Remove old versions

2021-02-15 17:24:33 +01:00 · 2021-02-15 17:24:33 +01:00 · 3e04f58491
commit 3e04f58491
parent 2c893c9c12
343 changed files with 0 additions and 102675 deletions
--- a/files/cert-manager-psp.yaml
+++ b/files/cert-manager-psp.yaml
@ -1,41 +0,0 @@
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
  name: cert-namager
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/component: "controller"
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
 spec:
  privileged: false
  allowPrivilegeEscalation: false
  allowedCapabilities: []  # default set of capabilities are implicitly allowed
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'projected'
  - 'secret'
  - 'downwardAPI'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'MustRunAs'
    ranges:
    - min: 1000
      max: 1000
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
    - min: 1000
      max: 1000
  fsGroup:
    rule: 'MustRunAs'
    ranges:
    - min: 1000
      max: 1000
--- a/tasks/upgrade.yml
+++ b/tasks/upgrade.yml
@ -1,110 +0,0 @@
 ---
 - name: Enable upgrade mode
  set_fact:
    certmanager_need_upgrade: true
 - name: Upgrade version from 0.12 to 0.13
  block:
  - name: Update upgrade version to 0.13
    set_fact:
      certmanager_upgrade_version: "0.13"
  - name: Include vars for version 0.13
    include_vars: "files_list_0.13.yml"
  - name: Update Cert Manager files to version 0.13
    k8s:
      state: "present"
      context: "{{ my_context }}"
      apply: yes
      force: yes
      resource_definition: "{{ lookup('template', item) | from_yaml }}"
    with_items:
      - "{{ lookup('vars', 'certmanager_' + certmanager_upgrade_version + '_list') }}"
  - name: Update actual version to 0.13
    set_fact:
      certmanager_actual_version: "0.13"
  when:
    - certmanager_actual_version == "0.12"
    - certmanager_need_upgrade|bool
 - name: Disable upgrade mode
  set_fact:
    certmanager_need_upgrade: false
    certmanager_upgraded: true
  when:
    - certmanager_version == certmanager_actual_version
 - name: Upgrade version from 0.13 to 0.14
  block:
  - name: Update upgrade version to 0.14
    set_fact:
      certmanager_upgrade_version: "0.14"
  - name: Include vars for version 0.14
    include_vars: "files_list_0.14.yml"
  - name: Remove old existing object
    k8s:
      context: "{{ my_context }}"
      state: absent
      api_version: '{{ item.apiversion }}'
      kind: '{{ item.type }}'
      namespace: cert-manager
      name: '{{ item.name }}'
    with_items:
      - { type: "Deployment", name: "cert-manager", apiversion: "apps/v1" }
      - { type: "Deployment", name: "cert-manager-cainjector", apiversion: "apps/v1" }
      - { type: "Deployment", name: "cert-manager-webhook", apiversion: "apps/v1" }
 #      - { type: "ClusterRoleBinding", name: "cert-manager-webhook:auth-delegator", apiversion: "rbac.authorization.k8s.io/v1" }
 #      - { type: "RoleBinding", name: "cert-manager-webhook:webhook-authentication-reader", apiversion: "rbac.authorization.k8s.io/v1beta1" }
 #      - { type: "ClusterRole", name: "cert-manager-webhook:webhook-requester", apiversion: "rbac.authorization.k8s.io/v1" }
 ##      - { type: "CustomResourceDefinition", name: "certificates.cert-manager.io", apiversion: "apiextensions.k8s.io/v1" }
  - name: Update Cert Manager files to version 0.14
    k8s:
      state: "present"
      context: "{{ my_context }}"
      apply: yes
      force: yes
      resource_definition: "{{ lookup('template', item) | from_yaml }}"
    with_items:
      - "{{ lookup('vars', 'certmanager_' + certmanager_upgrade_version + '_list') }}"
  - name: Update actual version to 0.14
    set_fact:
      certmanager_actual_version: "0.14"
  when:
    - certmanager_actual_version == "0.13"
    - certmanager_need_upgrade|bool
 - name: Disable upgrade mode
  set_fact:
    certmanager_upgrade: false
    certmanager_upgraded: true
  when:
    - certmanager_version == certmanager_actual_version
 - name: Upgrade version from 0.14 to 0.15
  block:
  - name: Update upgrade version to 0.15
    set_fact:
      certmanager_upgrade_version: "0.15"
  - name: Include vars for version 0.15
    include_vars: "files_list_0.15.yml"
  - name: Update Cert Manager files to version 0.15
    k8s:
      state: "present"
      context: "{{ my_context }}"
      apply: yes
      force: yes
      resource_definition: "{{ lookup('template', item) | from_yaml }}"
    with_items:
      - "{{ lookup('vars', 'certmanager_' + certmanager_upgrade_version + '_list') }}"
  - name: Update actual version to 0.15
    set_fact:
      certmanager_actual_version: "0.15"
  when:
    - certmanager_actual_version == "0.14"
    - certmanager_need_upgrade|bool
 - name: Disable upgrade mode
  set_fact:
    certmanager_need_upgrade: false
    certmanager_upgraded: true
  when:
    - certmanager_version == certmanager_actual_version
--- a/templates/0.11.0/cert-manager-Deployment.yaml
+++ b/templates/0.11.0/cert-manager-Deployment.yaml
@ -1,59 +0,0 @@
 # Source: cert-manager/templates/deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: cert-manager
  namespace: "cert-manager"
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: cert-manager
      app.kubernetes.io/name: cert-manager
      app.kubernetes.io/instance:  cert-manager
      app.kubernetes.io/managed-by: Tiller
  template:
    metadata:
      labels:
        app: cert-manager
        app.kubernetes.io/name: cert-manager
        app.kubernetes.io/instance:  cert-manager
        app.kubernetes.io/managed-by: Tiller
        helm.sh/chart: cert-manager-v0.11.0
      annotations:
        prometheus.io/path: "/metrics"
        prometheus.io/scrape: 'true'
        prometheus.io/port: '9402'
    spec:
      serviceAccountName: cert-manager
      containers:
        - name: cert-manager
          image: "quay.io/jetstack/cert-manager-controller:v0.11.0"
          imagePullPolicy: IfNotPresent
          args:
          - --v=2
          - --cluster-resource-namespace=$(POD_NAMESPACE)
          - --leader-election-namespace=kube-system
          - --webhook-namespace=$(POD_NAMESPACE)
          - --webhook-ca-secret=cert-manager-webhook-ca
          - --webhook-serving-secret=cert-manager-webhook-tls
          - --webhook-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
          ports:
          - containerPort: 9402
          env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          resources:
            requests:
              cpu: 10m
              memory: 32Mi
--- a/templates/0.11.0/cert-manager-Namespace.yaml
+++ b/templates/0.11.0/cert-manager-Namespace.yaml
@ -1,5 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: cert-manager
--- a/templates/0.11.0/cert-manager-Service.yaml
+++ b/templates/0.11.0/cert-manager-Service.yaml
@ -1,23 +0,0 @@
 # Source: cert-manager/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: cert-manager
  namespace: "cert-manager"
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
 spec:
  type: ClusterIP
  ports:
    - protocol: TCP
      port: 9402
      targetPort: 9402
  selector:
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
--- a/templates/0.11.0/cert-manager-ServiceAccount.yaml
+++ b/templates/0.11.0/cert-manager-ServiceAccount.yaml
@ -1,14 +0,0 @@
 # Source: cert-manager/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: cert-manager
  namespace: "cert-manager"
  annotations:
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
--- a/templates/0.11.0/cert-manager-cainjector-ClusterRole.yaml
+++ b/templates/0.11.0/cert-manager-cainjector-ClusterRole.yaml
@ -1,30 +0,0 @@
 # Source: cert-manager/charts/cainjector/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: cert-manager-cainjector
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cainjector-v0.11.0
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get", "create", "update", "patch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["apiregistration.k8s.io"]
    resources: ["apiservices"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch", "update"]
--- a/templates/0.11.0/cert-manager-cainjector-ClusterRoleBinding.yaml
+++ b/templates/0.11.0/cert-manager-cainjector-ClusterRoleBinding.yaml
@ -1,19 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-cainjector
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cainjector-v0.11.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-cainjector
 subjects:
  - name: cert-manager-cainjector
    namespace: "cert-manager"
    kind: ServiceAccount
--- a/templates/0.11.0/cert-manager-cainjector-Deployment.yaml
+++ b/templates/0.11.0/cert-manager-cainjector-Deployment.yaml
@ -1,47 +0,0 @@
 # Source: cert-manager/charts/cainjector/templates/deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: cert-manager-cainjector
  namespace: "cert-manager"
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cainjector-v0.11.0
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: cainjector
      app.kubernetes.io/name: cainjector
      app.kubernetes.io/instance:  cert-manager
      app.kubernetes.io/managed-by: Tiller
  template:
    metadata:
      labels:
        app: cainjector
        app.kubernetes.io/name: cainjector
        app.kubernetes.io/instance:  cert-manager
        app.kubernetes.io/managed-by: Tiller
        helm.sh/chart: cainjector-v0.11.0
      annotations:
    spec:
      serviceAccountName: cert-manager-cainjector
      containers:
        - name: cainjector
          image: "quay.io/jetstack/cert-manager-cainjector:v0.11.0"
          imagePullPolicy: IfNotPresent
          args:
          - --v=2
          - --leader-election-namespace=kube-system
          env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          resources:
            {}
--- a/templates/0.11.0/cert-manager-cainjector-ServiceAccount.yaml
+++ b/templates/0.11.0/cert-manager-cainjector-ServiceAccount.yaml
@ -1,13 +0,0 @@
 # Source: cert-manager/charts/cainjector/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: cert-manager-cainjector
  namespace: "cert-manager"
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cainjector-v0.11.0
--- a/templates/0.11.0/cert-manager-cainjector:leaderelection-Role.yaml
+++ b/templates/0.11.0/cert-manager-cainjector:leaderelection-Role.yaml
@ -1,19 +0,0 @@
 # leader election rules
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: Role
 metadata:
  name: cert-manager-cainjector:leaderelection
  namespace: kube-system
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cainjector-v0.11.0
 rules:
  # Used for leader election by the controller
  # TODO: refine the permission to *just* the leader election configmap
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "create", "update", "patch"]
--- a/templates/0.11.0/cert-manager-cainjector:leaderelection-RoleBinding.yaml
+++ b/templates/0.11.0/cert-manager-cainjector:leaderelection-RoleBinding.yaml
@ -1,23 +0,0 @@
 # grant cert-manager permission to manage the leaderelection configmap in the
 # leader election namespace
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
  name: cert-manager-cainjector:leaderelection
  namespace: kube-system
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cainjector-v0.11.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-cainjector:leaderelection
 subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager-cainjector
    namespace: cert-manager
--- a/templates/0.11.0/cert-manager-controller-certificates-ClusterRole.yaml
+++ b/templates/0.11.0/cert-manager-controller-certificates-ClusterRole.yaml
@ -1,35 +0,0 @@
 # Certificates controller role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: cert-manager-controller-certificates
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
    verbs: ["update"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates/finalizers"]
    verbs: ["update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders"]
    verbs: ["create", "delete", "get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
--- a/templates/0.11.0/cert-manager-controller-certificates-ClusterRoleBinding.yaml
+++ b/templates/0.11.0/cert-manager-controller-certificates-ClusterRoleBinding.yaml
@ -1,20 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-controller-certificates
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-certificates
 subjects:
  - name: cert-manager
    namespace: "cert-manager"
    kind: ServiceAccount
--- a/templates/0.11.0/cert-manager-controller-challenges-ClusterRole.yaml
+++ b/templates/0.11.0/cert-manager-controller-challenges-ClusterRole.yaml
@ -1,51 +0,0 @@
 # Challenges controller role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: cert-manager-controller-challenges
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
 rules:
  # Use to update challenge resource status
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "challenges/status"]
    verbs: ["update"]
  # Used to watch challenge resources
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["get", "list", "watch"]
  # Used to watch challenges, issuer and clusterissuer resources
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  # Need to be able to retrieve ACME account private key to complete challenges
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  # Used to create events
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  # HTTP01 rules
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges/finalizers"]
    verbs: ["update"]
  # DNS01 rules (duplicated above)
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
--- a/templates/0.11.0/cert-manager-controller-challenges-ClusterRoleBinding.yaml
+++ b/templates/0.11.0/cert-manager-controller-challenges-ClusterRoleBinding.yaml
@ -1,20 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-controller-challenges
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-challenges
 subjects:
  - name: cert-manager
    namespace: "cert-manager"
    kind: ServiceAccount
--- a/templates/0.11.0/cert-manager-controller-clusterissuers-ClusterRole.yaml
+++ b/templates/0.11.0/cert-manager-controller-clusterissuers-ClusterRole.yaml
@ -1,26 +0,0 @@
 # ClusterIssuer controller role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: cert-manager-controller-clusterissuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "clusterissuers/status"]
    verbs: ["update"]
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
--- a/templates/0.11.0/cert-manager-controller-clusterissuers-ClusterRoleBinding.yaml
+++ b/templates/0.11.0/cert-manager-controller-clusterissuers-ClusterRoleBinding.yaml
@ -1,20 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-controller-clusterissuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-clusterissuers
 subjects:
  - name: cert-manager
    namespace: "cert-manager"
    kind: ServiceAccount
--- a/templates/0.11.0/cert-manager-controller-ingress-shim-ClusterRole.yaml
+++ b/templates/0.11.0/cert-manager-controller-ingress-shim-ClusterRole.yaml
@ -1,32 +0,0 @@
 # ingress-shim controller role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: cert-manager-controller-ingress-shim
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests"]
    verbs: ["create", "update", "delete"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["extensions"]
    resources: ["ingresses/finalizers"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
--- a/templates/0.11.0/cert-manager-controller-ingress-shim-ClusterRoleBinding.yaml
+++ b/templates/0.11.0/cert-manager-controller-ingress-shim-ClusterRoleBinding.yaml
@ -1,20 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-controller-ingress-shim
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-ingress-shim
 subjects:
  - name: cert-manager
    namespace: "cert-manager"
    kind: ServiceAccount
--- a/templates/0.11.0/cert-manager-controller-issuers-ClusterRole.yaml
+++ b/templates/0.11.0/cert-manager-controller-issuers-ClusterRole.yaml
@ -1,26 +0,0 @@
 # Issuer controller role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: cert-manager-controller-issuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "issuers/status"]
    verbs: ["update"]
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
--- a/templates/0.11.0/cert-manager-controller-issuers-ClusterRoleBinding.yaml
+++ b/templates/0.11.0/cert-manager-controller-issuers-ClusterRoleBinding.yaml
@ -1,20 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-controller-issuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-issuers
 subjects:
  - name: cert-manager
    namespace: "cert-manager"
    kind: ServiceAccount
--- a/templates/0.11.0/cert-manager-controller-orders-ClusterRole.yaml
+++ b/templates/0.11.0/cert-manager-controller-orders-ClusterRole.yaml
@ -1,38 +0,0 @@
 # Orders controller role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: cert-manager-controller-orders
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
 rules:
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "orders/status"]
    verbs: ["update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "challenges"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["create", "delete"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders/finalizers"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
--- a/templates/0.11.0/cert-manager-controller-orders-ClusterRoleBinding.yaml
+++ b/templates/0.11.0/cert-manager-controller-orders-ClusterRoleBinding.yaml
@ -1,20 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-controller-orders
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-orders
 subjects:
  - name: cert-manager
    namespace: "cert-manager"
    kind: ServiceAccount
--- a/templates/0.11.0/cert-manager-edit-ClusterRole.yaml
+++ b/templates/0.11.0/cert-manager-edit-ClusterRole.yaml
@ -1,18 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: cert-manager-edit
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]
--- a/templates/0.11.0/cert-manager-leaderelection-ClusterRoleBinding.yaml
+++ b/templates/0.11.0/cert-manager-leaderelection-ClusterRoleBinding.yaml
@ -1,20 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-leaderelection
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-leaderelection
 subjects:
  - name: cert-manager
    namespace: "cert-manager"
    kind: ServiceAccount
--- a/templates/0.11.0/cert-manager-view-ClusterRole.yaml
+++ b/templates/0.11.0/cert-manager-view-ClusterRole.yaml
@ -1,19 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: cert-manager-view
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers"]
    verbs: ["get", "list", "watch"]
--- a/templates/0.11.0/cert-manager-webhook-Deployment.yaml
+++ b/templates/0.11.0/cert-manager-webhook-Deployment.yaml
@ -1,55 +0,0 @@
 # Source: cert-manager/templates/webhook-deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: cert-manager-webhook
  namespace: "cert-manager"
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: webhook
      app.kubernetes.io/name: webhook
      app.kubernetes.io/instance:  cert-manager
      app.kubernetes.io/managed-by: Tiller
  template:
    metadata:
      labels:
        app: webhook
        app.kubernetes.io/name: webhook
        app.kubernetes.io/instance:  cert-manager
        app.kubernetes.io/managed-by: Tiller
        helm.sh/chart: cert-manager-v0.11.0
      annotations:
    spec:
      serviceAccountName: cert-manager-webhook
      containers:
        - name: cert-manager
          image: "quay.io/jetstack/cert-manager-webhook:v0.11.0"
          imagePullPolicy: IfNotPresent
          args:
          - --v=2
          - --secure-port=6443
          - --tls-cert-file=/certs/tls.crt
          - --tls-private-key-file=/certs/tls.key
          env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          resources:
            {}
          volumeMounts:
          - name: certs
            mountPath: /certs
      volumes:
      - name: certs
        secret:
          secretName: cert-manager-webhook-tls
--- a/templates/0.11.0/cert-manager-webhook-MutatingWebhookConfiguration.yaml
+++ b/templates/0.11.0/cert-manager-webhook-MutatingWebhookConfiguration.yaml
@ -1,36 +0,0 @@
 # Source: cert-manager/templates/webhook-mutating-webhook.yaml
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: MutatingWebhookConfiguration
 metadata:
  name: cert-manager-webhook
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
  annotations:
    cert-manager.io/inject-apiserver-ca: "true"
 webhooks:
  - name: webhook.cert-manager.io
    rules:
      - apiGroups:
          - "cert-manager.io"
        apiVersions:
          - v1alpha2
        operations:
          - CREATE
          - UPDATE
        resources:
          - certificates
          - issuers
          - clusterissuers
          - orders
