Update to latest version

bin/gen_list.sh

@@ -1,7 +1,10 @@
 #!/bin/bash
 CERTMANAGER_VERSION="$(curl --silent "https://api.github.com/repos/jetstack/cert-manager/releases/latest" | jq {"name"} | sed -e '/^{/d' -e '/^}/d' -e 's|.*v\([0-9\.]*\).*|\1|')"
 CERTMANAGER_SHORTVERSION="$(echo "${CERTMANAGER_VERSION}" | sed 's/^\(.*\)\.[0-9]$/\1/')"
-wget https://github.com/jetstack/cert-manager/releases/download/v"${CERTMANAGER_VERSION}"/cert-manager.yaml
+#helm repo add jetstack https://charts.jetstack.io
+#helm repo update
+helm template cert-manager jetstack/cert-manager --namespace cert-manager --version "v${CERTMANAGER_VERSION}" --set installCRDs=true,global.podSecurityPolicy.enabled=true --set 'extraArgs={--dns01-recursive-nameservers=8.8.8.8:53\,1.1.1.1:53}' > cert-manager.yaml
+#wget https://github.com/jetstack/cert-manager/releases/download/v"${CERTMANAGER_VERSION}"/cert-manager.yaml
 kubernetes-split-yaml cert-manager.yaml > generated.log
 if [ -d templates/"${CERTMANAGER_SHORTVERSION}" ]; then
     rm -fr templates/"${CERTMANAGER_SHORTVERSION}"
@@ -10,6 +13,6 @@ mv generated templates/"${CERTMANAGER_SHORTVERSION}"
 echo -e "---\ncertmanager_${CERTMANAGER_SHORTVERSION}_list:" > vars/files_list_${CERTMANAGER_SHORTVERSION}.yml
 cat generated.log | while read LIGNE; do if [ $(echo "${LIGNE}" | grep -c ^File) -eq 1 ]; then echo -n "${LIGNE} "; else echo "${LIGNE}"; fi; done | grep ^File | sort -V | sed 's|.*\(generated/\)\(.*\.yaml\)|  - "'${CERTMANAGER_SHORTVERSION}'/\2"|' >> vars/files_list_${CERTMANAGER_SHORTVERSION}.yml
 
-sed '/args:/ a\          - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53' -i templates/"${CERTMANAGER_SHORTVERSION}"/cert-manager-Deployment.yaml
+#sed '/args:/ a\          - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53' -i templates/"${CERTMANAGER_SHORTVERSION}"/cert-manager-Deployment.yaml
 rm -f generated.log cert-manager.yaml
 

files/cert-manager-psp.yaml

@@ -0,0 +1,41 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: cert-namager
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/component: "controller"
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
+spec:
+  privileged: false
+  allowPrivilegeEscalation: false
+  allowedCapabilities: []  # default set of capabilities are implicitly allowed
+  volumes:
+  - 'configMap'
+  - 'emptyDir'
+  - 'projected'
+  - 'secret'
+  - 'downwardAPI'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'MustRunAs'
+    ranges:
+    - min: 1000
+      max: 1000
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+    - min: 1000
+      max: 1000
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+    - min: 1000
+      max: 1000

templates/1.0/cert-manager-Deployment.yaml

@@ -1,48 +1,54 @@
+# Source: cert-manager/templates/deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
+  name: cert-manager
+  namespace: "cert-manager"
   labels:
     app: cert-manager
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/name: cert-manager
-  name: cert-manager
+    app.kubernetes.io/instance: cert-manager
-  namespace: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "controller"
+    helm.sh/chart: cert-manager-v1.0.4
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app.kubernetes.io/component: controller
-      app.kubernetes.io/instance: cert-manager
       app.kubernetes.io/name: cert-manager
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/component: "controller"
   template:
     metadata:
-      annotations:
-        prometheus.io/path: /metrics
-        prometheus.io/port: "9402"
-        prometheus.io/scrape: "true"
       labels:
         app: cert-manager
-        app.kubernetes.io/component: controller
-        app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: cert-manager
+        app.kubernetes.io/instance: cert-manager
+        app.kubernetes.io/component: "controller"
+        app.kubernetes.io/managed-by: Helm
+        helm.sh/chart: cert-manager-v1.0.4
+      annotations:
+        prometheus.io/path: "/metrics"
+        prometheus.io/scrape: 'true'
+        prometheus.io/port: '9402'
     spec:
+      serviceAccountName: cert-manager
       containers:
-      - args:
+        - name: cert-manager
+          image: "quay.io/jetstack/cert-manager-controller:v1.0.4"
+          imagePullPolicy: IfNotPresent
+          args:
           - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53
           - --v=2
           - --cluster-resource-namespace=$(POD_NAMESPACE)
           - --leader-election-namespace=kube-system
+          ports:
+          - containerPort: 9402
+            protocol: TCP
           env:
           - name: POD_NAMESPACE
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-controller:v1.0.4
+          resources:
-        imagePullPolicy: IfNotPresent
+            {}
-        name: cert-manager
-        ports:
-        - containerPort: 9402
-          protocol: TCP
-        resources: {}
-      serviceAccountName: cert-manager

templates/1.0/cert-manager-Namespace.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: cert-manager

templates/1.0/cert-manager-PodSecurityPolicy.yaml

@@ -0,0 +1,47 @@
+# Source: cert-manager/templates/psp.yaml
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: cert-manager
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "controller"
+    helm.sh/chart: cert-manager-v1.0.4
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
+    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
+spec:
+  privileged: false
+  allowPrivilegeEscalation: false
+  allowedCapabilities: []  # default set of capabilities are implicitly allowed
+  volumes:
+  - 'configMap'
+  - 'emptyDir'
+  - 'projected'
+  - 'secret'
+  - 'downwardAPI'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'MustRunAs'
+    ranges:
+    - min: 1000
+      max: 1000
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+    - min: 1000
+      max: 1000
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+    - min: 1000
+      max: 1000

