richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7851 Commits
34 Branches
82 Tags
155 MiB
Tree: ebdc599b05
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ebdc599b05'
${ noResults }
kubespray/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2

1259 lines
42 KiB
Raw Normal View History

[cert-manager] Upgrade to v1.10.1 (#9512)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] upgrade to v1.13.2 (#10616)
1 year ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
feat: update cert-manager to 1.7.0 (#8491) Signed-off-by: Cyril Corbon <corboncyril@gmail.com>
3 years ago
[cert-manager] upgrade to v1.13.2 (#10616)
1 year ago
feat: update cert-manager to 1.7.0 (#8491) Signed-off-by: Cyril Corbon <corboncyril@gmail.com>
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] upgrade to v1.13.2 (#10616)
1 year ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] upgrade to v1.13.2 (#10616)
1 year ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] upgrade to v1.13.2 (#10616)
1 year ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] Upgrade to v1.8.0 (#8688)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] Upgrade to v1.8.0 (#8688)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] Upgrade to v1.8.0 (#8688)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
feat: update cert-manager to 1.7.0 (#8491) Signed-off-by: Cyril Corbon <corboncyril@gmail.com>
3 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] Upgrade to v1.8.0 (#8688)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] Upgrade to v1.8.0 (#8688)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] Upgrade to v1.8.0 (#8688)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] Upgrade to v1.8.0 (#8688)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] Upgrade to v1.8.0 (#8688)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] upgrade to v1.13.2 (#10616)
1 year ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] upgrade to v1.13.2 (#10616)
1 year ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] Upgrade to v1.8.0 (#8688)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] Upgrade to v1.8.0 (#8688)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] upgrade to v1.13.2 (#10616)
1 year ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
cert-manager: Fix incorrect leader election namespace lead to insufficient permission (#8433)
3 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
feat: update cert-manager to 1.7.0 (#8491) Signed-off-by: Cyril Corbon <corboncyril@gmail.com>
3 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
cert-manager: Fix incorrect leader election namespace lead to insufficient permission (#8433)
3 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
cert-manager: Fix incorrect leader election namespace lead to insufficient permission (#8433)
3 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
feat: update cert-manager to 1.7.0 (#8491) Signed-off-by: Cyril Corbon <corboncyril@gmail.com>
3 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
cert-manager: Fix incorrect leader election namespace lead to insufficient permission (#8433)
3 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
feat: update cert-manager to 1.7.0 (#8491) Signed-off-by: Cyril Corbon <corboncyril@gmail.com>
3 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] Upgrade to v1.8.0 (#8688)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
feat: update cert-manager to 1.7.0 (#8491) Signed-off-by: Cyril Corbon <corboncyril@gmail.com>
3 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] upgrade to v1.13.2 (#10616)
1 year ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] Upgrade to v1.10.1 (#9512)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] Upgrade to v1.10.1 (#9512)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
cert-manager: Allow to change leader election namespace for GKE Autopilot support (#8424) More information: - kubernetes-sigs/kubespray#8393 - jetstack/cert-manager#4102 - jetstack/cert-manager#3717
3 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
Solves #2933: Allow http_proxy, https_proxy and no_proxy environment variables in cert-manager playbook (#10162)
1 year ago
[cert-manager] Upgrade to v1.8.0 (#8688)
2 years ago
Specify securityContext for cert-manager (#9404) On hardening environments, cert-manager pods could not be created from the corresponding deployments. This adds the securityContext to solve the issue.
2 years ago
[cert-manager] Upgrade to v1.10.1 (#9512)
2 years ago
Specify securityContext for cert-manager (#9404) On hardening environments, cert-manager pods could not be created from the corresponding deployments. This adds the securityContext to solve the issue.
2 years ago
fix: add tolerations / affinity to cert-manager (#8389) Signed-off-by: Cyril Corbon <corboncyril@gmail.com>
3 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
cert-manager: add trusted internal ca when configured (#8135) * cert-manager: add trusted internal ca when configured * wrong check for inventory variable * Update documentation
3 years ago
DeprecationWarning occurs when indentfirst=None is specified in coredns-config.yml.j2 (#8224)
3 years ago
cert-manager: add trusted internal ca when configured (#8135) * cert-manager: add trusted internal ca when configured * wrong check for inventory variable * Update documentation
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] upgrade to v1.13.2 (#10616)
1 year ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] Upgrade to v1.10.1 (#9512)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] Upgrade to v1.10.1 (#9512)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
cert-manager: Allow to change leader election namespace for GKE Autopilot support (#8424) More information: - kubernetes-sigs/kubespray#8393 - jetstack/cert-manager#4102 - jetstack/cert-manager#3717
3 years ago
cert-manager controller args: (#10049) - Adding in the ability to feed extra-args to cert-manager-controller.
1 year ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] Upgrade to v1.8.0 (#8688)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] upgrade to v1.13.2 (#10616)
1 year ago
[cert-manager] Upgrade to v1.8.0 (#8688)
2 years ago
Specify securityContext for cert-manager (#9404) On hardening environments, cert-manager pods could not be created from the corresponding deployments. This adds the securityContext to solve the issue.
2 years ago
[cert-manager] Upgrade to v1.10.1 (#9512)
2 years ago
Specify securityContext for cert-manager (#9404) On hardening environments, cert-manager pods could not be created from the corresponding deployments. This adds the securityContext to solve the issue.
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
Solves #2933: Allow http_proxy, https_proxy and no_proxy environment variables in cert-manager playbook (#10162)
1 year ago
fix(cert manager): Fix manifest if cert_manager_trusted_internal_ca is provided (#9922)
1 year ago
fix: add tolerations / affinity to cert-manager (#8389) Signed-off-by: Cyril Corbon <corboncyril@gmail.com>
3 years ago
Add dns configuration for cert manager (#9673) Signed-off-by: bo.jiang <bo.jiang@daocloud.io> Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] upgrade to v1.13.2 (#10616)
1 year ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] Upgrade to v1.10.1 (#9512)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] Upgrade to v1.10.1 (#9512)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] Upgrade to v1.10.1 (#9512)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] Upgrade to v1.10.1 (#9512)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] Upgrade to v1.8.0 (#8688)
2 years ago
Specify securityContext for cert-manager (#9404) On hardening environments, cert-manager pods could not be created from the corresponding deployments. This adds the securityContext to solve the issue.
2 years ago
[cert-manager] Upgrade to v1.10.1 (#9512)
2 years ago
Specify securityContext for cert-manager (#9404) On hardening environments, cert-manager pods could not be created from the corresponding deployments. This adds the securityContext to solve the issue.
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
Solves #2933: Allow http_proxy, https_proxy and no_proxy environment variables in cert-manager playbook (#10162)
1 year ago
fix: add tolerations / affinity to cert-manager (#8389) Signed-off-by: Cyril Corbon <corboncyril@gmail.com>
3 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
feat: update cert-manager to 1.7.0 (#8491) Signed-off-by: Cyril Corbon <corboncyril@gmail.com>
3 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
[cert-manager] update cert-manager to v1.11.0 (#9661)
2 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
feat: update cert-manager to 1.7.0 (#8491) Signed-off-by: Cyril Corbon <corboncyril@gmail.com>
3 years ago
cert-manager: upgrade to 1.5.4 (#8069) * cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
3 years ago
  1. # Copyright 2022 The cert-manager Authors.
  2. #
  3. # Licensed under the Apache License, Version 2.0 (the "License");
  4. # you may not use this file except in compliance with the License.