          - challenges
          - certificaterequests
    failurePolicy: Fail
    clientConfig:
      service:
        name: kubernetes
        namespace: default
        path: /apis/webhook.cert-manager.io/v1beta1/mutations
--- a/templates/0.11.0/cert-manager-webhook-Service.yaml
+++ b/templates/0.11.0/cert-manager-webhook-Service.yaml
@ -1,23 +0,0 @@
 # Source: cert-manager/templates/webhook-service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: cert-manager-webhook
  namespace: "cert-manager"
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
 spec:
  type: ClusterIP
  ports:
  - name: https
    port: 443
    targetPort: 6443
  selector:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
--- a/templates/0.11.0/cert-manager-webhook-ServiceAccount.yaml
+++ b/templates/0.11.0/cert-manager-webhook-ServiceAccount.yaml
@ -1,12 +0,0 @@
 # Source: cert-manager/templates/webhook-serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: cert-manager-webhook
  namespace: "cert-manager"
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
--- a/templates/0.11.0/cert-manager-webhook-ValidatingWebhookConfiguration.yaml
+++ b/templates/0.11.0/cert-manager-webhook-ValidatingWebhookConfiguration.yaml
@ -1,45 +0,0 @@
 # Source: cert-manager/templates/webhook-validating-webhook.yaml
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: ValidatingWebhookConfiguration
 metadata:
  name: cert-manager-webhook
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
  annotations:
    cert-manager.io/inject-apiserver-ca: "true"
 webhooks:
  - name: webhook.cert-manager.io
    namespaceSelector:
      matchExpressions:
      - key: "cert-manager.io/disable-validation"
        operator: "NotIn"
        values:
        - "true"
      - key: "name"
        operator: "NotIn"
        values:
        - cert-manager
    rules:
      - apiGroups:
          - "cert-manager.io"
        apiVersions:
          - v1alpha2
        operations:
          - CREATE
          - UPDATE
        resources:
          - certificates
          - issuers
          - clusterissuers
          - certificaterequests
    failurePolicy: Fail
    sideEffects: None
    clientConfig:
      service:
        name: kubernetes
        namespace: default
        path: /apis/webhook.cert-manager.io/v1beta1/validations
--- a/templates/0.11.0/cert-manager-webhook:auth-delegator-ClusterRoleBinding.yaml
+++ b/templates/0.11.0/cert-manager-webhook:auth-delegator-ClusterRoleBinding.yaml
@ -1,22 +0,0 @@
 # apiserver gets the auth-delegator role to delegate auth decisions to
 # the core apiserver
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-webhook:auth-delegator
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
 subjects:
 - apiGroup: ""
  kind: ServiceAccount
  name: cert-manager-webhook
  namespace: cert-manager
--- a/templates/0.11.0/cert-manager-webhook:webhook-authentication-reader-RoleBinding.yaml
+++ b/templates/0.11.0/cert-manager-webhook:webhook-authentication-reader-RoleBinding.yaml
@ -1,25 +0,0 @@
 # apiserver gets the ability to read authentication. This allows it to
 # read the specific configmap that has the requestheader-* entries to
 # api agg
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
  name: cert-manager-webhook:webhook-authentication-reader
  namespace: kube-system
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
 subjects:
 - apiGroup: ""
  kind: ServiceAccount
  name: cert-manager-webhook
  namespace: cert-manager
--- a/templates/0.11.0/cert-manager-webhook:webhook-requester-ClusterRole.yaml
+++ b/templates/0.11.0/cert-manager-webhook:webhook-requester-ClusterRole.yaml
@ -1,21 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: cert-manager-webhook:webhook-requester
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
 rules:
 - apiGroups:
  - admission.cert-manager.io
  resources:
  - certificates
  - certificaterequests
  - issuers
  - clusterissuers
  verbs:
  - create
--- a/templates/0.11.0/cert-manager.yaml
+++ b/templates/0.11.0/cert-manager.yaml
--- a/templates/0.11.0/cert-manager:leaderelection-Role.yaml
+++ b/templates/0.11.0/cert-manager:leaderelection-Role.yaml
@ -1,19 +0,0 @@
 # Source: cert-manager/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: Role
 metadata:
  name: cert-manager:leaderelection
  namespace: kube-system
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
 rules:
  # Used for leader election by the controller
  # TODO: refine the permission to *just* the leader election configmap
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "create", "update", "patch"]
--- a/templates/0.11.0/cert-manager:leaderelection-RoleBinding.yaml
+++ b/templates/0.11.0/cert-manager:leaderelection-RoleBinding.yaml
@ -1,24 +0,0 @@
 # grant cert-manager permission to manage the leaderelection configmap in the
 # leader election namespace
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
  name: cert-manager:leaderelection
  namespace: kube-system
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager:leaderelection
 subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
--- a/templates/0.11.0/certificaterequests.cert-manager.io-CustomResourceDefinition.yaml
+++ b/templates/0.11.0/certificaterequests.cert-manager.io-CustomResourceDefinition.yaml
@ -1,188 +0,0 @@
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  creationTimestamp: null
  name: certificaterequests.cert-manager.io
 spec:
  additionalPrinterColumns:
  - JSONPath: .status.conditions[?(@.type=="Ready")].status
    name: Ready
    type: string
  - JSONPath: .spec.issuerRef.name
    name: Issuer
    priority: 1
    type: string
  - JSONPath: .status.conditions[?(@.type=="Ready")].message
    name: Status
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC.
    name: Age
    type: date
  group: cert-manager.io
  names:
    kind: CertificateRequest
    listKind: CertificateRequestList
    plural: certificaterequests
    shortNames:
    - cr
    - crs
    singular: certificaterequest
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      description: CertificateRequest is a type to represent a Certificate Signing
        Request
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          description: CertificateRequestSpec defines the desired state of CertificateRequest
          properties:
            csr:
              description: Byte slice containing the PEM encoded CertificateSigningRequest
              format: byte
              type: string
            duration:
              description: Requested certificate default Duration
              type: string
            isCA:
              description: IsCA will mark the resulting certificate as valid for signing.
                This implies that the 'cert sign' usage is set
              type: boolean
            issuerRef:
              description: IssuerRef is a reference to the issuer for this CertificateRequest.  If
                the 'kind' field is not set, or set to 'Issuer', an Issuer resource
                with the given name in the same namespace as the CertificateRequest
                will be used.  If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
                with the provided name will be used. The 'name' field in this stanza
                is required at all times. The group field refers to the API group
                of the issuer which defaults to 'cert-manager.io' if empty.
              properties:
                group:
                  type: string
                kind:
                  type: string
                name:
                  type: string
              required:
              - name
              type: object
            usages:
              description: Usages is the set of x509 actions that are enabled for
                a given key. Defaults are ('digital signature', 'key encipherment')
                if empty
              items:
                description: 'KeyUsage specifies valid usage contexts for keys. See:
                  https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12'
                enum:
                - signing
                - digital signature
                - content commitment
                - key encipherment
                - key agreement
                - data encipherment
                - cert sign
                - crl sign
                - encipher only
                - decipher only
                - any
                - server auth
                - client auth
                - code signing
                - email protection
                - s/mime
                - ipsec end system
                - ipsec tunnel
                - ipsec user
                - timestamping
                - ocsp signing
                - microsoft sgc
                - netscape sgc
                type: string
              type: array
          required:
          - issuerRef
          type: object
        status:
          description: CertificateStatus defines the observed state of CertificateRequest
            and resulting signed certificate.
          properties:
            ca:
              description: Byte slice containing the PEM encoded certificate authority
                of the signed certificate.
              format: byte
              type: string
            certificate:
              description: Byte slice containing a PEM encoded signed certificate
                resulting from the given certificate signing request.
              format: byte
              type: string
            conditions:
              items:
                description: CertificateRequestCondition contains condition information
                  for a CertificateRequest.
                properties:
                  lastTransitionTime:
                    description: LastTransitionTime is the timestamp corresponding
                      to the last status change of this condition.
                    format: date-time
                    type: string
                  message:
                    description: Message is a human readable description of the details
                      of the last transition, complementing reason.
                    type: string
                  reason:
                    description: Reason is a brief machine readable explanation for
                      the condition's last transition.
