Update to version 0.11.0

2019-11-27 08:20:01 +01:00 · 2019-11-27 08:20:01 +01:00 · 202b4c9dc4
commit 202b4c9dc4
parent 29a85200b6
56 changed files with 11781 additions and 1428 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,8 +1,8 @@
-my_context: flamykubekube
+my_context: local
-ingress_domain: "local.dataminem.net"
+ingress_domain: "local"
 #ingress_whitelist:
 #  - 10.96.0.0/12
 #  - 10.244.0.0/16
 #  - 192.168.140.0/24
-certmanager_version: 0.9.0
+certmanager_version: "0.11.0"
--- a/meta/main.yml
+++ b/meta/main.yml
@ -1,7 +1,7 @@
 galaxy_info:
  author: Adrien Reslinger
-  description: Install cert manager to a cluster
+  description: Install cert manager to a kubernetes cluster
-  company: Flaminem
+  company: Personnal
-  min_ansible_version: 2.6
+  min_ansible_version: 2.8
  galaxy_tags: []
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -5,60 +5,18 @@
 - name: Cert Manager setup
  block:
-#  - name: namespace
+  - name: namespace
 #    k8s:
 #      context: "{{ my_context }}"    
 #      state: present
 #      name: cert-manager
 #      api_version: v1
 #      kind: Namespace
 #  tags: certmanager
  - name: Cert Manager files
    k8s:
      context: "{{ my_context }}"    
      state: present
-      context: "{{ my_context }}"
+      name: cert-manager
-      resource_definition: "{{ lookup('template', item) | from_yaml }}"
+      api_version: v1
-    with_items:
+      kind: Namespace
-    - "cert-manager-crd-crt-{{ certmanager_version }}.yaml"
+    tags: certmanager
-    - "cert-manager-crd-crtreq-{{ certmanager_version }}.yaml"
+
-    - "cert-manager-crd-challenges-{{ certmanager_version }}.yaml"
+  - name: install / uninstall version 0.11.0
-    - "cert-manager-crd-clusterissuers-{{ certmanager_version }}.yaml"
+    include_tasks: "version_0.11.0.yml"
-    - "cert-manager-crd-issuers-{{ certmanager_version }}.yaml"
+    when:
-    - "cert-manager-crd-orders-{{ certmanager_version }}.yaml"
+      - certmanager_version == "0.11.0"
-    - "cert-manager-ns-{{ certmanager_version }}.yaml"
+#      - certmanager_version == 0.11.0 or certmanager_actual_version.stdout == 0.11.0
    - "cert-manager-sa-cainjector-{{ certmanager_version }}.yaml"
    - "cert-manager-sa-webhook-{{ certmanager_version }}.yaml"
    - "cert-manager-sa-certmanager-{{ certmanager_version }}.yaml"
    - "cert-manager-cr-cainjector-{{ certmanager_version }}.yaml"
    - "cert-manager-crb-cainjector-{{ certmanager_version }}.yaml"
    - "cert-manager-cr-certmanager-leaderelection-{{ certmanager_version }}.yaml"
    - "cert-manager-cr-certmanager-controlerissuers-{{ certmanager_version }}.yaml"
    - "cert-manager-cr-certmanager-controlerclusterissuers-{{ certmanager_version }}.yaml"
    - "cert-manager-cr-certmanager-certificates-{{ certmanager_version }}.yaml"
    - "cert-manager-cr-certmanager-orders-{{ certmanager_version }}.yaml"
    - "cert-manager-cr-certmanager-challenges-{{ certmanager_version }}.yaml"
    - "cert-manager-cr-certmanager-ingressshim-{{ certmanager_version }}.yaml"
    - "cert-manager-crb-certmanager-leaderelection-{{ certmanager_version }}.yaml"
    - "cert-manager-crb-certmanager-controlerissuers-{{ certmanager_version }}.yaml"
    - "cert-manager-crb-certmanager-controlerclusterissuers-{{ certmanager_version }}.yaml"
    - "cert-manager-crb-certmanager-certificates-{{ certmanager_version }}.yaml"
    - "cert-manager-crb-certmanager-orders-{{ certmanager_version }}.yaml"
    - "cert-manager-crb-certmanager-challenges-{{ certmanager_version }}.yaml"
    - "cert-manager-crb-certmanager-ingressshim-{{ certmanager_version }}.yaml"
    - "cert-manager-cr-certmanager-view-{{ certmanager_version }}.yaml"
    - "cert-manager-cr-certmanager-edit-{{ certmanager_version }}.yaml"
    - "cert-manager-crb-certmanager-webhook-{{ certmanager_version }}.yaml"
    - "cert-manager-rb-certmanager-webhook-{{ certmanager_version }}.yaml"
    - "cert-manager-cr-certmanager-webhook-{{ certmanager_version }}.yaml"
    - "cert-manager-svc-webhook-{{ certmanager_version }}.yaml"
    - "cert-manager-dp-cainjector-{{ certmanager_version }}.yaml"
    - "cert-manager-dp-webhook-{{ certmanager_version }}.yaml"
    - "cert-manager-dp-{{ certmanager_version }}.yaml"
    - "cert-manager-apiservice-{{ certmanager_version }}.yaml"
    - "cert-manager-issuer-webhookselfsign-{{ certmanager_version }}.yaml"
    - "cert-manager-certificat-webhookca-{{ certmanager_version }}.yaml"
    - "cert-manager-issuer-webhookca-{{ certmanager_version }}.yaml"
    - "cert-manager-certificat-webhook-{{ certmanager_version }}.yaml"
    - "cert-manager-validatewebhook-{{ certmanager_version }}.yaml"
    tags: certmanager
--- a/tasks/version_0.11.0.yml
+++ b/tasks/version_0.11.0.yml
@ -0,0 +1,59 @@
 ---
 - set_fact:
    certmanager_0_11_0_state: "present"
  when:
    - certmanager_version == "0.11.0"
 - set_fact:
    certmanager_0_11_0_state: "absent"
  when:
    - certmanager_version != "0.11.0"
 - name: Cert Manager files
  k8s:
    state: "{{ certmanager_0_11_0_state }}"
    context: "{{ my_context }}"
    resource_definition: "{{ lookup('template', item) | from_yaml }}"
  with_items:
    - "0.11.0/challenges.acme.cert-manager.io-CustomResourceDefinition.yaml"
    - "0.11.0/orders.acme.cert-manager.io-CustomResourceDefinition.yaml"
    - "0.11.0/certificaterequests.cert-manager.io-CustomResourceDefinition.yaml"
    - "0.11.0/certificates.cert-manager.io-CustomResourceDefinition.yaml"
    - "0.11.0/clusterissuers.cert-manager.io-CustomResourceDefinition.yaml"
    - "0.11.0/issuers.cert-manager.io-CustomResourceDefinition.yaml"
 #    - "0.11.0/cert-manager-Namespace.yaml"
    - "0.11.0/cert-manager-cainjector-ServiceAccount.yaml"
    - "0.11.0/cert-manager-ServiceAccount.yaml"
    - "0.11.0/cert-manager-webhook-ServiceAccount.yaml"
    - "0.11.0/cert-manager-cainjector-ClusterRole.yaml"
    - "0.11.0/cert-manager-cainjector-ClusterRoleBinding.yaml"
    - "0.11.0/cert-manager-cainjector:leaderelection-Role.yaml"
    - "0.11.0/cert-manager-cainjector:leaderelection-RoleBinding.yaml"
    - "0.11.0/cert-manager-webhook:auth-delegator-ClusterRoleBinding.yaml"
    - "0.11.0/cert-manager-webhook:webhook-authentication-reader-RoleBinding.yaml"
    - "0.11.0/cert-manager-webhook:webhook-requester-ClusterRole.yaml"
    - "0.11.0/cert-manager:leaderelection-Role.yaml"
    - "0.11.0/cert-manager:leaderelection-RoleBinding.yaml"
    - "0.11.0/cert-manager-controller-issuers-ClusterRole.yaml"
    - "0.11.0/cert-manager-controller-clusterissuers-ClusterRole.yaml"
    - "0.11.0/cert-manager-controller-certificates-ClusterRole.yaml"
    - "0.11.0/cert-manager-controller-orders-ClusterRole.yaml"
    - "0.11.0/cert-manager-controller-challenges-ClusterRole.yaml"
    - "0.11.0/cert-manager-controller-ingress-shim-ClusterRole.yaml"
    - "0.11.0/cert-manager-leaderelection-ClusterRoleBinding.yaml"
    - "0.11.0/cert-manager-controller-issuers-ClusterRoleBinding.yaml"
    - "0.11.0/cert-manager-controller-clusterissuers-ClusterRoleBinding.yaml"
    - "0.11.0/cert-manager-controller-certificates-ClusterRoleBinding.yaml"
    - "0.11.0/cert-manager-controller-orders-ClusterRoleBinding.yaml"
    - "0.11.0/cert-manager-controller-challenges-ClusterRoleBinding.yaml"
    - "0.11.0/cert-manager-controller-ingress-shim-ClusterRoleBinding.yaml"
    - "0.11.0/cert-manager-view-ClusterRole.yaml"
    - "0.11.0/cert-manager-edit-ClusterRole.yaml"
    - "0.11.0/cert-manager-Service.yaml"
    - "0.11.0/cert-manager-webhook-Service.yaml"
    - "0.11.0/cert-manager-cainjector-Deployment.yaml"
    - "0.11.0/cert-manager-Deployment.yaml"
    - "0.11.0/cert-manager-webhook-Deployment.yaml"
    - "0.11.0/v1beta1.webhook.cert-manager.io-APIService.yaml"
    - "0.11.0/cert-manager-webhook-MutatingWebhookConfiguration.yaml"
    - "0.11.0/cert-manager-webhook-ValidatingWebhookConfiguration.yaml"
--- a/templates/0.11.0/cert-manager-Deployment.yaml
+++ b/templates/0.11.0/cert-manager-Deployment.yaml
@ -9,7 +9,7 @@ metadata:
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
-    helm.sh/chart: cert-manager-v0.9.0
+    helm.sh/chart: cert-manager-v0.11.0
 spec:
  replicas: 1
  selector:
@ -25,7 +25,7 @@ spec:
        app.kubernetes.io/name: cert-manager
        app.kubernetes.io/instance:  cert-manager
        app.kubernetes.io/managed-by: Tiller
-        helm.sh/chart: cert-manager-v0.9.0
+        helm.sh/chart: cert-manager-v0.11.0
      annotations:
        prometheus.io/path: "/metrics"
        prometheus.io/scrape: 'true'
@ -34,12 +34,16 @@ spec:
      serviceAccountName: cert-manager
      containers:
        - name: cert-manager
-          image: "quay.io/jetstack/cert-manager-controller:v0.9.0"
+          image: "quay.io/jetstack/cert-manager-controller:v0.11.0"
          imagePullPolicy: IfNotPresent
          args:
          - --v=2
          - --cluster-resource-namespace=$(POD_NAMESPACE)
-          - --leader-election-namespace=$(POD_NAMESPACE)
+          - --leader-election-namespace=kube-system
          - --webhook-namespace=$(POD_NAMESPACE)
          - --webhook-ca-secret=cert-manager-webhook-ca
          - --webhook-serving-secret=cert-manager-webhook-tls
          - --webhook-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
          ports:
          - containerPort: 9402
          env:
@ -51,3 +55,5 @@ spec:
            requests:
              cpu: 10m
              memory: 32Mi
--- a/templates/0.11.0/cert-manager-Namespace.yaml
+++ b/templates/0.11.0/cert-manager-Namespace.yaml
@ -2,5 +2,4 @@ apiVersion: v1
 kind: Namespace
 metadata:
  name: cert-manager
-  labels:
+
    certmanager.k8s.io/disable-validation: "true"
--- a/templates/0.11.0/cert-manager-Service.yaml
+++ b/templates/0.11.0/cert-manager-Service.yaml
@ -0,0 +1,23 @@
 # Source: cert-manager/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: cert-manager
  namespace: "cert-manager"
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
 spec:
  type: ClusterIP
  ports:
    - protocol: TCP
      port: 9402