  5. # You may obtain a copy of the License at
  6. #
  7. # http://www.apache.org/licenses/LICENSE-2.0
  8. #
  9. # Unless required by applicable law or agreed to in writing, software
  10. # distributed under the License is distributed on an "AS IS" BASIS,
  11. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  12. # See the License for the specific language governing permissions and
  13. # limitations under the License.
  15. ---
  16. apiVersion: v1
  17. kind: Namespace
  18. metadata:
  19. name: {{ cert_manager_namespace }}
  20. ---
  21. # Source: cert-manager/deploy/charts/cert-manager/templates/cainjector-serviceaccount.yaml
  22. apiVersion: v1
  23. kind: ServiceAccount
  24. automountServiceAccountToken: true
  25. metadata:
  26. name: cert-manager-cainjector
  27. namespace: {{ cert_manager_namespace }}
  28. labels:
  29. app: cainjector
  30. app.kubernetes.io/name: cainjector
  31. app.kubernetes.io/instance: cert-manager
  32. app.kubernetes.io/component: "cainjector"
  33. app.kubernetes.io/version: "{{ cert_manager_version }}"
  34. ---
  35. # Source: cert-manager/deploy/charts/cert-manager/templates/serviceaccount.yaml
  36. apiVersion: v1
  37. kind: ServiceAccount
  38. automountServiceAccountToken: true
  39. metadata:
  40. name: cert-manager
  41. namespace: {{ cert_manager_namespace }}
  42. labels:
  43. app: cert-manager
  44. app.kubernetes.io/name: cert-manager
  45. app.kubernetes.io/instance: cert-manager
  46. app.kubernetes.io/component: "controller"
  47. app.kubernetes.io/version: "{{ cert_manager_version }}"
  48. ---
  49. # Source: cert-manager/deploy/charts/cert-manager/templates/webhook-serviceaccount.yaml
  50. apiVersion: v1
  51. kind: ServiceAccount
  52. automountServiceAccountToken: true
  53. metadata:
  54. name: cert-manager-webhook
  55. namespace: {{ cert_manager_namespace }}
  56. labels:
  57. app: webhook
  58. app.kubernetes.io/name: webhook
  59. app.kubernetes.io/instance: cert-manager
  60. app.kubernetes.io/component: "webhook"
  61. app.kubernetes.io/version: "{{ cert_manager_version }}"
  62. ---
  63. # Source: cert-manager/deploy/charts/cert-manager/templates/controller-config.yaml
  64. apiVersion: v1
  65. kind: ConfigMap
  66. metadata:
  67. name: cert-manager
  68. namespace: {{ cert_manager_namespace }}
  69. labels:
  70. app: cert-manager
  71. app.kubernetes.io/name: cert-manager
  72. app.kubernetes.io/instance: cert-manager
  73. app.kubernetes.io/component: "controller"
  74. app.kubernetes.io/version: "{{ cert_manager_version }}"
  75. data:
  76. ---
  77. # Source: cert-manager/deploy/charts/cert-manager/templates/webhook-config.yaml
  78. apiVersion: v1
  79. kind: ConfigMap
  80. metadata:
  81. name: cert-manager-webhook
  82. namespace: {{ cert_manager_namespace }}
  83. labels:
  84. app: webhook
  85. app.kubernetes.io/name: webhook
  86. app.kubernetes.io/instance: cert-manager
  87. app.kubernetes.io/component: "webhook"
  88. app.kubernetes.io/version: "{{ cert_manager_version }}"
  89. data:
  90. ---
  91. # Source: cert-manager/deploy/charts/cert-manager/templates/cainjector-rbac.yaml
  92. apiVersion: rbac.authorization.k8s.io/v1
  93. kind: ClusterRole
  94. metadata:
  95. name: cert-manager-cainjector
  96. labels:
  97. app: cainjector
  98. app.kubernetes.io/name: cainjector
  99. app.kubernetes.io/instance: cert-manager
  100. app.kubernetes.io/component: "cainjector"
  101. app.kubernetes.io/version: "{{ cert_manager_version }}"
  102. rules:
  103. - apiGroups: ["cert-manager.io"]
  104. resources: ["certificates"]
  105. verbs: ["get", "list", "watch"]
  106. - apiGroups: [""]
  107. resources: ["secrets"]
  108. verbs: ["get", "list", "watch"]
  109. - apiGroups: [""]
  110. resources: ["events"]
  111. verbs: ["get", "create", "update", "patch"]
  112. - apiGroups: ["admissionregistration.k8s.io"]
  113. resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
  114. verbs: ["get", "list", "watch", "update", "patch"]
  115. - apiGroups: ["apiregistration.k8s.io"]
  116. resources: ["apiservices"]
  117. verbs: ["get", "list", "watch", "update", "patch"]
  118. - apiGroups: ["apiextensions.k8s.io"]
  119. resources: ["customresourcedefinitions"]
  120. verbs: ["get", "list", "watch", "update", "patch"]
  121. ---
  122. # Source: cert-manager/deploy/charts/cert-manager/templates/rbac.yaml
  123. # Issuer controller role
  124. apiVersion: rbac.authorization.k8s.io/v1
  125. kind: ClusterRole
  126. metadata:
  127. name: cert-manager-controller-issuers
  128. labels:
  129. app: cert-manager
  130. app.kubernetes.io/name: cert-manager
  131. app.kubernetes.io/instance: cert-manager
  132. app.kubernetes.io/component: "controller"
  133. app.kubernetes.io/version: "{{ cert_manager_version }}"
  134. rules:
  135. - apiGroups: ["cert-manager.io"]
  136. resources: ["issuers", "issuers/status"]
  137. verbs: ["update", "patch"]
  138. - apiGroups: ["cert-manager.io"]
  139. resources: ["issuers"]
  140. verbs: ["get", "list", "watch"]
  141. - apiGroups: [""]
  142. resources: ["secrets"]
  143. verbs: ["get", "list", "watch", "create", "update", "delete"]
  144. - apiGroups: [""]
  145. resources: ["events"]
  146. verbs: ["create", "patch"]
  147. ---
  148. # Source: cert-manager/deploy/charts/cert-manager/templates/rbac.yaml
  149. # ClusterIssuer controller role
  150. apiVersion: rbac.authorization.k8s.io/v1
  151. kind: ClusterRole
  152. metadata:
  153. name: cert-manager-controller-clusterissuers
  154. labels:
  155. app: cert-manager
  156. app.kubernetes.io/name: cert-manager
  157. app.kubernetes.io/instance: cert-manager
  158. app.kubernetes.io/component: "controller"
  159. app.kubernetes.io/version: "{{ cert_manager_version }}"
  160. rules:
  161. - apiGroups: ["cert-manager.io"]
  162. resources: ["clusterissuers", "clusterissuers/status"]
  163. verbs: ["update", "patch"]
  164. - apiGroups: ["cert-manager.io"]
  165. resources: ["clusterissuers"]
  166. verbs: ["get", "list", "watch"]
  167. - apiGroups: [""]
  168. resources: ["secrets"]
  169. verbs: ["get", "list", "watch", "create", "update", "delete"]
  170. - apiGroups: [""]
  171. resources: ["events"]
  172. verbs: ["create", "patch"]
  173. ---
  174. # Source: cert-manager/deploy/charts/cert-manager/templates/rbac.yaml
  175. # Certificates controller role
  176. apiVersion: rbac.authorization.k8s.io/v1
  177. kind: ClusterRole
  178. metadata:
  179. name: cert-manager-controller-certificates
  180. labels:
  181. app: cert-manager
  182. app.kubernetes.io/name: cert-manager
  183. app.kubernetes.io/instance: cert-manager
  184. app.kubernetes.io/component: "controller"
  185. app.kubernetes.io/version: "{{ cert_manager_version }}"
  186. rules:
  187. - apiGroups: ["cert-manager.io"]
  188. resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
  189. verbs: ["update", "patch"]
  190. - apiGroups: ["cert-manager.io"]
  191. resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
  192. verbs: ["get", "list", "watch"]
  193. # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  194. # admission controller enabled:
  195. # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  196. - apiGroups: ["cert-manager.io"]
  197. resources: ["certificates/finalizers", "certificaterequests/finalizers"]
  198. verbs: ["update"]
  199. - apiGroups: ["acme.cert-manager.io"]
  200. resources: ["orders"]
  201. verbs: ["create", "delete", "get", "list", "watch"]
  202. - apiGroups: [""]
  203. resources: ["secrets"]
  204. verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
  205. - apiGroups: [""]
  206. resources: ["events"]
  207. verbs: ["create", "patch"]
  208. ---
  209. # Source: cert-manager/deploy/charts/cert-manager/templates/rbac.yaml
  210. # Orders controller role
  211. apiVersion: rbac.authorization.k8s.io/v1
  212. kind: ClusterRole
  213. metadata:
  214. name: cert-manager-controller-orders
  215. labels:
  216. app: cert-manager
  217. app.kubernetes.io/name: cert-manager
  218. app.kubernetes.io/instance: cert-manager
  219. app.kubernetes.io/component: "controller"
  220. app.kubernetes.io/version: "{{ cert_manager_version }}"
  221. rules:
  222. - apiGroups: ["acme.cert-manager.io"]
  223. resources: ["orders", "orders/status"]
  224. verbs: ["update", "patch"]
  225. - apiGroups: ["acme.cert-manager.io"]
  226. resources: ["orders", "challenges"]
  227. verbs: ["get", "list", "watch"]
  228. - apiGroups: ["cert-manager.io"]
  229. resources: ["clusterissuers", "issuers"]
  230. verbs: ["get", "list", "watch"]
  231. - apiGroups: ["acme.cert-manager.io"]
  232. resources: ["challenges"]
  233. verbs: ["create", "delete"]
  234. # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  235. # admission controller enabled:
  236. # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  237. - apiGroups: ["acme.cert-manager.io"]
  238. resources: ["orders/finalizers"]
  239. verbs: ["update"]
  240. - apiGroups: [""]
  241. resources: ["secrets"]
  242. verbs: ["get", "list", "watch"]
  243. - apiGroups: [""]
  244. resources: ["events"]
  245. verbs: ["create", "patch"]
  246. ---
  247. # Source: cert-manager/deploy/charts/cert-manager/templates/rbac.yaml
  248. # Challenges controller role
  249. apiVersion: rbac.authorization.k8s.io/v1
  250. kind: ClusterRole
  251. metadata:
  252. name: cert-manager-controller-challenges
  253. labels:
  254. app: cert-manager
  255. app.kubernetes.io/name: cert-manager
  256. app.kubernetes.io/instance: cert-manager
  257. app.kubernetes.io/component: "controller"
  258. app.kubernetes.io/version: "{{ cert_manager_version }}"
  259. rules:
  260. # Use to update challenge resource status
  261. - apiGroups: ["acme.cert-manager.io"]
  262. resources: ["challenges", "challenges/status"]
  263. verbs: ["update", "patch"]
  264. # Used to watch challenge resources
  265. - apiGroups: ["acme.cert-manager.io"]
  266. resources: ["challenges"]
  267. verbs: ["get", "list", "watch"]
  268. # Used to watch challenges, issuer and clusterissuer resources
  269. - apiGroups: ["cert-manager.io"]
  270. resources: ["issuers", "clusterissuers"]
  271. verbs: ["get", "list", "watch"]
  272. # Need to be able to retrieve ACME account private key to complete challenges
  273. - apiGroups: [""]
  274. resources: ["secrets"]
  275. verbs: ["get", "list", "watch"]
  276. # Used to create events
  277. - apiGroups: [""]
  278. resources: ["events"]
  279. verbs: ["create", "patch"]
  280. # HTTP01 rules
  281. - apiGroups: [""]
  282. resources: ["pods", "services"]
  283. verbs: ["get", "list", "watch", "create", "delete"]
  284. - apiGroups: ["networking.k8s.io"]
  285. resources: ["ingresses"]
  286. verbs: ["get", "list", "watch", "create", "delete", "update"]
  287. - apiGroups: [ "gateway.networking.k8s.io" ]
  288. resources: [ "httproutes" ]
  289. verbs: ["get", "list", "watch", "create", "delete", "update"]
  290. # We require the ability to specify a custom hostname when we are creating
  291. # new ingress resources.
  292. # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
  293. - apiGroups: ["route.openshift.io"]
  294. resources: ["routes/custom-host"]
  295. verbs: ["create"]
  296. # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  297. # admission controller enabled:
  298. # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  299. - apiGroups: ["acme.cert-manager.io"]
  300. resources: ["challenges/finalizers"]
  301. verbs: ["update"]
  302. # DNS01 rules (duplicated above)
  303. - apiGroups: [""]
  304. resources: ["secrets"]
  305. verbs: ["get", "list", "watch"]
  306. ---
  307. # Source: cert-manager/deploy/charts/cert-manager/templates/rbac.yaml
  308. # ingress-shim controller role
  309. apiVersion: rbac.authorization.k8s.io/v1
  310. kind: ClusterRole
  311. metadata:
  312. name: cert-manager-controller-ingress-shim
  313. labels:
  314. app: cert-manager
  315. app.kubernetes.io/name: cert-manager
  316. app.kubernetes.io/instance: cert-manager
  317. app.kubernetes.io/component: "controller"
  318. app.kubernetes.io/version: "{{ cert_manager_version }}"
  319. rules:
  320. - apiGroups: ["cert-manager.io"]
  321. resources: ["certificates", "certificaterequests"]
  322. verbs: ["create", "update", "delete"]
  323. - apiGroups: ["cert-manager.io"]
  324. resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
  325. verbs: ["get", "list", "watch"]
  326. - apiGroups: ["networking.k8s.io"]
  327. resources: ["ingresses"]
  328. verbs: ["get", "list", "watch"]
  329. # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  330. # admission controller enabled:
  331. # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  332. - apiGroups: ["networking.k8s.io"]
  333. resources: ["ingresses/finalizers"]
  334. verbs: ["update"]
  335. - apiGroups: ["gateway.networking.k8s.io"]
  336. resources: ["gateways", "httproutes"]
  337. verbs: ["get", "list", "watch"]
  338. - apiGroups: ["gateway.networking.k8s.io"]
  339. resources: ["gateways/finalizers", "httproutes/finalizers"]
  340. verbs: ["update"]
  341. - apiGroups: [""]
  342. resources: ["events"]
  343. verbs: ["create", "patch"]
  344. ---
  345. # Source: cert-manager/deploy/charts/cert-manager/templates/rbac.yaml
  346. apiVersion: rbac.authorization.k8s.io/v1
  347. kind: ClusterRole
  348. metadata:
  349. name: cert-manager-cluster-view
  350. labels:
  351. app: cert-manager
  352. app.kubernetes.io/name: cert-manager
  353. app.kubernetes.io/instance: cert-manager
  354. app.kubernetes.io/component: "controller"
  355. app.kubernetes.io/version: "{{ cert_manager_version }}"
  356. rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
  357. rules:
  358. - apiGroups: ["cert-manager.io"]
  359. resources: ["clusterissuers"]
  360. verbs: ["get", "list", "watch"]
  361. ---
  362. # Source: cert-manager/deploy/charts/cert-manager/templates/rbac.yaml
  363. apiVersion: rbac.authorization.k8s.io/v1
  364. kind: ClusterRole
  365. metadata:
  366. name: cert-manager-view
  367. labels:
  368. app: cert-manager
  369. app.kubernetes.io/name: cert-manager
  370. app.kubernetes.io/instance: cert-manager
  371. app.kubernetes.io/component: "controller"