templates/1.0/cert-manager-Service.yaml

@@ -1,20 +1,23 @@
+# Source: cert-manager/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
+  name: cert-manager
+  namespace: "cert-manager"
   labels:
     app: cert-manager
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/name: cert-manager
-  name: cert-manager
+    app.kubernetes.io/instance: cert-manager
-  namespace: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "controller"
+    helm.sh/chart: cert-manager-v1.0.4
 spec:
+  type: ClusterIP
   ports:
-  - port: 9402
+    - protocol: TCP
-    protocol: TCP
+      port: 9402
       targetPort: 9402
   selector:
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/name: cert-manager
-  type: ClusterIP
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "controller"

templates/1.0/cert-manager-ServiceAccount.yaml

@@ -1,10 +1,13 @@
+# Source: cert-manager/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
+  name: cert-manager
+  namespace: "cert-manager"
   labels:
     app: cert-manager
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/name: cert-manager
-  name: cert-manager
+    app.kubernetes.io/instance: cert-manager
-  namespace: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "controller"
+    helm.sh/chart: cert-manager-v1.0.4

templates/1.0/cert-manager-cainjector-ClusterRole.yaml

@@ -1,72 +1,34 @@
+# Source: cert-manager/templates/cainjector-rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  name: cert-manager-cainjector
   labels:
     app: cainjector
-    app.kubernetes.io/component: cainjector
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/name: cainjector
-  name: cert-manager-cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "cainjector"
+    helm.sh/chart: cert-manager-v1.0.4
 rules:
-- apiGroups:
+  - apiGroups: ["cert-manager.io"]
-  - cert-manager.io
+    resources: ["certificates"]
-  resources:
+    verbs: ["get", "list", "watch"]
-  - certificates
+  - apiGroups: [""]
-  verbs:
+    resources: ["secrets"]
-  - get
+    verbs: ["get", "list", "watch"]
-  - list
+  - apiGroups: [""]
-  - watch
+    resources: ["events"]
-- apiGroups:
+    verbs: ["get", "create", "update", "patch"]
-  - ""
+  - apiGroups: ["admissionregistration.k8s.io"]
-  resources:
+    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
-  - secrets
+    verbs: ["get", "list", "watch", "update"]
-  verbs:
+  - apiGroups: ["apiregistration.k8s.io"]
-  - get
+    resources: ["apiservices"]
-  - list
+    verbs: ["get", "list", "watch", "update"]
-  - watch
+  - apiGroups: ["apiextensions.k8s.io"]
-- apiGroups:
+    resources: ["customresourcedefinitions"]
-  - ""
+    verbs: ["get", "list", "watch", "update"]
-  resources:
+  - apiGroups: ["auditregistration.k8s.io"]
-  - events
+    resources: ["auditsinks"]
-  verbs:
+    verbs: ["get", "list", "watch", "update"]
-  - get
-  - create
-  - update
-  - patch
-- apiGroups:
-  - admissionregistration.k8s.io
-  resources:
-  - validatingwebhookconfigurations
-  - mutatingwebhookconfigurations
-  verbs:
-  - get
-  - list
-  - watch
-  - update
-- apiGroups:
-  - apiregistration.k8s.io
-  resources:
-  - apiservices
-  verbs:
-  - get
-  - list
-  - watch
-  - update
-- apiGroups:
-  - apiextensions.k8s.io
-  resources:
-  - customresourcedefinitions
-  verbs:
-  - get
-  - list
-  - watch
-  - update
-- apiGroups:
-  - auditregistration.k8s.io
-  resources:
-  - auditsinks
-  verbs:
-  - get
-  - list
-  - watch
-  - update

templates/1.0/cert-manager-cainjector-ClusterRoleBinding.yaml

@@ -1,17 +1,20 @@
+# Source: cert-manager/templates/cainjector-rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
+  name: cert-manager-cainjector
   labels:
     app: cainjector
-    app.kubernetes.io/component: cainjector
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/name: cainjector
-  name: cert-manager-cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "cainjector"
+    helm.sh/chart: cert-manager-v1.0.4
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: cert-manager-cainjector
 subjects:
-- kind: ServiceAccount
+  - name: cert-manager-cainjector
-  name: cert-manager-cainjector
+    namespace: "cert-manager"
-  namespace: cert-manager
+    kind: ServiceAccount

templates/1.0/cert-manager-cainjector-Deployment.yaml

@@ -1,30 +1,39 @@
+# Source: cert-manager/templates/cainjector-deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
+  name: cert-manager-cainjector
+  namespace: "cert-manager"
   labels:
     app: cainjector
-    app.kubernetes.io/component: cainjector
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/name: cainjector
-  name: cert-manager-cainjector
+    app.kubernetes.io/instance: cert-manager
-  namespace: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "cainjector"
+    helm.sh/chart: cert-manager-v1.0.4
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app.kubernetes.io/component: cainjector
-      app.kubernetes.io/instance: cert-manager
       app.kubernetes.io/name: cainjector
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/component: "cainjector"
   template:
     metadata:
       labels:
         app: cainjector
-        app.kubernetes.io/component: cainjector
-        app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: cainjector
+        app.kubernetes.io/instance: cert-manager
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/component: "cainjector"
+        helm.sh/chart: cert-manager-v1.0.4
     spec:
+      serviceAccountName: cert-manager-cainjector
       containers:
-      - args:
+        - name: cert-manager
+          image: "quay.io/jetstack/cert-manager-cainjector:v1.0.4"
+          imagePullPolicy: IfNotPresent
+          args:
           - --v=2
           - --leader-election-namespace=kube-system
           env:
@@ -32,8 +41,5 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-cainjector:v1.0.4
+          resources:
-        imagePullPolicy: IfNotPresent
+            {}
-        name: cert-manager
-        resources: {}
-      serviceAccountName: cert-manager-cainjector

