adrien/ansible-role-k8s-cert-manager
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Update to latest version
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse source
This commit is contained in:
Adrien Reslinger 2020-12-01 20:50:11 +01:00
parent 9f97c2a6e3
commit 1160fb12eb
51 changed files with 14846 additions and 25798 deletions
Download patch file Download diff file Expand all files Collapse all files

7
bin/gen_list.sh
View file

@ -1,7 +1,10 @@
#!/bin/bash
CERTMANAGER_VERSION="$(curl --silent "https://api.github.com/repos/jetstack/cert-manager/releases/latest" | jq {"name"} | sed -e '/^{/d' -e '/^}/d' -e 's|.*v\([0-9\.]*\).*|\1|')"
CERTMANAGER_SHORTVERSION="$(echo "${CERTMANAGER_VERSION}" | sed 's/^\(.*\)\.[0-9]$/\1/')"
wget https://github.com/jetstack/cert-manager/releases/download/v"${CERTMANAGER_VERSION}"/cert-manager.yaml
#helm repo add jetstack https://charts.jetstack.io
#helm repo update
helm template cert-manager jetstack/cert-manager --namespace cert-manager --version "v${CERTMANAGER_VERSION}" --set installCRDs=true,global.podSecurityPolicy.enabled=true --set 'extraArgs={--dns01-recursive-nameservers=8.8.8.8:53\,1.1.1.1:53}' > cert-manager.yaml
#wget https://github.com/jetstack/cert-manager/releases/download/v"${CERTMANAGER_VERSION}"/cert-manager.yaml
kubernetes-split-yaml cert-manager.yaml > generated.log
if [ -d templates/"${CERTMANAGER_SHORTVERSION}" ]; then
rm -fr templates/"${CERTMANAGER_SHORTVERSION}"
@ -10,6 +13,6 @@ mv generated templates/"${CERTMANAGER_SHORTVERSION}"
echo -e "---\ncertmanager_${CERTMANAGER_SHORTVERSION}_list:" > vars/files_list_${CERTMANAGER_SHORTVERSION}.yml
cat generated.log | while read LIGNE; do if [ $(echo "${LIGNE}" | grep -c ^File) -eq 1 ]; then echo -n "${LIGNE} "; else echo "${LIGNE}"; fi; done | grep ^File | sort -V | sed 's|.*\(generated/\)\(.*\.yaml\)| - "'${CERTMANAGER_SHORTVERSION}'/\2"|' >> vars/files_list_${CERTMANAGER_SHORTVERSION}.yml
sed '/args:/ a\ - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53' -i templates/"${CERTMANAGER_SHORTVERSION}"/cert-manager-Deployment.yaml
#sed '/args:/ a\ - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53' -i templates/"${CERTMANAGER_SHORTVERSION}"/cert-manager-Deployment.yaml
rm -f generated.log cert-manager.yaml

41
files/cert-manager-psp.yaml Normal file
View file

@ -0,0 +1,41 @@
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: cert-namager
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/component: "controller"
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
spec:
privileged: false
allowPrivilegeEscalation: false
allowedCapabilities: [] # default set of capabilities are implicitly allowed
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000

66
templates/1.0/cert-manager-Deployment.yaml
View file

@ -1,48 +1,54 @@
# Source: cert-manager/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: cert-manager
namespace: "cert-manager"
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager
namespace: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.0.4
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
template:
metadata:
annotations:
prometheus.io/path: /metrics
prometheus.io/port: "9402"
prometheus.io/scrape: "true"
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
app.kubernetes.io/managed-by: Helm
helm.sh/chart: cert-manager-v1.0.4
annotations:
prometheus.io/path: "/metrics"
prometheus.io/scrape: 'true'
prometheus.io/port: '9402'
spec:
containers:
- args:
- --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53
- --v=2
- --cluster-resource-namespace=$(POD_NAMESPACE)
- --leader-election-namespace=kube-system
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: quay.io/jetstack/cert-manager-controller:v1.0.4
imagePullPolicy: IfNotPresent
name: cert-manager
ports:
- containerPort: 9402
protocol: TCP
resources: {}
serviceAccountName: cert-manager
containers:
- name: cert-manager
image: "quay.io/jetstack/cert-manager-controller:v1.0.4"
imagePullPolicy: IfNotPresent
args:
- --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53
- --v=2
- --cluster-resource-namespace=$(POD_NAMESPACE)
- --leader-election-namespace=kube-system
ports:
- containerPort: 9402
protocol: TCP
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
resources:
{}