      targetPort: 9402
  selector:
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
--- a/templates/0.11.0/cert-manager-ServiceAccount.yaml
+++ b/templates/0.11.0/cert-manager-ServiceAccount.yaml
@ -4,9 +4,11 @@ kind: ServiceAccount
 metadata:
  name: cert-manager
  namespace: "cert-manager"
  annotations:
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
-    helm.sh/chart: cert-manager-v0.9.0
+    helm.sh/chart: cert-manager-v0.11.0
--- a/templates/0.11.0/cert-manager-cainjector-ClusterRole.yaml
+++ b/templates/0.11.0/cert-manager-cainjector-ClusterRole.yaml
@ -8,16 +8,16 @@ metadata:
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
-    helm.sh/chart: cainjector-v0.9.0
+    helm.sh/chart: cainjector-v0.11.0
 rules:
-  - apiGroups: ["certmanager.k8s.io"]
+  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
-    resources: ["configmaps", "events"]
+    resources: ["events"]
    verbs: ["get", "create", "update", "patch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
--- a/templates/0.11.0/cert-manager-cainjector-ClusterRoleBinding.yaml
+++ b/templates/0.11.0/cert-manager-cainjector-ClusterRoleBinding.yaml
@ -7,7 +7,7 @@ metadata:
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
-    helm.sh/chart: cainjector-v0.9.0
+    helm.sh/chart: cainjector-v0.11.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
@ -16,3 +16,4 @@ subjects:
  - name: cert-manager-cainjector
    namespace: "cert-manager"
    kind: ServiceAccount
--- a/templates/0.11.0/cert-manager-cainjector-Deployment.yaml
+++ b/templates/0.11.0/cert-manager-cainjector-Deployment.yaml
@ -9,7 +9,7 @@ metadata:
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
-    helm.sh/chart: cainjector-v0.9.0
+    helm.sh/chart: cainjector-v0.11.0
 spec:
  replicas: 1
  selector:
@ -25,17 +25,17 @@ spec:
        app.kubernetes.io/name: cainjector
        app.kubernetes.io/instance:  cert-manager
        app.kubernetes.io/managed-by: Tiller
-        helm.sh/chart: cainjector-v0.9.0
+        helm.sh/chart: cainjector-v0.11.0
      annotations:
    spec:
      serviceAccountName: cert-manager-cainjector
      containers:
        - name: cainjector
-          image: "quay.io/jetstack/cert-manager-cainjector:v0.9.0"
+          image: "quay.io/jetstack/cert-manager-cainjector:v0.11.0"
          imagePullPolicy: IfNotPresent
          args:
          - --v=2
-          - --leader-election-namespace=$(POD_NAMESPACE)
+          - --leader-election-namespace=kube-system
          env:
          - name: POD_NAMESPACE
            valueFrom:
@ -43,3 +43,5 @@ spec:
                fieldPath: metadata.namespace
          resources:
            {}
--- a/templates/0.11.0/cert-manager-cainjector-ServiceAccount.yaml
+++ b/templates/0.11.0/cert-manager-cainjector-ServiceAccount.yaml
@ -9,4 +9,5 @@ metadata:
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
-    helm.sh/chart: cainjector-v0.9.0
+    helm.sh/chart: cainjector-v0.11.0
--- a/templates/0.11.0/cert-manager-cainjector:leaderelection-Role.yaml
+++ b/templates/0.11.0/cert-manager-cainjector:leaderelection-Role.yaml
@ -0,0 +1,19 @@
 # leader election rules
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: Role
 metadata:
  name: cert-manager-cainjector:leaderelection
  namespace: kube-system
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cainjector-v0.11.0
 rules:
  # Used for leader election by the controller
  # TODO: refine the permission to *just* the leader election configmap
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "create", "update", "patch"]
--- a/templates/0.11.0/cert-manager-cainjector:leaderelection-RoleBinding.yaml
+++ b/templates/0.11.0/cert-manager-cainjector:leaderelection-RoleBinding.yaml
@ -0,0 +1,23 @@
 # grant cert-manager permission to manage the leaderelection configmap in the
 # leader election namespace
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
  name: cert-manager-cainjector:leaderelection
  namespace: kube-system
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cainjector-v0.11.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-cainjector:leaderelection
 subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager-cainjector
    namespace: cert-manager
--- a/templates/0.11.0/cert-manager-controller-certificates-ClusterRole.yaml
+++ b/templates/0.11.0/cert-manager-controller-certificates-ClusterRole.yaml
@ -1,3 +1,4 @@
 # Certificates controller role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
@ -8,26 +9,27 @@ metadata:
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
-    helm.sh/chart: cert-manager-v0.9.0
+    helm.sh/chart: cert-manager-v0.11.0
 rules:
-  - apiGroups: ["certmanager.k8s.io"]
+  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
    verbs: ["update"]
-  - apiGroups: ["certmanager.k8s.io"]
+  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers", "orders"]
+    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
-  # admission controller enabled:
+  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
-  - apiGroups: ["certmanager.k8s.io"]
+  - apiGroups: ["cert-manager.io"]
    resources: ["certificates/finalizers"]
    verbs: ["update"]
-  - apiGroups: ["certmanager.k8s.io"]
+  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders"]
-    verbs: ["create", "delete"]
+    verbs: ["create", "delete", "get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
--- a/templates/0.11.0/cert-manager-controller-certificates-ClusterRoleBinding.yaml
+++ b/templates/0.11.0/cert-manager-controller-certificates-ClusterRoleBinding.yaml
@ -1,3 +1,4 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
@ -7,7 +8,7 @@ metadata:
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
-    helm.sh/chart: cert-manager-v0.9.0
+    helm.sh/chart: cert-manager-v0.11.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
@ -16,3 +17,4 @@ subjects:
  - name: cert-manager
    namespace: "cert-manager"
    kind: ServiceAccount
--- a/templates/0.11.0/cert-manager-controller-challenges-ClusterRole.yaml
+++ b/templates/0.11.0/cert-manager-controller-challenges-ClusterRole.yaml
@ -1,3 +1,4 @@
 # Challenges controller role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
@ -8,15 +9,19 @@ metadata:
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
-    helm.sh/chart: cert-manager-v0.9.0
+    helm.sh/chart: cert-manager-v0.11.0
 rules:
  # Use to update challenge resource status
-  - apiGroups: ["certmanager.k8s.io"]
+  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "challenges/status"]
    verbs: ["update"]
  # Used to watch challenge resources
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["get", "list", "watch"]
  # Used to watch challenges, issuer and clusterissuer resources
-  - apiGroups: ["certmanager.k8s.io"]
+  - apiGroups: ["cert-manager.io"]
-    resources: ["challenges", "issuers", "clusterissuers"]
+    resources: ["issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  # Need to be able to retrieve ACME account private key to complete challenges
  - apiGroups: [""]
@ -34,12 +39,13 @@ rules:
    resources: ["ingresses"]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
-  # admission controller enabled:
+  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
-  - apiGroups: ["certmanager.k8s.io"]
+  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges/finalizers"]
    verbs: ["update"]
-  # DNS01 rules (duplicated above)
+  # DNS01 rules (duplicated above)
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
--- a/templates/0.11.0/cert-manager-controller-challenges-ClusterRoleBinding.yaml
+++ b/templates/0.11.0/cert-manager-controller-challenges-ClusterRoleBinding.yaml
@ -1,3 +1,4 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
@ -7,7 +8,7 @@ metadata:
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
-    helm.sh/chart: cert-manager-v0.9.0
+    helm.sh/chart: cert-manager-v0.11.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
@ -16,3 +17,4 @@ subjects:
  - name: cert-manager
    namespace: "cert-manager"
    kind: ServiceAccount
--- a/templates/0.11.0/cert-manager-controller-clusterissuers-ClusterRole.yaml
+++ b/templates/0.11.0/cert-manager-controller-clusterissuers-ClusterRole.yaml
@ -1,3 +1,4 @@
 # ClusterIssuer controller role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
@ -8,12 +9,12 @@ metadata:
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
-    helm.sh/chart: cert-manager-v0.9.0
+    helm.sh/chart: cert-manager-v0.11.0
 rules:
-  - apiGroups: ["certmanager.k8s.io"]
+  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "clusterissuers/status"]
    verbs: ["update"]
-  - apiGroups: ["certmanager.k8s.io"]
+  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
@ -22,3 +23,4 @@ rules:
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
--- a/templates/0.11.0/cert-manager-controller-clusterissuers-ClusterRoleBinding.yaml
+++ b/templates/0.11.0/cert-manager-controller-clusterissuers-ClusterRoleBinding.yaml
@ -1,3 +1,4 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
@ -7,7 +8,7 @@ metadata:
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
-    helm.sh/chart: cert-manager-v0.9.0
+    helm.sh/chart: cert-manager-v0.11.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
@ -16,3 +17,4 @@ subjects:
  - name: cert-manager
    namespace: "cert-manager"
    kind: ServiceAccount
--- a/templates/0.11.0/cert-manager-controller-ingress-shim-ClusterRole.yaml
+++ b/templates/0.11.0/cert-manager-controller-ingress-shim-ClusterRole.yaml
@ -1,3 +1,4 @@
 # ingress-shim controller role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
@ -8,19 +9,19 @@ metadata:
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
-    helm.sh/chart: cert-manager-v0.9.0
+    helm.sh/chart: cert-manager-v0.11.0
 rules:
-  - apiGroups: ["certmanager.k8s.io"]
+  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests"]
    verbs: ["create", "update", "delete"]
-  - apiGroups: ["certmanager.k8s.io"]
+  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