                    type: string
                  status:
                    description: Status of the condition, one of ('True', 'False',
                      'Unknown').
                    enum:
                    - "True"
                    - "False"
                    - Unknown
                    type: string
                  type:
                    description: Type of the condition, currently ('Ready').
                    type: string
                required:
                - status
                - type
                type: object
              type: array
            failureTime:
              description: FailureTime stores the time that this CertificateRequest
                failed. This is used to influence garbage collection and back-off.
              format: date-time
              type: string
          type: object
      type: object
  version: v1alpha2
  versions:
  - name: v1alpha2
    served: true
    storage: true
 status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
--- a/templates/0.11.0/certificates.cert-manager.io-CustomResourceDefinition.yaml
+++ b/templates/0.11.0/certificates.cert-manager.io-CustomResourceDefinition.yaml
@ -1,242 +0,0 @@
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  creationTimestamp: null
  name: certificates.cert-manager.io
 spec:
  additionalPrinterColumns:
  - JSONPath: .status.conditions[?(@.type=="Ready")].status
    name: Ready
    type: string
  - JSONPath: .spec.secretName
    name: Secret
    type: string
  - JSONPath: .spec.issuerRef.name
    name: Issuer
    priority: 1
    type: string
  - JSONPath: .status.conditions[?(@.type=="Ready")].message
    name: Status
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC.
    name: Age
    type: date
  group: cert-manager.io
  names:
    kind: Certificate
    listKind: CertificateList
    plural: certificates
    shortNames:
    - cert
    - certs
    singular: certificate
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      description: Certificate is a type to represent a Certificate from ACME
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          description: CertificateSpec defines the desired state of Certificate. A
            valid Certificate requires at least one of a CommonName, DNSName, or URISAN
            to be valid.
          properties:
            commonName:
              description: CommonName is a common name to be used on the Certificate.
                The CommonName should have a length of 64 characters or fewer to avoid
                generating invalid CSRs.
              type: string
            dnsNames:
              description: DNSNames is a list of subject alt names to be used on the
                Certificate.
              items:
                type: string
              type: array
            duration:
              description: Certificate default Duration
              type: string
            ipAddresses:
              description: IPAddresses is a list of IP addresses to be used on the
                Certificate
              items:
                type: string
              type: array
            isCA:
              description: IsCA will mark this Certificate as valid for signing. This
                implies that the 'cert sign' usage is set
              type: boolean
            issuerRef:
              description: IssuerRef is a reference to the issuer for this certificate.
                If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
                with the given name in the same namespace as the Certificate will
                be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
                with the provided name will be used. The 'name' field in this stanza
                is required at all times.
              properties:
                group:
                  type: string
                kind:
                  type: string
                name:
                  type: string
              required:
              - name
              type: object
            keyAlgorithm:
              description: KeyAlgorithm is the private key algorithm of the corresponding
                private key for this certificate. If provided, allowed values are
                either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize is
                not provided, key size of 256 will be used for "ecdsa" key algorithm
                and key size of 2048 will be used for "rsa" key algorithm.
              enum:
              - rsa
              - ecdsa
              type: string
            keyEncoding:
              description: KeyEncoding is the private key cryptography standards (PKCS)
                for this certificate's private key to be encoded in. If provided,
                allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8,
                respectively. If KeyEncoding is not specified, then PKCS#1 will be
                used by default.
              enum:
              - pkcs1
              - pkcs8
              type: string
            keySize:
              description: KeySize is the key bit size of the corresponding private
                key for this certificate. If provided, value must be between 2048
                and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa",
                and value must be one of (256, 384, 521) when KeyAlgorithm is set
                to "ecdsa".
              type: integer
            organization:
              description: Organization is the organization to be used on the Certificate
              items:
                type: string
              type: array
            renewBefore:
              description: Certificate renew before expiration duration
              type: string
            secretName:
              description: SecretName is the name of the secret resource to store
                this secret in
              type: string
            uriSANs:
              description: URISANs is a list of URI Subject Alternative Names to be
                set on this Certificate.
              items:
                type: string
              type: array
            usages:
              description: Usages is the set of x509 actions that are enabled for
                a given key. Defaults are ('digital signature', 'key encipherment')
                if empty
              items:
                description: 'KeyUsage specifies valid usage contexts for keys. See:
                  https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12'
                enum:
                - signing
                - digital signature
                - content commitment
                - key encipherment
                - key agreement
                - data encipherment
                - cert sign
                - crl sign
                - encipher only
                - decipher only
                - any
                - server auth
                - client auth
                - code signing
                - email protection
                - s/mime
                - ipsec end system
                - ipsec tunnel
                - ipsec user
                - timestamping
                - ocsp signing
                - microsoft sgc
                - netscape sgc
                type: string
              type: array
          required:
          - issuerRef
          - secretName
          type: object
        status:
          description: CertificateStatus defines the observed state of Certificate
          properties:
            conditions:
              items:
                description: CertificateCondition contains condition information for
                  an Certificate.
                properties:
                  lastTransitionTime:
                    description: LastTransitionTime is the timestamp corresponding
                      to the last status change of this condition.
                    format: date-time
                    type: string
                  message:
                    description: Message is a human readable description of the details
                      of the last transition, complementing reason.
                    type: string
                  reason:
                    description: Reason is a brief machine readable explanation for
                      the condition's last transition.
                    type: string
                  status:
                    description: Status of the condition, one of ('True', 'False',
                      'Unknown').
                    enum:
                    - "True"
                    - "False"
                    - Unknown
                    type: string
                  type:
                    description: Type of the condition, currently ('Ready').
                    type: string
                required:
                - status
                - type
                type: object
              type: array
            lastFailureTime:
              format: date-time
              type: string
            notAfter:
              description: The expiration time of the certificate stored in the secret
                named by this resource in spec.secretName.
              format: date-time
              type: string
          type: object
      type: object
  version: v1alpha2
  versions:
  - name: v1alpha2
    served: true
    storage: true
 status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
--- a/templates/0.11.0/challenges.acme.cert-manager.io-CustomResourceDefinition.yaml
+++ b/templates/0.11.0/challenges.acme.cert-manager.io-CustomResourceDefinition.yaml
--- a/templates/0.11.0/clusterissuers.cert-manager.io-CustomResourceDefinition.yaml
+++ b/templates/0.11.0/clusterissuers.cert-manager.io-CustomResourceDefinition.yaml
--- a/templates/0.11.0/issuers.cert-manager.io-CustomResourceDefinition.yaml
+++ b/templates/0.11.0/issuers.cert-manager.io-CustomResourceDefinition.yaml
--- a/templates/0.11.0/orders.acme.cert-manager.io-CustomResourceDefinition.yaml
+++ b/templates/0.11.0/orders.acme.cert-manager.io-CustomResourceDefinition.yaml
@ -1,207 +0,0 @@
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  creationTimestamp: null
  name: orders.acme.cert-manager.io
 spec:
  additionalPrinterColumns:
  - JSONPath: .status.state
    name: State
    type: string
  - JSONPath: .spec.issuerRef.name
    name: Issuer
    priority: 1
    type: string
  - JSONPath: .status.reason
    name: Reason
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC.
    name: Age
    type: date
  group: acme.cert-manager.io
  names:
    kind: Order
    listKind: OrderList
    plural: orders
    singular: order
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      description: Order is a type to represent an Order with an ACME server
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          properties:
            commonName:
              description: CommonName is the common name as specified on the DER encoded
                CSR. If CommonName is not specified, the first DNSName specified will
                be used as the CommonName. At least one of CommonName or a DNSNames
                must be set. This field must match the corresponding field on the
                DER encoded CSR.
              type: string
            csr:
              description: Certificate signing request bytes in DER encoding. This
                will be used when finalizing the order. This field must be set on
                the order.
              format: byte
              type: string
            dnsNames:
              description: DNSNames is a list of DNS names that should be included
                as part of the Order validation process. If CommonName is not specified,
                the first DNSName specified will be used as the CommonName. At least
                one of CommonName or a DNSNames must be set. This field must match
                the corresponding field on the DER encoded CSR.
              items:
                type: string
              type: array
            issuerRef:
              description: IssuerRef references a properly configured ACME-type Issuer
                which should be used to create this Order. If the Issuer does not
                exist, processing will be retried. If the Issuer is not an 'ACME'
                Issuer, an error will be returned and the Order will be marked as
                failed.
              properties:
                group:
                  type: string
                kind:
                  type: string
                name:
                  type: string
              required:
              - name
              type: object
          required:
          - csr
          - issuerRef
          type: object
        status:
          properties:
            authorizations:
              description: Authorizations contains data returned from the ACME server
                on what authoriations must be completed in order to validate the DNS
                names specified on the Order.
              items:
                description: ACMEAuthorization contains data returned from the ACME
                  server on an authorization that must be completed in order validate
                  a DNS name on an ACME Order resource.
                properties:
                  challenges:
                    description: Challenges specifies the challenge types offered
                      by the ACME server. One of these challenge types will be selected
                      when validating the DNS name and an appropriate Challenge resource
                      will be created to perform the ACME challenge process.
                    items:
                      description: Challenge specifies a challenge offered by the
                        ACME server for an Order. An appropriate Challenge resource
                        can be created to perform the ACME challenge process.
                      properties:
                        token:
                          description: Token is the token that must be presented for
                            this challenge. This is used to compute the 'key' that
                            must also be presented.