templates/1.0/cert-manager-cainjector-PodSecurityPolicy.yaml

@@ -0,0 +1,47 @@
+# Source: cert-manager/templates/cainjector-psp.yaml
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: cert-manager-cainjector
+  labels:
+    app: cainjector
+    app.kubernetes.io/name: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "cainjector"
+    helm.sh/chart: cert-manager-v1.0.4
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
+    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
+spec:
+  privileged: false
+  allowPrivilegeEscalation: false
+  allowedCapabilities: []  # default set of capabilities are implicitly allowed
+  volumes:
+  - 'configMap'
+  - 'emptyDir'
+  - 'projected'
+  - 'secret'
+  - 'downwardAPI'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'MustRunAs'
+    ranges:
+    - min: 1000
+      max: 1000
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+    - min: 1000
+      max: 1000
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+    - min: 1000
+      max: 1000

templates/1.0/cert-manager-cainjector-ServiceAccount.yaml

@@ -1,10 +1,13 @@
+# Source: cert-manager/templates/cainjector-serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
+  name: cert-manager-cainjector
+  namespace: "cert-manager"
   labels:
     app: cainjector
-    app.kubernetes.io/component: cainjector
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/name: cainjector
-  name: cert-manager-cainjector
+    app.kubernetes.io/instance: cert-manager
-  namespace: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "cainjector"
+    helm.sh/chart: cert-manager-v1.0.4

templates/1.0/cert-manager-cainjector-psp-ClusterRole.yaml

@@ -0,0 +1,18 @@
+# Source: cert-manager/templates/cainjector-psp-clusterrole.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cert-manager-cainjector-psp
+  labels:
+    app: cainjector
+    app.kubernetes.io/name: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "cainjector"
+    helm.sh/chart: cert-manager-v1.0.4
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+  - cert-manager-cainjector

templates/1.0/cert-manager-cainjector-psp-ClusterRoleBinding.yaml

@@ -0,0 +1,20 @@
+# Source: cert-manager/templates/cainjector-psp-clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-cainjector-psp
+  labels:
+    app: cainjector
+    app.kubernetes.io/name: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "cainjector"
+    helm.sh/chart: cert-manager-v1.0.4
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-cainjector-psp
+subjects:
+  - kind: ServiceAccount
+    name: cert-manager-cainjector
+    namespace: cert-manager

templates/1.0/cert-manager-cainjector:leaderelection-Role.yaml

@@ -1,28 +1,27 @@
+# Source: cert-manager/templates/cainjector-rbac.yaml
+# leader election rules
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  labels:
-    app: cainjector
-    app.kubernetes.io/component: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/name: cainjector
   name: cert-manager-cainjector:leaderelection
   namespace: kube-system
+  labels:
+    app: cainjector
+    app.kubernetes.io/name: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "cainjector"
+    helm.sh/chart: cert-manager-v1.0.4
 rules:
-- apiGroups:
+  # Used for leader election by the controller
-  - ""
+  # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
-  resourceNames:
+  #   see cmd/cainjector/start.go#L113
-  - cert-manager-cainjector-leader-election
+  # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
-  - cert-manager-cainjector-leader-election-core
+  #   see cmd/cainjector/start.go#L137
-  resources:
+  - apiGroups: [""]
-  - configmaps
+    resources: ["configmaps"]
-  verbs:
+    resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
-  - get
+    verbs: ["get", "update", "patch"]
-  - update
+  - apiGroups: [""]
-  - patch
+    resources: ["configmaps"]
-- apiGroups:
+    verbs: ["create"]
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - create

templates/1.0/cert-manager-cainjector:leaderelection-RoleBinding.yaml

@@ -1,18 +1,23 @@
+# Source: cert-manager/templates/cainjector-rbac.yaml
+# grant cert-manager permission to manage the leaderelection configmap in the
+# leader election namespace
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  labels:
-    app: cainjector
-    app.kubernetes.io/component: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/name: cainjector
   name: cert-manager-cainjector:leaderelection
   namespace: kube-system
+  labels:
+    app: cainjector
+    app.kubernetes.io/name: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "cainjector"
+    helm.sh/chart: cert-manager-v1.0.4
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: cert-manager-cainjector:leaderelection
 subjects:
-- kind: ServiceAccount
+  - kind: ServiceAccount
     name: cert-manager-cainjector
     namespace: cert-manager

templates/1.0/cert-manager-controller-certificates-ClusterRole.yaml

@@ -1,65 +1,35 @@
+# Source: cert-manager/templates/rbac.yaml
+# Certificates controller role
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  name: cert-manager-controller-certificates
   labels:
     app: cert-manager
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/name: cert-manager
-  name: cert-manager-controller-certificates
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "controller"
+    helm.sh/chart: cert-manager-v1.0.4
 rules:
-- apiGroups:
+  - apiGroups: ["cert-manager.io"]
-  - cert-manager.io
+    resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
-  resources:
+    verbs: ["update"]
-  - certificates
+  - apiGroups: ["cert-manager.io"]
-  - certificates/status
+    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
-  - certificaterequests
+    verbs: ["get", "list", "watch"]
-  - certificaterequests/status
+  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
-  verbs:
+  # admission controller enabled:
-  - update
+  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
-- apiGroups:
+  - apiGroups: ["cert-manager.io"]
-  - cert-manager.io
+    resources: ["certificates/finalizers", "certificaterequests/finalizers"]
-  resources:
+    verbs: ["update"]
-  - certificates
+  - apiGroups: ["acme.cert-manager.io"]
-  - certificaterequests
+    resources: ["orders"]
-  - clusterissuers
+    verbs: ["create", "delete", "get", "list", "watch"]
-  - issuers
+  - apiGroups: [""]
-  verbs:
+    resources: ["secrets"]
-  - get
+    verbs: ["get", "list", "watch", "create", "update", "delete"]
-  - list
+  - apiGroups: [""]
-  - watch
+    resources: ["events"]
-- apiGroups:
+    verbs: ["create", "patch"]
-  - cert-manager.io
-  resources:
-  - certificates/finalizers
-  - certificaterequests/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - acme.cert-manager.io
-  resources:
-  - orders
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - delete
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - patch

templates/1.0/cert-manager-controller-certificates-ClusterRoleBinding.yaml

@@ -1,17 +1,20 @@
+# Source: cert-manager/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
+  name: cert-manager-controller-certificates
   labels:
     app: cert-manager
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/name: cert-manager
-  name: cert-manager-controller-certificates
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "controller"
+    helm.sh/chart: cert-manager-v1.0.4
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: cert-manager-controller-certificates
 subjects:
-- kind: ServiceAccount
+  - name: cert-manager
-  name: cert-manager
+    namespace: "cert-manager"
-  namespace: cert-manager
+    kind: ServiceAccount