-  # admission controller enabled:
+  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["extensions"]
    resources: ["ingresses/finalizers"]
@ -28,3 +29,4 @@ rules:
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
--- a/templates/0.11.0/cert-manager-controller-ingress-shim-ClusterRoleBinding.yaml
+++ b/templates/0.11.0/cert-manager-controller-ingress-shim-ClusterRoleBinding.yaml
@ -1,3 +1,4 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
@ -7,7 +8,7 @@ metadata:
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
-    helm.sh/chart: cert-manager-v0.9.0
+    helm.sh/chart: cert-manager-v0.11.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
@ -16,3 +17,4 @@ subjects:
  - name: cert-manager
    namespace: "cert-manager"
    kind: ServiceAccount
--- a/templates/0.11.0/cert-manager-controller-issuers-ClusterRole.yaml
+++ b/templates/0.11.0/cert-manager-controller-issuers-ClusterRole.yaml
@ -1,3 +1,4 @@
 # Issuer controller role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
@ -8,12 +9,12 @@ metadata:
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
-    helm.sh/chart: cert-manager-v0.9.0
+    helm.sh/chart: cert-manager-v0.11.0
 rules:
-  - apiGroups: ["certmanager.k8s.io"]
+  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "issuers/status"]
    verbs: ["update"]
-  - apiGroups: ["certmanager.k8s.io"]
+  - apiGroups: ["cert-manager.io"]
    resources: ["issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
@ -22,3 +23,4 @@ rules:
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
--- a/templates/0.11.0/cert-manager-controller-issuers-ClusterRoleBinding.yaml
+++ b/templates/0.11.0/cert-manager-controller-issuers-ClusterRoleBinding.yaml
@ -1,3 +1,4 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
@ -7,7 +8,7 @@ metadata:
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
-    helm.sh/chart: cert-manager-v0.9.0
+    helm.sh/chart: cert-manager-v0.11.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
@ -16,3 +17,4 @@ subjects:
  - name: cert-manager
    namespace: "cert-manager"
    kind: ServiceAccount
--- a/templates/0.11.0/cert-manager-controller-orders-ClusterRole.yaml
+++ b/templates/0.11.0/cert-manager-controller-orders-ClusterRole.yaml
@ -1,3 +1,4 @@
 # Orders controller role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
@ -8,21 +9,24 @@ metadata:
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
-    helm.sh/chart: cert-manager-v0.9.0
+    helm.sh/chart: cert-manager-v0.11.0
 rules:
-  - apiGroups: ["certmanager.k8s.io"]
+  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "orders/status"]
    verbs: ["update"]
-  - apiGroups: ["certmanager.k8s.io"]
+  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["orders", "clusterissuers", "issuers", "challenges"]
+    resources: ["orders", "challenges"]
    verbs: ["get", "list", "watch"]
-  - apiGroups: ["certmanager.k8s.io"]
+  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["create", "delete"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
-  # admission controller enabled:
+  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
-  - apiGroups: ["certmanager.k8s.io"]
+  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders/finalizers"]
    verbs: ["update"]
  - apiGroups: [""]
@ -31,3 +35,4 @@ rules:
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
--- a/templates/0.11.0/cert-manager-controller-orders-ClusterRoleBinding.yaml
+++ b/templates/0.11.0/cert-manager-controller-orders-ClusterRoleBinding.yaml
@ -1,3 +1,4 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
@ -7,7 +8,7 @@ metadata:
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
-    helm.sh/chart: cert-manager-v0.9.0
+    helm.sh/chart: cert-manager-v0.11.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
@ -16,3 +17,4 @@ subjects:
  - name: cert-manager
    namespace: "cert-manager"
    kind: ServiceAccount
--- a/templates/cert-manager-cr-certmanager-edit-0.9.0.yaml
+++ b/templates/cert-manager-cr-certmanager-edit-0.9.0.yaml
@ -1,3 +1,4 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@ -7,10 +8,11 @@ metadata:
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
-    helm.sh/chart: cert-manager-v0.9.0
+    helm.sh/chart: cert-manager-v0.11.0
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
 rules:
-  - apiGroups: ["certmanager.k8s.io"]
+  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]
--- a/templates/0.11.0/cert-manager-leaderelection-ClusterRoleBinding.yaml
+++ b/templates/0.11.0/cert-manager-leaderelection-ClusterRoleBinding.yaml
@ -1,3 +1,4 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
@ -7,7 +8,7 @@ metadata:
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
-    helm.sh/chart: cert-manager-v0.9.0
+    helm.sh/chart: cert-manager-v0.11.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
@ -16,3 +17,4 @@ subjects:
  - name: cert-manager
    namespace: "cert-manager"
    kind: ServiceAccount
--- a/templates/cert-manager-cr-certmanager-view-0.9.0.yaml
+++ b/templates/cert-manager-cr-certmanager-view-0.9.0.yaml
@ -1,3 +1,4 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@ -7,11 +8,12 @@ metadata:
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
-    helm.sh/chart: cert-manager-v0.9.0
+    helm.sh/chart: cert-manager-v0.11.0
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
 rules:
-  - apiGroups: ["certmanager.k8s.io"]
+  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers"]
    verbs: ["get", "list", "watch"]
--- a/templates/0.11.0/cert-manager-webhook-Deployment.yaml
+++ b/templates/0.11.0/cert-manager-webhook-Deployment.yaml
@ -1,4 +1,4 @@
-# Source: cert-manager/charts/webhook/templates/deployment.yaml
+# Source: cert-manager/templates/webhook-deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@ -9,7 +9,7 @@ metadata:
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
-    helm.sh/chart: webhook-v0.9.0
+    helm.sh/chart: cert-manager-v0.11.0
 spec:
  replicas: 1
  selector:
@ -25,13 +25,13 @@ spec:
        app.kubernetes.io/name: webhook
        app.kubernetes.io/instance:  cert-manager
        app.kubernetes.io/managed-by: Tiller
-        helm.sh/chart: webhook-v0.9.0
+        helm.sh/chart: cert-manager-v0.11.0
      annotations:
    spec:
      serviceAccountName: cert-manager-webhook
      containers:
-        - name: webhook
+        - name: cert-manager
-          image: "quay.io/jetstack/cert-manager-webhook:v0.9.0"
+          image: "quay.io/jetstack/cert-manager-webhook:v0.11.0"
          imagePullPolicy: IfNotPresent
          args:
          - --v=2
@ -52,4 +52,4 @@ spec:
      volumes:
      - name: certs
        secret:
-          secretName: cert-manager-webhook-webhook-tls
+          secretName: cert-manager-webhook-tls
--- a/templates/0.11.0/cert-manager-webhook-MutatingWebhookConfiguration.yaml
+++ b/templates/0.11.0/cert-manager-webhook-MutatingWebhookConfiguration.yaml
@ -0,0 +1,36 @@
 # Source: cert-manager/templates/webhook-mutating-webhook.yaml
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: MutatingWebhookConfiguration
 metadata:
  name: cert-manager-webhook
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
  annotations:
    cert-manager.io/inject-apiserver-ca: "true"
 webhooks:
  - name: webhook.cert-manager.io
    rules:
      - apiGroups:
          - "cert-manager.io"
        apiVersions:
          - v1alpha2
        operations:
          - CREATE
          - UPDATE
        resources:
          - certificates
          - issuers
          - clusterissuers
          - orders
          - challenges
          - certificaterequests
    failurePolicy: Fail
    clientConfig:
      service:
        name: kubernetes
        namespace: default
        path: /apis/webhook.cert-manager.io/v1beta1/mutations
--- a/templates/0.11.0/cert-manager-webhook-Service.yaml
+++ b/templates/0.11.0/cert-manager-webhook-Service.yaml
@ -1,4 +1,4 @@
-# Source: cert-manager/charts/webhook/templates/service.yaml
+# Source: cert-manager/templates/webhook-service.yaml
 apiVersion: v1
 kind: Service
 metadata:
@ -9,7 +9,7 @@ metadata:
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
-    helm.sh/chart: webhook-v0.9.0
+    helm.sh/chart: cert-manager-v0.11.0
 spec:
  type: ClusterIP
  ports:
--- a/templates/0.11.0/cert-manager-webhook-ServiceAccount.yaml
+++ b/templates/0.11.0/cert-manager-webhook-ServiceAccount.yaml
@ -1,4 +1,4 @@
-# Source: cert-manager/charts/webhook/templates/serviceaccount.yaml
+# Source: cert-manager/templates/webhook-serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@ -9,4 +9,4 @@ metadata:
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
-    helm.sh/chart: webhook-v0.9.0
+    helm.sh/chart: cert-manager-v0.11.0
--- a/templates/0.11.0/cert-manager-webhook-ValidatingWebhookConfiguration.yaml
+++ b/templates/0.11.0/cert-manager-webhook-ValidatingWebhookConfiguration.yaml
@ -0,0 +1,45 @@
 # Source: cert-manager/templates/webhook-validating-webhook.yaml
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: ValidatingWebhookConfiguration
 metadata:
  name: cert-manager-webhook
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
  annotations:
    cert-manager.io/inject-apiserver-ca: "true"
 webhooks:
  - name: webhook.cert-manager.io
    namespaceSelector:
      matchExpressions:
      - key: "cert-manager.io/disable-validation"
        operator: "NotIn"
        values:
        - "true"
      - key: "name"
        operator: "NotIn"
        values:
        - cert-manager
    rules:
      - apiGroups:
          - "cert-manager.io"
        apiVersions:
          - v1alpha2
        operations:
          - CREATE
          - UPDATE
        resources:
          - certificates
          - issuers
          - clusterissuers
          - certificaterequests
    failurePolicy: Fail
    sideEffects: None
    clientConfig:
      service:
        name: kubernetes
        namespace: default
        path: /apis/webhook.cert-manager.io/v1beta1/validations
--- a/templates/0.11.0/cert-manager-webhook:auth-delegator-ClusterRoleBinding.yaml
