This is an automated email from the ASF dual-hosted git repository. omartushevskyi pushed a commit to branch DLAB-1158 in repository https://gitbox.apache.org/repos/asf/incubator-dlab.git
The following commit(s) were added to refs/heads/DLAB-1158 by this push: new be990d2 added step-issuer be990d2 is described below commit be990d2ede960b06c65aa3228a01006257716c38 Author: Oleh Martushevskyi <oleh_martushevs...@epam.com> AuthorDate: Mon Oct 21 11:57:28 2019 +0300 added step-issuer --- .../{main.tf => cert-manager-chart/.helmignore} | 54 +- .../{main.tf => cert-manager-chart/Chart.yaml} | 37 +- .../main/cert-manager-chart/templates/NOTES.txt | 42 + .../main/cert-manager-chart/templates/_helpers.tpl | 65 + .../cert-manager-chart/templates/cert-manager.yaml | 2428 ++++++++++++++++++++ .../{main.tf => cert-manager-chart/values.yaml} | 35 +- .../main/{main.tf => cert-manager.tf} | 40 +- .../terraform/aws/ssn-helm-charts/main/main.tf | 14 +- .../ssn-helm-charts/main/{main.tf => outputs.tf} | 29 - .../terraform/aws/ssn-helm-charts/main/step-ca.tf | 1 + .../{main.tf => step-issuer-chart/.helmignore} | 54 +- .../main/{main.tf => step-issuer-chart/Chart.yaml} | 37 +- .../main/step-issuer-chart/templates/NOTES.txt | 42 + .../main/step-issuer-chart/templates/_helpers.tpl | 65 + .../main/step-issuer-chart/templates/crd.yaml | 148 ++ .../step-issuer-chart/templates/deployment.yaml | 360 +++ .../{main.tf => step-issuer-chart/values.yaml} | 35 +- .../main/{main.tf => step-issuer.tf} | 40 +- 18 files changed, 3245 insertions(+), 281 deletions(-) diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/main.tf b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/.helmignore similarity index 58% copy from infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/main.tf copy to infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/.helmignore index 8cdf66b..4976779 100644 --- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/main.tf +++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/.helmignore 
@@ -18,36 +18,26 @@
 # under the License.
 #
 # ******************************************************************************
-provider "helm" {
- install_tiller = true
- namespace = "kube-system"
- service_account = "tiller"
- tiller_image = "gcr.io/kubernetes-helm/tiller:v2.14.1"
-}
-provider "kubernetes" {}
-
-resource "kubernetes_namespace" "dlab-namespace" {
- metadata {
- annotations = {
- name = var.namespace_name
- }
-
- name = var.namespace_name
- }
-}
-
-resource "kubernetes_storage_class" "dlab-storage-class" {
- metadata {
- name = "aws-ebs"
- }
- storage_provisioner = "kubernetes.io/aws-ebs"
- reclaim_policy = "Delete"
- parameters = {
- type = "gp2"
- }
-}
-
-output "keycloak_client_secret" {
- value = random_uuid.keycloak_client_secret.result
-}
\ No newline at end of file
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/main.tf b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/Chart.yaml
similarity index 58%
copy from infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/main.tf
copy to infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/Chart.yaml
index 8cdf66b..55efa53 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/main.tf
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/Chart.yaml
@@ -18,36 +18,9 @@
 # under the License.
 #
 # ******************************************************************************
-provider "helm" {
- install_tiller = true
- namespace = "kube-system"
- service_account = "tiller"
- tiller_image = "gcr.io/kubernetes-helm/tiller:v2.14.1"
-}
-provider "kubernetes" {}
-
-resource "kubernetes_namespace" "dlab-namespace" {
- metadata {
- annotations = {
- name = var.namespace_name
- }
-
- name = var.namespace_name
- }
-}
-
-resource "kubernetes_storage_class" "dlab-storage-class" {
- metadata {
- name = "aws-ebs"
- }
- storage_provisioner = "kubernetes.io/aws-ebs"
- reclaim_policy = "Delete"
- parameters = {
- type = "gp2"
- }
-}
-
-output "keycloak_client_secret" {
- value = random_uuid.keycloak_client_secret.result
-}
\ No newline at end of file
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart for Kubernetes
+name: cert-manager
+version: 0.9.1
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/templates/NOTES.txt b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/templates/NOTES.txt
new file mode 100644
index 0000000..8342598
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/templates/NOTES.txt
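Review bot: `appVersion: "1.0"` and `description: A Helm chart for Kubernetes` are the unedited `helm create` defaults rather than values describing the cert-manager release this chart bundles. The `cert-manager.labels` helper added in the same commit emits `.Chart.AppVersion` as the `app.kubernetes.io/version` label, so every labelled object will advertise version 1.0, which misleads asset inventory and vulnerability tracking for a component that issues certificates. Set `appVersion` to the upstream cert-manager release the templates were copied from (not visible in this hunk; `version: 0.9.1` suggests it, but confirm against the bundled manifest) and give the description a meaningful value, e.g. `description: cert-manager deployment for the DLab SSN Kubernetes cluster`.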
@@ -0,0 +1,42 @@
+# *****************************************************************************
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# ******************************************************************************
+
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+ {{- range .paths }}
+ http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }}
+ {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+ export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "cert-manager.fullname" . }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "cert-manager.fullname" . }}'
+ export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "cert-manager.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+ echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "cert-manager.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+ echo "Visit http://127.0.0.1:8080 to use your application"
+ kubectl port-forward $POD_NAME 8080:80
+{{- end }}
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/templates/_helpers.tpl b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/templates/_helpers.tpl
new file mode 100644
index 0000000..c8a9a87
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/templates/_helpers.tpl
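Review bot: The rendered notes are the generic `helm create` scaffold (ingress URL, NodePort, LoadBalancer, `kubectl port-forward $POD_NAME 8080:80`) and say nothing about how cert-manager is actually consumed; worse, the template dereferences `.Values.ingress.enabled`, `.Values.service.type` and `.Values.service.port`, so unless the chart's values.yaml (changed in this commit but outside this hunk) defines `ingress` and `service`, rendering NOTES.txt will typically abort `helm install` with a nil-pointer template error. Replacing everything after the licence header with a short verification hint such as `kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/instance={{ .Release.Name }}"` removes both the misleading instructions and the values dependency. There is also a missing word in `You can watch the status of by running`.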
@@ -0,0 +1,65 @@
+# *****************************************************************************
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# ******************************************************************************
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cert-manager.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "cert-manager.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cert-manager.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "cert-manager.labels" -}}
+app.kubernetes.io/name: {{ include "cert-manager.name" . }}
+helm.sh/chart: {{ include "cert-manager.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/templates/cert-manager.yaml b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/templates/cert-manager.yaml
new file mode 100644
index 0000000..87aa83d
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/templates/cert-manager.yaml
@@ -0,0 +1,2428 @@ +{{- /* +# ***************************************************************************** +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +# ****************************************************************************** +*/ -}} + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + controller-tools.k8s.io: "1.0" + name: certificates.certmanager.k8s.io +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - JSONPath: .spec.secretName + name: Secret + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - JSONPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. 
+ name: Age + type: date + group: certmanager.k8s.io + names: + kind: Certificate + plural: certificates + shortNames: + - cert + - certs + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + acme: + description: ACME contains configuration specific to ACME Certificates. + Notably, this contains details on how the domain names listed on this + Certificate resource should be 'solved', i.e. mapping HTTP01 and DNS01 + providers to DNS names. + properties: + config: + items: + properties: + domains: + description: Domains is the list of domains that this SolverConfig + applies to. + items: + type: string + type: array + required: + - domains + type: object + type: array + required: + - config + type: object + commonName: + description: CommonName is a common name to be used on the Certificate. + If no CommonName is given, then the first entry in DNSNames is used + as the CommonName. The CommonName should have a length of 64 characters + or fewer to avoid generating invalid CSRs; in order to have longer + domain names, set the CommonName (or first DNSNames entry) to have + 64 characters or fewer, and then add the longer domain name to DNSNames. + type: string + dnsNames: + description: DNSNames is a list of subject alt names to be used on the + Certificate. 
If no CommonName is given, then the first entry in DNSNames + is used as the CommonName and must have a length of 64 characters + or fewer. + items: + type: string + type: array + duration: + description: Certificate default Duration + type: string + ipAddresses: + description: IPAddresses is a list of IP addresses to be used on the + Certificate + items: + type: string + type: array + isCA: + description: IsCA will mark this Certificate as valid for signing. This + implies that the 'signing' usage is set + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this certificate. + If the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the Certificate will + be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer + with the provided name will be used. The 'name' field in this stanza + is required at all times. + properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + keyAlgorithm: + description: KeyAlgorithm is the private key algorithm of the corresponding + private key for this certificate. If provided, allowed values are + either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize is + not provided, key size of 256 will be used for "ecdsa" key algorithm + and key size of 2048 will be used for "rsa" key algorithm. + enum: + - rsa + - ecdsa + type: string + keyEncoding: + description: KeyEncoding is the private key cryptography standards (PKCS) + for this certificate's private key to be encoded in. If provided, + allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8, + respectively. If KeyEncoding is not specified, then PKCS#1 will be + used by default. + type: string + keySize: + description: KeySize is the key bit size of the corresponding private + key for this certificate. 
If provided, value must be between 2048 + and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa", + and value must be one of (256, 384, 521) when KeyAlgorithm is set + to "ecdsa". + format: int64 + type: integer + organization: + description: Organization is the organization to be used on the Certificate + items: + type: string + type: array + renewBefore: + description: Certificate renew before expiration duration + type: string + secretName: + description: SecretName is the name of the secret resource to store + this secret in + type: string + required: + - secretName + - issuerRef + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). + type: string + required: + - type + - status + type: object + type: array + lastFailureTime: + format: date-time + type: string + notAfter: + description: The expiration time of the certificate stored in the secret + named by this resource in spec.secretName. 
+ format: date-time + type: string + type: object + version: v1alpha1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + controller-tools.k8s.io: "1.0" + name: certificaterequests.certmanager.k8s.io +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - JSONPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: certmanager.k8s.io + names: + kind: CertificateRequest + plural: certificaterequests + shortNames: + - cr + - crs + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + csr: + description: Byte slice containing the PEM encoded CertificateSigningRequest + format: byte + type: string + duration: + description: Requested certificate default Duration + type: string + isCA: + description: IsCA will mark the resulting certificate as valid for signing. + This implies that the 'signing' usage is set + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this CertificateRequest. If + the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the CertificateRequest + will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer + with the provided name will be used. The 'name' field in this stanza + is required at all times. The group field refers to the API group + of the issuer which defaults to 'certmanager.k8s.io' if empty. + properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + required: + - issuerRef + type: object + status: + properties: + ca: + description: Byte slice containing the PEM encoded certificate authority + of the signed certificate. + format: byte + type: string + certificate: + description: Byte slice containing a PEM encoded signed certificate + resulting from the given certificate signing request. + format: byte + type: string + conditions: + items: + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. 
+ type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). + type: string + required: + - type + - status + type: object + type: array + type: object + version: v1alpha1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + controller-tools.k8s.io: "1.0" + name: challenges.certmanager.k8s.io +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.dnsName + name: Domain + type: string + - JSONPath: .status.reason + name: Reason + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: certmanager.k8s.io + names: + kind: Challenge + plural: challenges + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + authzURL: + description: AuthzURL is the URL to the ACME Authorization resource + that this challenge is a part of. + type: string + config: + description: 'Config specifies the solver configuration for this challenge. + Only **one** of ''config'' or ''solver'' may be specified, and if + both are specified then no action will be performed on the Challenge + resource. DEPRECATED: the ''solver'' field should be specified instead' + type: object + dnsName: + description: DNSName is the identifier that this challenge is for, e.g. + example.com. + type: string + issuerRef: + description: IssuerRef references a properly configured ACME-type Issuer + which should be used to create this Challenge. If the Issuer does + not exist, processing will be retried. If the Issuer is not an 'ACME' + Issuer, an error will be returned and the Challenge will be marked + as failed. + properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + key: + description: Key is the ACME challenge key for this challenge + type: string + solver: + description: Solver contains the domain solving configuration that should + be used to solve this challenge resource. Only **one** of 'config' + or 'solver' may be specified, and if both are specified then no action + will be performed on the Challenge resource. + properties: + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + properties: + dnsNames: + description: List of DNSNames that this solver will be used + to solve. If specified and a match is found, a dnsNames selector + will take precedence over a dnsZones selector. 
If multiple + solvers match with the same dnsNames value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier in + the list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will be used + to solve. The most specific DNS zone match specified here + will take precedence over other DNS zone matches, so a solver + specifying sys.example.com will be selected over one specifying + example.com for the domain www.sys.example.com. If multiple + solvers match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier in + the list will be selected. + items: + type: string + type: array + matchLabels: + description: A label selector that is used to refine the set + of certificate's that this challenge solver will apply to. + type: object + type: object + type: object + token: + description: Token is the ACME challenge token for this challenge. + type: string + type: + description: Type is the type of ACME challenge this resource represents, + e.g. "dns01" or "http01" + type: string + url: + description: URL is the URL of the ACME Challenge resource for this + challenge. This can be used to lookup details about the status of + this challenge. + type: string + wildcard: + description: Wildcard will be true if this challenge is for a wildcard + identifier, for example '*.example.com' + type: boolean + required: + - authzURL + - type + - url + - dnsName + - token + - key + - wildcard + - issuerRef + type: object + status: + properties: + presented: + description: Presented will be set to true if the challenge values for + this challenge are currently 'presented'. This *does not* imply the + self check is passing. Only that the values have been 'submitted' + for the appropriate challenge mechanism (i.e. 
the DNS01 TXT record + has been presented, or the HTTP01 configuration has been configured). + type: boolean + processing: + description: Processing is used to denote whether this challenge should + be processed or not. This field will only be set to true by the 'scheduling' + component. It will only be set to false by the 'challenges' controller, + after the challenge has reached a final state or timed out. If this + field is set to false, the challenge controller will not take any + more action. + type: boolean + reason: + description: Reason contains human readable information on why the Challenge + is in the current state. + type: string + state: + description: State contains the current 'state' of the challenge. If + not set, the state of the challenge is unknown. + enum: + - "" + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + required: + - processing + - presented + - reason + type: object + required: + - metadata + - spec + - status + version: v1alpha1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + controller-tools.k8s.io: "1.0" + name: clusterissuers.certmanager.k8s.io +spec: + group: certmanager.k8s.io + names: + kind: ClusterIssuer + plural: clusterissuers + scope: Cluster + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. 
In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + acme: + properties: + email: + description: Email is the email for this account + type: string + privateKeySecretRef: + description: PrivateKey is the name of a secret containing the private + key for this user account. + properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + server: + description: Server is the ACME server URL + type: string + skipTLSVerify: + description: If true, skip verifying the ACME server TLS certificate + type: boolean + solvers: + description: Solvers is a list of challenge solvers that will be + used to solve ACME challenges for the matching domains. + items: + properties: + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + properties: + dnsNames: + description: List of DNSNames that this solver will be + used to solve. If specified and a match is found, a + dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same dnsNames + value, the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will be + used to solve. 
The most specific DNS zone match specified + here will take precedence over other DNS zone matches, + so a solver specifying sys.example.com will be selected + over one specifying example.com for the domain www.sys.example.com. + If multiple solvers match with the same dnsZones value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + matchLabels: + description: A label selector that is used to refine the + set of certificate's that this challenge solver will + apply to. + type: object + type: object + type: object + type: array + required: + - server + - privateKeySecretRef + type: object + ca: + properties: + secretName: + description: SecretName is the name of the secret used to sign Certificates + issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + type: object + vault: + properties: + auth: + description: Vault authentication + properties: + appRole: + description: This Secret contains a AppRole and Secret + properties: + path: + description: Where the authentication path is mounted in + Vault. + type: string + roleId: + type: string + secretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + tokenSecretRef: + description: This Secret contains the Vault token key + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + type: object + caBundle: + description: Base64 encoded CA bundle to validate Vault server certificate. + Only used if the Server URL is using HTTPS protocol. This parameter + is ignored for plain HTTP protocol connection. If not set the + system root certificates are used to validate the TLS connection. + format: byte + type: string + path: + description: Vault URL path to the certificate role + type: string + server: + description: Server is the vault connection address + type: string + required: + - auth + - server + - path + type: object + venafi: + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + url: + description: URL is the base URL for Venafi Cloud + type: string + required: + - url + - apiTokenSecretRef + type: object + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + properties: + caBundle: + description: CABundle is a PEM encoded TLS certifiate to use + to verify connections to the TPP instance. If specified, system + roots will not be used and the issuing CA for the TPP instance + must be verifiable using the provided root. 
If not specified, + the connection will be verified using the cert-manager system + root certificates. + format: byte + type: string + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret must + contain two keys, 'username' and 'password'. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + url: + description: URL is the base URL for the Venafi TPP instance + type: string + required: + - url + - credentialsRef + type: object + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted by + the named zone policy. This field is required. + type: string + required: + - zone + type: object + type: object + status: + properties: + acme: + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with the + latest registered ACME account, in order to track changes made + to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + items: + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). + type: string + required: + - type + - status + type: object + type: array + type: object + version: v1alpha1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + controller-tools.k8s.io: "1.0" + name: issuers.certmanager.k8s.io +spec: + group: certmanager.k8s.io + names: + kind: Issuer + plural: issuers + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + acme: + properties: + email: + description: Email is the email for this account + type: string + privateKeySecretRef: + description: PrivateKey is the name of a secret containing the private + key for this user account. + properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + required: + - name + type: object + server: + description: Server is the ACME server URL + type: string + skipTLSVerify: + description: If true, skip verifying the ACME server TLS certificate + type: boolean + solvers: + description: Solvers is a list of challenge solvers that will be + used to solve ACME challenges for the matching domains. + items: + properties: + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + properties: + dnsNames: + description: List of DNSNames that this solver will be + used to solve. If specified and a match is found, a + dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same dnsNames + value, the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will be + used to solve. The most specific DNS zone match specified + here will take precedence over other DNS zone matches, + so a solver specifying sys.example.com will be selected + over one specifying example.com for the domain www.sys.example.com. + If multiple solvers match with the same dnsZones value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + matchLabels: + description: A label selector that is used to refine the + set of certificate's that this challenge solver will + apply to. + type: object + type: object + type: object + type: array + required: + - server + - privateKeySecretRef + type: object + ca: + properties: + secretName: + description: SecretName is the name of the secret used to sign Certificates + issued by this Issuer. 
+ type: string + required: + - secretName + type: object + selfSigned: + type: object + vault: + properties: + auth: + description: Vault authentication + properties: + appRole: + description: This Secret contains a AppRole and Secret + properties: + path: + description: Where the authentication path is mounted in + Vault. + type: string + roleId: + type: string + secretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + tokenSecretRef: + description: This Secret contains the Vault token key + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + type: object + caBundle: + description: Base64 encoded CA bundle to validate Vault server certificate. + Only used if the Server URL is using HTTPS protocol. This parameter + is ignored for plain HTTP protocol connection. If not set the + system root certificates are used to validate the TLS connection. + format: byte + type: string + path: + description: Vault URL path to the certificate role + type: string + server: + description: Server is the vault connection address + type: string + required: + - auth + - server + - path + type: object + venafi: + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. 
+ properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + url: + description: URL is the base URL for Venafi Cloud + type: string + required: + - url + - apiTokenSecretRef + type: object + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + properties: + caBundle: + description: CABundle is a PEM encoded TLS certifiate to use + to verify connections to the TPP instance. If specified, system + roots will not be used and the issuing CA for the TPP instance + must be verifiable using the provided root. If not specified, + the connection will be verified using the cert-manager system + root certificates. + format: byte + type: string + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret must + contain two keys, 'username' and 'password'. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + url: + description: URL is the base URL for the Venafi TPP instance + type: string + required: + - url + - credentialsRef + type: object + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted by + the named zone policy. This field is required. 
+ type: string + required: + - zone + type: object + type: object + status: + properties: + acme: + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with the + latest registered ACME account, in order to track changes made + to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + items: + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). + type: string + required: + - type + - status + type: object + type: array + type: object + version: v1alpha1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + controller-tools.k8s.io: "1.0" + name: orders.certmanager.k8s.io +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - JSONPath: .status.reason + name: Reason + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. 
It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: certmanager.k8s.io + names: + kind: Order + plural: orders + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + commonName: + description: CommonName is the common name as specified on the DER encoded + CSR. If CommonName is not specified, the first DNSName specified will + be used as the CommonName. At least one of CommonName or a DNSNames + must be set. This field must match the corresponding field on the + DER encoded CSR. + type: string + config: + description: 'Config specifies a mapping from DNS identifiers to how + those identifiers should be solved when performing ACME challenges. + A config entry must exist for each domain listed in DNSNames and CommonName. + Only **one** of ''config'' or ''solvers'' may be specified, and if + both are specified then no action will be performed on the Order resource. This + field will be removed when support for solver config specified on + the Certificate under certificate.spec.acme has been removed. DEPRECATED: + this field will be removed in future. Solver configuration must instead + be provided on ACME Issuer resources.' 
+ items: + properties: + domains: + description: Domains is the list of domains that this SolverConfig + applies to. + items: + type: string + type: array + required: + - domains + type: object + type: array + csr: + description: Certificate signing request bytes in DER encoding. This + will be used when finalizing the order. This field must be set on + the order. + format: byte + type: string + dnsNames: + description: DNSNames is a list of DNS names that should be included + as part of the Order validation process. If CommonName is not specified, + the first DNSName specified will be used as the CommonName. At least + one of CommonName or a DNSNames must be set. This field must match + the corresponding field on the DER encoded CSR. + items: + type: string + type: array + issuerRef: + description: IssuerRef references a properly configured ACME-type Issuer + which should be used to create this Order. If the Issuer does not + exist, processing will be retried. If the Issuer is not an 'ACME' + Issuer, an error will be returned and the Order will be marked as + failed. + properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + required: + - csr + - issuerRef + type: object + status: + properties: + certificate: + description: Certificate is a copy of the PEM encoded certificate for + this Order. This field will be populated after the order has been + successfully finalized with the ACME server, and the order has transitioned + to the 'valid' state. + format: byte + type: string + challenges: + description: Challenges is a list of ChallengeSpecs for Challenges that + must be created in order to complete this Order. + items: + properties: + authzURL: + description: AuthzURL is the URL to the ACME Authorization resource + that this challenge is a part of. + type: string + config: + description: 'Config specifies the solver configuration for this + challenge. 
Only **one** of ''config'' or ''solver'' may be specified, + and if both are specified then no action will be performed on + the Challenge resource. DEPRECATED: the ''solver'' field should + be specified instead' + type: object + dnsName: + description: DNSName is the identifier that this challenge is + for, e.g. example.com. + type: string + issuerRef: + description: IssuerRef references a properly configured ACME-type + Issuer which should be used to create this Challenge. If the + Issuer does not exist, processing will be retried. If the Issuer + is not an 'ACME' Issuer, an error will be returned and the Challenge + will be marked as failed. + properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + key: + description: Key is the ACME challenge key for this challenge + type: string + solver: + description: Solver contains the domain solving configuration + that should be used to solve this challenge resource. Only **one** + of 'config' or 'solver' may be specified, and if both are specified + then no action will be performed on the Challenge resource. + properties: + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + properties: + dnsNames: + description: List of DNSNames that this solver will be + used to solve. If specified and a match is found, a + dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same dnsNames + value, the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will be + used to solve. 
The most specific DNS zone match specified + here will take precedence over other DNS zone matches, + so a solver specifying sys.example.com will be selected + over one specifying example.com for the domain www.sys.example.com. + If multiple solvers match with the same dnsZones value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + matchLabels: + description: A label selector that is used to refine the + set of certificate's that this challenge solver will + apply to. + type: object + type: object + type: object + token: + description: Token is the ACME challenge token for this challenge. + type: string + type: + description: Type is the type of ACME challenge this resource + represents, e.g. "dns01" or "http01" + type: string + url: + description: URL is the URL of the ACME Challenge resource for + this challenge. This can be used to lookup details about the + status of this challenge. + type: string + wildcard: + description: Wildcard will be true if this challenge is for a + wildcard identifier, for example '*.example.com' + type: boolean + required: + - authzURL + - type + - url + - dnsName + - token + - key + - wildcard + - issuerRef + type: object + type: array + failureTime: + description: FailureTime stores the time that this order failed. This + is used to influence garbage collection and back-off. + format: date-time + type: string + finalizeURL: + description: FinalizeURL of the Order. This is used to obtain certificates + for this order once it has been completed. + type: string + reason: + description: Reason optionally provides more information about a why + the order is in the current state. + type: string + state: + description: State contains the current state of this Order resource. 
+ States 'success' and 'expired' are 'final' + enum: + - "" + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + url: + description: URL of the Order. This will initially be empty when the + resource is first created. The Order controller will populate this + field when the Order is first processed. This field will be immutable + after it is initially set. + type: string + type: object + required: + - metadata + - spec + - status + version: v1alpha1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager + labels: + certmanager.k8s.io/disable-validation: "true" + +--- +--- +# Source: cert-manager/charts/cainjector/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cert-manager-cainjector + namespace: "cert-manager" + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cainjector-v0.9.1 + +--- +# Source: cert-manager/charts/webhook/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cert-manager-webhook + namespace: "cert-manager" + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: webhook-v0.9.1 + +--- +# Source: cert-manager/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cert-manager + namespace: "cert-manager" + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.1 + +--- +# Source: cert-manager/charts/cainjector/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: cert-manager-cainjector + labels: + app: cainjector 
+ app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cainjector-v0.9.1 +rules: + - apiGroups: ["certmanager.k8s.io"] + resources: ["certificates"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["configmaps", "events"] + verbs: ["get", "create", "update", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["apiregistration.k8s.io"] + resources: ["apiservices"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch", "update"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-cainjector + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cainjector-v0.9.1 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-cainjector +subjects: + - name: cert-manager-cainjector + namespace: "cert-manager" + kind: ServiceAccount +--- +# Source: cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: cert-manager-leaderelection + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.1 +rules: + # Used for leader election by the controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "create", "update", "patch"] + +--- + +# Issuer controller role +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: 
cert-manager-controller-issuers + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.1 +rules: + - apiGroups: ["certmanager.k8s.io"] + resources: ["issuers", "issuers/status"] + verbs: ["update"] + - apiGroups: ["certmanager.k8s.io"] + resources: ["issuers"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + +--- + +# ClusterIssuer controller role +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: cert-manager-controller-clusterissuers + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.1 +rules: + - apiGroups: ["certmanager.k8s.io"] + resources: ["clusterissuers", "clusterissuers/status"] + verbs: ["update"] + - apiGroups: ["certmanager.k8s.io"] + resources: ["clusterissuers"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + +--- + +# Certificates controller role +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: cert-manager-controller-certificates + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.1 +rules: + - apiGroups: ["certmanager.k8s.io"] + resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"] + verbs: ["update"] + - apiGroups: ["certmanager.k8s.io"] + resources: ["certificates", "certificaterequests", 
"clusterissuers", "issuers", "orders"] + verbs: ["get", "list", "watch"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["certmanager.k8s.io"] + resources: ["certificates/finalizers"] + verbs: ["update"] + - apiGroups: ["certmanager.k8s.io"] + resources: ["orders"] + verbs: ["create", "delete"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + +--- + +# Orders controller role +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: cert-manager-controller-orders + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.1 +rules: + - apiGroups: ["certmanager.k8s.io"] + resources: ["orders", "orders/status"] + verbs: ["update"] + - apiGroups: ["certmanager.k8s.io"] + resources: ["orders", "clusterissuers", "issuers", "challenges"] + verbs: ["get", "list", "watch"] + - apiGroups: ["certmanager.k8s.io"] + resources: ["challenges"] + verbs: ["create", "delete"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["certmanager.k8s.io"] + resources: ["orders/finalizers"] + verbs: ["update"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + +--- + +# Challenges controller role +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: 
cert-manager-controller-challenges + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.1 +rules: + # Use to update challenge resource status + - apiGroups: ["certmanager.k8s.io"] + resources: ["challenges", "challenges/status"] + verbs: ["update"] + # Used to watch challenges, issuer and clusterissuer resources + - apiGroups: ["certmanager.k8s.io"] + resources: ["challenges", "issuers", "clusterissuers"] + verbs: ["get", "list", "watch"] + # Need to be able to retrieve ACME account private key to complete challenges + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + # Used to create events + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + # HTTP01 rules + - apiGroups: [""] + resources: ["pods", "services"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["extensions"] + resources: ["ingresses"] + verbs: ["get", "list", "watch", "create", "delete", "update"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["certmanager.k8s.io"] + resources: ["challenges/finalizers"] + verbs: ["update"] + # DNS01 rules (duplicated above) + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + +--- + +# ingress-shim controller role +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: cert-manager-controller-ingress-shim + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.1 +rules: + - apiGroups: ["certmanager.k8s.io"] + resources: ["certificates", "certificaterequests"] + verbs: 
["create", "update", "delete"] + - apiGroups: ["certmanager.k8s.io"] + resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["extensions"] + resources: ["ingresses/finalizers"] + verbs: ["update"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + +--- + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-leaderelection + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.1 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-leaderelection +subjects: + - name: cert-manager + namespace: "cert-manager" + kind: ServiceAccount + +--- + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-controller-issuers + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.1 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-controller-issuers +subjects: + - name: cert-manager + namespace: "cert-manager" + kind: ServiceAccount + +--- + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-controller-clusterissuers + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + 
helm.sh/chart: cert-manager-v0.9.1 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-controller-clusterissuers +subjects: + - name: cert-manager + namespace: "cert-manager" + kind: ServiceAccount + +--- + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-controller-certificates + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.1 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-controller-certificates +subjects: + - name: cert-manager + namespace: "cert-manager" + kind: ServiceAccount + +--- + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-controller-orders + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.1 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-controller-orders +subjects: + - name: cert-manager + namespace: "cert-manager" + kind: ServiceAccount + +--- + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-controller-challenges + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.1 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-controller-challenges +subjects: + - name: cert-manager + namespace: "cert-manager" + kind: ServiceAccount + +--- + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-controller-ingress-shim + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + 
app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.1 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-controller-ingress-shim +subjects: + - name: cert-manager + namespace: "cert-manager" + kind: ServiceAccount + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cert-manager-view + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.1 + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["certmanager.k8s.io"] + resources: ["certificates", "certificaterequests", "issuers"] + verbs: ["get", "list", "watch"] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cert-manager-edit + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.1 + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["certmanager.k8s.io"] + resources: ["certificates", "certificaterequests", "issuers"] + verbs: ["create", "delete", "deletecollection", "patch", "update"] + +--- +# Source: cert-manager/charts/webhook/templates/rbac.yaml +### Webhook ### +--- +# apiserver gets the auth-delegator role to delegate auth decisions to +# the core apiserver +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-webhook:auth-delegator + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: webhook-v0.9.1 +roleRef: + 
apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- apiGroup: "" + kind: ServiceAccount + name: cert-manager-webhook + namespace: cert-manager + +--- + +# apiserver gets the ability to read authentication. This allows it to +# read the specific configmap that has the requestheader-* entries to +# api agg +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: cert-manager-webhook:webhook-authentication-reader + namespace: kube-system + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: webhook-v0.9.1 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- apiGroup: "" + kind: ServiceAccount + name: cert-manager-webhook + namespace: cert-manager + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cert-manager-webhook:webhook-requester + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: webhook-v0.9.1 +rules: +- apiGroups: + - admission.certmanager.k8s.io + resources: + - certificates + - certificaterequests + - issuers + - clusterissuers + verbs: + - create + +--- +# Source: cert-manager/charts/webhook/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: cert-manager-webhook + namespace: "cert-manager" + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: webhook-v0.9.1 +spec: + type: ClusterIP + ports: + - name: https + port: 443 + targetPort: 6443 + selector: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + +--- +# Source: 
cert-manager/charts/cainjector/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cert-manager-cainjector + namespace: "cert-manager" + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cainjector-v0.9.1 +spec: + replicas: 1 + selector: + matchLabels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + template: + metadata: + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cainjector-v0.9.1 + annotations: + spec: + serviceAccountName: cert-manager-cainjector + containers: + - name: cainjector + image: "quay.io/jetstack/cert-manager-cainjector:v0.9.1" + imagePullPolicy: IfNotPresent + args: + - --v=2 + - --leader-election-namespace=$(POD_NAMESPACE) + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + resources: + {} + + +--- +# Source: cert-manager/charts/webhook/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cert-manager-webhook + namespace: "cert-manager" + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: webhook-v0.9.1 +spec: + replicas: 1 + selector: + matchLabels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + template: + metadata: + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: webhook-v0.9.1 + annotations: + spec: + serviceAccountName: cert-manager-webhook + containers: + - name: webhook + image: "quay.io/jetstack/cert-manager-webhook:v0.9.1" + 
imagePullPolicy: IfNotPresent + args: + - --v=2 + - --secure-port=6443 + - --tls-cert-file=/certs/tls.crt + - --tls-private-key-file=/certs/tls.key + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + resources: + {} + + volumeMounts: + - name: certs + mountPath: /certs + volumes: + - name: certs + secret: + secretName: cert-manager-webhook-webhook-tls + +--- +# Source: cert-manager/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cert-manager + namespace: "cert-manager" + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.1 +spec: + replicas: 1 + selector: + matchLabels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + template: + metadata: + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.1 + annotations: + prometheus.io/path: "/metrics" + prometheus.io/scrape: 'true' + prometheus.io/port: '9402' + spec: + serviceAccountName: cert-manager + containers: + - name: cert-manager + image: "quay.io/jetstack/cert-manager-controller:v0.9.1" + imagePullPolicy: IfNotPresent + args: + - --v=2 + - --cluster-resource-namespace=$(POD_NAMESPACE) + - --leader-election-namespace=$(POD_NAMESPACE) + ports: + - containerPort: 9402 + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + resources: + requests: + cpu: 10m + memory: 32Mi + + +--- +# Source: cert-manager/charts/webhook/templates/apiservice.yaml +apiVersion: apiregistration.k8s.io/v1beta1 +kind: APIService +metadata: + name: v1beta1.admission.certmanager.k8s.io + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager 
+ app.kubernetes.io/managed-by: Tiller + helm.sh/chart: webhook-v0.9.1 + annotations: + certmanager.k8s.io/inject-ca-from: "cert-manager/cert-manager-webhook-webhook-tls" +spec: + group: admission.certmanager.k8s.io + groupPriorityMinimum: 1000 + versionPriority: 15 + service: + name: cert-manager-webhook + namespace: "cert-manager" + version: v1beta1 + +--- +# Source: cert-manager/charts/webhook/templates/pki.yaml +--- +# Create a selfsigned Issuer, in order to create a root CA certificate for +# signing webhook serving certificates +apiVersion: certmanager.k8s.io/v1alpha1 +kind: Issuer +metadata: + name: cert-manager-webhook-selfsign + namespace: "cert-manager" + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: webhook-v0.9.1 +spec: + selfSigned: {} + +--- + +# Generate a CA Certificate used to sign certificates for the webhook +apiVersion: certmanager.k8s.io/v1alpha1 +kind: Certificate +metadata: + name: cert-manager-webhook-ca + namespace: "cert-manager" + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: webhook-v0.9.1 +spec: + secretName: cert-manager-webhook-ca + duration: 43800h # 5y + issuerRef: + name: cert-manager-webhook-selfsign + commonName: "ca.webhook.cert-manager" + isCA: true + +--- + +# Create an Issuer that uses the above generated CA certificate to issue certs +apiVersion: certmanager.k8s.io/v1alpha1 +kind: Issuer +metadata: + name: cert-manager-webhook-ca + namespace: "cert-manager" + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: webhook-v0.9.1 +spec: + ca: + secretName: cert-manager-webhook-ca + +--- + +# Finally, generate a serving certificate for the webhook to use +apiVersion: certmanager.k8s.io/v1alpha1 +kind: Certificate 
+metadata: + name: cert-manager-webhook-webhook-tls + namespace: "cert-manager" + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: webhook-v0.9.1 +spec: + secretName: cert-manager-webhook-webhook-tls + duration: 8760h # 1y + issuerRef: + name: cert-manager-webhook-ca + dnsNames: + - cert-manager-webhook + - cert-manager-webhook.cert-manager + - cert-manager-webhook.cert-manager.svc + +--- +# Source: cert-manager/templates/servicemonitor.yaml + + +--- +# Source: cert-manager/charts/webhook/templates/validating-webhook.yaml +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: cert-manager-webhook + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: webhook-v0.9.1 + annotations: + certmanager.k8s.io/inject-apiserver-ca: "true" +webhooks: + - name: certificates.admission.certmanager.k8s.io + namespaceSelector: + matchExpressions: + - key: "certmanager.k8s.io/disable-validation" + operator: "NotIn" + values: + - "true" + - key: "name" + operator: "NotIn" + values: + - cert-manager + rules: + - apiGroups: + - "certmanager.k8s.io" + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - certificates + failurePolicy: Fail + clientConfig: + service: + name: kubernetes + namespace: default + path: /apis/admission.certmanager.k8s.io/v1beta1/certificates + - name: issuers.admission.certmanager.k8s.io + namespaceSelector: + matchExpressions: + - key: "certmanager.k8s.io/disable-validation" + operator: "NotIn" + values: + - "true" + - key: "name" + operator: "NotIn" + values: + - cert-manager + rules: + - apiGroups: + - "certmanager.k8s.io" + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - issuers + failurePolicy: Fail + clientConfig: + service: + name: kubernetes 
+ namespace: default + path: /apis/admission.certmanager.k8s.io/v1beta1/issuers + - name: clusterissuers.admission.certmanager.k8s.io + namespaceSelector: + matchExpressions: + - key: "certmanager.k8s.io/disable-validation" + operator: "NotIn" + values: + - "true" + - key: "name" + operator: "NotIn" + values: + - cert-manager + rules: + - apiGroups: + - "certmanager.k8s.io" + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterissuers + failurePolicy: Fail + clientConfig: + service: + name: kubernetes + namespace: default + path: /apis/admission.certmanager.k8s.io/v1beta1/clusterissuers + diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/main.tf b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/values.yaml similarity index 58% copy from infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/main.tf copy to infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/values.yaml index 8cdf66b..0c6d2cf 100644 --- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/main.tf +++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager-chart/values.yaml 
@@ -18,36 +18,9 @@
 # under the License.
 #
 # ******************************************************************************
-provider "helm" {
- install_tiller = true
- namespace = "kube-system"
- service_account = "tiller"
- tiller_image = "gcr.io/kubernetes-helm/tiller:v2.14.1"
-}
-provider "kubernetes" {}
+replicaCount: 1
-resource "kubernetes_namespace" "dlab-namespace" {
- metadata {
- annotations = {
- name = var.namespace_name
- }
-
- name = var.namespace_name
- }
-}
-
-resource "kubernetes_storage_class" "dlab-storage-class" {
- metadata {
- name = "aws-ebs"
- }
- storage_provisioner = "kubernetes.io/aws-ebs"
- reclaim_policy = "Delete"
- parameters = {
- type = "gp2"
- }
-}
-
-output "keycloak_client_secret" {
- value = random_uuid.keycloak_client_secret.result
-}
\ No newline at end of file
+ingress:
+ enabled: false
+labels: {}
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/main.tf b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager.tf
similarity index 59%
copy from infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/main.tf
copy to infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager.tf
index 8cdf66b..b459f4e 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/main.tf
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/cert-manager.tf
@@ -18,36 +18,18 @@
 # under the License.
 #
 # ******************************************************************************
-provider "helm" {
- install_tiller = true
- namespace = "kube-system"
- service_account = "tiller"
- tiller_image = "gcr.io/kubernetes-helm/tiller:v2.14.1"
-}
-
-provider "kubernetes" {}
-
-resource "kubernetes_namespace" "dlab-namespace" {
- metadata {
- annotations = {
- name = var.namespace_name
- }
- name = var.namespace_name
- }
+data "template_file" "cert_manager_values" {
+ template = file("./cert-manager-chart/values.yaml")
 }
-resource "kubernetes_storage_class" "dlab-storage-class" {
- metadata {
- name = "aws-ebs"
- }
- storage_provisioner = "kubernetes.io/aws-ebs"
- reclaim_policy = "Delete"
- parameters = {
- type = "gp2"
- }
-}
+resource "helm_release" "cert-manager" {
+ name = "cert-manager"
+ chart = "./cert-manager-chart"
+ namespace = kubernetes_namespace.cert-manager-namespace.metadata[0].name
+ wait = true
-output "keycloak_client_secret" {
- value = random_uuid.keycloak_client_secret.result
-}
\ No newline at end of file
+ values = [
+ data.template_file.cert_manager_values.rendered
+ ]
+}
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/main.tf b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/main.tf
index 8cdf66b..b84e6c3 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/main.tf
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/main.tf
@@ -37,6 +37,16 @@ resource "kubernetes_namespace" "dlab-namespace" {
 }
 }
+resource "kubernetes_namespace" "cert-manager-namespace" {
+ metadata {
+ annotations = {
+ name = "cert-manager"
+ }
+
+ name = "cert-manager"
+ }
+}
+
 resource "kubernetes_storage_class" "dlab-storage-class" {
 metadata {
 name = "aws-ebs"
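Review bot: The `data "template_file"` wrapper around values.yaml buys nothing and adds a hazard: the file carries no variables, and template_file treats any `${` that a later edit introduces into values.yaml as an interpolation that fails the plan, whereas `values = [file("./cert-manager-chart/values.yaml")]` passes the file through verbatim. Separately, `wait = true` relies on the provider's default timeout while step-ca.tf in the same tree sets `timeout = 600`; this release brings up three Deployments plus the webhook APIService, so an explicit `timeout` on the `helm_release` would make the install budget deliberate rather than inherited.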
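Review bot: The literal `"cert-manager"` on the added namespace resource is a hidden contract with the chart: the rendered manifests in cert-manager-chart/templates/cert-manager.yaml hard-code `namespace: "cert-manager"` on the Service, the Deployments and the RoleBinding subjects, and the validating webhooks exclude that namespace by the literal name `cert-manager`, so changing the name here without editing those manifests leaves Terraform and the chart disagreeing about where the controller lives. A one-line comment on the resource records the coupling: `# Must stay "cert-manager": cert-manager-chart/templates/cert-manager.yaml hard-codes this namespace and the webhook namespaceSelector excludes it by name.`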
@@ -47,7 +57,3 @@ resource "kubernetes_storage_class" "dlab-storage-class" {
 type = "gp2"
 }
 }
-
-output "keycloak_client_secret" {
- value = random_uuid.keycloak_client_secret.result
-}
\ No newline at end of file
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/main.tf b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/outputs.tf
similarity index 64%
copy from infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/main.tf
copy to infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/outputs.tf
index 8cdf66b..bda498a 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/main.tf
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/outputs.tf
@@ -18,35 +18,6 @@
 # under the License.
 #
 # ******************************************************************************
-provider "helm" {
- install_tiller = true
- namespace = "kube-system"
- service_account = "tiller"
- tiller_image = "gcr.io/kubernetes-helm/tiller:v2.14.1"
-}
-
-provider "kubernetes" {}
-
-resource "kubernetes_namespace" "dlab-namespace" {
- metadata {
- annotations = {
- name = var.namespace_name
- }
-
- name = var.namespace_name
- }
-}
-
-resource "kubernetes_storage_class" "dlab-storage-class" {
- metadata {
- name = "aws-ebs"
- }
- storage_provisioner = "kubernetes.io/aws-ebs"
- reclaim_policy = "Delete"
- parameters = {
- type = "gp2"
- }
-}
 output "keycloak_client_secret" {
 value = random_uuid.keycloak_client_secret.result
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-ca.tf b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-ca.tf
index 631814b..66054a1 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-ca.tf
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-ca.tf
@@ -39,6 +39,7 @@ resource "helm_release" "step_ca" {
 // repository = data.helm_repository.smallstep.metadata.0.name
 chart = "./step-ca-chart"
 namespace = kubernetes_namespace.dlab-namespace.metadata[0].name
+ depends_on = [helm_release.cert-manager]
 wait = false
 timeout = 600
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/main.tf b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-issuer-chart/.helmignore
similarity index 58%
copy from infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/main.tf
copy to infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-issuer-chart/.helmignore
index 8cdf66b..4976779 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/main.tf
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-issuer-chart/.helmignore
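Review bot: The new `depends_on` has a reason that is not recorded next to it: cert-manager's ValidatingWebhookConfiguration registers its certificates/issuers/clusterissuers hooks with `failurePolicy: Fail`, so any `certmanager.k8s.io` object created before the webhook pod is serving is rejected by the API server, and ordering on the cert-manager release (which is installed with `wait = true`) is what prevents that. Suggested comment above the line: `# cert-manager's admission webhook (failurePolicy: Fail) must be serving before any certmanager.k8s.io objects are created`. Whether the step-ca chart itself creates such objects is not visible in this hunk; if it does not, the comment should state the actual reason instead. The `helm_release.step_ca` block continues outside the hunk.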
@@ -18,36 +18,26 @@
 # under the License.
 #
 # ******************************************************************************
-provider "helm" {
- install_tiller = true
- namespace = "kube-system"
- service_account = "tiller"
- tiller_image = "gcr.io/kubernetes-helm/tiller:v2.14.1"
-}
-provider "kubernetes" {}
-
-resource "kubernetes_namespace" "dlab-namespace" {
- metadata {
- annotations = {
- name = var.namespace_name
- }
-
- name = var.namespace_name
- }
-}
-
-resource "kubernetes_storage_class" "dlab-storage-class" {
- metadata {
- name = "aws-ebs"
- }
- storage_provisioner = "kubernetes.io/aws-ebs"
- reclaim_policy = "Delete"
- parameters = {
- type = "gp2"
- }
-}
-
-output "keycloak_client_secret" {
- value = random_uuid.keycloak_client_secret.result
-}
\ No newline at end of file
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/main.tf b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-issuer-chart/Chart.yaml
similarity index 58%
copy from infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/main.tf
copy to infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-issuer-chart/Chart.yaml
index 8cdf66b..832b44c 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/main.tf
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-issuer-chart/Chart.yaml
@@ -18,36 +18,9 @@
 # under the License.
 #
 # ******************************************************************************
-provider "helm" {
- install_tiller = true
- namespace = "kube-system"
- service_account = "tiller"
- tiller_image = "gcr.io/kubernetes-helm/tiller:v2.14.1"
-}
-provider "kubernetes" {}
-
-resource "kubernetes_namespace" "dlab-namespace" {
- metadata {
- annotations = {
- name = var.namespace_name
- }
-
- name = var.namespace_name
- }
-}
-
-resource "kubernetes_storage_class" "dlab-storage-class" {
- metadata {
- name = "aws-ebs"
- }
- storage_provisioner = "kubernetes.io/aws-ebs"
- reclaim_policy = "Delete"
- parameters = {
- type = "gp2"
- }
-}
-
-output "keycloak_client_secret" {
- value = random_uuid.keycloak_client_secret.result
-}
\ No newline at end of file
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart for Kubernetes
+name: step-issuer
+version: 0.1.0
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-issuer-chart/templates/NOTES.txt b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-issuer-chart/templates/NOTES.txt
new file mode 100644
index 0000000..0b54971
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-issuer-chart/templates/NOTES.txt
@@ -0,0 +1,42 @@
+# *****************************************************************************
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# ******************************************************************************
+
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+ {{- range .paths }}
+ http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }}
+ {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+ export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "step-issuer.fullname" . }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "step-issuer.fullname" . }}'
+ export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "step-issuer.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+ echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "step-issuer.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+ echo "Visit http://127.0.0.1:8080 to use your application"
+ kubectl port-forward $POD_NAME 8080:80
+{{- end }}
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-issuer-chart/templates/_helpers.tpl b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-issuer-chart/templates/_helpers.tpl
new file mode 100644
index 0000000..9cd3910
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-issuer-chart/templates/_helpers.tpl
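Review bot: NOTES.txt dereferences `.Values.service.type` and `.Values.service.port`, and under Tiller a missing `service` map makes `contains "NodePort" .Values.service.type` abort rendering with a nil-pointer error, which fails the whole release rather than just the notes. The step-issuer values.yaml is not in this chunk; the sibling cert-manager-chart/values.yaml in the same commit defines only replicaCount, ingress and labels, so the same is likely here. Either define `service.type`/`service.port` in values.yaml or wrap the service branches in an outer `{{- if .Values.service }}` (Go templates do not short-circuit `and`, so an inline guard would not help). The text itself is the unedited `helm create` scaffold ("Visit http://127.0.0.1:8080 to use your application"), which does not describe a step-issuer controller and should be replaced with what an operator actually needs after install.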
@@ -0,0 +1,65 @@
+# *****************************************************************************
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# ******************************************************************************
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "step-issuer.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "step-issuer.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "step-issuer.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "step-issuer.labels" -}}
+app.kubernetes.io/name: {{ include "step-issuer.name" . }}
+helm.sh/chart: {{ include "step-issuer.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-issuer-chart/templates/crd.yaml b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-issuer-chart/templates/crd.yaml
new file mode 100644
index 0000000..63744e9
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-issuer-chart/templates/crd.yaml
@@ -0,0 +1,148 @@
+{{- /*
+# *****************************************************************************
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# ******************************************************************************
+*/ -}}
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ creationTimestamp: null
+ name: stepissuers.certmanager.step.sm
+spec:
+ group: certmanager.step.sm
+ names:
+ kind: StepIssuer
+ plural: stepissuers
+ scope: ""
+ validation:
+ openAPIV3Schema:
+ description: StepIssuer is the Schema for the stepissuers API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: StepIssuerSpec defines the desired state of StepIssuer
+ properties:
+ caBundle:
+ description: CABundle is a base64 encoded TLS certificate used to verify
+ connections to the step certificates server. If not set the system
+ root certificates are used to validate the TLS connection.
+ format: byte
+ type: string
+ provisioner:
+ description: Provisioner contains the step certificates provisioner
+ configuration.
+ properties:
+ kid:
+ description: KeyID is the kid property of the JWK provisioner.
+ type: string
+ name:
+ description: Names is the name of the JWK provisioner.
+ type: string
+ passwordRef:
+ description: PasswordRef is a reference to a Secret containing the
+ provisioner password used to decrypt the provisioner private key.
+ properties:
+ key:
+ description: The key of the secret to select from. Must be a
+ valid secret key.
+ type: string
+ name:
+ description: The name of the secret in the pod's namespace to
+ select from.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - kid
+ - name
+ - passwordRef
+ type: object
+ url:
+ description: URL is the base URL for the step certificates instance.
+ type: string
+ required:
+ - provisioner
+ - url
+ type: object
+ status:
+ description: StepIssuerStatus defines the observed state of StepIssuer
+ properties:
+ conditions:
+ items:
+ description: StepIssuerCondition contains condition information for
+ the step issuer.
+ properties:
+ lastTransitionTime:
+ description: LastTransitionTime is the timestamp corresponding
+ to the last status change of this condition.
+ format: date-time
+ type: string
+ message:
+ description: Message is a human readable description of the details
+ of the last transition, complementing reason.
+ type: string
+ reason:
+ description: Reason is a brief machine readable explanation for
+ the condition's last transition.
+ type: string
+ status:
+ description: Status of the condition, one of ('True', 'False',
+ 'Unknown').
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: Type of the condition, currently ('Ready').
+ enum:
+ - Ready
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ type: object
+ type: object
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-issuer-chart/templates/deployment.yaml b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-issuer-chart/templates/deployment.yaml
new file mode 100644
index 0000000..c010d77
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-issuer-chart/templates/deployment.yaml
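Review bot: This CRD, `stepissuers.certmanager.step.sm`, is emitted a second time by templates/deployment.yaml in the same commit (its hunk begins right after this one), so one release renders the same cluster-scoped object twice; as far as I can tell Tiller will try to create it twice, and in any case two definitions of one CRD in a chart will drift. Keep crd.yaml as the single definition and drop the copy from deployment.yaml. Also, `scope: ""` leaves the resource scope to apiserver defaulting (Namespaced for v1beta1, as I recall); `scope: Namespaced` states the intent explicitly, which matters here because `passwordRef` is documented as naming a Secret "in the pod's namespace". The `creationTimestamp: null` and the empty `status:` block are generator output that a chart template does not need.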
@@ -0,0 +1,360 @@ +{{- /* +# ***************************************************************************** +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +# ****************************************************************************** +*/ -}} + +apiVersion: v1 +kind: Namespace +metadata: + labels: + control-plane: controller-manager + name: step-issuer-system +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: stepissuers.certmanager.step.sm +spec: + group: certmanager.step.sm + names: + kind: StepIssuer + plural: stepissuers + scope: "" + validation: + openAPIV3Schema: + description: StepIssuer is the Schema for the stepissuers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. 
Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: StepIssuerSpec defines the desired state of StepIssuer + properties: + caBundle: + description: CABundle is a base64 encoded TLS certificate used to verify + connections to the step certificates server. If not set the system + root certificates are used to validate the TLS connection. + format: byte + type: string + provisioner: + description: Provisioner contains the step certificates provisioner + configuration. + properties: + kid: + description: KeyID is the kid property of the JWK provisioner. + type: string + name: + description: Names is the name of the JWK provisioner. + type: string + passwordRef: + description: PasswordRef is a reference to a Secret containing the + provisioner password used to decrypt the provisioner private key. + properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: The name of the secret in the pod's namespace to + select from. + type: string + required: + - name + type: object + required: + - kid + - name + - passwordRef + type: object + url: + description: URL is the base URL for the step certificates instance. + type: string + required: + - provisioner + - url + type: object + status: + description: StepIssuerStatus defines the observed state of StepIssuer + properties: + conditions: + items: + description: StepIssuerCondition contains condition information for + the step issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. 
+ type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). + enum: + - Ready + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + versions: + - name: v1beta1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: step-issuer-leader-election-role + namespace: step-issuer-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: step-issuer-manager-role +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - certmanager.k8s.io + resources: + - certificaterequests + verbs: + - get + - list + - update + - watch +- apiGroups: + - certmanager.k8s.io + resources: + - certificaterequests/status + verbs: + - get + - patch + - update +- apiGroups: + - certmanager.step.sm + resources: + - stepissuers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - certmanager.step.sm + resources: + - stepissuers/status + verbs: + - get + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: step-issuer-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- 
apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: step-issuer-leader-election-rolebinding
+ namespace: step-issuer-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: step-issuer-leader-election-role
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: step-issuer-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: step-issuer-manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: step-issuer-manager-role
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: step-issuer-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: step-issuer-proxy-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: step-issuer-proxy-role
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: step-issuer-system
+---
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ prometheus.io/port: "8443"
+ prometheus.io/scheme: https
+ prometheus.io/scrape: "true"
+ labels:
+ control-plane: controller-manager
+ name: step-issuer-controller-manager-metrics-service
+ namespace: step-issuer-system
+spec:
+ ports:
+ - name: https
+ port: 8443
+ targetPort: https
+ selector:
+ control-plane: controller-manager
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ control-plane: controller-manager
+ name: step-issuer-controller-manager
+ namespace: step-issuer-system
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ control-plane: controller-manager
+ template:
+ metadata:
+ labels:
+ control-plane: controller-manager
+ spec:
+ containers:
+ - args:
+ - --secure-listen-address=0.0.0.0:8443
+ - --upstream=http://127.0.0.1:8080/
+ - --logtostderr=true
+ - --v=10
+ image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0
+ name: kube-rbac-proxy
+
ports:
+ - containerPort: 8443
+ name: https
+ - args:
+ - --metrics-addr=127.0.0.1:8080
+ - --enable-leader-election
+ command:
+ - /manager
+ image: smallstep/step-issuer:0.1.0
+ name: manager
+ resources:
+ limits:
+ cpu: 100m
+ memory: 30Mi
+ requests:
+ cpu: 100m
+ memory: 20Mi
+ terminationGracePeriodSeconds: 10
\ No newline at end of file
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/main.tf b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-issuer-chart/values.yaml
similarity index 58%
copy from infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/main.tf
copy to infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-issuer-chart/values.yaml
index 8cdf66b..0c6d2cf 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/main.tf
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-issuer-chart/values.yaml
@@ -18,36 +18,9 @@
 # under the License.
 #
 # ******************************************************************************
-provider "helm" {
- install_tiller = true
- namespace = "kube-system"
- service_account = "tiller"
- tiller_image = "gcr.io/kubernetes-helm/tiller:v2.14.1"
-}
-provider "kubernetes" {}
+replicaCount: 1
-resource "kubernetes_namespace" "dlab-namespace" {
- metadata {
- annotations = {
- name = var.namespace_name
- }
-
- name = var.namespace_name
- }
-}
-
-resource "kubernetes_storage_class" "dlab-storage-class" {
- metadata {
- name = "aws-ebs"
- }
- storage_provisioner = "kubernetes.io/aws-ebs"
- reclaim_policy = "Delete"
- parameters = {
- type = "gp2"
- }
-}
-
-output "keycloak_client_secret" {
- value = random_uuid.keycloak_client_secret.result
-}
\ No newline at end of file
+ingress:
+ enabled: false
+labels: {}
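Review bot: All three bindings in this hunk (step-issuer-leader-election-rolebinding, step-issuer-manager-rolebinding, step-issuer-proxy-rolebinding) name the `default` ServiceAccount of `step-issuer-system`, and the Deployment's pod spec sets no `serviceAccountName`, so the manager's cluster-wide `secrets` get/list/watch and the proxy's tokenreviews/subjectaccessreviews rights go to whatever pod runs under the namespace's default account rather than to the controller alone. A dedicated ServiceAccount referenced from the bindings and the pod spec keeps those grants scoped to step-issuer. Separately, `--v=10` on kube-rbac-proxy is trace-level verbosity for a long-running sidecar, and none of the templates visible here reference `.Values`, so `replicaCount` and `labels` from values.yaml appear not to be consumed (the hardcoded `replicas: 1` applies) — hedged, since _helpers.tpl is not in view.
```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: step-issuer-controller-manager
  namespace: step-issuer-system
# … unchanged: Namespace, CRD, Role and ClusterRole definitions …
subjects:
- kind: ServiceAccount
  name: step-issuer-controller-manager   # was: default (same change in all three bindings)
  namespace: step-issuer-system
# … unchanged: Service, Deployment metadata and selector …
    spec:
      serviceAccountName: step-issuer-controller-manager
      containers:
# … unchanged: kube-rbac-proxy and manager containers …
```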
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/main.tf b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-issuer.tf
similarity index 59%
copy from infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/main.tf
copy to infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-issuer.tf
index 8cdf66b..3b3fa3c 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/main.tf
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/step-issuer.tf
@@ -18,36 +18,18 @@
 # under the License.
 #
 # ******************************************************************************
-provider "helm" {
- install_tiller = true
- namespace = "kube-system"
- service_account = "tiller"
- tiller_image = "gcr.io/kubernetes-helm/tiller:v2.14.1"
-}
-
-provider "kubernetes" {}
-
-resource "kubernetes_namespace" "dlab-namespace" {
- metadata {
- annotations = {
- name = var.namespace_name
- }
- name = var.namespace_name
- }
+data "template_file" "step_issuer_values" {
+ template = file("./cert-manager-chart/values.yaml")
 }
-resource "kubernetes_storage_class" "dlab-storage-class" {
- metadata {
- name = "aws-ebs"
- }
- storage_provisioner = "kubernetes.io/aws-ebs"
- reclaim_policy = "Delete"
- parameters = {
- type = "gp2"
- }
-}
+resource "helm_release" "step-issuer" {
+ name = "step-issuer"
+ chart = "./step-issuer-chart"
+ wait = true
+ depends_on = [null_resource.step_ca_delay]
-output "keycloak_client_secret" {
- value = random_uuid.keycloak_client_secret.result
-}
\ No newline at end of file
+ values = [
+ data.template_file.step_issuer_values.rendered
+ ]
+}
--------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@dlab.apache.org For additional commands, e-mail: commits-h...@dlab.apache.org
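Review bot: The new `template_file` data source for the step-issuer release reads `./cert-manager-chart/values.yaml`, so `helm_release.step-issuer` is rendered with the cert-manager chart's values instead of the step-issuer-chart/values.yaml added in this same commit; the path should be `template = file("./step-issuer-chart/values.yaml")`. Since no `vars` are supplied, `template_file` also adds nothing over reading the file directly, and `values = [file("./step-issuer-chart/values.yaml")]` would drop the data source and the extra provider dependency. `null_resource.step_ca_delay` in `depends_on` is presumably declared in step-ca.tf, which is listed in the diffstat but not in view.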