
[cert-manager] Upgrade to v1.8.0 (#8688)

rtsp 2 years ago
committed by GitHub
parent
commit
0481dd946f
3 changed files with 170 additions and 59 deletions
  1. 2
      roles/download/defaults/main.yml
  2. 164
      roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.crds.yml.j2
  3. 63
      roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2

2
roles/download/defaults/main.yml

@ -914,7 +914,7 @@ ingress_nginx_controller_image_repo: "{{ kube_image_repo }}/ingress-nginx/contro
ingress_nginx_controller_image_tag: "v1.1.1"
alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
alb_ingress_image_tag: "v1.1.9"
cert_manager_version: "v1.7.2"
cert_manager_version: "v1.8.0"
cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller"
cert_manager_controller_image_tag: "{{ cert_manager_version }}"
cert_manager_cainjector_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-cainjector"

164
roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.crds.yml.j2

@ -1,4 +1,4 @@
# Copyright 2022 The cert-manager Authors.
# Copyright 2021 The cert-manager Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -12,14 +12,11 @@
# See the License for the specific language governing permissions and
# limitations under the License.
---
# Source: cert-manager/templates/templates.out
# Source: cert-manager/templates/crd-templates.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: certificaterequests.cert-manager.io
annotations:
cert-manager.io/inject-ca-from-secret: '{{ cert_manager_namespace }}/cert-manager-webhook-ca'
labels:
app: 'cert-manager'
app.kubernetes.io/name: 'cert-manager'
@ -205,6 +202,9 @@ spec:
type:
description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
type: string
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
failureTime:
description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
type: string
@ -212,13 +212,11 @@ spec:
served: true
storage: true
---
# Source: cert-manager/templates/templates.out
# Source: cert-manager/templates/crd-templates.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: certificates.cert-manager.io
annotations:
cert-manager.io/inject-ca-from-secret: '{{ cert_manager_namespace }}/cert-manager-webhook-ca'
labels:
app: 'cert-manager'
app.kubernetes.io/name: 'cert-manager'
@ -408,6 +406,9 @@ spec:
rotationPolicy:
description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility.
type: string
enum:
- Never
- Always
size:
description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed.
type: integer
@ -550,6 +551,12 @@ spec:
type:
description: Type of the condition, known values are (`Ready`, `Issuing`).
type: string
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
failedIssuanceAttempts:
description: The number of continuous failed issuance attempts up till now. This field gets removed (if set) on a successful issuance and gets set to 1 if unset and an issuance has failed. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1).
type: integer
lastFailureTime:
description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time.
type: string
@ -575,13 +582,11 @@ spec:
served: true
storage: true
---
# Source: cert-manager/templates/templates.out
# Source: cert-manager/templates/crd-templates.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: challenges.acme.cert-manager.io
annotations:
cert-manager.io/inject-ca-from-secret: '{{ cert_manager_namespace }}/cert-manager-webhook-ca'
labels:
app: 'cert-manager'
app.kubernetes.io/name: 'cert-manager'
@ -956,10 +961,49 @@ spec:
type: object
properties:
labels:
description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges.
type: object
additionalProperties:
type: string
parentRefs:
description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways'
type: array
items:
description: "ParentRef identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object."
type: object
required:
- name
properties:
group:
description: "Group is the group of the referent. \n Support: Core"
type: string
default: gateway.networking.k8s.io
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
kind:
description: "Kind is kind of the referent. \n Support: Core (Gateway) Support: Custom (Other Resources)"
type: string
default: Gateway
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
name:
description: "Name is the name of the referent. \n Support: Core"
type: string
maxLength: 253
minLength: 1
namespace:
description: "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core"
type: string
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
sectionName:
description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
type: string
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
serviceType:
description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
type: string
@ -1573,13 +1617,11 @@ spec:
subresources:
status: {}
---
# Source: cert-manager/templates/templates.out
# Source: cert-manager/templates/crd-templates.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: clusterissuers.cert-manager.io
annotations:
cert-manager.io/inject-ca-from-secret: '{{ cert_manager_namespace }}/cert-manager-webhook-ca'
labels:
app: 'cert-manager'
app.kubernetes.io/name: 'cert-manager'
@ -1989,10 +2031,49 @@ spec:
type: object
properties:
labels:
description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges.
type: object
additionalProperties:
type: string
parentRefs:
description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways'
type: array
items:
description: "ParentRef identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object."
type: object
required:
- name
properties:
group:
description: "Group is the group of the referent. \n Support: Core"
type: string
default: gateway.networking.k8s.io
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
kind:
description: "Kind is kind of the referent. \n Support: Core (Gateway) Support: Custom (Other Resources)"
type: string
default: Gateway
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
name:
description: "Name is the name of the referent. \n Support: Core"
type: string
maxLength: 253
minLength: 1
namespace:
description: "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core"
type: string
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
sectionName:
description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
type: string
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
serviceType:
description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
type: string
@ -2780,10 +2861,13 @@ spec:
type:
description: Type of the condition, known values are (`Ready`).
type: string
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
served: true
storage: true
---
# Source: cert-manager/templates/templates.out
# Source: cert-manager/templates/crd-templates.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
@ -3199,10 +3283,49 @@ spec:
type: object
properties:
labels:
description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges.
type: object
additionalProperties:
type: string
parentRefs:
description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways'
type: array
items:
description: "ParentRef identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object."
type: object
required:
- name
properties:
group:
description: "Group is the group of the referent. \n Support: Core"
type: string
default: gateway.networking.k8s.io
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
kind:
description: "Kind is kind of the referent. \n Support: Core (Gateway) Support: Custom (Other Resources)"
type: string
default: Gateway
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
name:
description: "Name is the name of the referent. \n Support: Core"
type: string
maxLength: 253
minLength: 1
namespace:
description: "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core"
type: string
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
sectionName:
description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
type: string
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
serviceType:
description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
type: string
@ -3990,10 +4113,13 @@ spec:
type:
description: Type of the condition, known values are (`Ready`).
type: string
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
served: true
storage: true
---
# Source: cert-manager/templates/templates.out
# Source: cert-manager/templates/crd-templates.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:

63
roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2

@ -103,9 +103,6 @@ rules:
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["auditregistration.k8s.io"]
resources: ["auditsinks"]
verbs: ["get", "list", "watch", "update"]
---
# Source: cert-manager/templates/rbac.yaml
# Issuer controller role
@ -122,7 +119,7 @@ metadata:
rules:
- apiGroups: ["cert-manager.io"]
resources: ["issuers", "issuers/status"]
verbs: ["update"]
verbs: ["update", "patch"]
- apiGroups: ["cert-manager.io"]
resources: ["issuers"]
verbs: ["get", "list", "watch"]
@ -148,7 +145,7 @@ metadata:
rules:
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers", "clusterissuers/status"]
verbs: ["update"]
verbs: ["update", "patch"]
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers"]
verbs: ["get", "list", "watch"]
@ -174,7 +171,7 @@ metadata:
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
verbs: ["update"]
verbs: ["update", "patch"]
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
verbs: ["get", "list", "watch"]
@ -209,7 +206,7 @@ metadata:
rules:
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders", "orders/status"]
verbs: ["update"]
verbs: ["update", "patch"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders", "challenges"]
verbs: ["get", "list", "watch"]
@ -248,7 +245,7 @@ rules:
# Use to update challenge resource status
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges", "challenges/status"]
verbs: ["update"]
verbs: ["update", "patch"]
# Used to watch challenge resources
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges"]
@ -272,7 +269,7 @@ rules:
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch", "create", "delete", "update"]
- apiGroups: [ "networking.x-k8s.io" ]
- apiGroups: [ "gateway.networking.k8s.io" ]
resources: [ "httproutes" ]
verbs: ["get", "list", "watch", "create", "delete", "update"]
# We require the ability to specify a custom hostname when we are creating
@ -320,10 +317,10 @@ rules:
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses/finalizers"]
verbs: ["update"]
- apiGroups: ["networking.x-k8s.io"]
- apiGroups: ["gateway.networking.k8s.io"]
resources: ["gateways", "httproutes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.x-k8s.io"]
- apiGroups: ["gateway.networking.k8s.io"]
resources: ["gateways/finalizers", "httproutes/finalizers"]
verbs: ["update"]
- apiGroups: [""]
@ -369,6 +366,9 @@ rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "issuers"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
- apiGroups: ["cert-manager.io"]
resources: ["certificates/status"]
verbs: ["update"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges", "orders"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
@ -411,7 +411,7 @@ rules:
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["certificates.k8s.io"]
resources: ["certificatesigningrequests/status"]
verbs: ["update"]
verbs: ["update", "patch"]
- apiGroups: ["certificates.k8s.io"]
resources: ["signers"]
resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
@ -656,14 +656,6 @@ rules:
# see cmd/cainjector/start.go#L113
# cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
# see cmd/cainjector/start.go#L137
# See also: https://github.com/kubernetes-sigs/controller-runtime/pull/1144#discussion_r480173688
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
verbs: ["get", "update", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
@ -685,15 +677,6 @@ metadata:
app.kubernetes.io/component: "controller"
app.kubernetes.io/version: "{{ cert_manager_version }}"
rules:
# Used for leader election by the controller
# See also: https://github.com/kubernetes-sigs/controller-runtime/pull/1144#discussion_r480173688
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["cert-manager-controller"]
verbs: ["get", "update", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
resourceNames: ["cert-manager-controller"]
@ -809,10 +792,10 @@ metadata:
spec:
type: ClusterIP
ports:
- protocol: TCP
port: 9402
name: tcp-prometheus-servicemonitor
targetPort: 9402
- protocol: TCP
port: 9402
name: tcp-prometheus-servicemonitor
targetPort: 9402
selector:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
@ -885,8 +868,8 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
resources:
{}
securityContext:
allowPrivilegeEscalation: false
{% if cert_manager_tolerations %}
tolerations:
{{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
@ -945,6 +928,7 @@ spec:
spec:
serviceAccountName: cert-manager
securityContext:
runAsNonRoot: true
containers:
- name: cert-manager
@ -956,14 +940,15 @@ spec:
- --leader-election-namespace={{ cert_manager_leader_election_namespace }}
ports:
- containerPort: 9402
name: http-metrics
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
resources:
{}
{% if cert_manager_tolerations %}
tolerations:
{{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
@ -1053,13 +1038,13 @@ spec:
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
securityContext:
allowPrivilegeEscalation: false
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
resources:
{}
{% if cert_manager_tolerations %}
tolerations:
{{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
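Review bot: The pod-level `runAsNonRoot: true` is added only in the cert-manager controller hunk (`@ -945,6 +928,7`, lines `securityContext:` / `runAsNonRoot: true`), whereas the cainjector hunk (`@ -885,8 +868,8`) and the webhook hunk (`@ -1053,13 +1038,13`) only add the container-level `allowPrivilegeEscalation: false`. The pod `spec.securityContext` of those two Deployments lies outside the visible hunks, so it cannot be confirmed here whether they already set `runAsNonRoot`; if they do not, the same two lines should be added under each pod spec so all three workloads carry the same baseline. As a follow-up in the same direction, adding `capabilities: {drop: ["ALL"]}` and `readOnlyRootFilesystem: true` to each container `securityContext` would let the manifests satisfy the Pod Security "restricted" profile, assuming the upstream images tolerate a read-only root filesystem. The enclosing Deployment definitions start and end outside these hunks.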