                          type: string
                        type:
                          description: Type is the type of challenge being offered,
                            e.g. http-01, dns-01
                          type: string
                        url:
                          description: URL is the URL of this challenge. It can be
                            used to retrieve additional metadata about the Challenge
                            from the ACME server.
                          type: string
                      required:
                      - token
                      - type
                      - url
                      type: object
                    type: array
                  identifier:
                    description: Identifier is the DNS name to be validated as part
                      of this authorization
                    type: string
                  url:
                    description: URL is the URL of the Authorization that must be
                      completed
                    type: string
                  wildcard:
                    description: Wildcard will be true if this authorization is for
                      a wildcard DNS name. If this is true, the identifier will be
                      the *non-wildcard* version of the DNS name. For example, if
                      '*.example.com' is the DNS name being validated, this field
                      will be 'true' and the 'identifier' field will be 'example.com'.
                    type: boolean
                required:
                - url
                type: object
              type: array
            certificate:
              description: Certificate is a copy of the PEM encoded certificate for
                this Order. This field will be populated after the order has been
                successfully finalized with the ACME server, and the order has transitioned
                to the 'valid' state.
              format: byte
              type: string
            failureTime:
              description: FailureTime stores the time that this order failed. This
                is used to influence garbage collection and back-off.
              format: date-time
              type: string
            finalizeURL:
              description: FinalizeURL of the Order. This is used to obtain certificates
                for this order once it has been completed.
              type: string
            reason:
              description: Reason optionally provides more information about a why
                the order is in the current state.
              type: string
            state:
              description: State contains the current state of this Order resource.
                States 'success' and 'expired' are 'final'
              enum:
              - valid
              - ready
              - pending
              - processing
              - invalid
              - expired
              - errored
              type: string
            url:
              description: URL of the Order. This will initially be empty when the
                resource is first created. The Order controller will populate this
                field when the Order is first processed. This field will be immutable
                after it is initially set.
              type: string
          type: object
      required:
      - metadata
      type: object
  version: v1alpha2
  versions:
  - name: v1alpha2
    served: true
    storage: true
 status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
--- a/templates/0.11.0/v1beta1.webhook.cert-manager.io-APIService.yaml
+++ b/templates/0.11.0/v1beta1.webhook.cert-manager.io-APIService.yaml
@ -1,21 +0,0 @@
 # Source: cert-manager/templates/webhook-apiservice.yaml
 apiVersion: apiregistration.k8s.io/v1beta1
 kind: APIService
 metadata:
  name: v1beta1.webhook.cert-manager.io
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
  annotations:
    cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-tls"
 spec:
  group: webhook.cert-manager.io
  groupPriorityMinimum: 1000
  versionPriority: 15
  service:
    name: cert-manager-webhook
    namespace: "cert-manager"
  version: v1beta1
--- a/templates/0.12/cert-manager-Deployment.yaml
+++ b/templates/0.12/cert-manager-Deployment.yaml
@ -1,61 +0,0 @@
 # Source: cert-manager/templates/deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: cert-manager
  namespace: "cert-manager"
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: cert-manager
      app.kubernetes.io/name: cert-manager
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/managed-by: Tiller
  template:
    metadata:
      labels:
        app: cert-manager
        app.kubernetes.io/name: cert-manager
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/managed-by: Tiller
        helm.sh/chart: cert-manager-v0.12.0
      annotations:
        prometheus.io/path: "/metrics"
        prometheus.io/scrape: 'true'
        prometheus.io/port: '9402'
    spec:
      serviceAccountName: cert-manager
      containers:
        - name: cert-manager
          image: "quay.io/jetstack/cert-manager-controller:v0.12.0"
          imagePullPolicy: IfNotPresent
          args:
          - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53
          - --v=2
          - --cluster-resource-namespace=$(POD_NAMESPACE)
          - --leader-election-namespace=kube-system
          - --webhook-namespace=$(POD_NAMESPACE)
          - --webhook-ca-secret=cert-manager-webhook-ca
          - --webhook-serving-secret=cert-manager-webhook-tls
          - --webhook-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
          ports:
          - containerPort: 9402
            protocol: TCP
          env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          resources:
            requests:
              cpu: 10m
              memory: 32Mi
--- a/templates/0.12/cert-manager-Namespace.yaml
+++ b/templates/0.12/cert-manager-Namespace.yaml
@ -1,4 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: cert-manager
--- a/templates/0.12/cert-manager-Service.yaml
+++ b/templates/0.12/cert-manager-Service.yaml
@ -1,23 +0,0 @@
 # Source: cert-manager/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: cert-manager
  namespace: "cert-manager"
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
 spec:
  type: ClusterIP
  ports:
    - protocol: TCP
      port: 9402
      targetPort: 9402
  selector:
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
--- a/templates/0.12/cert-manager-ServiceAccount.yaml
+++ b/templates/0.12/cert-manager-ServiceAccount.yaml
@ -1,14 +0,0 @@
 # Source: cert-manager/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: cert-manager
  namespace: "cert-manager"
  annotations:
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
--- a/templates/0.12/cert-manager-cainjector-ClusterRole.yaml
+++ b/templates/0.12/cert-manager-cainjector-ClusterRole.yaml
@ -1,30 +0,0 @@
 # Source: cert-manager/templates/cainjector-rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: cert-manager-cainjector
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get", "create", "update", "patch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["apiregistration.k8s.io"]
    resources: ["apiservices"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch", "update"]
--- a/templates/0.12/cert-manager-cainjector-ClusterRoleBinding.yaml
+++ b/templates/0.12/cert-manager-cainjector-ClusterRoleBinding.yaml
@ -1,19 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-cainjector
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-cainjector
 subjects:
  - name: cert-manager-cainjector
    namespace: "cert-manager"
    kind: ServiceAccount
--- a/templates/0.12/cert-manager-cainjector-Deployment.yaml
+++ b/templates/0.12/cert-manager-cainjector-Deployment.yaml
@ -1,47 +0,0 @@
 # Source: cert-manager/templates/cainjector-deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: cert-manager-cainjector
  namespace: "cert-manager"
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: cainjector
      app.kubernetes.io/name: cainjector
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/managed-by: Tiller
  template:
    metadata:
      labels:
        app: cainjector
        app.kubernetes.io/name: cainjector
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/managed-by: Tiller
        helm.sh/chart: cert-manager-v0.12.0
      annotations:
    spec:
      serviceAccountName: cert-manager-cainjector
      containers:
        - name: cert-manager
          image: "quay.io/jetstack/cert-manager-cainjector:v0.12.0"
          imagePullPolicy: IfNotPresent
          args:
          - --v=2
          - --leader-election-namespace=kube-system
          env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          resources:
            {}
--- a/templates/0.12/cert-manager-cainjector-ServiceAccount.yaml
+++ b/templates/0.12/cert-manager-cainjector-ServiceAccount.yaml
@ -1,13 +0,0 @@
 # Source: cert-manager/templates/cainjector-serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: cert-manager-cainjector
  namespace: "cert-manager"
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
--- a/templates/0.12/cert-manager-cainjector:leaderelection-Role.yaml
+++ b/templates/0.12/cert-manager-cainjector:leaderelection-Role.yaml
@ -1,19 +0,0 @@
 # leader election rules
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: Role
 metadata:
  name: cert-manager-cainjector:leaderelection
  namespace: kube-system
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
 rules:
  # Used for leader election by the controller
  # TODO: refine the permission to *just* the leader election configmap
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "create", "update", "patch"]
--- a/templates/0.12/cert-manager-cainjector:leaderelection-RoleBinding.yaml
+++ b/templates/0.12/cert-manager-cainjector:leaderelection-RoleBinding.yaml
@ -1,23 +0,0 @@
 # grant cert-manager permission to manage the leaderelection configmap in the
 # leader election namespace
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
  name: cert-manager-cainjector:leaderelection
  namespace: kube-system
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-cainjector:leaderelection
 subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager-cainjector
    namespace: cert-manager
--- a/templates/0.12/cert-manager-controller-certificates-ClusterRole.yaml
+++ b/templates/0.12/cert-manager-controller-certificates-ClusterRole.yaml
@ -1,35 +0,0 @@
 # Certificates controller role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: cert-manager-controller-certificates
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
    verbs: ["update"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates/finalizers", "certificaterequests/finalizers"]
    verbs: ["update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders"]
    verbs: ["create", "delete", "get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
--- a/templates/0.12/cert-manager-controller-certificates-ClusterRoleBinding.yaml
+++ b/templates/0.12/cert-manager-controller-certificates-ClusterRoleBinding.yaml
@ -1,20 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-controller-certificates