4
templates/1.0/cert-manager-Namespace.yaml
View file

@ -1,4 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: cert-manager

47
templates/1.0/cert-manager-PodSecurityPolicy.yaml Normal file
View file

@ -0,0 +1,47 @@
# Source: cert-manager/templates/psp.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: cert-manager
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.0.4
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
privileged: false
allowPrivilegeEscalation: false
allowedCapabilities: [] # default set of capabilities are implicitly allowed
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000

27
templates/1.0/cert-manager-Service.yaml
View file

@ -1,20 +1,23 @@
# Source: cert-manager/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: cert-manager
namespace: "cert-manager"
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager
namespace: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.0.4
spec:
ports:
- port: 9402
protocol: TCP
targetPort: 9402
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
type: ClusterIP
ports:
- protocol: TCP
port: 9402
targetPort: 9402
selector:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"

11
templates/1.0/cert-manager-ServiceAccount.yaml
View file

@ -1,10 +1,13 @@
# Source: cert-manager/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: cert-manager
namespace: "cert-manager"
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager
namespace: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.0.4

92
templates/1.0/cert-manager-cainjector-ClusterRole.yaml
View file

@ -1,72 +1,34 @@
# Source: cert-manager/templates/cainjector-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-cainjector
labels:
app: cainjector
app.kubernetes.io/component: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cainjector
name: cert-manager-cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
helm.sh/chart: cert-manager-v1.0.4
rules:
- apiGroups:
- cert-manager.io
resources:
- certificates
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- get
- create
- update
- patch
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
- mutatingwebhookconfigurations
verbs:
- get
- list
- watch
- update
- apiGroups:
- apiregistration.k8s.io
resources:
- apiservices
verbs:
- get
- list
- watch
- update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- update
- apiGroups:
- auditregistration.k8s.io
resources:
- auditsinks
verbs:
- get
- list
- watch
- update
- apiGroups: ["cert-manager.io"]
resources: ["certificates"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["get", "create", "update", "patch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["auditregistration.k8s.io"]
resources: ["auditsinks"]
verbs: ["get", "list", "watch", "update"]

15
templates/1.0/cert-manager-cainjector-ClusterRoleBinding.yaml
View file

@ -1,17 +1,20 @@
# Source: cert-manager/templates/cainjector-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-cainjector
labels:
app: cainjector
app.kubernetes.io/component: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cainjector
name: cert-manager-cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
helm.sh/chart: cert-manager-v1.0.4
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-cainjector
subjects:
- kind: ServiceAccount
name: cert-manager-cainjector
namespace: cert-manager
- name: cert-manager-cainjector
namespace: "cert-manager"
kind: ServiceAccount

48
templates/1.0/cert-manager-cainjector-Deployment.yaml
View file

@ -1,39 +1,45 @@
# Source: cert-manager/templates/cainjector-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: cert-manager-cainjector
namespace: "cert-manager"
labels:
app: cainjector
app.kubernetes.io/component: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cainjector
name: cert-manager-cainjector
namespace: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
helm.sh/chart: cert-manager-v1.0.4
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "cainjector"
template:
metadata:
labels:
app: cainjector
app.kubernetes.io/component: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
helm.sh/chart: cert-manager-v1.0.4
spec:
containers:
- args:
- --v=2
- --leader-election-namespace=kube-system
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: quay.io/jetstack/cert-manager-cainjector:v1.0.4
imagePullPolicy: IfNotPresent
name: cert-manager
resources: {}
serviceAccountName: cert-manager-cainjector
containers:
- name: cert-manager
image: "quay.io/jetstack/cert-manager-cainjector:v1.0.4"
imagePullPolicy: IfNotPresent
args:
- --v=2
- --leader-election-namespace=kube-system
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
resources:
{}