  372. app.kubernetes.io/version: "{{ cert_manager_version }}"
  373. rbac.authorization.k8s.io/aggregate-to-view: "true"
  374. rbac.authorization.k8s.io/aggregate-to-edit: "true"
  375. rbac.authorization.k8s.io/aggregate-to-admin: "true"
  376. rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
  377. rules:
  378. - apiGroups: ["cert-manager.io"]
  379. resources: ["certificates", "certificaterequests", "issuers"]
  380. verbs: ["get", "list", "watch"]
  381. - apiGroups: ["acme.cert-manager.io"]
  382. resources: ["challenges", "orders"]
  383. verbs: ["get", "list", "watch"]
  384. ---
  385. # Source: cert-manager/deploy/charts/cert-manager/templates/rbac.yaml
  386. apiVersion: rbac.authorization.k8s.io/v1
  387. kind: ClusterRole
  388. metadata:
  389. name: cert-manager-edit
  390. labels:
  391. app: cert-manager
  392. app.kubernetes.io/name: cert-manager
  393. app.kubernetes.io/instance: cert-manager
  394. app.kubernetes.io/component: "controller"
  395. app.kubernetes.io/version: "{{ cert_manager_version }}"
  396. rbac.authorization.k8s.io/aggregate-to-edit: "true"
  397. rbac.authorization.k8s.io/aggregate-to-admin: "true"
  398. rules:
  399. - apiGroups: ["cert-manager.io"]
  400. resources: ["certificates", "certificaterequests", "issuers"]
  401. verbs: ["create", "delete", "deletecollection", "patch", "update"]
  402. - apiGroups: ["cert-manager.io"]
  403. resources: ["certificates/status"]
  404. verbs: ["update"]
  405. - apiGroups: ["acme.cert-manager.io"]
  406. resources: ["challenges", "orders"]
  407. verbs: ["create", "delete", "deletecollection", "patch", "update"]
  408. ---
  409. # Source: cert-manager/deploy/charts/cert-manager/templates/rbac.yaml
  410. # Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
  411. apiVersion: rbac.authorization.k8s.io/v1
  412. kind: ClusterRole
  413. metadata:
  414. name: cert-manager-controller-approve:cert-manager-io
  415. labels:
  416. app: cert-manager
  417. app.kubernetes.io/name: cert-manager
  418. app.kubernetes.io/instance: cert-manager
  419. app.kubernetes.io/component: "cert-manager"
  420. app.kubernetes.io/version: "{{ cert_manager_version }}"
  421. rules:
  422. - apiGroups: ["cert-manager.io"]
  423. resources: ["signers"]
  424. verbs: ["approve"]
  425. resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
  426. ---
  427. # Source: cert-manager/deploy/charts/cert-manager/templates/rbac.yaml
  428. # Permission to:
  429. # - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers
  430. # - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
  431. apiVersion: rbac.authorization.k8s.io/v1
  432. kind: ClusterRole
  433. metadata:
  434. name: cert-manager-controller-certificatesigningrequests
  435. labels:
  436. app: cert-manager
  437. app.kubernetes.io/name: cert-manager
  438. app.kubernetes.io/instance: cert-manager
  439. app.kubernetes.io/component: "cert-manager"
  440. app.kubernetes.io/version: "{{ cert_manager_version }}"
  441. rules:
  442. - apiGroups: ["certificates.k8s.io"]
  443. resources: ["certificatesigningrequests"]
  444. verbs: ["get", "list", "watch", "update"]
  445. - apiGroups: ["certificates.k8s.io"]
  446. resources: ["certificatesigningrequests/status"]
  447. verbs: ["update", "patch"]
  448. - apiGroups: ["certificates.k8s.io"]
  449. resources: ["signers"]
  450. resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
  451. verbs: ["sign"]
  452. - apiGroups: ["authorization.k8s.io"]
  453. resources: ["subjectaccessreviews"]
  454. verbs: ["create"]
  455. ---
  456. # Source: cert-manager/deploy/charts/cert-manager/templates/webhook-rbac.yaml
  457. apiVersion: rbac.authorization.k8s.io/v1
  458. kind: ClusterRole
  459. metadata:
  460. name: cert-manager-webhook:subjectaccessreviews
  461. labels:
  462. app: webhook
  463. app.kubernetes.io/name: webhook
  464. app.kubernetes.io/instance: cert-manager
  465. app.kubernetes.io/component: "webhook"
  466. app.kubernetes.io/version: "{{ cert_manager_version }}"
  467. rules:
  468. - apiGroups: ["authorization.k8s.io"]
  469. resources: ["subjectaccessreviews"]
  470. verbs: ["create"]
  471. ---
  472. # Source: cert-manager/deploy/charts/cert-manager/templates/cainjector-rbac.yaml
  473. apiVersion: rbac.authorization.k8s.io/v1
  474. kind: ClusterRoleBinding
  475. metadata:
  476. name: cert-manager-cainjector
  477. labels:
  478. app: cainjector
  479. app.kubernetes.io/name: cainjector
  480. app.kubernetes.io/instance: cert-manager
  481. app.kubernetes.io/component: "cainjector"
  482. app.kubernetes.io/version: "{{ cert_manager_version }}"
  483. roleRef:
  484. apiGroup: rbac.authorization.k8s.io
  485. kind: ClusterRole
  486. name: cert-manager-cainjector
  487. subjects:
  488. - name: cert-manager-cainjector
  489. namespace: {{ cert_manager_namespace }}
  490. kind: ServiceAccount
  491. ---
  492. # Source: cert-manager/deploy/charts/cert-manager/templates/rbac.yaml
  493. apiVersion: rbac.authorization.k8s.io/v1
  494. kind: ClusterRoleBinding
  495. metadata:
  496. name: cert-manager-controller-issuers
  497. labels:
  498. app: cert-manager
  499. app.kubernetes.io/name: cert-manager
  500. app.kubernetes.io/instance: cert-manager
  501. app.kubernetes.io/component: "controller"
  502. app.kubernetes.io/version: "{{ cert_manager_version }}"
  503. roleRef:
  504. apiGroup: rbac.authorization.k8s.io
  505. kind: ClusterRole
  506. name: cert-manager-controller-issuers
  507. subjects:
  508. - name: cert-manager
  509. namespace: {{ cert_manager_namespace }}
  510. kind: ServiceAccount
  511. ---
  512. # Source: cert-manager/deploy/charts/cert-manager/templates/rbac.yaml
  513. apiVersion: rbac.authorization.k8s.io/v1
  514. kind: ClusterRoleBinding
  515. metadata:
  516. name: cert-manager-controller-clusterissuers
  517. labels:
  518. app: cert-manager
  519. app.kubernetes.io/name: cert-manager
  520. app.kubernetes.io/instance: cert-manager
  521. app.kubernetes.io/component: "controller"
  522. app.kubernetes.io/version: "{{ cert_manager_version }}"
  523. roleRef:
  524. apiGroup: rbac.authorization.k8s.io
  525. kind: ClusterRole
  526. name: cert-manager-controller-clusterissuers
  527. subjects:
  528. - name: cert-manager
  529. namespace: {{ cert_manager_namespace }}
  530. kind: ServiceAccount
  531. ---
  532. # Source: cert-manager/deploy/charts/cert-manager/templates/rbac.yaml
  533. apiVersion: rbac.authorization.k8s.io/v1
  534. kind: ClusterRoleBinding
  535. metadata:
  536. name: cert-manager-controller-certificates
  537. labels:
  538. app: cert-manager
  539. app.kubernetes.io/name: cert-manager
  540. app.kubernetes.io/instance: cert-manager
  541. app.kubernetes.io/component: "controller"
  542. app.kubernetes.io/version: "{{ cert_manager_version }}"
  543. roleRef:
  544. apiGroup: rbac.authorization.k8s.io
  545. kind: ClusterRole
  546. name: cert-manager-controller-certificates
  547. subjects:
  548. - name: cert-manager
  549. namespace: {{ cert_manager_namespace }}
  550. kind: ServiceAccount
  551. ---
