diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..e9919b5
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,8 @@
+my_context: flamykubekube
+ingress_domain: "local.dataminem.net"
+#ingress_whitelist:
+# - 10.96.0.0/12
+# - 10.244.0.0/16
+# - 192.168.140.0/24
+
+certmanager_version: 0.9.0
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..7b51d9e
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,7 @@
+galaxy_info:
+ author: Adrien Reslinger
+ description: Install cert manager to a cluster
+ company: Flaminem
+ min_ansible_version: 2.6
+ galaxy_tags: []
+
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..2a0e656
--- /dev/null
+++ b/tasks/main.yml
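Review bot: `my_context: flamykubekube` bakes a site-specific kubeconfig context into the role defaults, and the role applies cluster-wide objects (CRDs, ClusterRoles, ClusterRoleBindings) to whatever that context resolves to, so a play that forgets to override the variable silently modifies that cluster instead of failing. Prefer leaving it unset in defaults and documenting it as required, e.g. replace the line with `# my_context: <kubeconfig context to install into>  (required, set per play)`, so the `{{ my_context }}` reference in tasks fails fast on an undefined variable. `ingress_domain` and the commented-out `ingress_whitelist` are not referenced anywhere in this commit's tasks; if they are placeholders for later work, a comment saying so would stop them being read as live configuration. `certmanager_version: 0.9.0` is safe unquoted (three dotted components do not parse as a YAML float), but writing it as `"0.9.0"` matches the quoting of `ingress_domain` and protects a future two-component value such as `0.10` from becoming the float `0.1`.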
@@ -0,0 +1,64 @@ +- name: Print the kubectl context + debug: + var: my_context + tags: certmanager + +- name: Cert Manager setup + block: +# - name: namespace +# k8s: +# context: "{{ my_context }}" +# state: present +# name: cert-manager +# api_version: v1 +# kind: Namespace +# tags: certmanager + + - name: Cert Manager files + k8s: + state: present + context: "{{ my_context }}" + resource_definition: "{{ lookup('template', item) | from_yaml }}" + with_items: + - "cert-manager-crd-crt-{{ certmanager_version }}.yaml" + - "cert-manager-crd-crtreq-{{ certmanager_version }}.yaml" + - "cert-manager-crd-challenges-{{ certmanager_version }}.yaml" + - "cert-manager-crd-clusterissuers-{{ certmanager_version }}.yaml" + - "cert-manager-crd-issuers-{{ certmanager_version }}.yaml" + - "cert-manager-crd-orders-{{ certmanager_version }}.yaml" + - "cert-manager-ns-{{ certmanager_version }}.yaml" + - "cert-manager-sa-cainjector-{{ certmanager_version }}.yaml" + - "cert-manager-sa-webhook-{{ certmanager_version }}.yaml" + - "cert-manager-sa-certmanager-{{ certmanager_version }}.yaml" + - "cert-manager-cr-cainjector-{{ certmanager_version }}.yaml" + - "cert-manager-crb-cainjector-{{ certmanager_version }}.yaml" + - "cert-manager-cr-certmanager-leaderelection-{{ certmanager_version }}.yaml" + - "cert-manager-cr-certmanager-controlerissuers-{{ certmanager_version }}.yaml" + - "cert-manager-cr-certmanager-controlerclusterissuers-{{ certmanager_version }}.yaml" + - "cert-manager-cr-certmanager-certificates-{{ certmanager_version }}.yaml" + - "cert-manager-cr-certmanager-orders-{{ certmanager_version }}.yaml" + - "cert-manager-cr-certmanager-challenges-{{ certmanager_version }}.yaml" + - "cert-manager-cr-certmanager-ingressshim-{{ certmanager_version }}.yaml" + - "cert-manager-crb-certmanager-leaderelection-{{ certmanager_version }}.yaml" + - "cert-manager-crb-certmanager-controlerissuers-{{ certmanager_version }}.yaml" + - "cert-manager-crb-certmanager-controlerclusterissuers-{{ 
certmanager_version }}.yaml" + - "cert-manager-crb-certmanager-certificates-{{ certmanager_version }}.yaml" + - "cert-manager-crb-certmanager-orders-{{ certmanager_version }}.yaml" + - "cert-manager-crb-certmanager-challenges-{{ certmanager_version }}.yaml" + - "cert-manager-crb-certmanager-ingressshim-{{ certmanager_version }}.yaml" + - "cert-manager-cr-certmanager-view-{{ certmanager_version }}.yaml" + - "cert-manager-cr-certmanager-edit-{{ certmanager_version }}.yaml" + - "cert-manager-crb-certmanager-webhook-{{ certmanager_version }}.yaml" + - "cert-manager-rb-certmanager-webhook-{{ certmanager_version }}.yaml" + - "cert-manager-cr-certmanager-webhook-{{ certmanager_version }}.yaml" + - "cert-manager-svc-webhook-{{ certmanager_version }}.yaml" + - "cert-manager-dp-cainjector-{{ certmanager_version }}.yaml" + - "cert-manager-dp-webhook-{{ certmanager_version }}.yaml" + - "cert-manager-dp-{{ certmanager_version }}.yaml" + - "cert-manager-apiservice-{{ certmanager_version }}.yaml" + - "cert-manager-issuer-webhookselfsign-{{ certmanager_version }}.yaml" + - "cert-manager-certificat-webhookca-{{ certmanager_version }}.yaml" + - "cert-manager-issuer-webhookca-{{ certmanager_version }}.yaml" + - "cert-manager-certificat-webhook-{{ certmanager_version }}.yaml" + - "cert-manager-validatewebhook-{{ certmanager_version }}.yaml" + tags: certmanager diff --git a/templates/cert-manager-apiservice-0.9.0.yaml b/templates/cert-manager-apiservice-0.9.0.yaml new file mode 100644 index 0000000..9b447c3 --- /dev/null +++ b/templates/cert-manager-apiservice-0.9.0.yaml 
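Review bot: The single `k8s` loop applies the CRDs, the webhook Deployment/APIService and then Issuer and Certificate objects of the just-created `certmanager.k8s.io/v1alpha1` group in one pass with no readiness wait, so the trailing items can fail with "no matches for kind" if the CRDs are not yet established, or fail admission if the webhook is not yet serving. The `k8s` module has a `wait` option (Ansible 2.8+; `meta/main.yml` in this commit declares `min_ansible_version: 2.6`, which would need raising), so the minimal change is adding `wait: true` and `wait_timeout: 300` to the task; the more robust shape is two tasks, one for the CRD/namespace/RBAC items and a second, after the deployments report ready, for the issuer, certificate and validating-webhook items. The commented-out `namespace` task at the top of the block can be dropped, since `cert-manager-ns-{{ certmanager_version }}.yaml` now creates the namespace. Note that `certmanager_version` only selects template filenames here, so changing it without adding the matching templates fails at `lookup('template', ...)` rather than installing a different version; a comment on the variable in defaults making that explicit would help.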
@@ -0,0 +1,21 @@ +# Source: cert-manager/charts/webhook/templates/apiservice.yaml +apiVersion: apiregistration.k8s.io/v1beta1 +kind: APIService +metadata: + name: v1beta1.admission.certmanager.k8s.io + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: webhook-v0.9.0 + annotations: + certmanager.k8s.io/inject-ca-from: "cert-manager/cert-manager-webhook-webhook-tls" +spec: + group: admission.certmanager.k8s.io + groupPriorityMinimum: 1000 + versionPriority: 15 + service: + name: cert-manager-webhook + namespace: "cert-manager" + version: v1beta1 diff --git a/templates/cert-manager-certificat-webhook-0.9.0.yaml b/templates/cert-manager-certificat-webhook-0.9.0.yaml new file mode 100644 index 0000000..1d532fe --- /dev/null +++ b/templates/cert-manager-certificat-webhook-0.9.0.yaml @@ -0,0 +1,21 @@ +# Finally, generate a serving certificate for the webhook to use +apiVersion: certmanager.k8s.io/v1alpha1 +kind: Certificate +metadata: + name: cert-manager-webhook-webhook-tls + namespace: "cert-manager" + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: webhook-v0.9.0 +spec: + secretName: cert-manager-webhook-webhook-tls + duration: 8760h # 1y + issuerRef: + name: cert-manager-webhook-ca + dnsNames: + - cert-manager-webhook + - cert-manager-webhook.cert-manager + - cert-manager-webhook.cert-manager.svc diff --git a/templates/cert-manager-certificat-webhookca-0.9.0.yaml b/templates/cert-manager-certificat-webhookca-0.9.0.yaml new file mode 100644 index 0000000..3ddea57 --- /dev/null +++ b/templates/cert-manager-certificat-webhookca-0.9.0.yaml 
@@ -0,0 +1,19 @@ +# Generate a CA Certificate used to sign certificates for the webhook +apiVersion: certmanager.k8s.io/v1alpha1 +kind: Certificate +metadata: + name: cert-manager-webhook-ca + namespace: "cert-manager" + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: webhook-v0.9.0 +spec: + secretName: cert-manager-webhook-ca + duration: 43800h # 5y + issuerRef: + name: cert-manager-webhook-selfsign + commonName: "ca.webhook.cert-manager" + isCA: true diff --git a/templates/cert-manager-cr-cainjector-0.9.0.yaml b/templates/cert-manager-cr-cainjector-0.9.0.yaml new file mode 100644 index 0000000..7b29f64 --- /dev/null +++ b/templates/cert-manager-cr-cainjector-0.9.0.yaml @@ -0,0 +1,30 @@ +# Source: cert-manager/charts/cainjector/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: cert-manager-cainjector + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cainjector-v0.9.0 +rules: + - apiGroups: ["certmanager.k8s.io"] + resources: ["certificates"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["configmaps", "events"] + verbs: ["get", "create", "update", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["apiregistration.k8s.io"] + resources: ["apiservices"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch", "update"] 
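Review bot: This ClusterRole uses `apiVersion: rbac.authorization.k8s.io/v1beta1` while `cert-manager-cr-certmanager-edit`, `-view` and `-webhook` in the same commit use `rbac.authorization.k8s.io/v1`; RBAC `v1` has been GA since Kubernetes 1.8 and `v1beta1` is no longer served as of 1.22, so the `k8s` module will start rejecting these manifests on current clusters. Change the line to `apiVersion: rbac.authorization.k8s.io/v1` here and in the other `v1beta1` ClusterRole and ClusterRoleBinding templates of this commit (certificates, challenges, controlerclusterissuers, controlerissuers, ingressshim, leaderelection, orders and all `cert-manager-crb-*` files); the object schema is identical. The `apiregistration.k8s.io/v1beta1` APIService has the same problem (`v1` since 1.10, `v1beta1` removed in 1.22). Since these are Helm-rendered upstream manifests (`managed-by: Tiller`, `# Source:` headers), recording the chart and version they were rendered from in a comment would make the next refresh a mechanical re-render instead of a hand edit.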
diff --git a/templates/cert-manager-cr-certmanager-certificates-0.9.0.yaml b/templates/cert-manager-cr-certmanager-certificates-0.9.0.yaml new file mode 100644 index 0000000..17d1806 --- /dev/null +++ b/templates/cert-manager-cr-certmanager-certificates-0.9.0.yaml @@ -0,0 +1,33 @@ +# Certificates controller role +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: cert-manager-controller-certificates + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.0 +rules: + - apiGroups: ["certmanager.k8s.io"] + resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"] + verbs: ["update"] + - apiGroups: ["certmanager.k8s.io"] + resources: ["certificates", "certificaterequests", "clusterissuers", "issuers", "orders"] + verbs: ["get", "list", "watch"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["certmanager.k8s.io"] + resources: ["certificates/finalizers"] + verbs: ["update"] + - apiGroups: ["certmanager.k8s.io"] + resources: ["orders"] + verbs: ["create", "delete"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] diff --git a/templates/cert-manager-cr-certmanager-challenges-0.9.0.yaml b/templates/cert-manager-cr-certmanager-challenges-0.9.0.yaml new file mode 100644 index 0000000..f9a1c29 --- /dev/null +++ b/templates/cert-manager-cr-certmanager-challenges-0.9.0.yaml 
@@ -0,0 +1,45 @@ +# Challenges controller role +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: cert-manager-controller-challenges + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.0 +rules: + # Use to update challenge resource status + - apiGroups: ["certmanager.k8s.io"] + resources: ["challenges", "challenges/status"] + verbs: ["update"] + # Used to watch challenges, issuer and clusterissuer resources + - apiGroups: ["certmanager.k8s.io"] + resources: ["challenges", "issuers", "clusterissuers"] + verbs: ["get", "list", "watch"] + # Need to be able to retrieve ACME account private key to complete challenges + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + # Used to create events + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + # HTTP01 rules + - apiGroups: [""] + resources: ["pods", "services"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["extensions"] + resources: ["ingresses"] + verbs: ["get", "list", "watch", "create", "delete", "update"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["certmanager.k8s.io"] + resources: ["challenges/finalizers"] + verbs: ["update"] + # DNS01 rules (duplicated above) + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] diff --git a/templates/cert-manager-cr-certmanager-controlerclusterissuers-0.9.0.yaml b/templates/cert-manager-cr-certmanager-controlerclusterissuers-0.9.0.yaml new file mode 100644 index 0000000..7d33ad1 --- /dev/null +++ b/templates/cert-manager-cr-certmanager-controlerclusterissuers-0.9.0.yaml 
@@ -0,0 +1,24 @@ +# ClusterIssuer controller role +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: cert-manager-controller-clusterissuers + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.0 +rules: + - apiGroups: ["certmanager.k8s.io"] + resources: ["clusterissuers", "clusterissuers/status"] + verbs: ["update"] + - apiGroups: ["certmanager.k8s.io"] + resources: ["clusterissuers"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] diff --git a/templates/cert-manager-cr-certmanager-controlerissuers-0.9.0.yaml b/templates/cert-manager-cr-certmanager-controlerissuers-0.9.0.yaml new file mode 100644 index 0000000..e983517 --- /dev/null +++ b/templates/cert-manager-cr-certmanager-controlerissuers-0.9.0.yaml @@ -0,0 +1,24 @@ +# Issuer controller role +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: cert-manager-controller-issuers + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.0 +rules: + - apiGroups: ["certmanager.k8s.io"] + resources: ["issuers", "issuers/status"] + verbs: ["update"] + - apiGroups: ["certmanager.k8s.io"] + resources: ["issuers"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] diff --git a/templates/cert-manager-cr-certmanager-edit-0.9.0.yaml b/templates/cert-manager-cr-certmanager-edit-0.9.0.yaml new file mode 100644 index 0000000..7c7a10e --- /dev/null 
+++ b/templates/cert-manager-cr-certmanager-edit-0.9.0.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cert-manager-edit + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.0 + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["certmanager.k8s.io"] + resources: ["certificates", "certificaterequests", "issuers"] + verbs: ["create", "delete", "deletecollection", "patch", "update"] diff --git a/templates/cert-manager-cr-certmanager-ingressshim-0.9.0.yaml b/templates/cert-manager-cr-certmanager-ingressshim-0.9.0.yaml new file mode 100644 index 0000000..3f5b35f --- /dev/null +++ b/templates/cert-manager-cr-certmanager-ingressshim-0.9.0.yaml 
@@ -0,0 +1,30 @@ +# ingress-shim controller role +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: cert-manager-controller-ingress-shim + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.0 +rules: + - apiGroups: ["certmanager.k8s.io"] + resources: ["certificates", "certificaterequests"] + verbs: ["create", "update", "delete"] + - apiGroups: ["certmanager.k8s.io"] + resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["extensions"] + resources: ["ingresses/finalizers"] + verbs: ["update"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] diff --git a/templates/cert-manager-cr-certmanager-leaderelection-0.9.0.yaml b/templates/cert-manager-cr-certmanager-leaderelection-0.9.0.yaml new file mode 100644 index 0000000..2663c5d --- /dev/null +++ b/templates/cert-manager-cr-certmanager-leaderelection-0.9.0.yaml @@ -0,0 +1,16 @@ +# Source: cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: cert-manager-leaderelection + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.0 +rules: + # Used for leader election by the controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "create", "update", "patch"] 
diff --git a/templates/cert-manager-cr-certmanager-orders-0.9.0.yaml b/templates/cert-manager-cr-certmanager-orders-0.9.0.yaml new file mode 100644 index 0000000..884a426 --- /dev/null +++ b/templates/cert-manager-cr-certmanager-orders-0.9.0.yaml @@ -0,0 +1,33 @@ +# Orders controller role +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: cert-manager-controller-orders + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.0 +rules: + - apiGroups: ["certmanager.k8s.io"] + resources: ["orders", "orders/status"] + verbs: ["update"] + - apiGroups: ["certmanager.k8s.io"] + resources: ["orders", "clusterissuers", "issuers", "challenges"] + verbs: ["get", "list", "watch"] + - apiGroups: ["certmanager.k8s.io"] + resources: ["challenges"] + verbs: ["create", "delete"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["certmanager.k8s.io"] + resources: ["orders/finalizers"] + verbs: ["update"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] diff --git a/templates/cert-manager-cr-certmanager-view-0.9.0.yaml b/templates/cert-manager-cr-certmanager-view-0.9.0.yaml new file mode 100644 index 0000000..5761331 --- /dev/null +++ b/templates/cert-manager-cr-certmanager-view-0.9.0.yaml 
@@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cert-manager-view + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.0 + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["certmanager.k8s.io"] + resources: ["certificates", "certificaterequests", "issuers"] + verbs: ["get", "list", "watch"] diff --git a/templates/cert-manager-cr-certmanager-webhook-0.9.0.yaml b/templates/cert-manager-cr-certmanager-webhook-0.9.0.yaml new file mode 100644 index 0000000..97046fa --- /dev/null +++ b/templates/cert-manager-cr-certmanager-webhook-0.9.0.yaml @@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cert-manager-webhook:webhook-requester + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: webhook-v0.9.0 +rules: +- apiGroups: + - admission.certmanager.k8s.io + resources: + - certificates + - certificaterequests + - issuers + - clusterissuers + verbs: + - create diff --git a/templates/cert-manager-crb-cainjector-0.9.0.yaml b/templates/cert-manager-crb-cainjector-0.9.0.yaml new file mode 100644 index 0000000..48525c4 --- /dev/null +++ b/templates/cert-manager-crb-cainjector-0.9.0.yaml 
@@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-cainjector + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cainjector-v0.9.0 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-cainjector +subjects: + - name: cert-manager-cainjector + namespace: "cert-manager" + kind: ServiceAccount diff --git a/templates/cert-manager-crb-certmanager-certificates-0.9.0.yaml b/templates/cert-manager-crb-certmanager-certificates-0.9.0.yaml new file mode 100644 index 0000000..9dd4369 --- /dev/null +++ b/templates/cert-manager-crb-certmanager-certificates-0.9.0.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-controller-certificates + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.0 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-controller-certificates +subjects: + - name: cert-manager + namespace: "cert-manager" + kind: ServiceAccount diff --git a/templates/cert-manager-crb-certmanager-challenges-0.9.0.yaml b/templates/cert-manager-crb-certmanager-challenges-0.9.0.yaml new file mode 100644 index 0000000..d9c8dc8 --- /dev/null +++ b/templates/cert-manager-crb-certmanager-challenges-0.9.0.yaml 
@@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-controller-challenges + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.0 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-controller-challenges +subjects: + - name: cert-manager + namespace: "cert-manager" + kind: ServiceAccount diff --git a/templates/cert-manager-crb-certmanager-controlerclusterissuers-0.9.0.yaml b/templates/cert-manager-crb-certmanager-controlerclusterissuers-0.9.0.yaml new file mode 100644 index 0000000..87857f6 --- /dev/null +++ b/templates/cert-manager-crb-certmanager-controlerclusterissuers-0.9.0.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-controller-clusterissuers + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.0 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-controller-clusterissuers +subjects: + - name: cert-manager + namespace: "cert-manager" + kind: ServiceAccount diff --git a/templates/cert-manager-crb-certmanager-controlerissuers-0.9.0.yaml b/templates/cert-manager-crb-certmanager-controlerissuers-0.9.0.yaml new file mode 100644 index 0000000..601615d --- /dev/null +++ b/templates/cert-manager-crb-certmanager-controlerissuers-0.9.0.yaml 
@@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-controller-issuers + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.0 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-controller-issuers +subjects: + - name: cert-manager + namespace: "cert-manager" + kind: ServiceAccount diff --git a/templates/cert-manager-crb-certmanager-ingressshim-0.9.0.yaml b/templates/cert-manager-crb-certmanager-ingressshim-0.9.0.yaml new file mode 100644 index 0000000..a07350a --- /dev/null +++ b/templates/cert-manager-crb-certmanager-ingressshim-0.9.0.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-controller-ingress-shim + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.0 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-controller-ingress-shim +subjects: + - name: cert-manager + namespace: "cert-manager" + kind: ServiceAccount diff --git a/templates/cert-manager-crb-certmanager-leaderelection-0.9.0.yaml b/templates/cert-manager-crb-certmanager-leaderelection-0.9.0.yaml new file mode 100644 index 0000000..49fa3c7 --- /dev/null +++ b/templates/cert-manager-crb-certmanager-leaderelection-0.9.0.yaml 
@@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-leaderelection + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.0 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-leaderelection +subjects: + - name: cert-manager + namespace: "cert-manager" + kind: ServiceAccount diff --git a/templates/cert-manager-crb-certmanager-orders-0.9.0.yaml b/templates/cert-manager-crb-certmanager-orders-0.9.0.yaml new file mode 100644 index 0000000..7aacf12 --- /dev/null +++ b/templates/cert-manager-crb-certmanager-orders-0.9.0.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-controller-orders + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: cert-manager-v0.9.0 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-controller-orders +subjects: + - name: cert-manager + namespace: "cert-manager" + kind: ServiceAccount diff --git a/templates/cert-manager-crb-certmanager-webhook-0.9.0.yaml b/templates/cert-manager-crb-certmanager-webhook-0.9.0.yaml new file mode 100644 index 0000000..274667f --- /dev/null +++ b/templates/cert-manager-crb-certmanager-webhook-0.9.0.yaml 
@@ -0,0 +1,21 @@ +# apiserver gets the auth-delegator role to delegate auth decisions to +# the core apiserver +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-webhook:auth-delegator + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Tiller + helm.sh/chart: webhook-v0.9.0 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- apiGroup: "" + kind: ServiceAccount + name: cert-manager-webhook + namespace: cert-manager diff --git a/templates/cert-manager-crd-challenges-0.9.0.yaml b/templates/cert-manager-crd-challenges-0.9.0.yaml new file mode 100644 index 0000000..a167a1b --- /dev/null +++ b/templates/cert-manager-crd-challenges-0.9.0.yaml 
@@ -0,0 +1,197 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + controller-tools.k8s.io: "1.0" + name: challenges.certmanager.k8s.io +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.dnsName + name: Domain + type: string + - JSONPath: .status.reason + name: Reason + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: certmanager.k8s.io + names: + kind: Challenge + plural: challenges + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + authzURL: + description: AuthzURL is the URL to the ACME Authorization resource + that this challenge is a part of. + type: string + config: + description: 'Config specifies the solver configuration for this challenge. + Only **one** of ''config'' or ''solver'' may be specified, and if + both are specified then no action will be performed on the Challenge + resource. 
DEPRECATED: the ''solver'' field should be specified instead' + type: object + dnsName: + description: DNSName is the identifier that this challenge is for, e.g. + example.com. + type: string + issuerRef: + description: IssuerRef references a properly configured ACME-type Issuer + which should be used to create this Challenge. If the Issuer does + not exist, processing will be retried. If the Issuer is not an 'ACME' + Issuer, an error will be returned and the Challenge will be marked + as failed. + properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + key: + description: Key is the ACME challenge key for this challenge + type: string + solver: + description: Solver contains the domain solving configuration that should + be used to solve this challenge resource. Only **one** of 'config' + or 'solver' may be specified, and if both are specified then no action + will be performed on the Challenge resource. + properties: + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + properties: + dnsNames: + description: List of DNSNames that this solver will be used + to solve. If specified and a match is found, a dnsNames selector + will take precedence over a dnsZones selector. If multiple + solvers match with the same dnsNames value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier in + the list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will be used + to solve. The most specific DNS zone match specified here + will take precedence over other DNS zone matches, so a solver + specifying sys.example.com will be selected over one specifying + example.com for the domain www.sys.example.com. 
If multiple + solvers match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier in + the list will be selected. + items: + type: string + type: array + matchLabels: + description: A label selector that is used to refine the set + of certificate's that this challenge solver will apply to. + type: object + type: object + type: object + token: + description: Token is the ACME challenge token for this challenge. + type: string + type: + description: Type is the type of ACME challenge this resource represents, + e.g. "dns01" or "http01" + type: string + url: + description: URL is the URL of the ACME Challenge resource for this + challenge. This can be used to lookup details about the status of + this challenge. + type: string + wildcard: + description: Wildcard will be true if this challenge is for a wildcard + identifier, for example '*.example.com' + type: boolean + required: + - authzURL + - type + - url + - dnsName + - token + - key + - wildcard + - issuerRef + type: object + status: + properties: + presented: + description: Presented will be set to true if the challenge values for + this challenge are currently 'presented'. This *does not* imply the + self check is passing. Only that the values have been 'submitted' + for the appropriate challenge mechanism (i.e. the DNS01 TXT record + has been presented, or the HTTP01 configuration has been configured). + type: boolean + processing: + description: Processing is used to denote whether this challenge should + be processed or not. This field will only be set to true by the 'scheduling' + component. It will only be set to false by the 'challenges' controller, + after the challenge has reached a final state or timed out. If this + field is set to false, the challenge controller will not take any + more action. 
+ type: boolean + reason: + description: Reason contains human readable information on why the Challenge + is in the current state. + type: string + state: + description: State contains the current 'state' of the challenge. If + not set, the state of the challenge is unknown. + enum: + - "" + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + required: + - processing + - presented + - reason + type: object + required: + - metadata + - spec + - status + version: v1alpha1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/templates/cert-manager-crd-clusterissuers-0.9.0.yaml b/templates/cert-manager-crd-clusterissuers-0.9.0.yaml new file mode 100644 index 0000000..13687ed --- /dev/null +++ b/templates/cert-manager-crd-clusterissuers-0.9.0.yaml 
@@ -0,0 +1,300 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + controller-tools.k8s.io: "1.0" + name: clusterissuers.certmanager.k8s.io +spec: + group: certmanager.k8s.io + names: + kind: ClusterIssuer + plural: clusterissuers + scope: Cluster + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + acme: + properties: + email: + description: Email is the email for this account + type: string + privateKeySecretRef: + description: PrivateKey is the name of a secret containing the private + key for this user account. + properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + server: + description: Server is the ACME server URL + type: string + skipTLSVerify: + description: If true, skip verifying the ACME server TLS certificate + type: boolean + solvers: + description: Solvers is a list of challenge solvers that will be + used to solve ACME challenges for the matching domains. 
+ items: + properties: + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + properties: + dnsNames: + description: List of DNSNames that this solver will be + used to solve. If specified and a match is found, a + dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same dnsNames + value, the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will be + used to solve. The most specific DNS zone match specified + here will take precedence over other DNS zone matches, + so a solver specifying sys.example.com will be selected + over one specifying example.com for the domain www.sys.example.com. + If multiple solvers match with the same dnsZones value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + matchLabels: + description: A label selector that is used to refine the + set of certificate's that this challenge solver will + apply to. + type: object + type: object + type: object + type: array + required: + - server + - privateKeySecretRef + type: object + ca: + properties: + secretName: + description: SecretName is the name of the secret used to sign Certificates + issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + type: object + vault: + properties: + auth: + description: Vault authentication + properties: + appRole: + description: This Secret contains a AppRole and Secret + properties: + path: + description: Where the authentication path is mounted in + Vault. 
+ type: string + roleId: + type: string + secretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + tokenSecretRef: + description: This Secret contains the Vault token key + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + type: object + caBundle: + description: Base64 encoded CA bundle to validate Vault server certificate. + Only used if the Server URL is using HTTPS protocol. This parameter + is ignored for plain HTTP protocol connection. If not set the + system root certificates are used to validate the TLS connection. + format: byte + type: string + path: + description: Vault URL path to the certificate role + type: string + server: + description: Server is the vault connection address + type: string + required: + - auth + - server + - path + type: object + venafi: + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + url: + description: URL is the base URL for Venafi Cloud + type: string + required: + - url + - apiTokenSecretRef + type: object + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + properties: + caBundle: + description: CABundle is a PEM encoded TLS certifiate to use + to verify connections to the TPP instance. If specified, system + roots will not be used and the issuing CA for the TPP instance + must be verifiable using the provided root. If not specified, + the connection will be verified using the cert-manager system + root certificates. + format: byte + type: string + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret must + contain two keys, 'username' and 'password'. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + url: + description: URL is the base URL for the Venafi TPP instance + type: string + required: + - url + - credentialsRef + type: object + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted by + the named zone policy. This field is required. 
+ type: string + required: + - zone + type: object + type: object + status: + properties: + acme: + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with the + latest registered ACME account, in order to track changes made + to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + items: + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). + type: string + required: + - type + - status + type: object + type: array + type: object + version: v1alpha1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/templates/cert-manager-crd-crt-0.9.0.yaml b/templates/cert-manager-crd-crt-0.9.0.yaml new file mode 100644 index 0000000..4d37beb --- /dev/null +++ b/templates/cert-manager-crd-crt-0.9.0.yaml 
@@ -0,0 +1,214 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + controller-tools.k8s.io: "1.0" + name: certificates.certmanager.k8s.io +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - JSONPath: .spec.secretName + name: Secret + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - JSONPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: certmanager.k8s.io + names: + kind: Certificate + plural: certificates + shortNames: + - cert + - certs + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + acme: + description: ACME contains configuration specific to ACME Certificates. + Notably, this contains details on how the domain names listed on this + Certificate resource should be 'solved', i.e. 
mapping HTTP01 and DNS01 + providers to DNS names. + properties: + config: + items: + properties: + domains: + description: Domains is the list of domains that this SolverConfig + applies to. + items: + type: string + type: array + required: + - domains + type: object + type: array + required: + - config + type: object + commonName: + description: CommonName is a common name to be used on the Certificate. + If no CommonName is given, then the first entry in DNSNames is used + as the CommonName. The CommonName should have a length of 64 characters + or fewer to avoid generating invalid CSRs; in order to have longer + domain names, set the CommonName (or first DNSNames entry) to have + 64 characters or fewer, and then add the longer domain name to DNSNames. + type: string + dnsNames: + description: DNSNames is a list of subject alt names to be used on the + Certificate. If no CommonName is given, then the first entry in DNSNames + is used as the CommonName and must have a length of 64 characters + or fewer. + items: + type: string + type: array + duration: + description: Certificate default Duration + type: string + ipAddresses: + description: IPAddresses is a list of IP addresses to be used on the + Certificate + items: + type: string + type: array + isCA: + description: IsCA will mark this Certificate as valid for signing. This + implies that the 'signing' usage is set + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this certificate. + If the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the Certificate will + be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer + with the provided name will be used. The 'name' field in this stanza + is required at all times. 
+ properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + keyAlgorithm: + description: KeyAlgorithm is the private key algorithm of the corresponding + private key for this certificate. If provided, allowed values are + either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize is + not provided, key size of 256 will be used for "ecdsa" key algorithm + and key size of 2048 will be used for "rsa" key algorithm. + enum: + - rsa + - ecdsa + type: string + keyEncoding: + description: KeyEncoding is the private key cryptography standards (PKCS) + for this certificate's private key to be encoded in. If provided, + allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8, + respectively. If KeyEncoding is not specified, then PKCS#1 will be + used by default. + type: string + keySize: + description: KeySize is the key bit size of the corresponding private + key for this certificate. If provided, value must be between 2048 + and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa", + and value must be one of (256, 384, 521) when KeyAlgorithm is set + to "ecdsa". + format: int64 + type: integer + organization: + description: Organization is the organization to be used on the Certificate + items: + type: string + type: array + renewBefore: + description: Certificate renew before expiration duration + type: string + secretName: + description: SecretName is the name of the secret resource to store + this secret in + type: string + required: + - secretName + - issuerRef + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. 
+ type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). + type: string + required: + - type + - status + type: object + type: array + lastFailureTime: + format: date-time + type: string + notAfter: + description: The expiration time of the certificate stored in the secret + named by this resource in spec.secretName. + format: date-time + type: string + type: object + version: v1alpha1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/templates/cert-manager-crd-crtreq-0.9.0.yaml b/templates/cert-manager-crd-crtreq-0.9.0.yaml new file mode 100644 index 0000000..da2236a --- /dev/null +++ b/templates/cert-manager-crd-crtreq-0.9.0.yaml 
@@ -0,0 +1,136 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + controller-tools.k8s.io: "1.0" + name: certificaterequests.certmanager.k8s.io +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - JSONPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: certmanager.k8s.io + names: + kind: CertificateRequest + plural: certificaterequests + shortNames: + - cr + - crs + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + csr: + description: Byte slice containing the PEM encoded CertificateSigningRequest + format: byte + type: string + duration: + description: Requested certificate default Duration + type: string + isCA: + description: IsCA will mark the resulting certificate as valid for signing. + This implies that the 'signing' usage is set + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this CertificateRequest. If + the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the CertificateRequest + will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer + with the provided name will be used. The 'name' field in this stanza + is required at all times. The group field refers to the API group + of the issuer which defaults to 'certmanager.k8s.io' if empty. + properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + required: + - issuerRef + type: object + status: + properties: + ca: + description: Byte slice containing the PEM encoded certificate authority + of the signed certificate. + format: byte + type: string + certificate: + description: Byte slice containing a PEM encoded signed certificate + resulting from the given certificate signing request. + format: byte + type: string + conditions: + items: + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. 
+ type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). + type: string + required: + - type + - status + type: object + type: array + type: object + version: v1alpha1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/templates/cert-manager-crd-issuers-0.9.0.yaml b/templates/cert-manager-crd-issuers-0.9.0.yaml new file mode 100644 index 0000000..331f5f4 --- /dev/null +++ b/templates/cert-manager-crd-issuers-0.9.0.yaml 
@@ -0,0 +1,300 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + controller-tools.k8s.io: "1.0" + name: issuers.certmanager.k8s.io +spec: + group: certmanager.k8s.io + names: + kind: Issuer + plural: issuers + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + acme: + properties: + email: + description: Email is the email for this account + type: string + privateKeySecretRef: + description: PrivateKey is the name of a secret containing the private + key for this user account. + properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + server: + description: Server is the ACME server URL + type: string + skipTLSVerify: + description: If true, skip verifying the ACME server TLS certificate + type: boolean + solvers: + description: Solvers is a list of challenge solvers that will be + used to solve ACME challenges for the matching domains. 
+ items: + properties: + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + properties: + dnsNames: + description: List of DNSNames that this solver will be + used to solve. If specified and a match is found, a + dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same dnsNames + value, the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will be + used to solve. The most specific DNS zone match specified + here will take precedence over other DNS zone matches, + so a solver specifying sys.example.com will be selected + over one specifying example.com for the domain www.sys.example.com. + If multiple solvers match with the same dnsZones value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + matchLabels: + description: A label selector that is used to refine the + set of certificate's that this challenge solver will + apply to. + type: object + type: object + type: object + type: array + required: + - server + - privateKeySecretRef + type: object + ca: + properties: + secretName: + description: SecretName is the name of the secret used to sign Certificates + issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + type: object + vault: + properties: + auth: + description: Vault authentication + properties: + appRole: + description: This Secret contains a AppRole and Secret + properties: + path: + description: Where the authentication path is mounted in + Vault. 
+ type: string + roleId: + type: string + secretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + tokenSecretRef: + description: This Secret contains the Vault token key + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + type: object + caBundle: + description: Base64 encoded CA bundle to validate Vault server certificate. + Only used if the Server URL is using HTTPS protocol. This parameter + is ignored for plain HTTP protocol connection. If not set the + system root certificates are used to validate the TLS connection. + format: byte + type: string + path: + description: Vault URL path to the certificate role + type: string + server: + description: Server is the vault connection address + type: string + required: + - auth + - server + - path + type: object + venafi: + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + url: + description: URL is the base URL for Venafi Cloud + type: string + required: + - url + - apiTokenSecretRef + type: object + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + properties: + caBundle: + description: CABundle is a PEM encoded TLS certifiate to use + to verify connections to the TPP instance. If specified, system + roots will not be used and the issuing CA for the TPP instance + must be verifiable using the provided root. If not specified, + the connection will be verified using the cert-manager system + root certificates. + format: byte + type: string + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret must + contain two keys, 'username' and 'password'. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + url: + description: URL is the base URL for the Venafi TPP instance + type: string + required: + - url + - credentialsRef + type: object + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted by + the named zone policy. This field is required. 
+ type: string + required: + - zone + type: object + type: object + status: + properties: + acme: + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with the + latest registered ACME account, in order to track changes made + to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + items: + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). + type: string + required: + - type + - status + type: object + type: array + type: object + version: v1alpha1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/templates/cert-manager-crd-orders-0.9.0.yaml b/templates/cert-manager-crd-orders-0.9.0.yaml new file mode 100644 index 0000000..6e119e9 --- /dev/null +++ b/templates/cert-manager-crd-orders-0.9.0.yaml 
@@ -0,0 +1,273 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + controller-tools.k8s.io: "1.0" + name: orders.certmanager.k8s.io +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - JSONPath: .status.reason + name: Reason + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: certmanager.k8s.io + names: + kind: Order + plural: orders + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + commonName: + description: CommonName is the common name as specified on the DER encoded + CSR. If CommonName is not specified, the first DNSName specified will + be used as the CommonName. At least one of CommonName or a DNSNames + must be set. This field must match the corresponding field on the + DER encoded CSR. 
+ type: string + config: + description: 'Config specifies a mapping from DNS identifiers to how + those identifiers should be solved when performing ACME challenges. + A config entry must exist for each domain listed in DNSNames and CommonName. + Only **one** of ''config'' or ''solvers'' may be specified, and if + both are specified then no action will be performed on the Order resource. This + field will be removed when support for solver config specified on + the Certificate under certificate.spec.acme has been removed. DEPRECATED: + this field will be removed in future. Solver configuration must instead + be provided on ACME Issuer resources.' + items: + properties: + domains: + description: Domains is the list of domains that this SolverConfig + applies to. + items: + type: string + type: array + required: + - domains + type: object + type: array + csr: + description: Certificate signing request bytes in DER encoding. This + will be used when finalizing the order. This field must be set on + the order. + format: byte + type: string + dnsNames: + description: DNSNames is a list of DNS names that should be included + as part of the Order validation process. If CommonName is not specified, + the first DNSName specified will be used as the CommonName. At least + one of CommonName or a DNSNames must be set. This field must match + the corresponding field on the DER encoded CSR. + items: + type: string + type: array + issuerRef: + description: IssuerRef references a properly configured ACME-type Issuer + which should be used to create this Order. If the Issuer does not + exist, processing will be retried. If the Issuer is not an 'ACME' + Issuer, an error will be returned and the Order will be marked as + failed. 
+ properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + required: + - csr + - issuerRef + type: object + status: + properties: + certificate: + description: Certificate is a copy of the PEM encoded certificate for + this Order. This field will be populated after the order has been + successfully finalized with the ACME server, and the order has transitioned + to the 'valid' state. + format: byte + type: string + challenges: + description: Challenges is a list of ChallengeSpecs for Challenges that + must be created in order to complete this Order. + items: + properties: + authzURL: + description: AuthzURL is the URL to the ACME Authorization resource + that this challenge is a part of. + type: string + config: + description: 'Config specifies the solver configuration for this + challenge. Only **one** of ''config'' or ''solver'' may be specified, + and if both are specified then no action will be performed on + the Challenge resource. DEPRECATED: the ''solver'' field should + be specified instead' + type: object + dnsName: + description: DNSName is the identifier that this challenge is + for, e.g. example.com. + type: string + issuerRef: + description: IssuerRef references a properly configured ACME-type + Issuer which should be used to create this Challenge. If the + Issuer does not exist, processing will be retried. If the Issuer + is not an 'ACME' Issuer, an error will be returned and the Challenge + will be marked as failed. + properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + key: + description: Key is the ACME challenge key for this challenge + type: string + solver: + description: Solver contains the domain solving configuration + that should be used to solve this challenge resource. Only **one** + of 'config' or 'solver' may be specified, and if both are specified + then no action will be performed on the Challenge resource. 
+ properties: + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + properties: + dnsNames: + description: List of DNSNames that this solver will be + used to solve. If specified and a match is found, a + dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same dnsNames + value, the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will be + used to solve. The most specific DNS zone match specified + here will take precedence over other DNS zone matches, + so a solver specifying sys.example.com will be selected + over one specifying example.com for the domain www.sys.example.com. + If multiple solvers match with the same dnsZones value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + matchLabels: + description: A label selector that is used to refine the + set of certificate's that this challenge solver will + apply to. + type: object + type: object + type: object + token: + description: Token is the ACME challenge token for this challenge. + type: string + type: + description: Type is the type of ACME challenge this resource + represents, e.g. "dns01" or "http01" + type: string + url: + description: URL is the URL of the ACME Challenge resource for + this challenge. This can be used to lookup details about the + status of this challenge. 
+ type: string + wildcard: + description: Wildcard will be true if this challenge is for a + wildcard identifier, for example '*.example.com' + type: boolean + required: + - authzURL + - type + - url + - dnsName + - token + - key + - wildcard + - issuerRef + type: object + type: array + failureTime: + description: FailureTime stores the time that this order failed. This + is used to influence garbage collection and back-off. + format: date-time + type: string + finalizeURL: + description: FinalizeURL of the Order. This is used to obtain certificates + for this order once it has been completed. + type: string + reason: + description: Reason optionally provides more information about a why + the order is in the current state. + type: string + state: + description: State contains the current state of this Order resource. + States 'success' and 'expired' are 'final' + enum: + - "" + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + url: + description: URL of the Order. This will initially be empty when the + resource is first created. The Order controller will populate this + field when the Order is first processed. This field will be immutable + after it is initially set. + type: string + type: object + required: + - metadata + - spec + - status + version: v1alpha1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/templates/cert-manager-dp-0.9.0.yaml b/templates/cert-manager-dp-0.9.0.yaml new file mode 100644 index 0000000..e154995 --- /dev/null +++ b/templates/cert-manager-dp-0.9.0.yaml 
@@ -0,0 +1,53 @@
+# Source: cert-manager/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cert-manager
+ namespace: "cert-manager"
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.9.0
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ template:
+ metadata:
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.9.0
+ annotations:
+ prometheus.io/path: "/metrics"
+ prometheus.io/scrape: 'true'
+ prometheus.io/port: '9402'
+ spec:
+ serviceAccountName: cert-manager
+ containers:
+ - name: cert-manager
+ image: "quay.io/jetstack/cert-manager-controller:v0.9.0"
+ imagePullPolicy: IfNotPresent
+ args:
+ - --v=2
+ - --cluster-resource-namespace=$(POD_NAMESPACE)
+ - --leader-election-namespace=$(POD_NAMESPACE)
+ ports:
+ - containerPort: 9402
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
diff --git a/templates/cert-manager-dp-cainjector-0.9.0.yaml b/templates/cert-manager-dp-cainjector-0.9.0.yaml
new file mode 100644
index 0000000..0cf8710
--- /dev/null
+++ b/templates/cert-manager-dp-cainjector-0.9.0.yaml
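Review bot: None of the three Deployments sets a `securityContext`, and only this one sets resource requests (the cainjector and webhook hunks on L45 and L46 apply `resources: {}`), so the controller, cainjector and webhook pods run with whatever user and privilege-escalation defaults the image and node provide, and an unbounded pod can starve the node. Given that the ClusterRoleBindings listed in tasks/main.yml give the controller cluster-wide access, a pod-level `runAsNonRoot: true`, a container `securityContext` that drops capabilities and disables privilege escalation, and explicit `limits` would bound the blast radius of a compromised cert-manager pod; confirm the v0.9.0 images tolerate a read-only root filesystem before enabling that. The `app.kubernetes.io/managed-by: Tiller` and `helm.sh/chart` labels are carried over from the rendered chart, but these objects are applied by the Ansible k8s module, which may mislead operators inspecting the cluster.
```yaml
# … unchanged: metadata, selector, template labels/annotations …
    spec:
      serviceAccountName: cert-manager
      securityContext:
        runAsNonRoot: true
      containers:
        - name: cert-manager
          # … unchanged: image, imagePullPolicy, args, ports, env …
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              cpu: 10m
              memory: 32Mi
            limits:  # constructed example values — size from observed usage
              cpu: 200m
              memory: 128Mi
```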
@@ -0,0 +1,45 @@
+# Source: cert-manager/charts/cainjector/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cert-manager-cainjector
+ namespace: "cert-manager"
+ labels:
+ app: cainjector
+ app.kubernetes.io/name: cainjector
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cainjector-v0.9.0
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: cainjector
+ app.kubernetes.io/name: cainjector
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ template:
+ metadata:
+ labels:
+ app: cainjector
+ app.kubernetes.io/name: cainjector
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cainjector-v0.9.0
+ annotations:
+ spec:
+ serviceAccountName: cert-manager-cainjector
+ containers:
+ - name: cainjector
+ image: "quay.io/jetstack/cert-manager-cainjector:v0.9.0"
+ imagePullPolicy: IfNotPresent
+ args:
+ - --v=2
+ - --leader-election-namespace=$(POD_NAMESPACE)
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ resources:
+ {}
diff --git a/templates/cert-manager-dp-webhook-0.9.0.yaml b/templates/cert-manager-dp-webhook-0.9.0.yaml
new file mode 100644
index 0000000..6ae232b
--- /dev/null
+++ b/templates/cert-manager-dp-webhook-0.9.0.yaml
@@ -0,0 +1,55 @@
+# Source: cert-manager/charts/webhook/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cert-manager-webhook
+ namespace: "cert-manager"
+ labels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: webhook-v0.9.0
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ template:
+ metadata:
+ labels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: webhook-v0.9.0
+ annotations:
+ spec:
+ serviceAccountName: cert-manager-webhook
+ containers:
+ - name: webhook
+ image: "quay.io/jetstack/cert-manager-webhook:v0.9.0"
+ imagePullPolicy: IfNotPresent
+ args:
+ - --v=2
+ - --secure-port=6443
+ - --tls-cert-file=/certs/tls.crt
+ - --tls-private-key-file=/certs/tls.key
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ resources:
+ {}
+
+ volumeMounts:
+ - name: certs
+ mountPath: /certs
+ volumes:
+ - name: certs
+ secret:
+ secretName: cert-manager-webhook-webhook-tls
diff --git a/templates/cert-manager-issuer-webhookca-0.9.0.yaml b/templates/cert-manager-issuer-webhookca-0.9.0.yaml
new file mode 100644
index 0000000..cd262e9
--- /dev/null
+++ b/templates/cert-manager-issuer-webhookca-0.9.0.yaml
@@ -0,0 +1,15 @@
+# Create an Issuer that uses the above generated CA certificate to issue certs
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Issuer
+metadata:
+ name: cert-manager-webhook-ca
+ namespace: "cert-manager"
+ labels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: webhook-v0.9.0
+spec:
+ ca:
+ secretName: cert-manager-webhook-ca
diff --git a/templates/cert-manager-issuer-webhookselfsign-0.9.0.yaml b/templates/cert-manager-issuer-webhookselfsign-0.9.0.yaml
new file mode 100644
index 0000000..82d921e
--- /dev/null
+++ b/templates/cert-manager-issuer-webhookselfsign-0.9.0.yaml
@@ -0,0 +1,15 @@
+# Create a selfsigned Issuer, in order to create a root CA certificate for
+# signing webhook serving certificates
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Issuer
+metadata:
+ name: cert-manager-webhook-selfsign
+ namespace: "cert-manager"
+ labels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: webhook-v0.9.0
+spec:
+ selfSigned: {}
diff --git a/templates/cert-manager-ns-0.9.0.yaml b/templates/cert-manager-ns-0.9.0.yaml
new file mode 100644
index 0000000..33b2827
--- /dev/null
+++ b/templates/cert-manager-ns-0.9.0.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cert-manager
+ labels:
+ certmanager.k8s.io/disable-validation: "true"
diff --git a/templates/cert-manager-rb-certmanager-webhook-0.9.0.yaml b/templates/cert-manager-rb-certmanager-webhook-0.9.0.yaml
new file mode 100644
index 0000000..69d2018
--- /dev/null
+++ b/templates/cert-manager-rb-certmanager-webhook-0.9.0.yaml
@@ -0,0 +1,23 @@
+# apiserver gets the ability to read authentication. This allows it to
+# read the specific configmap that has the requestheader-* entries to
+# api agg
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: cert-manager-webhook:webhook-authentication-reader
+ namespace: kube-system
+ labels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: webhook-v0.9.0
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+- apiGroup: ""
+ kind: ServiceAccount
+ name: cert-manager-webhook
+ namespace: cert-manager
diff --git a/templates/cert-manager-sa-cainjector-0.9.0.yaml b/templates/cert-manager-sa-cainjector-0.9.0.yaml
new file mode 100644
index 0000000..2104218
--- /dev/null
+++ b/templates/cert-manager-sa-cainjector-0.9.0.yaml
@@ -0,0 +1,12 @@
+# Source: cert-manager/charts/cainjector/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: cert-manager-cainjector
+ namespace: "cert-manager"
+ labels:
+ app: cainjector
+ app.kubernetes.io/name: cainjector
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cainjector-v0.9.0
diff --git a/templates/cert-manager-sa-certmanager-0.9.0.yaml b/templates/cert-manager-sa-certmanager-0.9.0.yaml
new file mode 100644
index 0000000..55a6ddd
--- /dev/null
+++ b/templates/cert-manager-sa-certmanager-0.9.0.yaml
@@ -0,0 +1,12 @@
+# Source: cert-manager/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: cert-manager
+ namespace: "cert-manager"
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.9.0
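Review bot: `apiVersion: rbac.authorization.k8s.io/v1beta1` is the deprecated RBAC group version; `rbac.authorization.k8s.io/v1` has been stable since Kubernetes 1.8 and v1beta1 is no longer served from 1.22 on, so this RoleBinding will fail to apply on current clusters. The same applies to `admissionregistration.k8s.io/v1beta1` in the ValidatingWebhookConfiguration (L50), whose `v1` form is served from 1.16; the `apiextensions.k8s.io/v1beta1` CRDs (L39) are tied to cert-manager 0.9.0's own schema and cannot simply be relabelled. The header comment could also state plainly what the binding grants, since the subject is the webhook's ServiceAccount rather than the apiserver: `# Lets the cert-manager-webhook ServiceAccount read the extension-apiserver-authentication ConfigMap in kube-system (requestheader-* client CA data), which an aggregated API server needs to verify requests proxied to it by the kube-apiserver.`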
diff --git a/templates/cert-manager-sa-webhook-0.9.0.yaml b/templates/cert-manager-sa-webhook-0.9.0.yaml
new file mode 100644
index 0000000..1c86ddd
--- /dev/null
+++ b/templates/cert-manager-sa-webhook-0.9.0.yaml
@@ -0,0 +1,12 @@
+# Source: cert-manager/charts/webhook/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: cert-manager-webhook
+ namespace: "cert-manager"
+ labels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: webhook-v0.9.0
diff --git a/templates/cert-manager-svc-webhook-0.9.0.yaml b/templates/cert-manager-svc-webhook-0.9.0.yaml
new file mode 100644
index 0000000..d7dee17
--- /dev/null
+++ b/templates/cert-manager-svc-webhook-0.9.0.yaml
@@ -0,0 +1,23 @@
+# Source: cert-manager/charts/webhook/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: cert-manager-webhook
+ namespace: "cert-manager"
+ labels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: webhook-v0.9.0
+spec:
+ type: ClusterIP
+ ports:
+ - name: https
+ port: 443
+ targetPort: 6443
+ selector:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
diff --git a/templates/cert-manager-validatewebhook-0.9.0.yaml b/templates/cert-manager-validatewebhook-0.9.0.yaml
new file mode 100644
index 0000000..41d53de
--- /dev/null
+++ b/templates/cert-manager-validatewebhook-0.9.0.yaml
@@ -0,0 +1,96 @@
+# Source: cert-manager/charts/webhook/templates/validating-webhook.yaml
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: cert-manager-webhook
+ labels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: webhook-v0.9.0
+ annotations:
+ certmanager.k8s.io/inject-apiserver-ca: "true"
+webhooks:
+ - name: certificates.admission.certmanager.k8s.io
+ namespaceSelector:
+ matchExpressions:
+ - key: "certmanager.k8s.io/disable-validation"
+ operator: "NotIn"
+ values:
+ - "true"
+ - key: "name"
+ operator: "NotIn"
+ values:
+ - cert-manager
+ rules:
+ - apiGroups:
+ - "certmanager.k8s.io"
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - certificates
+ failurePolicy: Fail
+ clientConfig:
+ service:
+ name: kubernetes
+ namespace: default
+ path: /apis/admission.certmanager.k8s.io/v1beta1/certificates
+ - name: issuers.admission.certmanager.k8s.io
+ namespaceSelector:
+ matchExpressions:
+ - key: "certmanager.k8s.io/disable-validation"
+ operator: "NotIn"
+ values:
+ - "true"
+ - key: "name"
+ operator: "NotIn"
+ values:
+ - cert-manager
+ rules:
+ - apiGroups:
+ - "certmanager.k8s.io"
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - issuers
+ failurePolicy: Fail
+ clientConfig:
+ service:
+ name: kubernetes
+ namespace: default
+ path: /apis/admission.certmanager.k8s.io/v1beta1/issuers
+ - name: clusterissuers.admission.certmanager.k8s.io
+ namespaceSelector:
+ matchExpressions:
+ - key: "certmanager.k8s.io/disable-validation"
+ operator: "NotIn"
+ values:
+ - "true"
+ - key: "name"
+ operator: "NotIn"
+ values:
+ - cert-manager
+ rules:
+ - apiGroups:
+ - "certmanager.k8s.io"
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - clusterissuers
+ failurePolicy: Fail
+ clientConfig:
+ service:
+ name: kubernetes
+ namespace: default
+ path: /apis/admission.certmanager.k8s.io/v1beta1/clusterissuers
+
diff --git a/vars/main.yml b/vars/main.yml
new file mode 100644
index 0000000..aabd18d
--- /dev/null
+++ b/vars/main.yml
@@ -0,0 +1 @@
+user: "{{ ansible_user_id }}"
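Review bot: Validation is skipped for any namespace carrying `certmanager.k8s.io/disable-validation: "true"` or a `name: cert-manager` label, so the guarantee this webhook gives is bounded by who may label namespaces; the exemption is deliberate for cert-manager's own namespace (cert-manager-ns-0.9.0.yaml on L47 sets the first label) but nothing in the file says so. A comment above `webhooks:` would make the trade-off and the failure mode explicit: `# Namespaces labelled certmanager.k8s.io/disable-validation=true skip validation (required for cert-manager's own namespace); with failurePolicy: Fail, an unreachable webhook rejects every other certificate/issuer create or update.` `clientConfig.service` points at the `kubernetes` Service in `default`, i.e. the aggregated-API path, so this object only works once an APIService for admission.certmanager.k8s.io is registered; that manifest is not in this chunk, so confirm it is in the tasks/main.yml item list.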
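Review bot: `vars/main.yml` has the highest precedence within a role, so `user: "{{ ansible_user_id }}"` cannot be overridden from inventory or group_vars; if it is meant to be tunable it belongs in `defaults/main.yml` next to `my_context`, otherwise a one-line comment stating why it is fixed to the connecting user would help. The key is not referenced in the tasks visible in this diff, so confirm it is actually consumed before keeping it.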