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-certificates
 subjects:
  - name: cert-manager
    namespace: "cert-manager"
    kind: ServiceAccount
--- a/templates/0.12/cert-manager-controller-challenges-ClusterRole.yaml
+++ b/templates/0.12/cert-manager-controller-challenges-ClusterRole.yaml
@ -1,51 +0,0 @@
 # Challenges controller role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: cert-manager-controller-challenges
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
 rules:
  # Use to update challenge resource status
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "challenges/status"]
    verbs: ["update"]
  # Used to watch challenge resources
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["get", "list", "watch"]
  # Used to watch challenges, issuer and clusterissuer resources
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  # Need to be able to retrieve ACME account private key to complete challenges
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  # Used to create events
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  # HTTP01 rules
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges/finalizers"]
    verbs: ["update"]
  # DNS01 rules (duplicated above)
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
--- a/templates/0.12/cert-manager-controller-challenges-ClusterRoleBinding.yaml
+++ b/templates/0.12/cert-manager-controller-challenges-ClusterRoleBinding.yaml
@ -1,20 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-controller-challenges
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-challenges
 subjects:
  - name: cert-manager
    namespace: "cert-manager"
    kind: ServiceAccount
--- a/templates/0.12/cert-manager-controller-clusterissuers-ClusterRole.yaml
+++ b/templates/0.12/cert-manager-controller-clusterissuers-ClusterRole.yaml
@ -1,26 +0,0 @@
 # ClusterIssuer controller role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: cert-manager-controller-clusterissuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "clusterissuers/status"]
    verbs: ["update"]
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
--- a/templates/0.12/cert-manager-controller-clusterissuers-ClusterRoleBinding.yaml
+++ b/templates/0.12/cert-manager-controller-clusterissuers-ClusterRoleBinding.yaml
@ -1,20 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-controller-clusterissuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-clusterissuers
 subjects:
  - name: cert-manager
    namespace: "cert-manager"
    kind: ServiceAccount
--- a/templates/0.12/cert-manager-controller-ingress-shim-ClusterRole.yaml
+++ b/templates/0.12/cert-manager-controller-ingress-shim-ClusterRole.yaml
@ -1,32 +0,0 @@
 # ingress-shim controller role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: cert-manager-controller-ingress-shim
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests"]
    verbs: ["create", "update", "delete"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["extensions"]
    resources: ["ingresses/finalizers"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
--- a/templates/0.12/cert-manager-controller-ingress-shim-ClusterRoleBinding.yaml
+++ b/templates/0.12/cert-manager-controller-ingress-shim-ClusterRoleBinding.yaml
@ -1,20 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-controller-ingress-shim
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-ingress-shim
 subjects:
  - name: cert-manager
    namespace: "cert-manager"
    kind: ServiceAccount
--- a/templates/0.12/cert-manager-controller-issuers-ClusterRole.yaml
+++ b/templates/0.12/cert-manager-controller-issuers-ClusterRole.yaml
@ -1,26 +0,0 @@
 # Issuer controller role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: cert-manager-controller-issuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "issuers/status"]
    verbs: ["update"]
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
--- a/templates/0.12/cert-manager-controller-issuers-ClusterRoleBinding.yaml
+++ b/templates/0.12/cert-manager-controller-issuers-ClusterRoleBinding.yaml
@ -1,20 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-controller-issuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-issuers
 subjects:
  - name: cert-manager
    namespace: "cert-manager"
    kind: ServiceAccount
--- a/templates/0.12/cert-manager-controller-orders-ClusterRole.yaml
+++ b/templates/0.12/cert-manager-controller-orders-ClusterRole.yaml
@ -1,38 +0,0 @@
 # Orders controller role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: cert-manager-controller-orders
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
 rules:
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "orders/status"]
    verbs: ["update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "challenges"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["create", "delete"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders/finalizers"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
--- a/templates/0.12/cert-manager-controller-orders-ClusterRoleBinding.yaml
+++ b/templates/0.12/cert-manager-controller-orders-ClusterRoleBinding.yaml
@ -1,20 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-controller-orders
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-orders
 subjects:
  - name: cert-manager
    namespace: "cert-manager"
    kind: ServiceAccount
--- a/templates/0.12/cert-manager-edit-ClusterRole.yaml
+++ b/templates/0.12/cert-manager-edit-ClusterRole.yaml
@ -1,18 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: cert-manager-edit
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]
--- a/templates/0.12/cert-manager-view-ClusterRole.yaml
+++ b/templates/0.12/cert-manager-view-ClusterRole.yaml
@ -1,19 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: cert-manager-view
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers"]
    verbs: ["get", "list", "watch"]
--- a/templates/0.12/cert-manager-webhook-Deployment.yaml
+++ b/templates/0.12/cert-manager-webhook-Deployment.yaml
@ -1,65 +0,0 @@
 # Source: cert-manager/templates/webhook-deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: cert-manager-webhook
  namespace: "cert-manager"
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: webhook
      app.kubernetes.io/name: webhook
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/managed-by: Tiller
  template:
    metadata:
      labels:
        app: webhook
        app.kubernetes.io/name: webhook
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/managed-by: Tiller
        helm.sh/chart: cert-manager-v0.12.0
      annotations:
    spec:
      serviceAccountName: cert-manager-webhook
      containers:
        - name: cert-manager
          image: "quay.io/jetstack/cert-manager-webhook:v0.12.0"
          imagePullPolicy: IfNotPresent
          args:
          - --v=2
          - --secure-port=10250
          - --tls-cert-file=/certs/tls.crt
          - --tls-private-key-file=/certs/tls.key
          livenessProbe:
            httpGet:
              path: /livez
              port: 6080
              scheme: HTTP
          readinessProbe:
            httpGet:
              path: /healthz
              port: 6080
              scheme: HTTP
          env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          resources:
            {}
          volumeMounts:
          - name: certs
            mountPath: /certs
      volumes:
      - name: certs
        secret:
          secretName: cert-manager-webhook-tls
--- a/templates/0.12/cert-manager-webhook-MutatingWebhookConfiguration.yaml
+++ b/templates/0.12/cert-manager-webhook-MutatingWebhookConfiguration.yaml
@ -1,33 +0,0 @@
 # Source: cert-manager/templates/webhook-mutating-webhook.yaml
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: MutatingWebhookConfiguration
 metadata:
  name: cert-manager-webhook
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
  annotations:
    cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-tls"
 webhooks:
  - name: webhook.cert-manager.io
    rules:
      - apiGroups:
          - "cert-manager.io"
          - "acme.cert-manager.io"
        apiVersions:
          - v1alpha2
        operations:
          - CREATE
          - UPDATE
        resources:
          - "*/*"
    failurePolicy: Fail
    sideEffects: None
    clientConfig:
      service:
        name: cert-manager-webhook
        namespace: "cert-manager"
        path: /mutate
--- a/templates/0.12/cert-manager-webhook-Service.yaml
+++ b/templates/0.12/cert-manager-webhook-Service.yaml
@ -1,23 +0,0 @@
 # Source: cert-manager/templates/webhook-service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: cert-manager-webhook
  namespace: "cert-manager"
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
 spec:
  type: ClusterIP
  ports:
  - name: https
    port: 443
    targetPort: 10250
  selector:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
--- a/templates/0.12/cert-manager-webhook-ServiceAccount.yaml
+++ b/templates/0.12/cert-manager-webhook-ServiceAccount.yaml
@ -1,12 +0,0 @@
 # Source: cert-manager/templates/webhook-serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: cert-manager-webhook
  namespace: "cert-manager"
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
--- a/templates/0.12/cert-manager-webhook-ValidatingWebhookConfiguration.yaml
+++ b/templates/0.12/cert-manager-webhook-ValidatingWebhookConfiguration.yaml
@ -1,43 +0,0 @@
 # Source: cert-manager/templates/webhook-validating-webhook.yaml
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: ValidatingWebhookConfiguration
 metadata:
  name: cert-manager-webhook
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
  annotations:
    cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-tls"
 webhooks:
  - name: webhook.cert-manager.io
    namespaceSelector:
      matchExpressions:
      - key: "cert-manager.io/disable-validation"
        operator: "NotIn"
        values:
        - "true"
      - key: "name"
        operator: "NotIn"
        values:
        - cert-manager
    rules:
      - apiGroups:
          - "cert-manager.io"
          - "acme.cert-manager.io"
        apiVersions:
          - v1alpha2
        operations:
          - CREATE
          - UPDATE
        resources:
          - "*/*"
    failurePolicy: Fail
    sideEffects: None
    clientConfig:
      service:
        name: cert-manager-webhook
        namespace: "cert-manager"
        path: /mutate
--- a/templates/0.12/cert-manager-webhook:auth-delegator-ClusterRoleBinding.yaml
+++ b/templates/0.12/cert-manager-webhook:auth-delegator-ClusterRoleBinding.yaml
@ -1,22 +0,0 @@
 # apiserver gets the auth-delegator role to delegate auth decisions to
 # the core apiserver
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-webhook:auth-delegator
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
 subjects:
 - apiGroup: ""
  kind: ServiceAccount
  name: cert-manager-webhook
  namespace: cert-manager
--- a/templates/0.12/cert-manager-webhook:webhook-authentication-reader-RoleBinding.yaml
+++ b/templates/0.12/cert-manager-webhook:webhook-authentication-reader-RoleBinding.yaml
@ -1,25 +0,0 @@
 # apiserver gets the ability to read authentication. This allows it to
 # read the specific configmap that has the requestheader-* entries to
 # api agg
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