  552. # Source: cert-manager/deploy/charts/cert-manager/templates/rbac.yaml
  553. apiVersion: rbac.authorization.k8s.io/v1
  554. kind: ClusterRoleBinding
  555. metadata:
  556. name: cert-manager-controller-orders
  557. labels:
  558. app: cert-manager
  559. app.kubernetes.io/name: cert-manager
  560. app.kubernetes.io/instance: cert-manager
  561. app.kubernetes.io/component: "controller"
  562. app.kubernetes.io/version: "{{ cert_manager_version }}"
  563. roleRef:
  564. apiGroup: rbac.authorization.k8s.io
  565. kind: ClusterRole
  566. name: cert-manager-controller-orders
  567. subjects:
  568. - name: cert-manager
  569. namespace: {{ cert_manager_namespace }}
  570. kind: ServiceAccount
  571. ---
  572. # Source: cert-manager/deploy/charts/cert-manager/templates/rbac.yaml
  573. apiVersion: rbac.authorization.k8s.io/v1
  574. kind: ClusterRoleBinding
  575. metadata:
  576. name: cert-manager-controller-challenges
  577. labels:
  578. app: cert-manager
  579. app.kubernetes.io/name: cert-manager
  580. app.kubernetes.io/instance: cert-manager
  581. app.kubernetes.io/component: "controller"
  582. app.kubernetes.io/version: "{{ cert_manager_version }}"
  583. roleRef:
  584. apiGroup: rbac.authorization.k8s.io
  585. kind: ClusterRole
  586. name: cert-manager-controller-challenges
  587. subjects:
  588. - name: cert-manager
  589. namespace: {{ cert_manager_namespace }}
  590. kind: ServiceAccount
  591. ---
  592. # Source: cert-manager/deploy/charts/cert-manager/templates/rbac.yaml
  593. apiVersion: rbac.authorization.k8s.io/v1
  594. kind: ClusterRoleBinding
  595. metadata:
  596. name: cert-manager-controller-ingress-shim
  597. labels:
  598. app: cert-manager
  599. app.kubernetes.io/name: cert-manager
  600. app.kubernetes.io/instance: cert-manager
  601. app.kubernetes.io/component: "controller"
  602. app.kubernetes.io/version: "{{ cert_manager_version }}"
  603. roleRef:
  604. apiGroup: rbac.authorization.k8s.io
  605. kind: ClusterRole
  606. name: cert-manager-controller-ingress-shim
  607. subjects:
  608. - name: cert-manager
  609. namespace: {{ cert_manager_namespace }}
  610. kind: ServiceAccount
  611. ---
  612. # Source: cert-manager/deploy/charts/cert-manager/templates/rbac.yaml
  613. apiVersion: rbac.authorization.k8s.io/v1
  614. kind: ClusterRoleBinding
  615. metadata:
  616. name: cert-manager-controller-approve:cert-manager-io
  617. labels:
  618. app: cert-manager
  619. app.kubernetes.io/name: cert-manager
  620. app.kubernetes.io/instance: cert-manager
  621. app.kubernetes.io/component: "cert-manager"
  622. app.kubernetes.io/version: "{{ cert_manager_version }}"
  623. roleRef:
  624. apiGroup: rbac.authorization.k8s.io
  625. kind: ClusterRole
  626. name: cert-manager-controller-approve:cert-manager-io
  627. subjects:
  628. - name: cert-manager
  629. namespace: {{ cert_manager_namespace }}
  630. kind: ServiceAccount
  631. ---
  632. # Source: cert-manager/deploy/charts/cert-manager/templates/rbac.yaml
  633. apiVersion: rbac.authorization.k8s.io/v1
  634. kind: ClusterRoleBinding
  635. metadata:
  636. name: cert-manager-controller-certificatesigningrequests
  637. labels:
  638. app: cert-manager
  639. app.kubernetes.io/name: cert-manager
  640. app.kubernetes.io/instance: cert-manager
  641. app.kubernetes.io/component: "cert-manager"
  642. app.kubernetes.io/version: "{{ cert_manager_version }}"
  643. roleRef:
  644. apiGroup: rbac.authorization.k8s.io
  645. kind: ClusterRole
  646. name: cert-manager-controller-certificatesigningrequests
  647. subjects:
  648. - name: cert-manager
  649. namespace: {{ cert_manager_namespace }}
  650. kind: ServiceAccount
  651. ---
  652. # Source: cert-manager/deploy/charts/cert-manager/templates/webhook-rbac.yaml
  653. apiVersion: rbac.authorization.k8s.io/v1
  654. kind: ClusterRoleBinding
  655. metadata:
  656. name: cert-manager-webhook:subjectaccessreviews
  657. labels:
  658. app: webhook
  659. app.kubernetes.io/name: webhook
  660. app.kubernetes.io/instance: cert-manager
  661. app.kubernetes.io/component: "webhook"
  662. app.kubernetes.io/version: "{{ cert_manager_version }}"
  663. roleRef:
  664. apiGroup: rbac.authorization.k8s.io
  665. kind: ClusterRole
  666. name: cert-manager-webhook:subjectaccessreviews
  667. subjects:
  668. - apiGroup: ""
  669. kind: ServiceAccount
  670. name: cert-manager-webhook
  671. namespace: {{ cert_manager_namespace }}
  672. ---
  673. # Source: cert-manager/deploy/charts/cert-manager/templates/cainjector-rbac.yaml
  674. # leader election rules
  675. apiVersion: rbac.authorization.k8s.io/v1
  676. kind: Role
  677. metadata:
  678. name: cert-manager-cainjector:leaderelection
  679. namespace: {{ cert_manager_leader_election_namespace }}
  680. labels:
  681. app: cainjector
  682. app.kubernetes.io/name: cainjector
  683. app.kubernetes.io/instance: cert-manager
  684. app.kubernetes.io/component: "cainjector"
  685. app.kubernetes.io/version: "{{ cert_manager_version }}"
  686. rules:
  687. # Used for leader election by the controller
  688. # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
  689. # see cmd/cainjector/start.go#L113
  690. # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
  691. # see cmd/cainjector/start.go#L137
  692. - apiGroups: ["coordination.k8s.io"]
  693. resources: ["leases"]
  694. resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
  695. verbs: ["get", "update", "patch"]
  696. - apiGroups: ["coordination.k8s.io"]
  697. resources: ["leases"]
  698. verbs: ["create"]
  699. ---
  700. # Source: cert-manager/deploy/charts/cert-manager/templates/rbac.yaml
  701. apiVersion: rbac.authorization.k8s.io/v1
  702. kind: Role
  703. metadata:
  704. name: cert-manager:leaderelection
  705. namespace: {{ cert_manager_leader_election_namespace }}
  706. labels:
  707. app: cert-manager
  708. app.kubernetes.io/name: cert-manager
  709. app.kubernetes.io/instance: cert-manager
  710. app.kubernetes.io/component: "controller"
  711. app.kubernetes.io/version: "{{ cert_manager_version }}"
  712. rules:
  713. - apiGroups: ["coordination.k8s.io"]
  714. resources: ["leases"]
  715. resourceNames: ["cert-manager-controller"]
  716. verbs: ["get", "update", "patch"]
  717. - apiGroups: ["coordination.k8s.io"]
  718. resources: ["leases"]
  719. verbs: ["create"]
  720. ---
  721. # Source: cert-manager/deploy/charts/cert-manager/templates/webhook-rbac.yaml
  722. apiVersion: rbac.authorization.k8s.io/v1
  723. kind: Role
  724. metadata:
  725. name: cert-manager-webhook:dynamic-serving
  726. namespace: {{ cert_manager_namespace }}
  727. labels:
  728. app: webhook
  729. app.kubernetes.io/name: webhook
  730. app.kubernetes.io/instance: cert-manager
  731. app.kubernetes.io/component: "webhook"
  732. app.kubernetes.io/version: "{{ cert_manager_version }}"
  733. rules:
  734. - apiGroups: [""]
  735. resources: ["secrets"]
  736. resourceNames:
  737. - 'cert-manager-webhook-ca'
  738. verbs: ["get", "list", "watch", "update"]
  739. # It's not possible to grant CREATE permission on a single resourceName.