47
templates/1.0/cert-manager-cainjector-PodSecurityPolicy.yaml Normal file
View file

@ -0,0 +1,47 @@
# Source: cert-manager/templates/cainjector-psp.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: cert-manager-cainjector
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
helm.sh/chart: cert-manager-v1.0.4
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
privileged: false
allowPrivilegeEscalation: false
allowedCapabilities: [] # default set of capabilities are implicitly allowed
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000

11
templates/1.0/cert-manager-cainjector-ServiceAccount.yaml
View file

@ -1,10 +1,13 @@
# Source: cert-manager/templates/cainjector-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: cert-manager-cainjector
namespace: "cert-manager"
labels:
app: cainjector
app.kubernetes.io/component: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cainjector
name: cert-manager-cainjector
namespace: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
helm.sh/chart: cert-manager-v1.0.4

18
templates/1.0/cert-manager-cainjector-psp-ClusterRole.yaml Normal file
View file

@ -0,0 +1,18 @@
# Source: cert-manager/templates/cainjector-psp-clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cert-manager-cainjector-psp
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
helm.sh/chart: cert-manager-v1.0.4
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- cert-manager-cainjector

20
templates/1.0/cert-manager-cainjector-psp-ClusterRoleBinding.yaml Normal file
View file

@ -0,0 +1,20 @@
# Source: cert-manager/templates/cainjector-psp-clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-cainjector-psp
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
helm.sh/chart: cert-manager-v1.0.4
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-cainjector-psp
subjects:
- kind: ServiceAccount
name: cert-manager-cainjector
namespace: cert-manager

43
templates/1.0/cert-manager-cainjector:leaderelection-Role.yaml
View file

@ -1,28 +1,27 @@
# Source: cert-manager/templates/cainjector-rbac.yaml
# leader election rules
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app: cainjector
app.kubernetes.io/component: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cainjector
name: cert-manager-cainjector:leaderelection
namespace: kube-system
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
helm.sh/chart: cert-manager-v1.0.4
rules:
- apiGroups:
- ""
resourceNames:
- cert-manager-cainjector-leader-election
- cert-manager-cainjector-leader-election-core
resources:
- configmaps
verbs:
- get
- update
- patch
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
# Used for leader election by the controller
# cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
# see cmd/cainjector/start.go#L113
# cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
# see cmd/cainjector/start.go#L137
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
verbs: ["get", "update", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]

21
templates/1.0/cert-manager-cainjector:leaderelection-RoleBinding.yaml
View file

@ -1,18 +1,23 @@
# Source: cert-manager/templates/cainjector-rbac.yaml
# grant cert-manager permission to manage the leaderelection configmap in the
# leader election namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app: cainjector
app.kubernetes.io/component: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cainjector
name: cert-manager-cainjector:leaderelection
namespace: kube-system
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
helm.sh/chart: cert-manager-v1.0.4
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-manager-cainjector:leaderelection
subjects:
- kind: ServiceAccount
name: cert-manager-cainjector
namespace: cert-manager
- kind: ServiceAccount
name: cert-manager-cainjector
namespace: cert-manager

86
templates/1.0/cert-manager-controller-certificates-ClusterRole.yaml
View file

@ -1,65 +1,35 @@
# Source: cert-manager/templates/rbac.yaml
# Certificates controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-controller-certificates
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-certificates
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.0.4
rules:
- apiGroups:
- cert-manager.io
resources:
- certificates
- certificates/status
- certificaterequests
- certificaterequests/status
verbs:
- update
- apiGroups:
- cert-manager.io
resources:
- certificates
- certificaterequests
- clusterissuers
- issuers
verbs:
- get
- list
- watch
- apiGroups:
- cert-manager.io
resources:
- certificates/finalizers
- certificaterequests/finalizers
verbs:
- update
- apiGroups:
- acme.cert-manager.io
resources:
- orders
verbs:
- create
- delete
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- create
- update
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
verbs: ["update"]
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
verbs: ["get", "list", "watch"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["cert-manager.io"]
resources: ["certificates/finalizers", "certificaterequests/finalizers"]
verbs: ["update"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders"]
verbs: ["create", "delete", "get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]