templates/1.0/cert-manager-controller-challenges-ClusterRole.yaml

@@ -1,91 +1,57 @@
+# Source: cert-manager/templates/rbac.yaml
+# Challenges controller role
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  name: cert-manager-controller-challenges
   labels:
     app: cert-manager
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/name: cert-manager
-  name: cert-manager-controller-challenges
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "controller"
+    helm.sh/chart: cert-manager-v1.0.4
 rules:
-- apiGroups:
+  # Use to update challenge resource status
-  - acme.cert-manager.io
+  - apiGroups: ["acme.cert-manager.io"]
-  resources:
+    resources: ["challenges", "challenges/status"]
-  - challenges
+    verbs: ["update"]
-  - challenges/status
+  # Used to watch challenge resources
-  verbs:
+  - apiGroups: ["acme.cert-manager.io"]
-  - update
+    resources: ["challenges"]
-- apiGroups:
+    verbs: ["get", "list", "watch"]
-  - acme.cert-manager.io
+  # Used to watch challenges, issuer and clusterissuer resources
-  resources:
+  - apiGroups: ["cert-manager.io"]
-  - challenges
+    resources: ["issuers", "clusterissuers"]
-  verbs:
+    verbs: ["get", "list", "watch"]
-  - get
+  # Need to be able to retrieve ACME account private key to complete challenges
-  - list
+  - apiGroups: [""]
-  - watch
+    resources: ["secrets"]
-- apiGroups:
+    verbs: ["get", "list", "watch"]
-  - cert-manager.io
+  # Used to create events
-  resources:
+  - apiGroups: [""]
-  - issuers
+    resources: ["events"]
-  - clusterissuers
+    verbs: ["create", "patch"]
-  verbs:
+  # HTTP01 rules
-  - get
+  - apiGroups: [""]
-  - list
+    resources: ["pods", "services"]
-  - watch
+    verbs: ["get", "list", "watch", "create", "delete"]
-- apiGroups:
+  - apiGroups: ["extensions"]
-  - ""
+    resources: ["ingresses"]
-  resources:
+    verbs: ["get", "list", "watch", "create", "delete", "update"]
-  - secrets
+  # We require the ability to specify a custom hostname when we are creating
-  verbs:
+  # new ingress resources.
-  - get
+  # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
-  - list
+  - apiGroups: ["route.openshift.io"]
-  - watch
+    resources: ["routes/custom-host"]
-- apiGroups:
+    verbs: ["create"]
-  - ""
+  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
-  resources:
+  # admission controller enabled:
-  - events
+  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
-  verbs:
+  - apiGroups: ["acme.cert-manager.io"]
-  - create
+    resources: ["challenges/finalizers"]
-  - patch
+    verbs: ["update"]
-- apiGroups:
+  # DNS01 rules (duplicated above)
-  - ""
+  - apiGroups: [""]
-  resources:
+    resources: ["secrets"]
-  - pods
+    verbs: ["get", "list", "watch"]
-  - services
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - delete
-- apiGroups:
-  - extensions
-  resources:
-  - ingresses
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - delete
-  - update
-- apiGroups:
-  - route.openshift.io
-  resources:
-  - routes/custom-host
-  verbs:
-  - create
-- apiGroups:
-  - acme.cert-manager.io
-  resources:
-  - challenges/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - list
-  - watch

templates/1.0/cert-manager-controller-challenges-ClusterRoleBinding.yaml

@@ -1,17 +1,20 @@
+# Source: cert-manager/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
+  name: cert-manager-controller-challenges
   labels:
     app: cert-manager
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/name: cert-manager
-  name: cert-manager-controller-challenges
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "controller"
+    helm.sh/chart: cert-manager-v1.0.4
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: cert-manager-controller-challenges
 subjects:
-- kind: ServiceAccount
+  - name: cert-manager
-  name: cert-manager
+    namespace: "cert-manager"
-  namespace: cert-manager
+    kind: ServiceAccount

templates/1.0/cert-manager-controller-clusterissuers-ClusterRole.yaml

@@ -1,43 +1,26 @@
+# Source: cert-manager/templates/rbac.yaml
+# ClusterIssuer controller role
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  name: cert-manager-controller-clusterissuers
   labels:
     app: cert-manager
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/name: cert-manager
-  name: cert-manager-controller-clusterissuers
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "controller"
+    helm.sh/chart: cert-manager-v1.0.4
 rules:
-- apiGroups:
+  - apiGroups: ["cert-manager.io"]
-  - cert-manager.io
+    resources: ["clusterissuers", "clusterissuers/status"]
-  resources:
+    verbs: ["update"]
-  - clusterissuers
+  - apiGroups: ["cert-manager.io"]
-  - clusterissuers/status
+    resources: ["clusterissuers"]
-  verbs:
+    verbs: ["get", "list", "watch"]
-  - update
+  - apiGroups: [""]
-- apiGroups:
+    resources: ["secrets"]
-  - cert-manager.io
+    verbs: ["get", "list", "watch", "create", "update", "delete"]
-  resources:
+  - apiGroups: [""]
-  - clusterissuers
+    resources: ["events"]
-  verbs:
+    verbs: ["create", "patch"]
-  - get
-  - list
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - delete
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - patch

templates/1.0/cert-manager-controller-clusterissuers-ClusterRoleBinding.yaml

@@ -1,17 +1,20 @@
+# Source: cert-manager/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
+  name: cert-manager-controller-clusterissuers
   labels:
     app: cert-manager
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/name: cert-manager
-  name: cert-manager-controller-clusterissuers
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "controller"
+    helm.sh/chart: cert-manager-v1.0.4
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: cert-manager-controller-clusterissuers
 subjects:
-- kind: ServiceAccount
+  - name: cert-manager
-  name: cert-manager
+    namespace: "cert-manager"
-  namespace: cert-manager
+    kind: ServiceAccount