+++ b/templates/0.11.0/cert-manager-webhook:auth-delegator-ClusterRoleBinding.yaml
@ -9,7 +9,7 @@ metadata:
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
-    helm.sh/chart: webhook-v0.9.0
+    helm.sh/chart: cert-manager-v0.11.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
@ -19,3 +19,4 @@ subjects:
  kind: ServiceAccount
  name: cert-manager-webhook
  namespace: cert-manager
--- a/templates/0.11.0/cert-manager-webhook:webhook-authentication-reader-RoleBinding.yaml
+++ b/templates/0.11.0/cert-manager-webhook:webhook-authentication-reader-RoleBinding.yaml
@ -1,3 +1,4 @@
 # apiserver gets the ability to read authentication. This allows it to
 # read the specific configmap that has the requestheader-* entries to
 # api agg
@ -11,7 +12,7 @@ metadata:
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
-    helm.sh/chart: webhook-v0.9.0
+    helm.sh/chart: cert-manager-v0.11.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
@ -21,3 +22,4 @@ subjects:
  kind: ServiceAccount
  name: cert-manager-webhook
  namespace: cert-manager
--- a/templates/0.11.0/cert-manager-webhook:webhook-requester-ClusterRole.yaml
+++ b/templates/0.11.0/cert-manager-webhook:webhook-requester-ClusterRole.yaml
@ -1,3 +1,4 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@ -7,10 +8,10 @@ metadata:
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
-    helm.sh/chart: webhook-v0.9.0
+    helm.sh/chart: cert-manager-v0.11.0
 rules:
 - apiGroups:
-  - admission.certmanager.k8s.io
+  - admission.cert-manager.io
  resources:
  - certificates
  - certificaterequests
--- a/templates/0.11.0/cert-manager.yaml
+++ b/templates/0.11.0/cert-manager.yaml
--- a/templates/cert-manager-cr-certmanager-leaderelection-0.9.0.yaml
+++ b/templates/cert-manager-cr-certmanager-leaderelection-0.9.0.yaml
@ -1,16 +1,19 @@
 # Source: cert-manager/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
+kind: Role
 metadata:
-  name: cert-manager-leaderelection
+  name: cert-manager:leaderelection
  namespace: kube-system
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
-    helm.sh/chart: cert-manager-v0.9.0
+    helm.sh/chart: cert-manager-v0.11.0
 rules:
  # Used for leader election by the controller
  # TODO: refine the permission to *just* the leader election configmap
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "create", "update", "patch"]
--- a/templates/0.11.0/cert-manager:leaderelection-RoleBinding.yaml
+++ b/templates/0.11.0/cert-manager:leaderelection-RoleBinding.yaml
@ -0,0 +1,24 @@
 # grant cert-manager permission to manage the leaderelection configmap in the
 # leader election namespace
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
  name: cert-manager:leaderelection
  namespace: kube-system
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager:leaderelection
 subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
--- a/templates/0.11.0/certificaterequests.cert-manager.io-CustomResourceDefinition.yaml
+++ b/templates/0.11.0/certificaterequests.cert-manager.io-CustomResourceDefinition.yaml
@ -2,9 +2,7 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  creationTimestamp: null
-  labels:
+  name: certificaterequests.cert-manager.io
    controller-tools.k8s.io: "1.0"
  name: certificaterequests.certmanager.k8s.io
 spec:
  additionalPrinterColumns:
  - JSONPath: .status.conditions[?(@.type=="Ready")].status
@ -25,30 +23,37 @@ spec:
      in RFC3339 form and is in UTC.
    name: Age
    type: date
-  group: certmanager.k8s.io
+  group: cert-manager.io
  names:
    kind: CertificateRequest
    listKind: CertificateRequestList
    plural: certificaterequests
    shortNames:
    - cr
    - crs
    singular: certificaterequest
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      description: CertificateRequest is a type to represent a Certificate Signing
        Request
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          description: CertificateRequestSpec defines the desired state of CertificateRequest
          properties:
            csr:
              description: Byte slice containing the PEM encoded CertificateSigningRequest
@ -59,7 +64,7 @@ spec:
              type: string
            isCA:
              description: IsCA will mark the resulting certificate as valid for signing.
-                This implies that the 'signing' usage is set
+                This implies that the 'cert sign' usage is set
              type: boolean
            issuerRef:
              description: IssuerRef is a reference to the issuer for this CertificateRequest.  If
@ -68,7 +73,7 @@ spec:
                will be used.  If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
                with the provided name will be used. The 'name' field in this stanza
                is required at all times. The group field refers to the API group
-                of the issuer which defaults to 'certmanager.k8s.io' if empty.
+                of the issuer which defaults to 'cert-manager.io' if empty.
              properties:
                group:
                  type: string
@ -79,10 +84,45 @@ spec:
              required:
              - name
              type: object
            usages:
              description: Usages is the set of x509 actions that are enabled for
                a given key. Defaults are ('digital signature', 'key encipherment')
                if empty
              items:
                description: 'KeyUsage specifies valid usage contexts for keys. See:
                  https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12'
                enum:
                - signing
                - digital signature
                - content commitment
                - key encipherment
                - key agreement
                - data encipherment
                - cert sign
                - crl sign
                - encipher only
                - decipher only
                - any
                - server auth
                - client auth
                - code signing
                - email protection
                - s/mime
                - ipsec end system
                - ipsec tunnel
                - ipsec user
                - timestamping
                - ocsp signing
                - microsoft sgc
                - netscape sgc
                type: string
              type: array
          required:
          - issuerRef
          type: object
        status:
          description: CertificateStatus defines the observed state of CertificateRequest
            and resulting signed certificate.
          properties:
            ca:
              description: Byte slice containing the PEM encoded certificate authority
@ -96,6 +136,8 @@ spec:
              type: string
            conditions:
              items:
                description: CertificateRequestCondition contains condition information
                  for a CertificateRequest.
                properties:
                  lastTransitionTime:
                    description: LastTransitionTime is the timestamp corresponding
@ -122,12 +164,22 @@ spec:
                    description: Type of the condition, currently ('Ready').
                    type: string
                required:
                - type
                - status
                - type
                type: object
              type: array
            failureTime:
              description: FailureTime stores the time that this CertificateRequest
                failed. This is used to influence garbage collection and back-off.
              format: date-time
              type: string
          type: object
-  version: v1alpha1
+      type: object
  version: v1alpha2
  versions:
  - name: v1alpha2
    served: true
    storage: true
 status:
  acceptedNames:
    kind: ""
--- a/templates/0.11.0/certificates.cert-manager.io-CustomResourceDefinition.yaml
+++ b/templates/0.11.0/certificates.cert-manager.io-CustomResourceDefinition.yaml
@ -2,9 +2,7 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  creationTimestamp: null
-  labels:
+  name: certificates.cert-manager.io
    controller-tools.k8s.io: "1.0"
  name: certificates.certmanager.k8s.io
 spec:
  additionalPrinterColumns:
  - JSONPath: .status.conditions[?(@.type=="Ready")].status
@ -28,66 +26,47 @@ spec:
      in RFC3339 form and is in UTC.
    name: Age
    type: date
-  group: certmanager.k8s.io
+  group: cert-manager.io
  names:
    kind: Certificate
    listKind: CertificateList
    plural: certificates
    shortNames:
    - cert
    - certs
    singular: certificate
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      description: Certificate is a type to represent a Certificate from ACME
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          description: CertificateSpec defines the desired state of Certificate. A
            valid Certificate requires at least one of a CommonName, DNSName, or URISAN
            to be valid.
          properties:
            acme:
              description: ACME contains configuration specific to ACME Certificates.
                Notably, this contains details on how the domain names listed on this
                Certificate resource should be 'solved', i.e. mapping HTTP01 and DNS01
                providers to DNS names.
              properties:
                config:
                  items:
                    properties:
                      domains:
                        description: Domains is the list of domains that this SolverConfig
                          applies to.
                        items:
                          type: string
                        type: array
                    required:
                    - domains
                    type: object
                  type: array
              required:
              - config
              type: object
            commonName:
              description: CommonName is a common name to be used on the Certificate.