15
templates/1.0/cert-manager-controller-certificates-ClusterRoleBinding.yaml
View file

@ -1,17 +1,20 @@
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-certificates
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-certificates
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.0.4
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-certificates
subjects:
- kind: ServiceAccount
name: cert-manager
namespace: cert-manager
- name: cert-manager
namespace: "cert-manager"
kind: ServiceAccount

134
templates/1.0/cert-manager-controller-challenges-ClusterRole.yaml
View file

@ -1,91 +1,57 @@
# Source: cert-manager/templates/rbac.yaml
# Challenges controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-controller-challenges
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-challenges
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.0.4
rules:
- apiGroups:
- acme.cert-manager.io
resources:
- challenges
- challenges/status
verbs:
- update
- apiGroups:
- acme.cert-manager.io
resources:
- challenges
verbs:
- get
- list
- watch
- apiGroups:
- cert-manager.io
resources:
- issuers
- clusterissuers
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- pods
- services
verbs:
- get
- list
- watch
- create
- delete
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- create
- delete
- update
- apiGroups:
- route.openshift.io
resources:
- routes/custom-host
verbs:
- create
- apiGroups:
- acme.cert-manager.io
resources:
- challenges/finalizers
verbs:
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
# Use to update challenge resource status
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges", "challenges/status"]
verbs: ["update"]
# Used to watch challenge resources
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges"]
verbs: ["get", "list", "watch"]
# Used to watch challenges, issuer and clusterissuer resources
- apiGroups: ["cert-manager.io"]
resources: ["issuers", "clusterissuers"]
verbs: ["get", "list", "watch"]
# Need to be able to retrieve ACME account private key to complete challenges
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
# Used to create events
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
# HTTP01 rules
- apiGroups: [""]
resources: ["pods", "services"]
verbs: ["get", "list", "watch", "create", "delete"]
- apiGroups: ["extensions"]
resources: ["ingresses"]
verbs: ["get", "list", "watch", "create", "delete", "update"]
# We require the ability to specify a custom hostname when we are creating
# new ingress resources.
# See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
- apiGroups: ["route.openshift.io"]
resources: ["routes/custom-host"]
verbs: ["create"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges/finalizers"]
verbs: ["update"]
# DNS01 rules (duplicated above)
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]

15
templates/1.0/cert-manager-controller-challenges-ClusterRoleBinding.yaml
View file

@ -1,17 +1,20 @@
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-challenges
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-challenges
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.0.4
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-challenges
subjects:
- kind: ServiceAccount
name: cert-manager
namespace: cert-manager
- name: cert-manager
namespace: "cert-manager"
kind: ServiceAccount

55
templates/1.0/cert-manager-controller-clusterissuers-ClusterRole.yaml
View file

@ -1,43 +1,26 @@
# Source: cert-manager/templates/rbac.yaml
# ClusterIssuer controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-controller-clusterissuers
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-clusterissuers
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.0.4
rules:
- apiGroups:
- cert-manager.io
resources:
- clusterissuers
- clusterissuers/status
verbs:
- update
- apiGroups:
- cert-manager.io
resources:
- clusterissuers
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- create
- update
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers", "clusterissuers/status"]
verbs: ["update"]
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]

15
templates/1.0/cert-manager-controller-clusterissuers-ClusterRoleBinding.yaml
View file

@ -1,17 +1,20 @@
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-clusterissuers
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-clusterissuers
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.0.4
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-clusterissuers
subjects:
- kind: ServiceAccount
name: cert-manager
namespace: cert-manager
- name: cert-manager
namespace: "cert-manager"
kind: ServiceAccount

69
templates/1.0/cert-manager-controller-ingress-shim-ClusterRole.yaml
View file

@ -1,51 +1,32 @@
# Source: cert-manager/templates/rbac.yaml
# ingress-shim controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-controller-ingress-shim
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-ingress-shim
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.0.4
rules:
- apiGroups:
- cert-manager.io
resources:
- certificates
- certificaterequests
verbs:
- create
- update
- delete
- apiGroups:
- cert-manager.io
resources:
- certificates
- certificaterequests
- issuers
- clusterissuers
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/finalizers
verbs:
- update
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests"]
verbs: ["create", "update", "delete"]
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["extensions"]
resources: ["ingresses"]
verbs: ["get", "list", "watch"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["extensions"]
resources: ["ingresses/finalizers"]
verbs: ["update"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]