templates/1.0/cert-manager-controller-ingress-shim-ClusterRole.yaml

@@ -1,51 +1,32 @@
+# Source: cert-manager/templates/rbac.yaml
+# ingress-shim controller role
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  name: cert-manager-controller-ingress-shim
   labels:
     app: cert-manager
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/name: cert-manager
-  name: cert-manager-controller-ingress-shim
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "controller"
+    helm.sh/chart: cert-manager-v1.0.4
 rules:
-- apiGroups:
+  - apiGroups: ["cert-manager.io"]
-  - cert-manager.io
+    resources: ["certificates", "certificaterequests"]
-  resources:
+    verbs: ["create", "update", "delete"]
-  - certificates
+  - apiGroups: ["cert-manager.io"]
-  - certificaterequests
+    resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
-  verbs:
+    verbs: ["get", "list", "watch"]
-  - create
+  - apiGroups: ["extensions"]
-  - update
+    resources: ["ingresses"]
-  - delete
+    verbs: ["get", "list", "watch"]
-- apiGroups:
+  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
-  - cert-manager.io
+  # admission controller enabled:
-  resources:
+  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
-  - certificates
+  - apiGroups: ["extensions"]
-  - certificaterequests
+    resources: ["ingresses/finalizers"]
-  - issuers
+    verbs: ["update"]
-  - clusterissuers
+  - apiGroups: [""]
-  verbs:
+    resources: ["events"]
-  - get
+    verbs: ["create", "patch"]
-  - list
-  - watch
-- apiGroups:
-  - extensions
-  resources:
-  - ingresses
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - extensions
-  resources:
-  - ingresses/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - patch

templates/1.0/cert-manager-controller-ingress-shim-ClusterRoleBinding.yaml

@@ -1,17 +1,20 @@
+# Source: cert-manager/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
+  name: cert-manager-controller-ingress-shim
   labels:
     app: cert-manager
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/name: cert-manager
-  name: cert-manager-controller-ingress-shim
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "controller"
+    helm.sh/chart: cert-manager-v1.0.4
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: cert-manager-controller-ingress-shim
 subjects:
-- kind: ServiceAccount
+  - name: cert-manager
-  name: cert-manager
+    namespace: "cert-manager"
-  namespace: cert-manager
+    kind: ServiceAccount

templates/1.0/cert-manager-controller-issuers-ClusterRole.yaml

@@ -1,43 +1,26 @@
+# Source: cert-manager/templates/rbac.yaml
+# Issuer controller role
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  name: cert-manager-controller-issuers
   labels:
     app: cert-manager
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/name: cert-manager
-  name: cert-manager-controller-issuers
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "controller"
+    helm.sh/chart: cert-manager-v1.0.4
 rules:
-- apiGroups:
+  - apiGroups: ["cert-manager.io"]
-  - cert-manager.io
+    resources: ["issuers", "issuers/status"]
-  resources:
+    verbs: ["update"]
-  - issuers
+  - apiGroups: ["cert-manager.io"]
-  - issuers/status
+    resources: ["issuers"]
-  verbs:
+    verbs: ["get", "list", "watch"]
-  - update
+  - apiGroups: [""]
-- apiGroups:
+    resources: ["secrets"]
-  - cert-manager.io
+    verbs: ["get", "list", "watch", "create", "update", "delete"]
-  resources:
+  - apiGroups: [""]
-  - issuers
+    resources: ["events"]
-  verbs:
+    verbs: ["create", "patch"]
-  - get
-  - list
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - delete
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - patch

templates/1.0/cert-manager-controller-issuers-ClusterRoleBinding.yaml

@@ -1,17 +1,20 @@
+# Source: cert-manager/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
+  name: cert-manager-controller-issuers
   labels:
     app: cert-manager
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/name: cert-manager
-  name: cert-manager-controller-issuers
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "controller"
+    helm.sh/chart: cert-manager-v1.0.4
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: cert-manager-controller-issuers
 subjects:
-- kind: ServiceAccount
+  - name: cert-manager
-  name: cert-manager
+    namespace: "cert-manager"
-  namespace: cert-manager
+    kind: ServiceAccount

templates/1.0/cert-manager-controller-orders-ClusterRole.yaml

@@ -1,63 +1,38 @@
+# Source: cert-manager/templates/rbac.yaml
+# Orders controller role
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  name: cert-manager-controller-orders
   labels:
     app: cert-manager
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/name: cert-manager
-  name: cert-manager-controller-orders
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "controller"
+    helm.sh/chart: cert-manager-v1.0.4
 rules:
-- apiGroups:
+  - apiGroups: ["acme.cert-manager.io"]
-  - acme.cert-manager.io
+    resources: ["orders", "orders/status"]
-  resources:
+    verbs: ["update"]
-  - orders
+  - apiGroups: ["acme.cert-manager.io"]
-  - orders/status
+    resources: ["orders", "challenges"]
-  verbs:
+    verbs: ["get", "list", "watch"]
-  - update
+  - apiGroups: ["cert-manager.io"]
-- apiGroups:
+    resources: ["clusterissuers", "issuers"]
-  - acme.cert-manager.io
+    verbs: ["get", "list", "watch"]
-  resources:
+  - apiGroups: ["acme.cert-manager.io"]
-  - orders
+    resources: ["challenges"]
-  - challenges
+    verbs: ["create", "delete"]
-  verbs:
+  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
-  - get
+  # admission controller enabled:
-  - list
+  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
-  - watch
+  - apiGroups: ["acme.cert-manager.io"]
-- apiGroups:
+    resources: ["orders/finalizers"]
-  - cert-manager.io
+    verbs: ["update"]
-  resources:
+  - apiGroups: [""]
-  - clusterissuers
+    resources: ["secrets"]
-  - issuers
+    verbs: ["get", "list", "watch"]
-  verbs:
+  - apiGroups: [""]
-  - get
+    resources: ["events"]
-  - list
+    verbs: ["create", "patch"]
-  - watch
-- apiGroups:
-  - acme.cert-manager.io
-  resources:
-  - challenges
-  verbs:
-  - create
-  - delete
-- apiGroups:
-  - acme.cert-manager.io
-  resources:
-  - orders/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - patch

