+                        If neither has more matches, the solver defined 
earlier in
+                        the list will be selected.
+                      items:
+                        type: string
+                      type: array
+                    matchLabels:
+                      description: A label selector that is used to refine the 
set
+                        of certificate's that this challenge solver will apply 
to.
+                      type: object
+                  type: object
+              type: object
+            token:
+              description: Token is the ACME challenge token for this 
challenge.
+              type: string
+            type:
+              description: Type is the type of ACME challenge this resource 
represents,
+                e.g. "dns01" or "http01"
+              type: string
+            url:
+              description: URL is the URL of the ACME Challenge resource for 
this
+                challenge. This can be used to lookup details about the status 
of
+                this challenge.
+              type: string
+            wildcard:
+              description: Wildcard will be true if this challenge is for a 
wildcard
+                identifier, for example '*.example.com'
+              type: boolean
+          required:
+          - authzURL
+          - type
+          - url
+          - dnsName
+          - token
+          - key
+          - wildcard
+          - issuerRef
+          type: object
+        status:
+          properties:
+            presented:
+              description: Presented will be set to true if the challenge 
values for
+                this challenge are currently 'presented'. This *does not* 
imply the
+                self check is passing. Only that the values have been 
'submitted'
+                for the appropriate challenge mechanism (i.e. the DNS01 TXT 
record
+                has been presented, or the HTTP01 configuration has been 
configured).
+              type: boolean
+            processing:
+              description: Processing is used to denote whether this challenge 
should
+                be processed or not. This field will only be set to true by 
the 'scheduling'
+                component. It will only be set to false by the 'challenges' 
controller,
+                after the challenge has reached a final state or timed out. If 
this
+                field is set to false, the challenge controller will not take 
any
+                more action.
+              type: boolean
+            reason:
+              description: Reason contains human readable information on why 
the Challenge
+                is in the current state.
+              type: string
+            state:
+              description: State contains the current 'state' of the 
challenge. If
+                not set, the state of the challenge is unknown.
+              enum:
+              - ""
+              - valid
+              - ready
+              - pending
+              - processing
+              - invalid
+              - expired
+              - errored
+              type: string
+          required:
+          - processing
+          - presented
+          - reason
+          type: object
+      required:
+      - metadata
+      - spec
+      - status
+  version: v1alpha1
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  creationTimestamp: null
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: clusterissuers.certmanager.k8s.io
+spec:
+  group: certmanager.k8s.io
+  names:
+    kind: ClusterIssuer
+    plural: clusterissuers
+  scope: Cluster
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this 
representation
+            of an object. Servers should convert recognized schemas to the 
latest
+            internal value, and may reject unrecognized values. More info: 
https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource 
this
+            object represents. Servers may infer this from the endpoint the 
client
+            submits requests to. Cannot be updated. In CamelCase. More info: 
https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          properties:
+            acme:
+              properties:
+                email:
+                  description: Email is the email for this account
+                  type: string
+                privateKeySecretRef:
+                  description: PrivateKey is the name of a secret containing 
the private
+                    key for this user account.
+                  properties:
+                    key:
+                      description: The key of the secret to select from. Must 
be a
+                        valid secret key.
+                      type: string
+                    name:
+                      description: 'Name of the referent. More info: 
https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        TODO: Add other useful fields. apiVersion, kind, uid?'
+                      type: string
+                  required:
+                  - name
+                  type: object
+                server:
+                  description: Server is the ACME server URL
+                  type: string
+                skipTLSVerify:
+                  description: If true, skip verifying the ACME server TLS 
certificate
+                  type: boolean
+                solvers:
+                  description: Solvers is a list of challenge solvers that 
will be
+                    used to solve ACME challenges for the matching domains.
+                  items:
+                    properties:
+                      selector:
+                        description: Selector selects a set of DNSNames on the 
Certificate
+                          resource that should be solved using this challenge 
solver.
+                        properties:
+                          dnsNames:
+                            description: List of DNSNames that this solver 
will be
+                              used to solve. If specified and a match is 
found, a
+                              dnsNames selector will take precedence over a 
dnsZones
+                              selector. If multiple solvers match with the 
same dnsNames
+                              value, the solver with the most matching labels 
in matchLabels
+                              will be selected. If neither has more matches, 
the solver
+                              defined earlier in the list will be selected.
+                            items:
+                              type: string
+                            type: array
+                          dnsZones:
+                            description: List of DNSZones that this solver 
will be
+                              used to solve. The most specific DNS zone match 
specified
+                              here will take precedence over other DNS zone 
matches,
+                              so a solver specifying sys.example.com will be 
selected
+                              over one specifying example.com for the domain 
www.sys.example.com.
+                              If multiple solvers match with the same dnsZones 
value,
+                              the solver with the most matching labels in 
matchLabels
+                              will be selected. If neither has more matches, 
the solver
+                              defined earlier in the list will be selected.
+                            items:
+                              type: string
+                            type: array
+                          matchLabels:
+                            description: A label selector that is used to 
refine the
+                              set of certificate's that this challenge solver 
will
+                              apply to.
+                            type: object
+                        type: object
+                    type: object
+                  type: array
+              required:
+              - server
+              - privateKeySecretRef
+              type: object
+            ca:
+              properties:
+                secretName:
+                  description: SecretName is the name of the secret used to 
sign Certificates
+                    issued by this Issuer.
+                  type: string
+              required:
+              - secretName
+              type: object
+            selfSigned:
+              type: object
+            vault:
+              properties:
+                auth:
+                  description: Vault authentication
+                  properties:
+                    appRole:
+                      description: This Secret contains a AppRole and Secret
+                      properties:
+                        path:
+                          description: Where the authentication path is 
mounted in
+                            Vault.
+                          type: string
+                        roleId:
+                          type: string
+                        secretRef:
+                          properties:
+                            key:
+                              description: The key of the secret to select 
from. Must
+                                be a valid secret key.
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: 
https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, 
kind, uid?'
+                              type: string
+                          required:
+                          - name
+                          type: object
+                      required:
+                      - path
+                      - roleId
+                      - secretRef
+                      type: object
+                    tokenSecretRef:
+                      description: This Secret contains the Vault token key
+                      properties:
+                        key:
+                          description: The key of the secret to select from. 
Must
+                            be a valid secret key.
+                          type: string
+                        name:
+                          description: 'Name of the referent. More info: 
https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            TODO: Add other useful fields. apiVersion, kind, 
uid?'
+                          type: string
+                      required:
+                      - name
+                      type: object
+                  type: object
+                caBundle:
+                  description: Base64 encoded CA bundle to validate Vault 
server certificate.
+                    Only used if the Server URL is using HTTPS protocol. This 
parameter
+                    is ignored for plain HTTP protocol connection. If not set 
the
+                    system root certificates are used to validate the TLS 
connection.
+                  format: byte
+                  type: string
+                path:
+                  description: Vault URL path to the certificate role
+                  type: string
+                server:
+                  description: Server is the vault connection address
+                  type: string
+              required:
+              - auth
+              - server
+              - path
+              type: object
+            venafi:
+              properties:
+                cloud:
+                  description: Cloud specifies the Venafi cloud configuration 
settings.
+                    Only one of TPP or Cloud may be specified.
+                  properties:
+                    apiTokenSecretRef:
+                      description: APITokenSecretRef is a secret key selector 
for
+                        the Venafi Cloud API token.
+                      properties:
+                        key:
+                          description: The key of the secret to select from. 
Must
+                            be a valid secret key.
+                          type: string
+                        name:
+                          description: 'Name of the referent. More info: 
https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            TODO: Add other useful fields. apiVersion, kind, 
uid?'
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    url:
+                      description: URL is the base URL for Venafi Cloud
+                      type: string
+                  required:
+                  - url
+                  - apiTokenSecretRef
+                  type: object
+                tpp:
+                  description: TPP specifies Trust Protection Platform 
configuration
+                    settings. Only one of TPP or Cloud may be specified.
+                  properties:
+                    caBundle:
+                      description: CABundle is a PEM encoded TLS certifiate to 
use
+                        to verify connections to the TPP instance. If 
specified, system
+                        roots will not be used and the issuing CA for the TPP 
instance
+                        must be verifiable using the provided root. If not 
specified,
+                        the connection will be verified using the cert-manager 
system
+                        root certificates.
+                      format: byte
+                      type: string
+                    credentialsRef:
+                      description: CredentialsRef is a reference to a Secret 
containing
+                        the username and password for the TPP server. The 
secret must
+                        contain two keys, 'username' and 'password'.
+                      properties:
+                        name:
+                          description: 'Name of the referent. More info: 
https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            TODO: Add other useful fields. apiVersion, kind, 
uid?'
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    url:
+                      description: URL is the base URL for the Venafi TPP 
instance
+                      type: string
+                  required:
+                  - url
+                  - credentialsRef
+                  type: object
+                zone:
+                  description: Zone is the Venafi Policy Zone to use for this 
issuer.
+                    All requests made to the Venafi platform will be 
restricted by
+                    the named zone policy. This field is required.
+                  type: string
+              required:
+              - zone
+              type: object
+          type: object
+        status:
+          properties:
+            acme:
+              properties:
+                lastRegisteredEmail:
+                  description: LastRegisteredEmail is the email associated 
with the
+                    latest registered ACME account, in order to track changes 
made
+                    to registered account associated with the  Issuer
+                  type: string
+                uri:
+                  description: URI is the unique account identifier, which can 
also
+                    be used to retrieve account details from the CA
+                  type: string
+              type: object
+            conditions:
+              items:
+                properties:
+                  lastTransitionTime:
+                    description: LastTransitionTime is the timestamp 
corresponding
+                      to the last status change of this condition.
+                    format: date-time
+                    type: string
+                  message:
+                    description: Message is a human readable description of 
the details
+                      of the last transition, complementing reason.
+                    type: string
+                  reason:
+                    description: Reason is a brief machine readable 
explanation for
+                      the condition's last transition.
+                    type: string
+                  status:
+                    description: Status of the condition, one of ('True', 
'False',
+                      'Unknown').
+                    enum:
+                    - "True"
+                    - "False"
+                    - Unknown
+                    type: string
+                  type:
+                    description: Type of the condition, currently ('Ready').
+                    type: string
+                required:
+                - type
+                - status
+                type: object
+              type: array
+          type: object
+  version: v1alpha1
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  creationTimestamp: null
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: issuers.certmanager.k8s.io
+spec:
+  group: certmanager.k8s.io
+  names:
+    kind: Issuer
+    plural: issuers
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this 
representation
+            of an object. Servers should convert recognized schemas to the 
latest
+            internal value, and may reject unrecognized values. More info: 
https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource 
this
+            object represents. Servers may infer this from the endpoint the 
client
+            submits requests to. Cannot be updated. In CamelCase. More info: 
https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          properties:
+            acme:
+              properties:
+                email:
+                  description: Email is the email for this account
+                  type: string
+                privateKeySecretRef:
+                  description: PrivateKey is the name of a secret containing 
the private
+                    key for this user account.
+                  properties:
+                    key:
+                      description: The key of the secret to select from. Must 
be a
+                        valid secret key.
+                      type: string
+                    name:
+                      description: 'Name of the referent. More info: 
https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        TODO: Add other useful fields. apiVersion, kind, uid?'
+                      type: string
+                  required:
+                  - name
+                  type: object
+                server:
+                  description: Server is the ACME server URL
+                  type: string
+                skipTLSVerify:
+                  description: If true, skip verifying the ACME server TLS 
certificate
+                  type: boolean
+                solvers:
+                  description: Solvers is a list of challenge solvers that 
will be
+                    used to solve ACME challenges for the matching domains.
+                  items:
+                    properties:
+                      selector:
+                        description: Selector selects a set of DNSNames on the 
Certificate
+                          resource that should be solved using this challenge 
solver.
+                        properties:
+                          dnsNames:
+                            description: List of DNSNames that this solver 
will be
+                              used to solve. If specified and a match is 
found, a
+                              dnsNames selector will take precedence over a 
dnsZones
+                              selector. If multiple solvers match with the 
same dnsNames
+                              value, the solver with the most matching labels 
in matchLabels
+                              will be selected. If neither has more matches, 
the solver
+                              defined earlier in the list will be selected.
+                            items:
+                              type: string
+                            type: array
+                          dnsZones:
+                            description: List of DNSZones that this solver 
will be
+                              used to solve. The most specific DNS zone match 
specified
+                              here will take precedence over other DNS zone 
matches,
+                              so a solver specifying sys.example.com will be 
selected
+                              over one specifying example.com for the domain 
www.sys.example.com.
+                              If multiple solvers match with the same dnsZones 
value,
+                              the solver with the most matching labels in 
matchLabels
+                              will be selected. If neither has more matches, 
the solver
+                              defined earlier in the list will be selected.
+                            items:
+                              type: string
+                            type: array
+                          matchLabels:
+                            description: A label selector that is used to 
refine the
+                              set of certificate's that this challenge solver 
will
+                              apply to.
+                            type: object
+                        type: object
+                    type: object
+                  type: array
+              required:
+              - server
+              - privateKeySecretRef
+              type: object
+            ca:
+              properties:
+                secretName:
+                  description: SecretName is the name of the secret used to 
sign Certificates
+                    issued by this Issuer.
+                  type: string
+              required:
+              - secretName
+              type: object
+            selfSigned:
+              type: object
+            vault:
+              properties:
+                auth:
+                  description: Vault authentication
+                  properties:
+                    appRole:
+                      description: This Secret contains a AppRole and Secret
+                      properties:
+                        path:
+                          description: Where the authentication path is 
mounted in
+                            Vault.
+                          type: string
+                        roleId:
+                          type: string
+                        secretRef:
+                          properties:
+                            key:
+                              description: The key of the secret to select 
from. Must
+                                be a valid secret key.
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: 
https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, 
kind, uid?'
+                              type: string
+                          required:
+                          - name
+                          type: object
+                      required:
+                      - path
+                      - roleId
+                      - secretRef
+                      type: object
+                    tokenSecretRef:
+                      description: This Secret contains the Vault token key
+                      properties:
+                        key:
+                          description: The key of the secret to select from. 
Must
+                            be a valid secret key.
+                          type: string
+                        name:
+                          description: 'Name of the referent. More info: 
https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            TODO: Add other useful fields. apiVersion, kind, 
uid?'
+                          type: string
+                      required:
+                      - name
+                      type: object
+                  type: object
+                caBundle:
+                  description: Base64 encoded CA bundle to validate Vault 
server certificate.
+                    Only used if the Server URL is using HTTPS protocol. This 
parameter
+                    is ignored for plain HTTP protocol connection. If not set 
the
+                    system root certificates are used to validate the TLS 
connection.
+                  format: byte
+                  type: string
+                path:
+                  description: Vault URL path to the certificate role
+                  type: string
+                server:
+                  description: Server is the vault connection address
+                  type: string
+              required:
+              - auth
+              - server
+              - path
+              type: object
+            venafi:
+              properties:
+                cloud:
+                  description: Cloud specifies the Venafi cloud configuration 
settings.
+                    Only one of TPP or Cloud may be specified.
+                  properties:
+                    apiTokenSecretRef:
+                      description: APITokenSecretRef is a secret key selector 
for
+                        the Venafi Cloud API token.
+                      properties:
+                        key:
+                          description: The key of the secret to select from. 
Must
+                            be a valid secret key.
+                          type: string
+                        name:
+                          description: 'Name of the referent. More info: 
https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            TODO: Add other useful fields. apiVersion, kind, 
uid?'
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    url:
+                      description: URL is the base URL for Venafi Cloud
+                      type: string
+                  required:
+                  - url
+                  - apiTokenSecretRef
+                  type: object
+                tpp:
+                  description: TPP specifies Trust Protection Platform 
configuration
+                    settings. Only one of TPP or Cloud may be specified.
+                  properties:
+                    caBundle:
+                      description: CABundle is a PEM encoded TLS certifiate to 
use
+                        to verify connections to the TPP instance. If 
specified, system
+                        roots will not be used and the issuing CA for the TPP 
instance
+                        must be verifiable using the provided root. If not 
specified,
+                        the connection will be verified using the cert-manager 
system
+                        root certificates.
+                      format: byte
+                      type: string
+                    credentialsRef:
+                      description: CredentialsRef is a reference to a Secret 
containing
+                        the username and password for the TPP server. The 
secret must
+                        contain two keys, 'username' and 'password'.
+                      properties:
+                        name:
+                          description: 'Name of the referent. More info: 
https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            TODO: Add other useful fields. apiVersion, kind, 
uid?'
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    url:
+                      description: URL is the base URL for the Venafi TPP 
instance
+                      type: string
+                  required:
+                  - url
+                  - credentialsRef
+                  type: object
+                zone:
+                  description: Zone is the Venafi Policy Zone to use for this 
issuer.
+                    All requests made to the Venafi platform will be 
restricted by
+                    the named zone policy. This field is required.
+                  type: string
+              required:
+              - zone
+              type: object
+          type: object
+        status:
+          properties:
+            acme:
+              properties:
+                lastRegisteredEmail:
+                  description: LastRegisteredEmail is the email associated 
with the
+                    latest registered ACME account, in order to track changes 
made
+                    to registered account associated with the  Issuer
+                  type: string
+                uri:
+                  description: URI is the unique account identifier, which can 
also
+                    be used to retrieve account details from the CA
+                  type: string
+              type: object
+            conditions:
+              items:
+                properties:
+                  lastTransitionTime:
+                    description: LastTransitionTime is the timestamp 
corresponding
+                      to the last status change of this condition.
+                    format: date-time
+                    type: string
+                  message:
+                    description: Message is a human readable description of 
the details
+                      of the last transition, complementing reason.
+                    type: string
+                  reason:
+                    description: Reason is a brief machine readable 
explanation for
+                      the condition's last transition.
+                    type: string
+                  status:
+                    description: Status of the condition, one of ('True', 
'False',
+                      'Unknown').
+                    enum:
+                    - "True"
+                    - "False"
+                    - Unknown
+                    type: string
+                  type:
+                    description: Type of the condition, currently ('Ready').
+                    type: string
+                required:
+                - type
+                - status
+                type: object
+              type: array
+          type: object
+  version: v1alpha1
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  creationTimestamp: null
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: orders.certmanager.k8s.io
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .status.state
+    name: State
+    type: string
+  - JSONPath: .spec.issuerRef.name
+    name: Issuer
+    priority: 1
+    type: string
+  - JSONPath: .status.reason
+    name: Reason
+    priority: 1
+    type: string
+  - JSONPath: .metadata.creationTimestamp
+    description: CreationTimestamp is a timestamp representing the server time 
when
+      this object was created. It is not guaranteed to be set in 
happens-before order
+      across separate operations. Clients may not set this value. It is 
represented
+      in RFC3339 form and is in UTC.
+    name: Age
+    type: date
+  group: certmanager.k8s.io
+  names:
+    kind: Order
+    plural: orders
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this 
representation
+            of an object. Servers should convert recognized schemas to the 
latest
+            internal value, and may reject unrecognized values. More info: 
https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource 
this
+            object represents. Servers may infer this from the endpoint the 
client
+            submits requests to. Cannot be updated. In CamelCase. More info: 
https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          properties:
+            commonName:
+              description: CommonName is the common name as specified on the 
DER encoded
+                CSR. If CommonName is not specified, the first DNSName 
specified will
+                be used as the CommonName. At least one of CommonName or a 
DNSNames
+                must be set. This field must match the corresponding field on 
the
+                DER encoded CSR.
+              type: string
+            config:
+              description: 'Config specifies a mapping from DNS identifiers to 
how
+                those identifiers should be solved when performing ACME 
challenges.
+                A config entry must exist for each domain listed in DNSNames 
and CommonName.
+                Only **one** of ''config'' or ''solvers'' may be specified, 
and if
+                both are specified then no action will be performed on the 
Order resource.  This
+                field will be removed when support for solver config specified 
on
+                the Certificate under certificate.spec.acme has been removed. 
DEPRECATED:
+                this field will be removed in future. Solver configuration 
must instead
+                be provided on ACME Issuer resources.'
+              items:
+                properties:
+                  domains:
+                    description: Domains is the list of domains that this 
SolverConfig
+                      applies to.
+                    items:
+                      type: string
+                    type: array
+                required:
+                - domains
+                type: object
+              type: array
+            csr:
+              description: Certificate signing request bytes in DER encoding. 
This
+                will be used when finalizing the order. This field must be set 
on
+                the order.
+              format: byte
+              type: string
+            dnsNames:
+              description: DNSNames is a list of DNS names that should be 
included
+                as part of the Order validation process. If CommonName is not 
specified,
+                the first DNSName specified will be used as the CommonName. At 
least
+                one of CommonName or a DNSNames must be set. This field must 
match
+                the corresponding field on the DER encoded CSR.
+              items:
+                type: string
+              type: array
+            issuerRef:
+              description: IssuerRef references a properly configured 
ACME-type Issuer
+                which should be used to create this Order. If the Issuer does 
not
+                exist, processing will be retried. If the Issuer is not an 
'ACME'
+                Issuer, an error will be returned and the Order will be marked 
as
+                failed.
+              properties:
+                group:
+                  type: string
+                kind:
+                  type: string
+                name:
+                  type: string
+              required:
+              - name
+              type: object
+          required:
+          - csr
+          - issuerRef
+          type: object
+        status:
+          properties:
+            certificate:
+              description: Certificate is a copy of the PEM encoded 
certificate for
+                this Order. This field will be populated after the order has 
been
+                successfully finalized with the ACME server, and the order has 
transitioned
+                to the 'valid' state.
+              format: byte
+              type: string
+            challenges:
+              description: Challenges is a list of ChallengeSpecs for 
Challenges that
+                must be created in order to complete this Order.
+              items:
+                properties:
+                  authzURL:
+                    description: AuthzURL is the URL to the ACME Authorization 
resource
+                      that this challenge is a part of.
+                    type: string
+                  config:
+                    description: 'Config specifies the solver configuration 
for this
+                      challenge. Only **one** of ''config'' or ''solver'' may 
be specified,
+                      and if both are specified then no action will be 
performed on
+                      the Challenge resource. DEPRECATED: the ''solver'' field 
should
+                      be specified instead'
+                    type: object
+                  dnsName:
+                    description: DNSName is the identifier that this challenge 
is
+                      for, e.g. example.com.
+                    type: string
+                  issuerRef:
+                    description: IssuerRef references a properly configured 
ACME-type
+                      Issuer which should be used to create this Challenge. If 
the
+                      Issuer does not exist, processing will be retried. If 
the Issuer
+                      is not an 'ACME' Issuer, an error will be returned and 
the Challenge
+                      will be marked as failed.
+                    properties:
+                      group:
+                        type: string
+                      kind:
+                        type: string
+                      name:
+                        type: string
+                    required:
+                    - name
+                    type: object
+                  key:
+                    description: Key is the ACME challenge key for this 
challenge
+                    type: string
+                  solver:
+                    description: Solver contains the domain solving 
configuration
+                      that should be used to solve this challenge resource. 
Only **one**
+                      of 'config' or 'solver' may be specified, and if both 
are specified
+                      then no action will be performed on the Challenge 
resource.
+                    properties:
+                      selector:
+                        description: Selector selects a set of DNSNames on the 
Certificate
+                          resource that should be solved using this challenge 
solver.
+                        properties:
+                          dnsNames:
+                            description: List of DNSNames that this solver 
will be
+                              used to solve. If specified and a match is 
found, a
+                              dnsNames selector will take precedence over a 
dnsZones
+                              selector. If multiple solvers match with the 
same dnsNames
+                              value, the solver with the most matching labels 
in matchLabels
+                              will be selected. If neither has more matches, 
the solver
+                              defined earlier in the list will be selected.
+                            items:
+                              type: string
+                            type: array
+                          dnsZones:
+                            description: List of DNSZones that this solver 
will be
+                              used to solve. The most specific DNS zone match 
specified
+                              here will take precedence over other DNS zone 
matches,
+                              so a solver specifying sys.example.com will be 
selected
+                              over one specifying example.com for the domain 
www.sys.example.com.
+                              If multiple solvers match with the same dnsZones 
value,
+                              the solver with the most matching labels in 
matchLabels
+                              will be selected. If neither has more matches, 
the solver
+                              defined earlier in the list will be selected.
+                            items:
+                              type: string
+                            type: array
+                          matchLabels:
+                            description: A label selector that is used to 
refine the
+                              set of certificate's that this challenge solver 
will
+                              apply to.
+                            type: object
+                        type: object
+                    type: object
+                  token:
+                    description: Token is the ACME challenge token for this 
challenge.
+                    type: string
+                  type:
+                    description: Type is the type of ACME challenge this 
resource
+                      represents, e.g. "dns01" or "http01"
+                    type: string
+                  url:
+                    description: URL is the URL of the ACME Challenge resource 
for
+                      this challenge. This can be used to lookup details about 
the
+                      status of this challenge.
+                    type: string
+                  wildcard:
+                    description: Wildcard will be true if this challenge is 
for a
+                      wildcard identifier, for example '*.example.com'
+                    type: boolean
+                required:
+                - authzURL
+                - type
+                - url
+                - dnsName
+                - token
+                - key
+                - wildcard
+                - issuerRef
+                type: object
+              type: array
+            failureTime:
+              description: FailureTime stores the time that this order failed. 
This
+                is used to influence garbage collection and back-off.
+              format: date-time
+              type: string
+            finalizeURL:
+              description: FinalizeURL of the Order. This is used to obtain 
certificates
+                for this order once it has been completed.
+              type: string
+            reason:
+              description: Reason optionally provides more information about a 
why
+                the order is in the current state.
+              type: string
+            state:
+              description: State contains the current state of this Order 
resource.
+                States 'success' and 'expired' are 'final'
+              enum:
+              - ""
+              - valid
+              - ready
+              - pending
+              - processing
+              - invalid
+              - expired
+              - errored
+              type: string
+            url:
+              description: URL of the Order. This will initially be empty when 
the
+                resource is first created. The Order controller will populate 
this
+                field when the Order is first processed. This field will be 
immutable
+                after it is initially set.
+              type: string
+          type: object
+      required:
+      - metadata
+      - spec
+      - status
+  version: v1alpha1
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
\ No newline at end of file
diff --git 
a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager.tf
 
b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-crd-chart/values.yaml
similarity index 67%
copy from 
infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager.tf
copy to 
infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-crd-chart/values.yaml
index 59f4b71..0c6d2cf 100644
--- 
a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager.tf
+++ 
b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-crd-chart/values.yaml
@@ -19,20 +19,8 @@
 #
 # 
******************************************************************************
 
-resource "null_resource" "cert_manager" {
-  provisioner "local-exec" {
-    command = "kubectl apply -f 
https://github.com/jetstack/cert-manager/releases/download/v0.9.1/cert-manager.yaml";
-  }
-  triggers = {
-    "after" = kubernetes_namespace.cert-manager-namespace.metadata[0].name
-  }
-}
+replicaCount: 1
 
-resource "null_resource" "cert_manager_delay" {
-  provisioner "local-exec" {
-    command = "sleep 120"
-  }
-  triggers = {
-    "before" = null_resource.cert_manager.id
-  }
-}
\ No newline at end of file
+ingress:
+  enabled: false
+labels: {}
diff --git 
a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager.tf
 
b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager.tf
index 59f4b71..cd83bc3 100644
--- 
a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager.tf
+++ 
b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager.tf
@@ -19,20 +19,41 @@
 #
 # 
******************************************************************************
 
-resource "null_resource" "cert_manager" {
-  provisioner "local-exec" {
-    command = "kubectl apply -f 
https://github.com/jetstack/cert-manager/releases/download/v0.9.1/cert-manager.yaml";
-  }
-  triggers = {
-    "after" = kubernetes_namespace.cert-manager-namespace.metadata[0].name
-  }
+//resource "null_resource" "cert_manager" {
+//  provisioner "local-exec" {
+//    command = "kubectl apply -f 
https://github.com/jetstack/cert-manager/releases/download/v0.9.1/cert-manager.yaml";
+//  }
+//  triggers = {
+//    "after" = kubernetes_namespace.cert-manager-namespace.metadata[0].name
+//  }
+//}
+//
+//resource "null_resource" "cert_manager_delay" {
+//  provisioner "local-exec" {
+//    command = "sleep 120"
+//  }
+//  triggers = {
+//    "before" = null_resource.cert_manager.id
+//  }
+//}
+
+resource "helm_release" "cert_manager_crd" {
+    name       = "cert_manager_crd"
+    chart      = "./cert-manager-crd-chart"
+    wait       = true
+}
+
+data "helm_repository" "jetstack" {
+  name = "jetstack"
+  url  = "https://charts.jetstack.io";
 }
 
-resource "null_resource" "cert_manager_delay" {
-  provisioner "local-exec" {
-    command = "sleep 120"
-  }
-  triggers = {
-    "before" = null_resource.cert_manager.id
-  }
-}
\ No newline at end of file
+resource "helm_release" "cert-manager" {
+    name       = "cert-manager"
+    repository = data.helm_repository.jetstack.metadata.0.name
+    chart      = "jetstack/cert-manager"
+    namespace  = kubernetes_namespace.cert-manager-namespace.metadata[0].name
+    depends_on = [helm_release.cert_manager_crd]
+    wait       = true
+    version    = "0.9.1"
+}
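Review bot: The new `helm_release.cert-manager` resource fetches `jetstack/cert-manager` from `https://charts.jetstack.io` pinned only by `version = "0.9.1"`, with no integrity check on the downloaded chart, even though this component handles certificate issuance in the cluster. If the repository publishes provenance files for this release, add `verify = true` to the resource; otherwise, vendoring the chart next to `./cert-manager-crd-chart` would keep the install reproducible and reviewable. The vendored CRDs and the chart version now have to move together, so a comment such as `// CRDs in ./cert-manager-crd-chart must match the chart version below` above the `version` line would help the next upgrade. The commented-out `null_resource` blocks at the top of the hunk are dead code that git history already preserves and could be dropped.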
diff --git 
a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-ca.tf 
b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-ca.tf
index 6771251..66054a1 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-ca.tf
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-ca.tf
@@ -39,7 +39,7 @@ resource "helm_release" "step_ca" {
   // repository = data.helm_repository.smallstep.metadata.0.name
   chart      = "./step-ca-chart"
   namespace  = kubernetes_namespace.dlab-namespace.metadata[0].name
-  depends_on = [null_resource.cert_manager_delay]
+  depends_on = [helm_release.cert-manager]
   wait       = false
   timeout    = 600
 