15
templates/1.0/cert-manager-controller-ingress-shim-ClusterRoleBinding.yaml
View file

@ -1,17 +1,20 @@
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-ingress-shim
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-ingress-shim
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.0.4
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-ingress-shim
subjects:
- kind: ServiceAccount
name: cert-manager
namespace: cert-manager
- name: cert-manager
namespace: "cert-manager"
kind: ServiceAccount

55
templates/1.0/cert-manager-controller-issuers-ClusterRole.yaml
View file

@ -1,43 +1,26 @@
# Source: cert-manager/templates/rbac.yaml
# Issuer controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-controller-issuers
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-issuers
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.0.4
rules:
- apiGroups:
- cert-manager.io
resources:
- issuers
- issuers/status
verbs:
- update
- apiGroups:
- cert-manager.io
resources:
- issuers
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- create
- update
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups: ["cert-manager.io"]
resources: ["issuers", "issuers/status"]
verbs: ["update"]
- apiGroups: ["cert-manager.io"]
resources: ["issuers"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]

15
templates/1.0/cert-manager-controller-issuers-ClusterRoleBinding.yaml
View file

@ -1,17 +1,20 @@
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-issuers
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-issuers
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.0.4
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-issuers
subjects:
- kind: ServiceAccount
name: cert-manager
namespace: cert-manager
- name: cert-manager
namespace: "cert-manager"
kind: ServiceAccount

87
templates/1.0/cert-manager-controller-orders-ClusterRole.yaml
View file

@ -1,63 +1,38 @@
# Source: cert-manager/templates/rbac.yaml
# Orders controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-controller-orders
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-orders
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.0.4
rules:
- apiGroups:
- acme.cert-manager.io
resources:
- orders
- orders/status
verbs:
- update
- apiGroups:
- acme.cert-manager.io
resources:
- orders
- challenges
verbs:
- get
- list
- watch
- apiGroups:
- cert-manager.io
resources:
- clusterissuers
- issuers
verbs:
- get
- list
- watch
- apiGroups:
- acme.cert-manager.io
resources:
- challenges
verbs:
- create
- delete
- apiGroups:
- acme.cert-manager.io
resources:
- orders/finalizers
verbs:
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders", "orders/status"]
verbs: ["update"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders", "challenges"]
verbs: ["get", "list", "watch"]
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers", "issuers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges"]
verbs: ["create", "delete"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders/finalizers"]
verbs: ["update"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]

15
templates/1.0/cert-manager-controller-orders-ClusterRoleBinding.yaml
View file

@ -1,17 +1,20 @@
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-orders
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager-controller-orders
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.0.4
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-orders
subjects:
- kind: ServiceAccount
name: cert-manager
namespace: cert-manager
- name: cert-manager
namespace: "cert-manager"
kind: ServiceAccount

26
templates/1.0/cert-manager-edit-ClusterRole.yaml
View file

@ -1,24 +1,18 @@
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-edit
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
rbac.authorization.k8s.io/aggregate-to-admin: "true"
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.0.4
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: cert-manager-edit
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
- cert-manager.io
resources:
- certificates
- certificaterequests
- issuers
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "issuers"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]

18
templates/1.0/cert-manager-psp-ClusterRole.yaml Normal file
View file

@ -0,0 +1,18 @@
# Source: cert-manager/templates/psp-clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cert-manager-psp
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.0.4
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- cert-manager

20
templates/1.0/cert-manager-psp-ClusterRoleBinding.yaml Normal file
View file

@ -0,0 +1,20 @@
# Source: cert-manager/templates/psp-clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-psp
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.0.4
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-psp
subjects:
- kind: ServiceAccount
name: cert-manager
namespace: cert-manager