-                If no CommonName is given, then the first entry in DNSNames is used
+                The CommonName should have a length of 64 characters or fewer to avoid
-                as the CommonName. The CommonName should have a length of 64 characters
+                generating invalid CSRs.
                or fewer to avoid generating invalid CSRs; in order to have longer
                domain names, set the CommonName (or first DNSNames entry) to have
                64 characters or fewer, and then add the longer domain name to DNSNames.
              type: string
            dnsNames:
              description: DNSNames is a list of subject alt names to be used on the
-                Certificate. If no CommonName is given, then the first entry in DNSNames
+                Certificate.
                is used as the CommonName and must have a length of 64 characters
                or fewer.
              items:
                type: string
              type: array
@ -102,7 +81,7 @@ spec:
              type: array
            isCA:
              description: IsCA will mark this Certificate as valid for signing. This
-                implies that the 'signing' usage is set
+                implies that the 'cert sign' usage is set
              type: boolean
            issuerRef:
              description: IssuerRef is a reference to the issuer for this certificate.
@ -137,6 +116,9 @@ spec:
                allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8,
                respectively. If KeyEncoding is not specified, then PKCS#1 will be
                used by default.
              enum:
              - pkcs1
              - pkcs8
              type: string
            keySize:
              description: KeySize is the key bit size of the corresponding private
@ -144,7 +126,6 @@ spec:
                and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa",
                and value must be one of (256, 384, 521) when KeyAlgorithm is set
                to "ecdsa".
              format: int64
              type: integer
            organization:
              description: Organization is the organization to be used on the Certificate
@ -158,14 +139,56 @@ spec:
              description: SecretName is the name of the secret resource to store
                this secret in
              type: string
            uriSANs:
              description: URISANs is a list of URI Subject Alternative Names to be
                set on this Certificate.
              items:
                type: string
              type: array
            usages:
              description: Usages is the set of x509 actions that are enabled for
                a given key. Defaults are ('digital signature', 'key encipherment')
                if empty
              items:
                description: 'KeyUsage specifies valid usage contexts for keys. See:
                  https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12'
                enum:
                - signing
                - digital signature
                - content commitment
                - key encipherment
                - key agreement
                - data encipherment
                - cert sign
                - crl sign
                - encipher only
                - decipher only
                - any
                - server auth
                - client auth
                - code signing
                - email protection
                - s/mime
                - ipsec end system
                - ipsec tunnel
                - ipsec user
                - timestamping
                - ocsp signing
                - microsoft sgc
                - netscape sgc
                type: string
              type: array
          required:
          - secretName
          - issuerRef
          - secretName
          type: object
        status:
          description: CertificateStatus defines the observed state of Certificate
          properties:
            conditions:
              items:
                description: CertificateCondition contains condition information for
                  an Certificate.
                properties:
                  lastTransitionTime:
                    description: LastTransitionTime is the timestamp corresponding
@ -192,8 +215,8 @@ spec:
                    description: Type of the condition, currently ('Ready').
                    type: string
                required:
                - type
                - status
                - type
                type: object
              type: array
            lastFailureTime:
@ -205,7 +228,12 @@ spec:
              format: date-time
              type: string
          type: object
-  version: v1alpha1
+      type: object
  version: v1alpha2
  versions:
  - name: v1alpha2
    served: true
    storage: true
 status:
  acceptedNames:
    kind: ""
--- a/templates/0.11.0/challenges.acme.cert-manager.io-CustomResourceDefinition.yaml
+++ b/templates/0.11.0/challenges.acme.cert-manager.io-CustomResourceDefinition.yaml
--- a/templates/0.11.0/clusterissuers.cert-manager.io-CustomResourceDefinition.yaml
+++ b/templates/0.11.0/clusterissuers.cert-manager.io-CustomResourceDefinition.yaml
--- a/templates/0.11.0/issuers.cert-manager.io-CustomResourceDefinition.yaml
+++ b/templates/0.11.0/issuers.cert-manager.io-CustomResourceDefinition.yaml
--- a/templates/0.11.0/orders.acme.cert-manager.io-CustomResourceDefinition.yaml
+++ b/templates/0.11.0/orders.acme.cert-manager.io-CustomResourceDefinition.yaml
@ -0,0 +1,207 @@
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  creationTimestamp: null
  name: orders.acme.cert-manager.io
 spec:
  additionalPrinterColumns:
  - JSONPath: .status.state
    name: State
    type: string
  - JSONPath: .spec.issuerRef.name
    name: Issuer
    priority: 1
    type: string
  - JSONPath: .status.reason
    name: Reason
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC.
    name: Age
    type: date
  group: acme.cert-manager.io
  names:
    kind: Order
    listKind: OrderList
    plural: orders
    singular: order
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      description: Order is a type to represent an Order with an ACME server
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          properties:
            commonName:
              description: CommonName is the common name as specified on the DER encoded
                CSR. If CommonName is not specified, the first DNSName specified will
                be used as the CommonName. At least one of CommonName or a DNSNames
                must be set. This field must match the corresponding field on the
                DER encoded CSR.
              type: string
            csr:
              description: Certificate signing request bytes in DER encoding. This
                will be used when finalizing the order. This field must be set on
                the order.
              format: byte
              type: string
            dnsNames:
              description: DNSNames is a list of DNS names that should be included
                as part of the Order validation process. If CommonName is not specified,
                the first DNSName specified will be used as the CommonName. At least
                one of CommonName or a DNSNames must be set. This field must match
                the corresponding field on the DER encoded CSR.
              items:
                type: string
              type: array
            issuerRef:
              description: IssuerRef references a properly configured ACME-type Issuer
                which should be used to create this Order. If the Issuer does not
                exist, processing will be retried. If the Issuer is not an 'ACME'
                Issuer, an error will be returned and the Order will be marked as
                failed.
              properties:
                group:
                  type: string
                kind:
                  type: string
                name:
                  type: string
              required:
              - name
              type: object
          required:
          - csr
          - issuerRef
          type: object
        status:
          properties:
            authorizations:
              description: Authorizations contains data returned from the ACME server
                on what authoriations must be completed in order to validate the DNS
                names specified on the Order.
              items:
                description: ACMEAuthorization contains data returned from the ACME
                  server on an authorization that must be completed in order validate
                  a DNS name on an ACME Order resource.
                properties:
                  challenges:
                    description: Challenges specifies the challenge types offered
                      by the ACME server. One of these challenge types will be selected
                      when validating the DNS name and an appropriate Challenge resource
                      will be created to perform the ACME challenge process.
                    items:
                      description: Challenge specifies a challenge offered by the
                        ACME server for an Order. An appropriate Challenge resource
                        can be created to perform the ACME challenge process.
                      properties:
                        token:
                          description: Token is the token that must be presented for
                            this challenge. This is used to compute the 'key' that
                            must also be presented.
                          type: string
                        type:
                          description: Type is the type of challenge being offered,
                            e.g. http-01, dns-01
                          type: string
                        url:
                          description: URL is the URL of this challenge. It can be
                            used to retrieve additional metadata about the Challenge
                            from the ACME server.
                          type: string
                      required:
                      - token
                      - type
                      - url
                      type: object
                    type: array
                  identifier:
                    description: Identifier is the DNS name to be validated as part
                      of this authorization
                    type: string
                  url:
                    description: URL is the URL of the Authorization that must be
                      completed
                    type: string
                  wildcard:
                    description: Wildcard will be true if this authorization is for
                      a wildcard DNS name. If this is true, the identifier will be
                      the *non-wildcard* version of the DNS name. For example, if
                      '*.example.com' is the DNS name being validated, this field
                      will be 'true' and the 'identifier' field will be 'example.com'.
                    type: boolean
                required:
                - url
                type: object
              type: array
            certificate:
              description: Certificate is a copy of the PEM encoded certificate for
                this Order. This field will be populated after the order has been
                successfully finalized with the ACME server, and the order has transitioned
                to the 'valid' state.
              format: byte
              type: string
            failureTime:
              description: FailureTime stores the time that this order failed. This
                is used to influence garbage collection and back-off.
              format: date-time
              type: string
            finalizeURL:
              description: FinalizeURL of the Order. This is used to obtain certificates
                for this order once it has been completed.
              type: string
            reason:
              description: Reason optionally provides more information about a why
                the order is in the current state.
              type: string
            state:
              description: State contains the current state of this Order resource.
                States 'success' and 'expired' are 'final'
              enum:
              - valid
              - ready
              - pending
              - processing
              - invalid
              - expired
              - errored
              type: string
            url:
              description: URL of the Order. This will initially be empty when the
                resource is first created. The Order controller will populate this
                field when the Order is first processed. This field will be immutable
                after it is initially set.
              type: string
          type: object
      required:
      - metadata
      type: object
  version: v1alpha2
  versions:
  - name: v1alpha2
    served: true
    storage: true
 status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
--- a/templates/0.11.0/v1beta1.webhook.cert-manager.io-APIService.yaml
+++ b/templates/0.11.0/v1beta1.webhook.cert-manager.io-APIService.yaml
@ -1,18 +1,18 @@
-# Source: cert-manager/charts/webhook/templates/apiservice.yaml
+# Source: cert-manager/templates/webhook-apiservice.yaml
 apiVersion: apiregistration.k8s.io/v1beta1
 kind: APIService
 metadata:
-  name: v1beta1.admission.certmanager.k8s.io
+  name: v1beta1.webhook.cert-manager.io
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
-    helm.sh/chart: webhook-v0.9.0
+    helm.sh/chart: cert-manager-v0.11.0
  annotations:
-    certmanager.k8s.io/inject-ca-from: "cert-manager/cert-manager-webhook-webhook-tls"
+    cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-tls"
 spec:
-  group: admission.certmanager.k8s.io
+  group: webhook.cert-manager.io
  groupPriorityMinimum: 1000
  versionPriority: 15
  service:
--- a/templates/cert-manager-certificat-webhook-0.9.0.yaml
+++ b/templates/cert-manager-certificat-webhook-0.9.0.yaml
@ -1,21 +0,0 @@
 # Finally, generate a serving certificate for the webhook to use
 apiVersion: certmanager.k8s.io/v1alpha1
 kind: Certificate
 metadata:
  name: cert-manager-webhook-webhook-tls
  namespace: "cert-manager"
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: webhook-v0.9.0
 spec:
  secretName: cert-manager-webhook-webhook-tls
  duration: 8760h # 1y
  issuerRef:
    name: cert-manager-webhook-ca
  dnsNames:
  - cert-manager-webhook
  - cert-manager-webhook.cert-manager
  - cert-manager-webhook.cert-manager.svc
--- a/templates/cert-manager-certificat-webhookca-0.9.0.yaml
+++ b/templates/cert-manager-certificat-webhookca-0.9.0.yaml
@ -1,19 +0,0 @@
 # Generate a CA Certificate used to sign certificates for the webhook
 apiVersion: certmanager.k8s.io/v1alpha1
 kind: Certificate
 metadata:
  name: cert-manager-webhook-ca
  namespace: "cert-manager"
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: webhook-v0.9.0
 spec:
  secretName: cert-manager-webhook-ca
  duration: 43800h # 5y
  issuerRef:
    name: cert-manager-webhook-selfsign
  commonName: "ca.webhook.cert-manager"
  isCA: true
--- a/templates/cert-manager-crd-challenges-0.9.0.yaml
+++ b/templates/cert-manager-crd-challenges-0.9.0.yaml
@ -1,197 +0,0 @@
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  creationTimestamp: null
  labels:
    controller-tools.k8s.io: "1.0"
  name: challenges.certmanager.k8s.io
 spec:
  additionalPrinterColumns:
  - JSONPath: .status.state
    name: State
    type: string
  - JSONPath: .spec.dnsName
    name: Domain
    type: string
  - JSONPath: .status.reason
    name: Reason
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC.