  740. - apiGroups: [""]
  741. resources: ["secrets"]
  742. verbs: ["create"]
  743. ---
  744. # Source: cert-manager/deploy/charts/cert-manager/templates/cainjector-rbac.yaml
  745. # grant cert-manager permission to manage the leaderelection configmap in the
  746. # leader election namespace
  747. apiVersion: rbac.authorization.k8s.io/v1
  748. kind: RoleBinding
  749. metadata:
  750. name: cert-manager-cainjector:leaderelection
  751. namespace: {{ cert_manager_leader_election_namespace }}
  752. labels:
  753. app: cainjector
  754. app.kubernetes.io/name: cainjector
  755. app.kubernetes.io/instance: cert-manager
  756. app.kubernetes.io/component: "cainjector"
  757. app.kubernetes.io/version: "{{ cert_manager_version }}"
  758. roleRef:
  759. apiGroup: rbac.authorization.k8s.io
  760. kind: Role
  761. name: cert-manager-cainjector:leaderelection
  762. subjects:
  763. - kind: ServiceAccount
  764. name: cert-manager-cainjector
  765. namespace: {{ cert_manager_namespace }}
  766. ---
  767. # Source: cert-manager/deploy/charts/cert-manager/templates/rbac.yaml
  768. # grant cert-manager permission to manage the leaderelection configmap in the
  769. # leader election namespace
  770. apiVersion: rbac.authorization.k8s.io/v1
  771. kind: RoleBinding
  772. metadata:
  773. name: cert-manager:leaderelection
  774. namespace: {{ cert_manager_leader_election_namespace }}
  775. labels:
  776. app: cert-manager
  777. app.kubernetes.io/name: cert-manager
  778. app.kubernetes.io/instance: cert-manager
  779. app.kubernetes.io/component: "controller"
  780. app.kubernetes.io/version: "{{ cert_manager_version }}"
  781. roleRef:
  782. apiGroup: rbac.authorization.k8s.io
  783. kind: Role
  784. name: cert-manager:leaderelection
  785. subjects:
  786. - apiGroup: ""
  787. kind: ServiceAccount
  788. name: cert-manager
  789. namespace: {{ cert_manager_namespace }}
  790. ---
  791. # Source: cert-manager/deploy/charts/cert-manager/templates/webhook-rbac.yaml
  792. apiVersion: rbac.authorization.k8s.io/v1
  793. kind: RoleBinding
  794. metadata:
  795. name: cert-manager-webhook:dynamic-serving
  796. namespace: {{ cert_manager_namespace }}
  797. labels:
  798. app: webhook
  799. app.kubernetes.io/name: webhook
  800. app.kubernetes.io/instance: cert-manager
  801. app.kubernetes.io/component: "webhook"
  802. app.kubernetes.io/version: "{{ cert_manager_version }}"
  803. roleRef:
  804. apiGroup: rbac.authorization.k8s.io
  805. kind: Role
  806. name: cert-manager-webhook:dynamic-serving
  807. subjects:
  808. - apiGroup: ""
  809. kind: ServiceAccount
  810. name: cert-manager-webhook
  811. namespace: {{ cert_manager_namespace }}
  812. ---
  813. # Source: cert-manager/deploy/charts/cert-manager/templates/service.yaml
  814. apiVersion: v1
  815. kind: Service
  816. metadata:
  817. name: cert-manager
  818. namespace: {{ cert_manager_namespace }}
  819. labels:
  820. app: cert-manager
  821. app.kubernetes.io/name: cert-manager
  822. app.kubernetes.io/instance: cert-manager
  823. app.kubernetes.io/component: "controller"
  824. app.kubernetes.io/version: "{{ cert_manager_version }}"
  825. spec:
  826. type: ClusterIP
  827. ports:
  828. - protocol: TCP
  829. port: 9402
  830. name: tcp-prometheus-servicemonitor
  831. targetPort: 9402
  832. selector:
  833. app.kubernetes.io/name: cert-manager
  834. app.kubernetes.io/instance: cert-manager
  835. app.kubernetes.io/component: "controller"
  836. ---
  837. # Source: cert-manager/deploy/charts/cert-manager/templates/webhook-service.yaml
  838. apiVersion: v1
  839. kind: Service
  840. metadata:
  841. name: cert-manager-webhook
  842. namespace: {{ cert_manager_namespace }}
  843. labels:
  844. app: webhook
  845. app.kubernetes.io/name: webhook
  846. app.kubernetes.io/instance: cert-manager
  847. app.kubernetes.io/component: "webhook"
  848. app.kubernetes.io/version: "{{ cert_manager_version }}"
  849. spec:
  850. type: ClusterIP
  851. ports:
  852. - name: https
  853. port: 443
  854. protocol: TCP
  855. targetPort: "https"
  856. selector:
  857. app.kubernetes.io/name: webhook
  858. app.kubernetes.io/instance: cert-manager
  859. app.kubernetes.io/component: "webhook"
  860. ---
  861. # Source: cert-manager/deploy/charts/cert-manager/templates/cainjector-deployment.yaml
  862. apiVersion: apps/v1
  863. kind: Deployment
  864. metadata:
  865. name: cert-manager-cainjector
  866. namespace: {{ cert_manager_namespace }}
  867. labels:
  868. app: cainjector
  869. app.kubernetes.io/name: cainjector
  870. app.kubernetes.io/instance: cert-manager
  871. app.kubernetes.io/component: "cainjector"
  872. app.kubernetes.io/version: "{{ cert_manager_version }}"
  873. spec:
  874. replicas: 1
  875. selector:
  876. matchLabels:
  877. app.kubernetes.io/name: cainjector
  878. app.kubernetes.io/instance: cert-manager
  879. app.kubernetes.io/component: "cainjector"
  880. template:
  881. metadata:
  882. labels:
  883. app: cainjector
  884. app.kubernetes.io/name: cainjector
  885. app.kubernetes.io/instance: cert-manager
  886. app.kubernetes.io/component: "cainjector"
  887. app.kubernetes.io/version: "{{ cert_manager_version }}"
  888. spec:
  889. serviceAccountName: cert-manager-cainjector
  890. enableServiceLinks: false
  891. securityContext:
  892. runAsNonRoot: true
  893. seccompProfile:
  894. type: RuntimeDefault
  895. containers:
  896. - name: cert-manager-cainjector
  897. image: "{{ cert_manager_cainjector_image_repo }}:{{ cert_manager_cainjector_image_tag }}"
  898. imagePullPolicy: {{ k8s_image_pull_policy }}
  899. args:
  900. - --v=2
  901. - --leader-election-namespace={{ cert_manager_leader_election_namespace }}
  902. env:
  903. - name: POD_NAMESPACE
  904. valueFrom:
  905. fieldRef:
  906. fieldPath: metadata.namespace
  907. {% if cert_manager_http_proxy is defined and cert_manager_http_proxy != "" %}
  908. - name: HTTP_PROXY
  909. value: "{{ cert_manager_http_proxy }}"