26
templates/1.0/cert-manager-view-ClusterRole.yaml
View file

@ -1,23 +1,19 @@
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-view
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.0.4
rbac.authorization.k8s.io/aggregate-to-view: "true"
name: cert-manager-view
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
- cert-manager.io
resources:
- certificates
- certificaterequests
- issuers
verbs:
- get
- list
- watch
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "issuers"]
verbs: ["get", "list", "watch"]

100
templates/1.0/cert-manager-webhook-Deployment.yaml
View file

@ -1,65 +1,71 @@
# Source: cert-manager/templates/webhook-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: cert-manager-webhook
namespace: "cert-manager"
labels:
app: webhook
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: webhook
name: cert-manager-webhook
namespace: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v1.0.4
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "webhook"
template:
metadata:
labels:
app: webhook
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v1.0.4
spec:
containers:
- args:
- --v=2
- --secure-port=10250
- --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
- --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
- --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: quay.io/jetstack/cert-manager-webhook:v1.0.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /livez
port: 6080
scheme: HTTP
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: cert-manager
ports:
- containerPort: 10250
name: https
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 6080
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 1
resources: {}
serviceAccountName: cert-manager-webhook
containers:
- name: cert-manager
image: "quay.io/jetstack/cert-manager-webhook:v1.0.4"
imagePullPolicy: IfNotPresent
args:
- --v=2
- --secure-port=10250
- --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
- --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
- --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
ports:
- name: https
containerPort: 10250
livenessProbe:
httpGet:
path: /livez
port: 6080
scheme: HTTP
initialDelaySeconds: 60
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
readinessProbe:
httpGet:
path: /healthz
port: 6080
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
resources:
{}

56
templates/1.0/cert-manager-webhook-MutatingWebhookConfiguration.yaml
View file

@ -1,34 +1,36 @@
# Source: cert-manager/templates/webhook-mutating-webhook.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
name: cert-manager-webhook
labels:
app: webhook
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: webhook
name: cert-manager-webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v1.0.4
annotations:
cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: cert-manager-webhook
namespace: cert-manager
path: /mutate
failurePolicy: Fail
name: webhook.cert-manager.io
rules:
- apiGroups:
- cert-manager.io
- acme.cert-manager.io
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
resources:
- '*/*'
sideEffects: None
- name: webhook.cert-manager.io
rules:
- apiGroups:
- "cert-manager.io"
- "acme.cert-manager.io"
apiVersions:
- "*"
operations:
- CREATE
- UPDATE
resources:
- "*/*"
admissionReviewVersions: ["v1", "v1beta1"]
failurePolicy: Fail
# Only include 'sideEffects' field in Kubernetes 1.12+
sideEffects: None
clientConfig:
service:
name: cert-manager-webhook
namespace: "cert-manager"
path: /mutate

47
templates/1.0/cert-manager-webhook-PodSecurityPolicy.yaml Normal file
View file

@ -0,0 +1,47 @@
# Source: cert-manager/templates/webhook-psp.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: cert-manager-webhook
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v1.0.4
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
privileged: false
allowPrivilegeEscalation: false
allowedCapabilities: [] # default set of capabilities are implicitly allowed
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000

17
templates/1.0/cert-manager-webhook-Service.yaml
View file

@ -1,20 +1,23 @@
# Source: cert-manager/templates/webhook-service.yaml
apiVersion: v1
kind: Service
metadata:
name: cert-manager-webhook
namespace: "cert-manager"
labels:
app: webhook
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: webhook
name: cert-manager-webhook
namespace: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v1.0.4
spec:
type: ClusterIP
ports:
- name: https
port: 443
targetPort: 10250
selector:
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: webhook
type: ClusterIP
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "webhook"

11
templates/1.0/cert-manager-webhook-ServiceAccount.yaml
View file

@ -1,10 +1,13 @@
# Source: cert-manager/templates/webhook-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: cert-manager-webhook
namespace: "cert-manager"
labels:
app: webhook
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: webhook
name: cert-manager-webhook
namespace: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v1.0.4

77
templates/1.0/cert-manager-webhook-ValidatingWebhookConfiguration.yaml
View file