    name: Age
    type: date
  group: certmanager.k8s.io
  names:
    kind: Challenge
    plural: challenges
  scope: Namespaced
  validation:
    openAPIV3Schema:
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          properties:
            authzURL:
              description: AuthzURL is the URL to the ACME Authorization resource
                that this challenge is a part of.
              type: string
            config:
              description: 'Config specifies the solver configuration for this challenge.
                Only **one** of ''config'' or ''solver'' may be specified, and if
                both are specified then no action will be performed on the Challenge
                resource. DEPRECATED: the ''solver'' field should be specified instead'
              type: object
            dnsName:
              description: DNSName is the identifier that this challenge is for, e.g.
                example.com.
              type: string
            issuerRef:
              description: IssuerRef references a properly configured ACME-type Issuer
                which should be used to create this Challenge. If the Issuer does
                not exist, processing will be retried. If the Issuer is not an 'ACME'
                Issuer, an error will be returned and the Challenge will be marked
                as failed.
              properties:
                group:
                  type: string
                kind:
                  type: string
                name:
                  type: string
              required:
              - name
              type: object
            key:
              description: Key is the ACME challenge key for this challenge
              type: string
            solver:
              description: Solver contains the domain solving configuration that should
                be used to solve this challenge resource. Only **one** of 'config'
                or 'solver' may be specified, and if both are specified then no action
                will be performed on the Challenge resource.
              properties:
                selector:
                  description: Selector selects a set of DNSNames on the Certificate
                    resource that should be solved using this challenge solver.
                  properties:
                    dnsNames:
                      description: List of DNSNames that this solver will be used
                        to solve. If specified and a match is found, a dnsNames selector
                        will take precedence over a dnsZones selector. If multiple
                        solvers match with the same dnsNames value, the solver with
                        the most matching labels in matchLabels will be selected.
                        If neither has more matches, the solver defined earlier in
                        the list will be selected.
                      items:
                        type: string
                      type: array
                    dnsZones:
                      description: List of DNSZones that this solver will be used
                        to solve. The most specific DNS zone match specified here
                        will take precedence over other DNS zone matches, so a solver
                        specifying sys.example.com will be selected over one specifying
                        example.com for the domain www.sys.example.com. If multiple
                        solvers match with the same dnsZones value, the solver with
                        the most matching labels in matchLabels will be selected.
                        If neither has more matches, the solver defined earlier in
                        the list will be selected.
                      items:
                        type: string
                      type: array
                    matchLabels:
                      description: A label selector that is used to refine the set
                        of certificate's that this challenge solver will apply to.
                      type: object
                  type: object
              type: object
            token:
              description: Token is the ACME challenge token for this challenge.
              type: string
            type:
              description: Type is the type of ACME challenge this resource represents,
                e.g. "dns01" or "http01"
              type: string
            url:
              description: URL is the URL of the ACME Challenge resource for this
                challenge. This can be used to lookup details about the status of
                this challenge.
              type: string
            wildcard:
              description: Wildcard will be true if this challenge is for a wildcard
                identifier, for example '*.example.com'
              type: boolean
          required:
          - authzURL
          - type
          - url
          - dnsName
          - token
          - key
          - wildcard
          - issuerRef
          type: object
        status:
          properties:
            presented:
              description: Presented will be set to true if the challenge values for
                this challenge are currently 'presented'. This *does not* imply the
                self check is passing. Only that the values have been 'submitted'
                for the appropriate challenge mechanism (i.e. the DNS01 TXT record
                has been presented, or the HTTP01 configuration has been configured).
              type: boolean
            processing:
              description: Processing is used to denote whether this challenge should
                be processed or not. This field will only be set to true by the 'scheduling'
                component. It will only be set to false by the 'challenges' controller,
                after the challenge has reached a final state or timed out. If this
                field is set to false, the challenge controller will not take any
                more action.
              type: boolean
            reason:
              description: Reason contains human readable information on why the Challenge
                is in the current state.
              type: string
            state:
              description: State contains the current 'state' of the challenge. If
                not set, the state of the challenge is unknown.
              enum:
              - ""
              - valid
              - ready
              - pending
              - processing
              - invalid
              - expired
              - errored
              type: string
          required:
          - processing
          - presented
          - reason
          type: object
      required:
      - metadata
      - spec
      - status
  version: v1alpha1
 status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
--- a/templates/cert-manager-crd-clusterissuers-0.9.0.yaml
+++ b/templates/cert-manager-crd-clusterissuers-0.9.0.yaml
@ -1,300 +0,0 @@
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  creationTimestamp: null
  labels:
    controller-tools.k8s.io: "1.0"
  name: clusterissuers.certmanager.k8s.io
 spec:
  group: certmanager.k8s.io
  names:
    kind: ClusterIssuer
    plural: clusterissuers
  scope: Cluster
  validation:
    openAPIV3Schema:
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          properties:
            acme:
              properties:
                email:
                  description: Email is the email for this account
                  type: string
                privateKeySecretRef:
                  description: PrivateKey is the name of a secret containing the private
                    key for this user account.
                  properties:
                    key:
                      description: The key of the secret to select from. Must be a
                        valid secret key.
                      type: string
                    name:
                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                        TODO: Add other useful fields. apiVersion, kind, uid?'
                      type: string
                  required:
                  - name
                  type: object
                server:
                  description: Server is the ACME server URL
                  type: string
                skipTLSVerify:
                  description: If true, skip verifying the ACME server TLS certificate
                  type: boolean
                solvers:
                  description: Solvers is a list of challenge solvers that will be
                    used to solve ACME challenges for the matching domains.
                  items:
                    properties:
                      selector:
                        description: Selector selects a set of DNSNames on the Certificate
                          resource that should be solved using this challenge solver.
                        properties:
                          dnsNames:
                            description: List of DNSNames that this solver will be
                              used to solve. If specified and a match is found, a
                              dnsNames selector will take precedence over a dnsZones
                              selector. If multiple solvers match with the same dnsNames
                              value, the solver with the most matching labels in matchLabels
                              will be selected. If neither has more matches, the solver
                              defined earlier in the list will be selected.
                            items:
                              type: string
                            type: array
                          dnsZones:
                            description: List of DNSZones that this solver will be
                              used to solve. The most specific DNS zone match specified
                              here will take precedence over other DNS zone matches,
                              so a solver specifying sys.example.com will be selected
                              over one specifying example.com for the domain www.sys.example.com.
                              If multiple solvers match with the same dnsZones value,
                              the solver with the most matching labels in matchLabels
                              will be selected. If neither has more matches, the solver
                              defined earlier in the list will be selected.
                            items:
                              type: string
                            type: array
                          matchLabels:
                            description: A label selector that is used to refine the
                              set of certificate's that this challenge solver will
                              apply to.
                            type: object
                        type: object
                    type: object
                  type: array
              required:
              - server
              - privateKeySecretRef
              type: object
            ca:
              properties:
                secretName:
                  description: SecretName is the name of the secret used to sign Certificates
                    issued by this Issuer.
                  type: string
              required:
              - secretName
              type: object
            selfSigned:
              type: object
            vault:
              properties:
                auth:
                  description: Vault authentication
                  properties:
                    appRole:
                      description: This Secret contains a AppRole and Secret
                      properties:
                        path:
                          description: Where the authentication path is mounted in
                            Vault.
                          type: string
                        roleId:
                          type: string
                        secretRef:
                          properties:
                            key:
                              description: The key of the secret to select from. Must
                                be a valid secret key.
                              type: string
                            name:
                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                TODO: Add other useful fields. apiVersion, kind, uid?'
                              type: string
                          required:
                          - name
                          type: object
                      required:
                      - path
                      - roleId
                      - secretRef
                      type: object
                    tokenSecretRef:
                      description: This Secret contains the Vault token key
                      properties:
                        key:
                          description: The key of the secret to select from. Must
                            be a valid secret key.
                          type: string
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                      required:
                      - name
                      type: object
                  type: object
                caBundle:
                  description: Base64 encoded CA bundle to validate Vault server certificate.
                    Only used if the Server URL is using HTTPS protocol. This parameter
                    is ignored for plain HTTP protocol connection. If not set the
                    system root certificates are used to validate the TLS connection.
                  format: byte
                  type: string
                path:
                  description: Vault URL path to the certificate role
                  type: string
                server:
                  description: Server is the vault connection address
                  type: string
              required:
              - auth
              - server
              - path
              type: object
            venafi:
              properties:
                cloud:
                  description: Cloud specifies the Venafi cloud configuration settings.