  name: cert-manager-webhook:webhook-authentication-reader
  namespace: kube-system
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
 subjects:
 - apiGroup: ""
  kind: ServiceAccount
  name: cert-manager-webhook
  namespace: cert-manager
--- a/templates/0.12/cert-manager-webhook:webhook-requester-ClusterRole.yaml
+++ b/templates/0.12/cert-manager-webhook:webhook-requester-ClusterRole.yaml
@ -1,21 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: cert-manager-webhook:webhook-requester
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
 rules:
 - apiGroups:
  - admission.cert-manager.io
  resources:
  - certificates
  - certificaterequests
  - issuers
  - clusterissuers
  verbs:
  - create
--- a/templates/0.12/cert-manager.yaml
+++ b/templates/0.12/cert-manager.yaml
--- a/templates/0.12/cert-manager:leaderelection-Role.yaml
+++ b/templates/0.12/cert-manager:leaderelection-Role.yaml
@ -1,19 +0,0 @@
 # Source: cert-manager/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: Role
 metadata:
  name: cert-manager:leaderelection
  namespace: kube-system
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
 rules:
  # Used for leader election by the controller
  # TODO: refine the permission to *just* the leader election configmap
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "create", "update", "patch"]
--- a/templates/0.12/cert-manager:leaderelection-RoleBinding.yaml
+++ b/templates/0.12/cert-manager:leaderelection-RoleBinding.yaml
@ -1,24 +0,0 @@
 # grant cert-manager permission to manage the leaderelection configmap in the
 # leader election namespace
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
  name: cert-manager:leaderelection
  namespace: kube-system
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.12.0
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager:leaderelection
 subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
--- a/templates/0.12/certificaterequests.cert-manager.io-CustomResourceDefinition.yaml
+++ b/templates/0.12/certificaterequests.cert-manager.io-CustomResourceDefinition.yaml
@ -1,190 +0,0 @@
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: certificaterequests.cert-manager.io
 spec:
  additionalPrinterColumns:
  - JSONPath: .status.conditions[?(@.type=="Ready")].status
    name: Ready
    type: string
  - JSONPath: .spec.issuerRef.name
    name: Issuer
    priority: 1
    type: string
  - JSONPath: .status.conditions[?(@.type=="Ready")].message
    name: Status
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC.
    name: Age
    type: date
  group: cert-manager.io
  preserveUnknownFields: false
  names:
    kind: CertificateRequest
    listKind: CertificateRequestList
    plural: certificaterequests
    shortNames:
    - cr
    - crs
    singular: certificaterequest
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      description: CertificateRequest is a type to represent a Certificate Signing
        Request
      type: object
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          description: CertificateRequestSpec defines the desired state of CertificateRequest
          type: object
          required:
          - csr
          - issuerRef
          properties:
            csr:
              description: Byte slice containing the PEM encoded CertificateSigningRequest
              type: string
              format: byte
            duration:
              description: Requested certificate default Duration
              type: string
            isCA:
              description: IsCA will mark the resulting certificate as valid for signing.
                This implies that the 'cert sign' usage is set
              type: boolean
            issuerRef:
              description: IssuerRef is a reference to the issuer for this CertificateRequest.  If
                the 'kind' field is not set, or set to 'Issuer', an Issuer resource
                with the given name in the same namespace as the CertificateRequest
                will be used.  If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
                with the provided name will be used. The 'name' field in this stanza
                is required at all times. The group field refers to the API group
                of the issuer which defaults to 'cert-manager.io' if empty.
              type: object
              required:
              - name
              properties:
                group:
                  type: string
                kind:
                  type: string
                name:
                  type: string
            usages:
              description: Usages is the set of x509 actions that are enabled for
                a given key. Defaults are ('digital signature', 'key encipherment')
                if empty
              type: array
              items:
                description: 'KeyUsage specifies valid usage contexts for keys. See:
                  https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
                  Valid KeyUsage values are as follows: "signing", "digital signature",
                  "content commitment", "key encipherment", "key agreement", "data
                  encipherment", "cert sign", "crl sign", "encipher only", "decipher
                  only", "any", "server auth", "client auth", "code signing", "email
                  protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
                  user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
                  sgc"'
                type: string
                enum:
                - signing
                - digital signature
                - content commitment
                - key encipherment
                - key agreement
                - data encipherment
                - cert sign
                - crl sign
                - encipher only
                - decipher only
                - any
                - server auth
                - client auth
                - code signing
                - email protection
                - s/mime
                - ipsec end system
                - ipsec tunnel
                - ipsec user
                - timestamping
                - ocsp signing
                - microsoft sgc
                - netscape sgc
        status:
          description: CertificateStatus defines the observed state of CertificateRequest
            and resulting signed certificate.
          type: object
          properties:
            ca:
              description: Byte slice containing the PEM encoded certificate authority
                of the signed certificate.
              type: string
              format: byte
            certificate:
              description: Byte slice containing a PEM encoded signed certificate
                resulting from the given certificate signing request.
              type: string
              format: byte
            conditions:
              type: array
              items:
                description: CertificateRequestCondition contains condition information
                  for a CertificateRequest.
                type: object
                required:
                - status
                - type
                properties:
                  lastTransitionTime:
                    description: LastTransitionTime is the timestamp corresponding
                      to the last status change of this condition.
                    type: string
                    format: date-time
                  message:
                    description: Message is a human readable description of the details
                      of the last transition, complementing reason.
                    type: string
                  reason:
                    description: Reason is a brief machine readable explanation for
                      the condition's last transition.
                    type: string
                  status:
                    description: Status of the condition, one of ('True', 'False',
                      'Unknown').
                    type: string
                    enum:
                    - "True"
                    - "False"
                    - Unknown
                  type:
                    description: Type of the condition, currently ('Ready').
                    type: string
            failureTime:
              description: FailureTime stores the time that this CertificateRequest
                failed. This is used to influence garbage collection and back-off.
              type: string
              format: date-time
  version: v1alpha2
  versions:
  - name: v1alpha2
    served: true
    storage: true
--- a/templates/0.12/certificates.cert-manager.io-CustomResourceDefinition.yaml
+++ b/templates/0.12/certificates.cert-manager.io-CustomResourceDefinition.yaml
@ -1,243 +0,0 @@
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: certificates.cert-manager.io
 spec:
  additionalPrinterColumns:
  - JSONPath: .status.conditions[?(@.type=="Ready")].status
    name: Ready
    type: string
  - JSONPath: .spec.secretName
    name: Secret
    type: string
  - JSONPath: .spec.issuerRef.name
    name: Issuer
    priority: 1
    type: string
  - JSONPath: .status.conditions[?(@.type=="Ready")].message
    name: Status
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC.
    name: Age
    type: date
  group: cert-manager.io
  preserveUnknownFields: false
  names:
    kind: Certificate
    listKind: CertificateList
    plural: certificates
    shortNames:
    - cert
    - certs
    singular: certificate
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      description: Certificate is a type to represent a Certificate from ACME
      type: object
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          description: CertificateSpec defines the desired state of Certificate. A
            valid Certificate requires at least one of a CommonName, DNSName, or URISAN
            to be valid.
          type: object
          required:
          - issuerRef
          - secretName
          properties:
            commonName:
              description: CommonName is a common name to be used on the Certificate.
                The CommonName should have a length of 64 characters or fewer to avoid
                generating invalid CSRs.
              type: string
            dnsNames:
              description: DNSNames is a list of subject alt names to be used on the
                Certificate.
              type: array
              items:
                type: string
            duration:
              description: Certificate default Duration
              type: string
            ipAddresses:
              description: IPAddresses is a list of IP addresses to be used on the
                Certificate
              type: array
              items:
                type: string
            isCA:
              description: IsCA will mark this Certificate as valid for signing. This
                implies that the 'cert sign' usage is set
              type: boolean
            issuerRef:
              description: IssuerRef is a reference to the issuer for this certificate.