  910. {% endif %}
  911. {% if cert_manager_https_proxy is defined and cert_manager_https_proxy != "" %}
  912. - name: HTTPS_PROXY
  913. value: "{{ cert_manager_https_proxy }}"
  914. {% endif %}
  915. {% if cert_manager_no_proxy is defined and cert_manager_no_proxy != "" %}
  916. - name: NO_PROXY
  917. value: "{{ cert_manager_no_proxy }}"
  918. {% endif %}
  919. securityContext:
  920. allowPrivilegeEscalation: false
  921. capabilities:
  922. drop:
  923. - ALL
  924. runAsNonRoot: true
  925. seccompProfile:
  926. type: RuntimeDefault
  927. {% if cert_manager_tolerations %}
  928. tolerations:
  929. {{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
  930. {% endif %}
  931. {% if cert_manager_nodeselector %}
  932. nodeSelector:
  933. {{ cert_manager_nodeselector | to_nice_yaml | indent(width=8) }}
  934. {% endif %}
  935. {% if cert_manager_affinity %}
  936. affinity:
  937. {{ cert_manager_affinity | to_nice_yaml | indent(width=8) }}
  938. {% endif %}
  939. ---
  940. {% if cert_manager_trusted_internal_ca is defined %}
  941. apiVersion: v1
  942. data:
  943. internal-ca.pem: |
  944. {{ cert_manager_trusted_internal_ca | indent(width=4, first=False) }}
  945. kind: ConfigMap
  946. metadata:
  947. name: ca-internal-truststore
  948. namespace: {{ cert_manager_namespace }}
  949. ---
  950. {% endif %}
  951. # Source: cert-manager/deploy/charts/cert-manager/templates/deployment.yaml
  952. apiVersion: apps/v1
  953. kind: Deployment
  954. metadata:
  955. name: cert-manager
  956. namespace: {{ cert_manager_namespace }}
  957. labels:
  958. app: cert-manager
  959. app.kubernetes.io/name: cert-manager
  960. app.kubernetes.io/instance: cert-manager
  961. app.kubernetes.io/component: "controller"
  962. app.kubernetes.io/version: "{{ cert_manager_version }}"
  963. spec:
  964. replicas: 1
  965. selector:
  966. matchLabels:
  967. app.kubernetes.io/name: cert-manager
  968. app.kubernetes.io/instance: cert-manager
  969. app.kubernetes.io/component: "controller"
  970. template:
  971. metadata:
  972. labels:
  973. app: cert-manager
  974. app.kubernetes.io/name: cert-manager
  975. app.kubernetes.io/instance: cert-manager
  976. app.kubernetes.io/component: "controller"
  977. app.kubernetes.io/version: "{{ cert_manager_version }}"
  978. annotations:
  979. prometheus.io/path: "/metrics"
  980. prometheus.io/scrape: 'true'
  981. prometheus.io/port: '9402'
  982. spec:
  983. serviceAccountName: cert-manager
  984. enableServiceLinks: false
  985. securityContext:
  986. runAsNonRoot: true
  987. seccompProfile:
  988. type: RuntimeDefault
  989. containers:
  990. - name: cert-manager-controller
  991. image: "{{ cert_manager_controller_image_repo }}:{{ cert_manager_controller_image_tag }}"
  992. imagePullPolicy: {{ k8s_image_pull_policy }}
  993. args:
  994. - --v=2
  995. - --cluster-resource-namespace=$(POD_NAMESPACE)
  996. - --leader-election-namespace={{ cert_manager_leader_election_namespace }}
  997. {% for extra_arg in cert_manager_controller_extra_args %}
  998. - {{ extra_arg }}
  999. {% endfor %}
  1000. ports:
  1001. - containerPort: 9402
  1002. name: http-metrics
  1003. protocol: TCP
  1004. - containerPort: 9403
  1005. name: http-healthz
  1006. protocol: TCP
  1007. securityContext:
  1008. allowPrivilegeEscalation: false
  1009. capabilities:
  1010. drop:
  1011. - ALL
  1012. runAsNonRoot: true
  1013. seccompProfile:
  1014. type: RuntimeDefault
  1015. env:
  1016. - name: POD_NAMESPACE
  1017. valueFrom:
  1018. fieldRef:
  1019. fieldPath: metadata.namespace
  1020. {% if cert_manager_http_proxy is defined and cert_manager_http_proxy != "" %}
  1021. - name: HTTP_PROXY
  1022. value: "{{ cert_manager_http_proxy }}"
  1023. {% endif %}
  1024. {% if cert_manager_https_proxy is defined and cert_manager_https_proxy != "" %}
  1025. - name: HTTPS_PROXY
  1026. value: "{{ cert_manager_https_proxy }}"
  1027. {% endif %}
  1028. {% if cert_manager_no_proxy is defined and cert_manager_no_proxy != "" %}
  1029. - name: NO_PROXY
  1030. value: "{{ cert_manager_no_proxy }}"
  1031. {% endif %}
  1032. {% if cert_manager_trusted_internal_ca is defined %}
  1033. volumeMounts:
  1034. - mountPath: /etc/ssl/certs/internal-ca.pem
  1035. name: ca-internal-truststore
  1036. subPath: internal-ca.pem
  1037. volumes:
  1038. - configMap:
  1039. defaultMode: 420
  1040. name: ca-internal-truststore
  1041. name: ca-internal-truststore
  1042. {% endif %}
  1043. {% if cert_manager_tolerations %}
  1044. tolerations:
  1045. {{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
  1046. {% endif %}
  1047. {% if cert_manager_nodeselector %}
  1048. nodeSelector:
  1049. {{ cert_manager_nodeselector | to_nice_yaml | indent(width=8) }}
  1050. {% endif %}
  1051. {% if cert_manager_affinity %}
  1052. affinity:
  1053. {{ cert_manager_affinity | to_nice_yaml | indent(width=8) }}
  1054. {% endif %}
  1055. {% if cert_manager_dns_policy %}
  1056. dnsPolicy: {{ cert_manager_dns_policy }}
  1057. {% endif %}
  1058. {% if cert_manager_dns_config %}
  1059. dnsConfig:
  1060. {{ cert_manager_dns_config | to_nice_yaml | indent(width=8) }}
  1061. {% endif %}
  1062. ---
  1063. # Source: cert-manager/deploy/charts/cert-manager/templates/webhook-deployment.yaml
  1064. apiVersion: apps/v1
  1065. kind: Deployment
  1066. metadata:
  1067. name: cert-manager-webhook
  1068. namespace: {{ cert_manager_namespace }}
  1069. labels:
  1070. app: webhook
  1071. app.kubernetes.io/name: webhook
  1072. app.kubernetes.io/instance: cert-manager
  1073. app.kubernetes.io/component: "webhook"
  1074. app.kubernetes.io/version: "{{ cert_manager_version }}"
  1075. spec:
  1076. replicas: 1
  1077. selector:
  1078. matchLabels:
  1079. app.kubernetes.io/name: webhook
  1080. app.kubernetes.io/instance: cert-manager
  1081. app.kubernetes.io/component: "webhook"
  1082. template:
  1083. metadata:
  1084. labels:
  1085. app: webhook
  1086. app.kubernetes.io/name: webhook
  1087. app.kubernetes.io/instance: cert-manager
  1088. app.kubernetes.io/component: "webhook"
  1089. app.kubernetes.io/version: "{{ cert_manager_version }}"
  1090. spec:
  1091. serviceAccountName: cert-manager-webhook
  1092. enableServiceLinks: false
  1093. securityContext:
  1094. runAsNonRoot: true
  1095. seccompProfile:
  1096. type: RuntimeDefault
  1097. containers:
  1098. - name: cert-manager-webhook
  1099. image: "{{ cert_manager_webhook_image_repo }}:{{ cert_manager_webhook_image_tag }}"
  1100. imagePullPolicy: {{ k8s_image_pull_policy }}
  1101. args:
  1102. - --v=2
  1103. - --secure-port=10250
  1104. - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
  1105. - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
  1106. - --dynamic-serving-dns-names=cert-manager-webhook
  1107. - --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE)
  1108. - --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE).svc
  1109. ports:
  1110. - name: https
  1111. protocol: TCP
  1112. containerPort: 10250
  1113. - name: healthcheck
  1114. protocol: TCP
  1115. containerPort: 6080
  1116. livenessProbe:
  1117. httpGet:
  1118. path: /livez
  1119. port: 6080
  1120. scheme: HTTP
  1121. initialDelaySeconds: 60
  1122. periodSeconds: 10
  1123. timeoutSeconds: 1
  1124. successThreshold: 1
  1125. failureThreshold: 3
  1126. readinessProbe:
  1127. httpGet:
  1128. path: /healthz
  1129. port: 6080
  1130. scheme: HTTP
  1131. initialDelaySeconds: 5
  1132. periodSeconds: 5
  1133. timeoutSeconds: 1
  1134. successThreshold: 1
  1135. failureThreshold: 3
  1136. securityContext:
  1137. allowPrivilegeEscalation: false
  1138. capabilities:
  1139. drop:
  1140. - ALL
  1141. runAsNonRoot: true
  1142. seccompProfile:
  1143. type: RuntimeDefault
  1144. env:
  1145. - name: POD_NAMESPACE
  1146. valueFrom:
  1147. fieldRef:
  1148. fieldPath: metadata.namespace
  1149. {% if cert_manager_http_proxy is defined and cert_manager_http_proxy != "" %}
  1150. - name: HTTP_PROXY
  1151. value: "{{ cert_manager_http_proxy }}"
  1152. {% endif %}
  1153. {% if cert_manager_https_proxy is defined and cert_manager_https_proxy != "" %}
  1154. - name: HTTPS_PROXY
  1155. value: "{{ cert_manager_https_proxy }}"
  1156. {% endif %}
  1157. {% if cert_manager_no_proxy is defined and cert_manager_no_proxy != "" %}
  1158. - name: NO_PROXY
  1159. value: "{{ cert_manager_no_proxy }}"
  1160. {% endif %}
  1161. {% if cert_manager_tolerations %}
  1162. tolerations:
  1163. {{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
  1164. {% endif %}
  1165. {% if cert_manager_nodeselector %}
  1166. nodeSelector:
  1167. {{ cert_manager_nodeselector | to_nice_yaml | indent(width=8) }}
  1168. {% endif %}
  1169. {% if cert_manager_affinity %}
  1170. affinity:
  1171. {{ cert_manager_affinity | to_nice_yaml | indent(width=8) }}
  1172. {% endif %}
  1173. ---
  1174. # Source: cert-manager/deploy/charts/cert-manager/templates/webhook-mutating-webhook.yaml
  1175. apiVersion: admissionregistration.k8s.io/v1
  1176. kind: MutatingWebhookConfiguration
  1177. metadata:
  1178. name: cert-manager-webhook
  1179. labels:
  1180. app: webhook
  1181. app.kubernetes.io/name: webhook
  1182. app.kubernetes.io/instance: cert-manager
  1183. app.kubernetes.io/component: "webhook"
  1184. app.kubernetes.io/version: "{{ cert_manager_version }}"
  1185. annotations:
  1186. cert-manager.io/inject-ca-from-secret: "{{ cert_manager_namespace }}/cert-manager-webhook-ca"
  1187. webhooks:
  1188. - name: webhook.cert-manager.io
  1189. rules:
  1190. - apiGroups:
  1191. - "cert-manager.io"
  1192. - "acme.cert-manager.io"
  1193. apiVersions:
  1194. - "v1"
  1195. operations:
  1196. - CREATE
  1197. - UPDATE
  1198. resources:
  1199. - "*/*"
  1200. admissionReviewVersions: ["v1"]
  1201. # This webhook only accepts v1 cert-manager resources.
  1202. # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
  1203. # this webhook (after the resources have been converted to v1).
  1204. matchPolicy: Equivalent
  1205. timeoutSeconds: 10
  1206. failurePolicy: Fail
  1207. # Only include 'sideEffects' field in Kubernetes 1.12+
  1208. sideEffects: None
  1209. clientConfig:
  1210. service:
  1211. name: cert-manager-webhook
  1212. namespace: {{ cert_manager_namespace }}
  1213. path: /mutate
  1214. ---
  1215. # Source: cert-manager/deploy/charts/cert-manager/templates/webhook-validating-webhook.yaml
  1216. apiVersion: admissionregistration.k8s.io/v1
  1217. kind: ValidatingWebhookConfiguration
  1218. metadata:
  1219. name: cert-manager-webhook
  1220. labels:
  1221. app: webhook
  1222. app.kubernetes.io/name: webhook
  1223. app.kubernetes.io/instance: cert-manager
  1224. app.kubernetes.io/component: "webhook"
  1225. app.kubernetes.io/version: "{{ cert_manager_version }}"
  1226. annotations:
  1227. cert-manager.io/inject-ca-from-secret: "{{ cert_manager_namespace }}/cert-manager-webhook-ca"
  1228. webhooks:
  1229. - name: webhook.cert-manager.io
  1230. namespaceSelector:
  1231. matchExpressions:
  1232. - key: "cert-manager.io/disable-validation"
  1233. operator: "NotIn"
  1234. values:
  1235. - "true"
  1236. rules:
  1237. - apiGroups:
  1238. - "cert-manager.io"
  1239. - "acme.cert-manager.io"
  1240. apiVersions:
  1241. - "v1"
  1242. operations:
  1243. - CREATE
  1244. - UPDATE
  1245. resources:
  1246. - "*/*"
  1247. admissionReviewVersions: ["v1"]
  1248. # This webhook only accepts v1 cert-manager resources.
  1249. # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
  1250. # this webhook (after the resources have been converted to v1).
  1251. matchPolicy: Equivalent
  1252. timeoutSeconds: 10
  1253. failurePolicy: Fail
  1254. sideEffects: None
  1255. clientConfig:
  1256. service:
  1257. name: cert-manager-webhook
  1258. namespace: {{ cert_manager_namespace }}
  1259. path: /validate