                    Only one of TPP or Cloud may be specified.
                  properties:
                    apiTokenSecretRef:
                      description: APITokenSecretRef is a secret key selector for
                        the Venafi Cloud API token.
                      properties:
                        key:
                          description: The key of the secret to select from. Must
                            be a valid secret key.
                          type: string
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                      required:
                      - name
                      type: object
                    url:
                      description: URL is the base URL for Venafi Cloud
                      type: string
                  required:
                  - url
                  - apiTokenSecretRef
                  type: object
                tpp:
                  description: TPP specifies Trust Protection Platform configuration
                    settings. Only one of TPP or Cloud may be specified.
                  properties:
                    caBundle:
                      description: CABundle is a PEM encoded TLS certifiate to use
                        to verify connections to the TPP instance. If specified, system
                        roots will not be used and the issuing CA for the TPP instance
                        must be verifiable using the provided root. If not specified,
                        the connection will be verified using the cert-manager system
                        root certificates.
                      format: byte
                      type: string
                    credentialsRef:
                      description: CredentialsRef is a reference to a Secret containing
                        the username and password for the TPP server. The secret must
                        contain two keys, 'username' and 'password'.
                      properties:
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                      required:
                      - name
                      type: object
                    url:
                      description: URL is the base URL for the Venafi TPP instance
                      type: string
                  required:
                  - url
                  - credentialsRef
                  type: object
                zone:
                  description: Zone is the Venafi Policy Zone to use for this issuer.
                    All requests made to the Venafi platform will be restricted by
                    the named zone policy. This field is required.
                  type: string
              required:
              - zone
              type: object
          type: object
        status:
          properties:
            acme:
              properties:
                lastRegisteredEmail:
                  description: LastRegisteredEmail is the email associated with the
                    latest registered ACME account, in order to track changes made
                    to registered account associated with the  Issuer
                  type: string
                uri:
                  description: URI is the unique account identifier, which can also
                    be used to retrieve account details from the CA
                  type: string
              type: object
            conditions:
              items:
                properties:
                  lastTransitionTime:
                    description: LastTransitionTime is the timestamp corresponding
                      to the last status change of this condition.
                    format: date-time
                    type: string
                  message:
                    description: Message is a human readable description of the details
                      of the last transition, complementing reason.
                    type: string
                  reason:
                    description: Reason is a brief machine readable explanation for
                      the condition's last transition.
                    type: string
                  status:
                    description: Status of the condition, one of ('True', 'False',
                      'Unknown').
                    enum:
                    - "True"
                    - "False"
                    - Unknown
                    type: string
                  type:
                    description: Type of the condition, currently ('Ready').
                    type: string
                required:
                - type
                - status
                type: object
              type: array
          type: object
  version: v1alpha1
 status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
--- a/templates/cert-manager-crd-issuers-0.9.0.yaml
+++ b/templates/cert-manager-crd-issuers-0.9.0.yaml
@ -1,300 +0,0 @@
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  creationTimestamp: null
  labels:
    controller-tools.k8s.io: "1.0"
  name: issuers.certmanager.k8s.io
 spec:
  group: certmanager.k8s.io
  names:
    kind: Issuer
    plural: issuers
  scope: Namespaced
  validation:
    openAPIV3Schema:
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          properties:
            acme:
              properties:
                email:
                  description: Email is the email for this account
                  type: string
                privateKeySecretRef:
                  description: PrivateKey is the name of a secret containing the private
                    key for this user account.
                  properties:
                    key:
                      description: The key of the secret to select from. Must be a
                        valid secret key.
                      type: string
                    name:
                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                        TODO: Add other useful fields. apiVersion, kind, uid?'
                      type: string
                  required:
                  - name
                  type: object
                server:
                  description: Server is the ACME server URL
                  type: string
                skipTLSVerify:
                  description: If true, skip verifying the ACME server TLS certificate
                  type: boolean
                solvers:
                  description: Solvers is a list of challenge solvers that will be
                    used to solve ACME challenges for the matching domains.
                  items:
                    properties:
                      selector:
                        description: Selector selects a set of DNSNames on the Certificate
                          resource that should be solved using this challenge solver.
                        properties:
                          dnsNames:
                            description: List of DNSNames that this solver will be
                              used to solve. If specified and a match is found, a
                              dnsNames selector will take precedence over a dnsZones
                              selector. If multiple solvers match with the same dnsNames
                              value, the solver with the most matching labels in matchLabels
                              will be selected. If neither has more matches, the solver
                              defined earlier in the list will be selected.
                            items:
                              type: string
                            type: array
                          dnsZones:
                            description: List of DNSZones that this solver will be
                              used to solve. The most specific DNS zone match specified
                              here will take precedence over other DNS zone matches,
                              so a solver specifying sys.example.com will be selected
                              over one specifying example.com for the domain www.sys.example.com.
                              If multiple solvers match with the same dnsZones value,
                              the solver with the most matching labels in matchLabels
                              will be selected. If neither has more matches, the solver
                              defined earlier in the list will be selected.
                            items:
                              type: string
                            type: array
                          matchLabels:
                            description: A label selector that is used to refine the
                              set of certificate's that this challenge solver will
                              apply to.
                            type: object
                        type: object
                    type: object
                  type: array
              required:
              - server
              - privateKeySecretRef
              type: object
            ca:
              properties:
                secretName:
                  description: SecretName is the name of the secret used to sign Certificates
                    issued by this Issuer.
                  type: string
              required:
              - secretName
              type: object
            selfSigned:
              type: object
            vault:
              properties:
                auth:
                  description: Vault authentication
                  properties:
                    appRole:
                      description: This Secret contains a AppRole and Secret
                      properties:
                        path:
                          description: Where the authentication path is mounted in
                            Vault.
                          type: string
                        roleId:
                          type: string
                        secretRef:
                          properties:
                            key:
                              description: The key of the secret to select from. Must
                                be a valid secret key.
                              type: string
                            name:
                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                TODO: Add other useful fields. apiVersion, kind, uid?'
                              type: string
                          required:
                          - name
                          type: object
                      required:
                      - path
                      - roleId
                      - secretRef
                      type: object
                    tokenSecretRef:
                      description: This Secret contains the Vault token key
                      properties:
                        key:
                          description: The key of the secret to select from. Must
                            be a valid secret key.
                          type: string
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                      required:
                      - name
                      type: object
                  type: object
                caBundle:
                  description: Base64 encoded CA bundle to validate Vault server certificate.
                    Only used if the Server URL is using HTTPS protocol. This parameter
                    is ignored for plain HTTP protocol connection. If not set the
                    system root certificates are used to validate the TLS connection.
                  format: byte
                  type: string
                path:
                  description: Vault URL path to the certificate role
                  type: string
                server:
                  description: Server is the vault connection address
                  type: string
              required:
              - auth
              - server
              - path
              type: object
            venafi:
              properties:
                cloud:
                  description: Cloud specifies the Venafi cloud configuration settings.
                    Only one of TPP or Cloud may be specified.
                  properties:
                    apiTokenSecretRef:
                      description: APITokenSecretRef is a secret key selector for
                        the Venafi Cloud API token.
                      properties:
                        key:
                          description: The key of the secret to select from. Must
                            be a valid secret key.
                          type: string
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                      required:
                      - name
                      type: object
                    url:
                      description: URL is the base URL for Venafi Cloud
                      type: string
                  required:
                  - url
                  - apiTokenSecretRef
                  type: object
                tpp:
                  description: TPP specifies Trust Protection Platform configuration
                    settings. Only one of TPP or Cloud may be specified.
                  properties:
                    caBundle:
                      description: CABundle is a PEM encoded TLS certifiate to use
                        to verify connections to the TPP instance. If specified, system
                        roots will not be used and the issuing CA for the TPP instance
                        must be verifiable using the provided root. If not specified,
                        the connection will be verified using the cert-manager system
                        root certificates.
                      format: byte
                      type: string
                    credentialsRef:
                      description: CredentialsRef is a reference to a Secret containing
                        the username and password for the TPP server. The secret must
                        contain two keys, 'username' and 'password'.
                      properties:
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                      required:
                      - name
                      type: object
                    url:
                      description: URL is the base URL for the Venafi TPP instance
                      type: string
                  required:
                  - url
                  - credentialsRef
                  type: object
                zone:
                  description: Zone is the Venafi Policy Zone to use for this issuer.
                    All requests made to the Venafi platform will be restricted by
                    the named zone policy. This field is required.
                  type: string
              required:
              - zone
              type: object
          type: object
        status:
          properties:
            acme:
              properties:
                lastRegisteredEmail:
                  description: LastRegisteredEmail is the email associated with the
                    latest registered ACME account, in order to track changes made
                    to registered account associated with the  Issuer
                  type: string
                uri:
                  description: URI is the unique account identifier, which can also
                    be used to retrieve account details from the CA
                  type: string
              type: object
            conditions:
              items:
                properties:
                  lastTransitionTime:
                    description: LastTransitionTime is the timestamp corresponding
                      to the last status change of this condition.
                    format: date-time
                    type: string
                  message:
                    description: Message is a human readable description of the details
                      of the last transition, complementing reason.
                    type: string
                  reason:
                    description: Reason is a brief machine readable explanation for
                      the condition's last transition.
                    type: string
                  status:
                    description: Status of the condition, one of ('True', 'False',
                      'Unknown').
                    enum:
                    - "True"
                    - "False"
                    - Unknown
                    type: string
                  type:
                    description: Type of the condition, currently ('Ready').
                    type: string
                required:
                - type
                - status
                type: object
              type: array
          type: object
  version: v1alpha1
 status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
--- a/templates/cert-manager-crd-orders-0.9.0.yaml
+++ b/templates/cert-manager-crd-orders-0.9.0.yaml
@ -1,273 +0,0 @@
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  creationTimestamp: null
  labels:
    controller-tools.k8s.io: "1.0"
  name: orders.certmanager.k8s.io
 spec:
  additionalPrinterColumns:
  - JSONPath: .status.state
    name: State
    type: string
  - JSONPath: .spec.issuerRef.name
    name: Issuer
    priority: 1
    type: string
  - JSONPath: .status.reason
    name: Reason
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC.
    name: Age
    type: date
  group: certmanager.k8s.io
  names:
    kind: Order
    plural: orders
  scope: Namespaced
  validation:
    openAPIV3Schema:
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          properties:
            commonName:
              description: CommonName is the common name as specified on the DER encoded
                CSR. If CommonName is not specified, the first DNSName specified will
                be used as the CommonName. At least one of CommonName or a DNSNames
                must be set. This field must match the corresponding field on the
                DER encoded CSR.
              type: string
            config:
              description: 'Config specifies a mapping from DNS identifiers to how
                those identifiers should be solved when performing ACME challenges.