@ -1,45 +1,46 @@
# Source: cert-manager/templates/webhook-validating-webhook.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
name: cert-manager-webhook
labels:
app: webhook
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: webhook
name: cert-manager-webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v1.0.4
annotations:
cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: cert-manager-webhook
namespace: cert-manager
path: /validate
failurePolicy: Fail
name: webhook.cert-manager.io
namespaceSelector:
matchExpressions:
- key: cert-manager.io/disable-validation
operator: NotIn
values:
- "true"
- key: name
operator: NotIn
values:
- cert-manager
rules:
- apiGroups:
- cert-manager.io
- acme.cert-manager.io
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
resources:
- '*/*'
sideEffects: None
- name: webhook.cert-manager.io
namespaceSelector:
matchExpressions:
- key: "cert-manager.io/disable-validation"
operator: "NotIn"
values:
- "true"
- key: "name"
operator: "NotIn"
values:
- cert-manager
rules:
- apiGroups:
- "cert-manager.io"
- "acme.cert-manager.io"
apiVersions:
- "*"
operations:
- CREATE
- UPDATE
resources:
- "*/*"
admissionReviewVersions: ["v1", "v1beta1"]
failurePolicy: Fail
# Only include 'sideEffects' field in Kubernetes 1.12+
sideEffects: None
clientConfig:
service:
name: cert-manager-webhook
namespace: "cert-manager"
path: /validate

18
templates/1.0/cert-manager-webhook-psp-ClusterRole.yaml Normal file
View file

@ -0,0 +1,18 @@
# Source: cert-manager/templates/webhook-psp-clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cert-manager-webhook-psp
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v1.0.4
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- cert-manager-webhook

20
templates/1.0/cert-manager-webhook-psp-ClusterRoleBinding.yaml Normal file
View file

@ -0,0 +1,20 @@
# Source: cert-manager/templates/webhook-psp-clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-webhook-psp
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v1.0.4
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-webhook-psp
subjects:
- kind: ServiceAccount
name: cert-manager-webhook
namespace: cert-manager

35
templates/1.0/cert-manager-webhook:dynamic-serving-Role.yaml
View file

@ -1,28 +1,23 @@
# Source: cert-manager/templates/webhook-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cert-manager-webhook:dynamic-serving
namespace: "cert-manager"
labels:
app: webhook
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: webhook
name: cert-manager-webhook:dynamic-serving
namespace: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v1.0.4
rules:
- apiGroups:
- ""
- apiGroups: [""]
resources: ["secrets"]
resourceNames:
- cert-manager-webhook-ca
resources:
- secrets
verbs:
- get
- list
- watch
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- 'cert-manager-webhook-ca'
verbs: ["get", "list", "watch", "update"]
# It's not possible to grant CREATE permission on a single resourceName.
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]

11
templates/1.0/cert-manager-webhook:dynamic-serving-RoleBinding.yaml
View file

@ -1,13 +1,16 @@
# Source: cert-manager/templates/webhook-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cert-manager-webhook:dynamic-serving
namespace: "cert-manager"
labels:
app: webhook
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: webhook
name: cert-manager-webhook:dynamic-serving
namespace: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v1.0.4
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role

37
templates/1.0/cert-manager:leaderelection-Role.yaml
View file

@ -1,27 +1,22 @@
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager:leaderelection
namespace: kube-system
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.0.4
rules:
- apiGroups:
- ""
resourceNames:
- cert-manager-controller
resources:
- configmaps
verbs:
- get
- update
- patch
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
# Used for leader election by the controller
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["cert-manager-controller"]
verbs: ["get", "update", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]

23
templates/1.0/cert-manager:leaderelection-RoleBinding.yaml
View file

@ -1,19 +1,24 @@
# Source: cert-manager/templates/rbac.yaml
# grant cert-manager permission to manage the leaderelection configmap in the
# leader election namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
name: cert-manager:leaderelection
namespace: kube-system
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.0.4
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-manager:leaderelection
subjects:
- apiGroup: ""
kind: ServiceAccount
name: cert-manager
namespace: cert-manager
- apiGroup: ""
kind: ServiceAccount
name: cert-manager
namespace: cert-manager

1378
templates/1.0/certificaterequests.cert-manager.io-CustomResourceDefinition.yaml
View file