templates/1.0/cert-manager-controller-orders-ClusterRoleBinding.yaml

@@ -1,17 +1,20 @@
+# Source: cert-manager/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
+  name: cert-manager-controller-orders
   labels:
     app: cert-manager
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/name: cert-manager
-  name: cert-manager-controller-orders
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "controller"
+    helm.sh/chart: cert-manager-v1.0.4
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: cert-manager-controller-orders
 subjects:
-- kind: ServiceAccount
+  - name: cert-manager
-  name: cert-manager
+    namespace: "cert-manager"
-  namespace: cert-manager
+    kind: ServiceAccount

templates/1.0/cert-manager-edit-ClusterRole.yaml

@@ -1,24 +1,18 @@
+# Source: cert-manager/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  name: cert-manager-edit
   labels:
     app: cert-manager
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/name: cert-manager
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "controller"
+    helm.sh/chart: cert-manager-v1.0.4
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
-  name: cert-manager-edit
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
 rules:
-- apiGroups:
+  - apiGroups: ["cert-manager.io"]
-  - cert-manager.io
+    resources: ["certificates", "certificaterequests", "issuers"]
-  resources:
+    verbs: ["create", "delete", "deletecollection", "patch", "update"]
-  - certificates
-  - certificaterequests
-  - issuers
-  verbs:
-  - create
-  - delete
-  - deletecollection
-  - patch
-  - update

templates/1.0/cert-manager-psp-ClusterRole.yaml

@@ -0,0 +1,18 @@
+# Source: cert-manager/templates/psp-clusterrole.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cert-manager-psp
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "controller"
+    helm.sh/chart: cert-manager-v1.0.4
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+  - cert-manager

templates/1.0/cert-manager-psp-ClusterRoleBinding.yaml

@@ -0,0 +1,20 @@
+# Source: cert-manager/templates/psp-clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-psp
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "controller"
+    helm.sh/chart: cert-manager-v1.0.4
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-psp
+subjects:
+  - kind: ServiceAccount
+    name: cert-manager
+    namespace: cert-manager

templates/1.0/cert-manager-view-ClusterRole.yaml

@@ -1,23 +1,19 @@
+# Source: cert-manager/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  name: cert-manager-view
   labels:
     app: cert-manager
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/name: cert-manager
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    app.kubernetes.io/instance: cert-manager
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "controller"
+    helm.sh/chart: cert-manager-v1.0.4
     rbac.authorization.k8s.io/aggregate-to-view: "true"
-  name: cert-manager-view
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
 rules:
-- apiGroups:
+  - apiGroups: ["cert-manager.io"]
-  - cert-manager.io
+    resources: ["certificates", "certificaterequests", "issuers"]
-  resources:
+    verbs: ["get", "list", "watch"]
-  - certificates
-  - certificaterequests
-  - issuers
-  verbs:
-  - get
-  - list
-  - watch

templates/1.0/cert-manager-webhook-Deployment.yaml

@@ -1,65 +1,71 @@
+# Source: cert-manager/templates/webhook-deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
+  name: cert-manager-webhook
+  namespace: "cert-manager"
   labels:
     app: webhook
-    app.kubernetes.io/component: webhook
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/name: webhook
-  name: cert-manager-webhook
+    app.kubernetes.io/instance: cert-manager
-  namespace: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "webhook"
+    helm.sh/chart: cert-manager-v1.0.4
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app.kubernetes.io/component: webhook
-      app.kubernetes.io/instance: cert-manager
       app.kubernetes.io/name: webhook
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/component: "webhook"
   template:
     metadata:
       labels:
         app: webhook
-        app.kubernetes.io/component: webhook
-        app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: webhook
+        app.kubernetes.io/instance: cert-manager
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/component: "webhook"
+        helm.sh/chart: cert-manager-v1.0.4
     spec:
+      serviceAccountName: cert-manager-webhook
       containers:
-      - args:
+        - name: cert-manager
+          image: "quay.io/jetstack/cert-manager-webhook:v1.0.4"
+          imagePullPolicy: IfNotPresent
+          args:
           - --v=2
           - --secure-port=10250
           - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
           - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
           - --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
-        env:
+          ports:
-        - name: POD_NAMESPACE
+          - name: https
-          valueFrom:
+            containerPort: 10250
-            fieldRef:
-              fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-webhook:v1.0.4
-        imagePullPolicy: IfNotPresent
           livenessProbe:
-          failureThreshold: 3
             httpGet:
               path: /livez
               port: 6080
               scheme: HTTP
             initialDelaySeconds: 60
             periodSeconds: 10
-          successThreshold: 1
             timeoutSeconds: 1
-        name: cert-manager
+            successThreshold: 1
-        ports:
-        - containerPort: 10250
-          name: https
-        readinessProbe:
             failureThreshold: 3
+          readinessProbe:
             httpGet:
               path: /healthz
               port: 6080
               scheme: HTTP
             initialDelaySeconds: 5
             periodSeconds: 5
-          successThreshold: 1
             timeoutSeconds: 1
-        resources: {}
+            successThreshold: 1
-      serviceAccountName: cert-manager-webhook
+            failureThreshold: 3
+          env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          resources:
+            {}

templates/1.0/cert-manager-webhook-MutatingWebhookConfiguration.yaml

@@ -1,34 +1,36 @@
+# Source: cert-manager/templates/webhook-mutating-webhook.yaml
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
-  annotations:
+  name: cert-manager-webhook
-    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
   labels:
     app: webhook
-    app.kubernetes.io/component: webhook
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/name: webhook
-  name: cert-manager-webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "webhook"
+    helm.sh/chart: cert-manager-v1.0.4
+  annotations:
+    cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
 webhooks:
-- admissionReviewVersions:
+  - name: webhook.cert-manager.io
-  - v1
-  - v1beta1
-  clientConfig:
-    service:
-      name: cert-manager-webhook
-      namespace: cert-manager
-      path: /mutate
-  failurePolicy: Fail
-  name: webhook.cert-manager.io
     rules:
       - apiGroups:
-    - cert-manager.io
+          - "cert-manager.io"
-    - acme.cert-manager.io
+          - "acme.cert-manager.io"
         apiVersions:
-    - '*'
+          - "*"
         operations:
           - CREATE
           - UPDATE
         resources:
-    - '*/*'
+          - "*/*"
+    admissionReviewVersions: ["v1", "v1beta1"]
+    failurePolicy: Fail
+    # Only include 'sideEffects' field in Kubernetes 1.12+
     sideEffects: None
+    clientConfig:
+      service:
+        name: cert-manager-webhook
+        namespace: "cert-manager"
+        path: /mutate