                A config entry must exist for each domain listed in DNSNames and CommonName.
                Only **one** of ''config'' or ''solvers'' may be specified, and if
                both are specified then no action will be performed on the Order resource.  This
                field will be removed when support for solver config specified on
                the Certificate under certificate.spec.acme has been removed. DEPRECATED:
                this field will be removed in future. Solver configuration must instead
                be provided on ACME Issuer resources.'
              items:
                properties:
                  domains:
                    description: Domains is the list of domains that this SolverConfig
                      applies to.
                    items:
                      type: string
                    type: array
                required:
                - domains
                type: object
              type: array
            csr:
              description: Certificate signing request bytes in DER encoding. This
                will be used when finalizing the order. This field must be set on
                the order.
              format: byte
              type: string
            dnsNames:
              description: DNSNames is a list of DNS names that should be included
                as part of the Order validation process. If CommonName is not specified,
                the first DNSName specified will be used as the CommonName. At least
                one of CommonName or a DNSNames must be set. This field must match
                the corresponding field on the DER encoded CSR.
              items:
                type: string
              type: array
            issuerRef:
              description: IssuerRef references a properly configured ACME-type Issuer
                which should be used to create this Order. If the Issuer does not
                exist, processing will be retried. If the Issuer is not an 'ACME'
                Issuer, an error will be returned and the Order will be marked as
                failed.
              properties:
                group:
                  type: string
                kind:
                  type: string
                name:
                  type: string
              required:
              - name
              type: object
          required:
          - csr
          - issuerRef
          type: object
        status:
          properties:
            certificate:
              description: Certificate is a copy of the PEM encoded certificate for
                this Order. This field will be populated after the order has been
                successfully finalized with the ACME server, and the order has transitioned
                to the 'valid' state.
              format: byte
              type: string
            challenges:
              description: Challenges is a list of ChallengeSpecs for Challenges that
                must be created in order to complete this Order.
              items:
                properties:
                  authzURL:
                    description: AuthzURL is the URL to the ACME Authorization resource
                      that this challenge is a part of.
                    type: string
                  config:
                    description: 'Config specifies the solver configuration for this
                      challenge. Only **one** of ''config'' or ''solver'' may be specified,
                      and if both are specified then no action will be performed on
                      the Challenge resource. DEPRECATED: the ''solver'' field should
                      be specified instead'
                    type: object
                  dnsName:
                    description: DNSName is the identifier that this challenge is
                      for, e.g. example.com.
                    type: string
                  issuerRef:
                    description: IssuerRef references a properly configured ACME-type
                      Issuer which should be used to create this Challenge. If the
                      Issuer does not exist, processing will be retried. If the Issuer
                      is not an 'ACME' Issuer, an error will be returned and the Challenge
                      will be marked as failed.
                    properties:
                      group:
                        type: string
                      kind:
                        type: string
                      name:
                        type: string
                    required:
                    - name
                    type: object
                  key:
                    description: Key is the ACME challenge key for this challenge
                    type: string
                  solver:
                    description: Solver contains the domain solving configuration
                      that should be used to solve this challenge resource. Only **one**
                      of 'config' or 'solver' may be specified, and if both are specified
                      then no action will be performed on the Challenge resource.
                    properties:
                      selector:
                        description: Selector selects a set of DNSNames on the Certificate
                          resource that should be solved using this challenge solver.
                        properties:
                          dnsNames:
                            description: List of DNSNames that this solver will be
                              used to solve. If specified and a match is found, a
                              dnsNames selector will take precedence over a dnsZones
                              selector. If multiple solvers match with the same dnsNames
                              value, the solver with the most matching labels in matchLabels
                              will be selected. If neither has more matches, the solver
                              defined earlier in the list will be selected.
                            items:
                              type: string
                            type: array
                          dnsZones:
                            description: List of DNSZones that this solver will be
                              used to solve. The most specific DNS zone match specified
                              here will take precedence over other DNS zone matches,
                              so a solver specifying sys.example.com will be selected
                              over one specifying example.com for the domain www.sys.example.com.
                              If multiple solvers match with the same dnsZones value,
                              the solver with the most matching labels in matchLabels
                              will be selected. If neither has more matches, the solver
                              defined earlier in the list will be selected.
                            items:
                              type: string
                            type: array
                          matchLabels:
                            description: A label selector that is used to refine the
                              set of certificate's that this challenge solver will
                              apply to.
                            type: object
                        type: object
                    type: object
                  token:
                    description: Token is the ACME challenge token for this challenge.
                    type: string
                  type:
                    description: Type is the type of ACME challenge this resource
                      represents, e.g. "dns01" or "http01"
                    type: string
                  url:
                    description: URL is the URL of the ACME Challenge resource for
                      this challenge. This can be used to lookup details about the
                      status of this challenge.
                    type: string
                  wildcard:
                    description: Wildcard will be true if this challenge is for a
                      wildcard identifier, for example '*.example.com'
                    type: boolean
                required:
                - authzURL
                - type
                - url
                - dnsName
                - token
                - key
                - wildcard
                - issuerRef
                type: object
              type: array
            failureTime:
              description: FailureTime stores the time that this order failed. This
                is used to influence garbage collection and back-off.
              format: date-time
              type: string
            finalizeURL:
              description: FinalizeURL of the Order. This is used to obtain certificates
                for this order once it has been completed.
              type: string
            reason:
              description: Reason optionally provides more information about a why
                the order is in the current state.
              type: string
            state:
              description: State contains the current state of this Order resource.
                States 'success' and 'expired' are 'final'
              enum:
              - ""
              - valid
              - ready
              - pending
              - processing
              - invalid
              - expired
              - errored
              type: string
            url:
              description: URL of the Order. This will initially be empty when the
                resource is first created. The Order controller will populate this
                field when the Order is first processed. This field will be immutable
                after it is initially set.
              type: string
          type: object
      required:
      - metadata
      - spec
      - status
  version: v1alpha1
 status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
--- a/templates/cert-manager-issuer-webhookca-0.9.0.yaml
+++ b/templates/cert-manager-issuer-webhookca-0.9.0.yaml
@ -1,15 +0,0 @@
 # Create an Issuer that uses the above generated CA certificate to issue certs
 apiVersion: certmanager.k8s.io/v1alpha1
 kind: Issuer
 metadata:
  name: cert-manager-webhook-ca
  namespace: "cert-manager"
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: webhook-v0.9.0
 spec:
  ca:
    secretName: cert-manager-webhook-ca
--- a/templates/cert-manager-issuer-webhookselfsign-0.9.0.yaml
+++ b/templates/cert-manager-issuer-webhookselfsign-0.9.0.yaml
@ -1,15 +0,0 @@
 # Create a selfsigned Issuer, in order to create a root CA certificate for
 # signing webhook serving certificates
 apiVersion: certmanager.k8s.io/v1alpha1
 kind: Issuer
 metadata:
  name: cert-manager-webhook-selfsign
  namespace: "cert-manager"
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: webhook-v0.9.0
 spec:
  selfSigned: {}
--- a/templates/cert-manager-validatewebhook-0.9.0.yaml
+++ b/templates/cert-manager-validatewebhook-0.9.0.yaml
@ -1,96 +0,0 @@
 # Source: cert-manager/charts/webhook/templates/validating-webhook.yaml
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: ValidatingWebhookConfiguration
 metadata:
  name: cert-manager-webhook
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: webhook-v0.9.0
  annotations:
    certmanager.k8s.io/inject-apiserver-ca: "true"
 webhooks:
  - name: certificates.admission.certmanager.k8s.io
    namespaceSelector:
      matchExpressions:
      - key: "certmanager.k8s.io/disable-validation"
        operator: "NotIn"
        values:
        - "true"
      - key: "name"
        operator: "NotIn"
        values:
        - cert-manager
    rules:
      - apiGroups:
          - "certmanager.k8s.io"
        apiVersions:
          - v1alpha1
        operations:
          - CREATE
          - UPDATE
        resources:
          - certificates
    failurePolicy: Fail
    clientConfig:
      service:
        name: kubernetes
        namespace: default
        path: /apis/admission.certmanager.k8s.io/v1beta1/certificates
  - name: issuers.admission.certmanager.k8s.io
    namespaceSelector:
      matchExpressions:
      - key: "certmanager.k8s.io/disable-validation"
        operator: "NotIn"
        values:
        - "true"
      - key: "name"
        operator: "NotIn"
        values:
        - cert-manager
    rules:
      - apiGroups:
          - "certmanager.k8s.io"
        apiVersions:
          - v1alpha1
        operations:
          - CREATE
          - UPDATE
        resources:
          - issuers
    failurePolicy: Fail
    clientConfig:
      service:
        name: kubernetes
        namespace: default
        path: /apis/admission.certmanager.k8s.io/v1beta1/issuers
  - name: clusterissuers.admission.certmanager.k8s.io
    namespaceSelector:
      matchExpressions:
      - key: "certmanager.k8s.io/disable-validation"
        operator: "NotIn"
        values:
        - "true"
      - key: "name"
        operator: "NotIn"
        values:
        - cert-manager
    rules:
      - apiGroups:
          - "certmanager.k8s.io"
        apiVersions:
          - v1alpha1
        operations:
          - CREATE
          - UPDATE
        resources:
          - clusterissuers
    failurePolicy: Fail
    clientConfig:
      service:
        name: kubernetes
        namespace: default
        path: /apis/admission.certmanager.k8s.io/v1beta1/clusterissuers