File diff suppressed because it is too large Load diff

2824
templates/1.0/certificates.cert-manager.io-CustomResourceDefinition.yaml
View file

File diff suppressed because it is too large Load diff

9311
templates/1.0/challenges.acme.cert-manager.io-CustomResourceDefinition.yaml
View file

File diff suppressed because it is too large Load diff

12013
templates/1.0/clusterissuers.cert-manager.io-CustomResourceDefinition.yaml
View file

File diff suppressed because it is too large Load diff

12009
templates/1.0/issuers.cert-manager.io-CustomResourceDefinition.yaml
View file

File diff suppressed because it is too large Load diff

1457
templates/1.0/orders.acme.cert-manager.io-CustomResourceDefinition.yaml
View file

File diff suppressed because it is too large Load diff

16
vars/files_list_1.0.yml
View file

@ -1,16 +1,20 @@
---
certmanager_1.0_list:
- "1.0/cert-manager-cainjector-PodSecurityPolicy.yaml"
- "1.0/cert-manager-PodSecurityPolicy.yaml"
- "1.0/cert-manager-webhook-PodSecurityPolicy.yaml"
- "1.0/cert-manager-cainjector-ServiceAccount.yaml"
- "1.0/cert-manager-ServiceAccount.yaml"
- "1.0/cert-manager-webhook-ServiceAccount.yaml"
- "1.0/certificaterequests.cert-manager.io-CustomResourceDefinition.yaml"
- "1.0/certificates.cert-manager.io-CustomResourceDefinition.yaml"
- "1.0/challenges.acme.cert-manager.io-CustomResourceDefinition.yaml"
- "1.0/clusterissuers.cert-manager.io-CustomResourceDefinition.yaml"
- "1.0/issuers.cert-manager.io-CustomResourceDefinition.yaml"
- "1.0/orders.acme.cert-manager.io-CustomResourceDefinition.yaml"
- "1.0/cert-manager-Namespace.yaml"
- "1.0/cert-manager-cainjector-ServiceAccount.yaml"
- "1.0/cert-manager-ServiceAccount.yaml"
- "1.0/cert-manager-webhook-ServiceAccount.yaml"
- "1.0/cert-manager-cainjector-psp-ClusterRole.yaml"
- "1.0/cert-manager-cainjector-ClusterRole.yaml"
- "1.0/cert-manager-psp-ClusterRole.yaml"
- "1.0/cert-manager-controller-issuers-ClusterRole.yaml"
- "1.0/cert-manager-controller-clusterissuers-ClusterRole.yaml"
- "1.0/cert-manager-controller-certificates-ClusterRole.yaml"
@ -19,13 +23,17 @@ certmanager_1.0_list:
- "1.0/cert-manager-controller-ingress-shim-ClusterRole.yaml"
- "1.0/cert-manager-view-ClusterRole.yaml"
- "1.0/cert-manager-edit-ClusterRole.yaml"
- "1.0/cert-manager-webhook-psp-ClusterRole.yaml"
- "1.0/cert-manager-cainjector-psp-ClusterRoleBinding.yaml"
- "1.0/cert-manager-cainjector-ClusterRoleBinding.yaml"
- "1.0/cert-manager-psp-ClusterRoleBinding.yaml"
- "1.0/cert-manager-controller-issuers-ClusterRoleBinding.yaml"
- "1.0/cert-manager-controller-clusterissuers-ClusterRoleBinding.yaml"
- "1.0/cert-manager-controller-certificates-ClusterRoleBinding.yaml"
- "1.0/cert-manager-controller-orders-ClusterRoleBinding.yaml"
- "1.0/cert-manager-controller-challenges-ClusterRoleBinding.yaml"
- "1.0/cert-manager-controller-ingress-shim-ClusterRoleBinding.yaml"
- "1.0/cert-manager-webhook-psp-ClusterRoleBinding.yaml"
- "1.0/cert-manager-cainjector:leaderelection-Role.yaml"
- "1.0/cert-manager:leaderelection-Role.yaml"
- "1.0/cert-manager-webhook:dynamic-serving-Role.yaml"