templates/1.0/cert-manager-webhook-PodSecurityPolicy.yaml

@@ -0,0 +1,47 @@
+# Source: cert-manager/templates/webhook-psp.yaml
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: cert-manager-webhook
+  labels:
+    app: webhook
+    app.kubernetes.io/name: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "webhook"
+    helm.sh/chart: cert-manager-v1.0.4
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
+    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
+spec:
+  privileged: false
+  allowPrivilegeEscalation: false
+  allowedCapabilities: []  # default set of capabilities are implicitly allowed
+  volumes:
+  - 'configMap'
+  - 'emptyDir'
+  - 'projected'
+  - 'secret'
+  - 'downwardAPI'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'MustRunAs'
+    ranges:
+    - min: 1000
+      max: 1000
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+    - min: 1000
+      max: 1000
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+    - min: 1000
+      max: 1000

templates/1.0/cert-manager-webhook-Service.yaml

@@ -1,20 +1,23 @@
+# Source: cert-manager/templates/webhook-service.yaml
 apiVersion: v1
 kind: Service
 metadata:
+  name: cert-manager-webhook
+  namespace: "cert-manager"
   labels:
     app: webhook
-    app.kubernetes.io/component: webhook
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/name: webhook
-  name: cert-manager-webhook
+    app.kubernetes.io/instance: cert-manager
-  namespace: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "webhook"
+    helm.sh/chart: cert-manager-v1.0.4
 spec:
+  type: ClusterIP
   ports:
   - name: https
     port: 443
     targetPort: 10250
   selector:
-    app.kubernetes.io/component: webhook
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/name: webhook
-  type: ClusterIP
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "webhook"

templates/1.0/cert-manager-webhook-ServiceAccount.yaml

@@ -1,10 +1,13 @@
+# Source: cert-manager/templates/webhook-serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
+  name: cert-manager-webhook
+  namespace: "cert-manager"
   labels:
     app: webhook
-    app.kubernetes.io/component: webhook
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/name: webhook
-  name: cert-manager-webhook
+    app.kubernetes.io/instance: cert-manager
-  namespace: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "webhook"
+    helm.sh/chart: cert-manager-v1.0.4

templates/1.0/cert-manager-webhook-ValidatingWebhookConfiguration.yaml

@@ -1,45 +1,46 @@
+# Source: cert-manager/templates/webhook-validating-webhook.yaml
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
-  annotations:
+  name: cert-manager-webhook
-    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
   labels:
     app: webhook
-    app.kubernetes.io/component: webhook
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/name: webhook
-  name: cert-manager-webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "webhook"
+    helm.sh/chart: cert-manager-v1.0.4
+  annotations:
+    cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
 webhooks:
-- admissionReviewVersions:
+  - name: webhook.cert-manager.io
-  - v1
-  - v1beta1
-  clientConfig:
-    service:
-      name: cert-manager-webhook
-      namespace: cert-manager
-      path: /validate
-  failurePolicy: Fail
-  name: webhook.cert-manager.io
     namespaceSelector:
       matchExpressions:
-    - key: cert-manager.io/disable-validation
+      - key: "cert-manager.io/disable-validation"
-      operator: NotIn
+        operator: "NotIn"
         values:
         - "true"
-    - key: name
+      - key: "name"
-      operator: NotIn
+        operator: "NotIn"
         values:
         - cert-manager
     rules:
       - apiGroups:
-    - cert-manager.io
+          - "cert-manager.io"
-    - acme.cert-manager.io
+          - "acme.cert-manager.io"
         apiVersions:
-    - '*'
+          - "*"
         operations:
           - CREATE
           - UPDATE
         resources:
-    - '*/*'
+          - "*/*"
+    admissionReviewVersions: ["v1", "v1beta1"]
+    failurePolicy: Fail
+    # Only include 'sideEffects' field in Kubernetes 1.12+
     sideEffects: None
-
+    clientConfig:
+      service:
+        name: cert-manager-webhook
+        namespace: "cert-manager"
+        path: /validate

templates/1.0/cert-manager-webhook-psp-ClusterRole.yaml

@@ -0,0 +1,18 @@
+# Source: cert-manager/templates/webhook-psp-clusterrole.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cert-manager-webhook-psp
+  labels:
+    app: webhook
+    app.kubernetes.io/name: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "webhook"
+    helm.sh/chart: cert-manager-v1.0.4
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+  - cert-manager-webhook

templates/1.0/cert-manager-webhook-psp-ClusterRoleBinding.yaml

@@ -0,0 +1,20 @@
+# Source: cert-manager/templates/webhook-psp-clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-webhook-psp
+  labels:
+    app: webhook
+    app.kubernetes.io/name: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "webhook"
+    helm.sh/chart: cert-manager-v1.0.4
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-webhook-psp
+subjects:
+  - kind: ServiceAccount
+    name: cert-manager-webhook
+    namespace: cert-manager

templates/1.0/cert-manager-webhook:dynamic-serving-Role.yaml

@@ -1,28 +1,23 @@
+# Source: cert-manager/templates/webhook-rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
+  name: cert-manager-webhook:dynamic-serving
+  namespace: "cert-manager"
   labels:
     app: webhook
-    app.kubernetes.io/component: webhook
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/name: webhook
-  name: cert-manager-webhook:dynamic-serving
+    app.kubernetes.io/instance: cert-manager
-  namespace: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "webhook"
+    helm.sh/chart: cert-manager-v1.0.4
 rules:
-- apiGroups:
+- apiGroups: [""]
-  - ""
+  resources: ["secrets"]
   resourceNames:
-  - cert-manager-webhook-ca
+  - 'cert-manager-webhook-ca'
-  resources:
+  verbs: ["get", "list", "watch", "update"]
-  - secrets
+# It's not possible to grant CREATE permission on a single resourceName.
-  verbs:
+- apiGroups: [""]
-  - get
+  resources: ["secrets"]
-  - list
+  verbs: ["create"]
-  - watch
-  - update
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - create

templates/1.0/cert-manager-webhook:dynamic-serving-RoleBinding.yaml

@@ -1,13 +1,16 @@
+# Source: cert-manager/templates/webhook-rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
+  name: cert-manager-webhook:dynamic-serving
+  namespace: "cert-manager"
   labels:
     app: webhook
-    app.kubernetes.io/component: webhook
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/name: webhook
-  name: cert-manager-webhook:dynamic-serving
+    app.kubernetes.io/instance: cert-manager
-  namespace: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "webhook"
+    helm.sh/chart: cert-manager-v1.0.4
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role

templates/1.0/cert-manager:leaderelection-Role.yaml

@@ -1,27 +1,22 @@
+# Source: cert-manager/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  labels:
-    app: cert-manager
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/name: cert-manager
   name: cert-manager:leaderelection
   namespace: kube-system
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "controller"
+    helm.sh/chart: cert-manager-v1.0.4
 rules:
-- apiGroups:
+  # Used for leader election by the controller
-  - ""
+  - apiGroups: [""]
-  resourceNames:
+    resources: ["configmaps"]
-  - cert-manager-controller
+    resourceNames: ["cert-manager-controller"]
-  resources:
+    verbs: ["get", "update", "patch"]
-  - configmaps
+  - apiGroups: [""]
-  verbs:
+    resources: ["configmaps"]
-  - get
+    verbs: ["create"]
-  - update
-  - patch
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - create

templates/1.0/cert-manager:leaderelection-RoleBinding.yaml

@@ -1,19 +1,24 @@
+# Source: cert-manager/templates/rbac.yaml
+# grant cert-manager permission to manage the leaderelection configmap in the
+# leader election namespace
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  labels:
-    app: cert-manager
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/name: cert-manager
   name: cert-manager:leaderelection
   namespace: kube-system
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: "controller"
+    helm.sh/chart: cert-manager-v1.0.4
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: cert-manager:leaderelection
 subjects:
-- apiGroup: ""
+  - apiGroup: ""
     kind: ServiceAccount
     name: cert-manager
     namespace: cert-manager

vars/files_list_1.0.yml

@@ -1,16 +1,20 @@
 ---
 certmanager_1.0_list:
+  - "1.0/cert-manager-cainjector-PodSecurityPolicy.yaml"
+  - "1.0/cert-manager-PodSecurityPolicy.yaml"
+  - "1.0/cert-manager-webhook-PodSecurityPolicy.yaml"
+  - "1.0/cert-manager-cainjector-ServiceAccount.yaml"
+  - "1.0/cert-manager-ServiceAccount.yaml"
+  - "1.0/cert-manager-webhook-ServiceAccount.yaml"
   - "1.0/certificaterequests.cert-manager.io-CustomResourceDefinition.yaml"
   - "1.0/certificates.cert-manager.io-CustomResourceDefinition.yaml"
   - "1.0/challenges.acme.cert-manager.io-CustomResourceDefinition.yaml"
   - "1.0/clusterissuers.cert-manager.io-CustomResourceDefinition.yaml"
   - "1.0/issuers.cert-manager.io-CustomResourceDefinition.yaml"
   - "1.0/orders.acme.cert-manager.io-CustomResourceDefinition.yaml"
-  - "1.0/cert-manager-Namespace.yaml"
+  - "1.0/cert-manager-cainjector-psp-ClusterRole.yaml"
-  - "1.0/cert-manager-cainjector-ServiceAccount.yaml"
-  - "1.0/cert-manager-ServiceAccount.yaml"
-  - "1.0/cert-manager-webhook-ServiceAccount.yaml"
   - "1.0/cert-manager-cainjector-ClusterRole.yaml"
+  - "1.0/cert-manager-psp-ClusterRole.yaml"
   - "1.0/cert-manager-controller-issuers-ClusterRole.yaml"
   - "1.0/cert-manager-controller-clusterissuers-ClusterRole.yaml"
   - "1.0/cert-manager-controller-certificates-ClusterRole.yaml"
@@ -19,13 +23,17 @@ certmanager_1.0_list:
   - "1.0/cert-manager-controller-ingress-shim-ClusterRole.yaml"
   - "1.0/cert-manager-view-ClusterRole.yaml"
   - "1.0/cert-manager-edit-ClusterRole.yaml"
+  - "1.0/cert-manager-webhook-psp-ClusterRole.yaml"
+  - "1.0/cert-manager-cainjector-psp-ClusterRoleBinding.yaml"
   - "1.0/cert-manager-cainjector-ClusterRoleBinding.yaml"
+  - "1.0/cert-manager-psp-ClusterRoleBinding.yaml"
   - "1.0/cert-manager-controller-issuers-ClusterRoleBinding.yaml"
   - "1.0/cert-manager-controller-clusterissuers-ClusterRoleBinding.yaml"
   - "1.0/cert-manager-controller-certificates-ClusterRoleBinding.yaml"
   - "1.0/cert-manager-controller-orders-ClusterRoleBinding.yaml"
   - "1.0/cert-manager-controller-challenges-ClusterRoleBinding.yaml"
   - "1.0/cert-manager-controller-ingress-shim-ClusterRoleBinding.yaml"
+  - "1.0/cert-manager-webhook-psp-ClusterRoleBinding.yaml"
   - "1.0/cert-manager-cainjector:leaderelection-Role.yaml"
   - "1.0/cert-manager:leaderelection-Role.yaml"
   - "1.0/cert-manager-webhook:dynamic-serving-Role.yaml"