                If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
                with the given name in the same namespace as the Certificate will
                be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
                with the provided name will be used. The 'name' field in this stanza
                is required at all times.
              type: object
              required:
              - name
              properties:
                group:
                  type: string
                kind:
                  type: string
                name:
                  type: string
            keyAlgorithm:
              description: KeyAlgorithm is the private key algorithm of the corresponding
                private key for this certificate. If provided, allowed values are
                either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize is
                not provided, key size of 256 will be used for "ecdsa" key algorithm
                and key size of 2048 will be used for "rsa" key algorithm.
              type: string
              enum:
              - rsa
              - ecdsa
            keyEncoding:
              description: KeyEncoding is the private key cryptography standards (PKCS)
                for this certificate's private key to be encoded in. If provided,
                allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8,
                respectively. If KeyEncoding is not specified, then PKCS#1 will be
                used by default.
              type: string
              enum:
              - pkcs1
              - pkcs8
            keySize:
              description: KeySize is the key bit size of the corresponding private
                key for this certificate. If provided, value must be between 2048
                and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa",
                and value must be one of (256, 384, 521) when KeyAlgorithm is set
                to "ecdsa".
              type: integer
            organization:
              description: Organization is the organization to be used on the Certificate
              type: array
              items:
                type: string
            renewBefore:
              description: Certificate renew before expiration duration
              type: string
            secretName:
              description: SecretName is the name of the secret resource to store
                this secret in
              type: string
            uriSANs:
              description: URISANs is a list of URI Subject Alternative Names to be
                set on this Certificate.
              type: array
              items:
                type: string
            usages:
              description: Usages is the set of x509 actions that are enabled for
                a given key. Defaults are ('digital signature', 'key encipherment')
                if empty
              type: array
              items:
                description: 'KeyUsage specifies valid usage contexts for keys. See:
                  https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
                  Valid KeyUsage values are as follows: "signing", "digital signature",
                  "content commitment", "key encipherment", "key agreement", "data
                  encipherment", "cert sign", "crl sign", "encipher only", "decipher
                  only", "any", "server auth", "client auth", "code signing", "email
                  protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
                  user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
                  sgc"'
                type: string
                enum:
                - signing
                - digital signature
                - content commitment
                - key encipherment
                - key agreement
                - data encipherment
                - cert sign
                - crl sign
                - encipher only
                - decipher only
                - any
                - server auth
                - client auth
                - code signing
                - email protection
                - s/mime
                - ipsec end system
                - ipsec tunnel
                - ipsec user
                - timestamping
                - ocsp signing
                - microsoft sgc
                - netscape sgc
        status:
          description: CertificateStatus defines the observed state of Certificate
          type: object
          properties:
            conditions:
              type: array
              items:
                description: CertificateCondition contains condition information for
                  an Certificate.
                type: object
                required:
                - status
                - type
                properties:
                  lastTransitionTime:
                    description: LastTransitionTime is the timestamp corresponding
                      to the last status change of this condition.
                    type: string
                    format: date-time
                  message:
                    description: Message is a human readable description of the details
                      of the last transition, complementing reason.
                    type: string
                  reason:
                    description: Reason is a brief machine readable explanation for
                      the condition's last transition.
                    type: string
                  status:
                    description: Status of the condition, one of ('True', 'False',
                      'Unknown').
                    type: string
                    enum:
                    - "True"
                    - "False"
                    - Unknown
                  type:
                    description: Type of the condition, currently ('Ready').
                    type: string
            lastFailureTime:
              type: string
              format: date-time
            notAfter:
              description: The expiration time of the certificate stored in the secret
                named by this resource in spec.secretName.
              type: string
              format: date-time
  version: v1alpha2
  versions:
  - name: v1alpha2
    served: true
    storage: true
--- a/templates/0.12/challenges.acme.cert-manager.io-CustomResourceDefinition.yaml
+++ b/templates/0.12/challenges.acme.cert-manager.io-CustomResourceDefinition.yaml
--- a/templates/0.12/clusterissuers.cert-manager.io-CustomResourceDefinition.yaml
+++ b/templates/0.12/clusterissuers.cert-manager.io-CustomResourceDefinition.yaml
--- a/templates/0.12/issuers.cert-manager.io-CustomResourceDefinition.yaml
+++ b/templates/0.12/issuers.cert-manager.io-CustomResourceDefinition.yaml
--- a/templates/0.12/orders.acme.cert-manager.io-CustomResourceDefinition.yaml
+++ b/templates/0.12/orders.acme.cert-manager.io-CustomResourceDefinition.yaml
@ -1,201 +0,0 @@
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: orders.acme.cert-manager.io
 spec:
  additionalPrinterColumns:
  - JSONPath: .status.state
    name: State
    type: string
  - JSONPath: .spec.issuerRef.name
    name: Issuer
    priority: 1
    type: string
  - JSONPath: .status.reason
    name: Reason
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC.
    name: Age
    type: date
  group: acme.cert-manager.io
  preserveUnknownFields: false
  names:
    kind: Order
    listKind: OrderList
    plural: orders
    singular: order
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      description: Order is a type to represent an Order with an ACME server
      type: object
      required:
      - metadata
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          type: object
          required:
          - csr
          - issuerRef
          properties:
            commonName:
              description: CommonName is the common name as specified on the DER encoded
                CSR. If CommonName is not specified, the first DNSName specified will
                be used as the CommonName. At least one of CommonName or a DNSNames
                must be set. This field must match the corresponding field on the
                DER encoded CSR.
              type: string
            csr:
              description: Certificate signing request bytes in DER encoding. This
                will be used when finalizing the order. This field must be set on
                the order.
              type: string
              format: byte
            dnsNames:
              description: DNSNames is a list of DNS names that should be included
                as part of the Order validation process. If CommonName is not specified,
                the first DNSName specified will be used as the CommonName. At least
                one of CommonName or a DNSNames must be set. This field must match
                the corresponding field on the DER encoded CSR.
              type: array
              items:
                type: string
            issuerRef:
              description: IssuerRef references a properly configured ACME-type Issuer
                which should be used to create this Order. If the Issuer does not
                exist, processing will be retried. If the Issuer is not an 'ACME'
                Issuer, an error will be returned and the Order will be marked as
                failed.
              type: object
              required:
              - name
              properties:
                group:
                  type: string
                kind:
                  type: string
                name:
                  type: string
        status:
          type: object
          properties:
            authorizations:
              description: Authorizations contains data returned from the ACME server
                on what authoriations must be completed in order to validate the DNS
                names specified on the Order.
              type: array
              items:
                description: ACMEAuthorization contains data returned from the ACME
                  server on an authorization that must be completed in order validate
                  a DNS name on an ACME Order resource.
                type: object
                required:
                - url
                properties:
                  challenges:
                    description: Challenges specifies the challenge types offered
                      by the ACME server. One of these challenge types will be selected
                      when validating the DNS name and an appropriate Challenge resource
                      will be created to perform the ACME challenge process.
                    type: array
                    items:
                      description: Challenge specifies a challenge offered by the
                        ACME server for an Order. An appropriate Challenge resource
                        can be created to perform the ACME challenge process.
                      type: object
                      required:
                      - token
                      - type
                      - url
                      properties:
                        token:
                          description: Token is the token that must be presented for
                            this challenge. This is used to compute the 'key' that
                            must also be presented.
                          type: string
                        type:
                          description: Type is the type of challenge being offered,
                            e.g. http-01, dns-01
                          type: string
                        url:
                          description: URL is the URL of this challenge. It can be
                            used to retrieve additional metadata about the Challenge
                            from the ACME server.
                          type: string
                  identifier:
                    description: Identifier is the DNS name to be validated as part
                      of this authorization
                    type: string
                  url:
                    description: URL is the URL of the Authorization that must be
                      completed
                    type: string
                  wildcard:
                    description: Wildcard will be true if this authorization is for
                      a wildcard DNS name. If this is true, the identifier will be
                      the *non-wildcard* version of the DNS name. For example, if
                      '*.example.com' is the DNS name being validated, this field
                      will be 'true' and the 'identifier' field will be 'example.com'.
                    type: boolean
            certificate:
              description: Certificate is a copy of the PEM encoded certificate for
                this Order. This field will be populated after the order has been
                successfully finalized with the ACME server, and the order has transitioned
                to the 'valid' state.
              type: string
              format: byte
            failureTime:
              description: FailureTime stores the time that this order failed. This
                is used to influence garbage collection and back-off.
              type: string
              format: date-time
            finalizeURL:
              description: FinalizeURL of the Order. This is used to obtain certificates
                for this order once it has been completed.
              type: string
            reason:
              description: Reason optionally provides more information about a why
                the order is in the current state.
              type: string
            state:
              description: State contains the current state of this Order resource.
                States 'success' and 'expired' are 'final'
              type: string
              enum:
              - valid
              - ready
              - pending
              - processing
              - invalid
              - expired
              - errored
            url:
              description: URL of the Order. This will initially be empty when the
                resource is first created. The Order controller will populate this
                field when the Order is first processed. This field will be immutable
                after it is initially set.
              type: string
  version: v1alpha2
  versions:
  - name: v1alpha2
    served: true
    storage: true
--- a/templates/0.13/cert-manager-Deployment.yaml
+++ b/templates/0.13/cert-manager-Deployment.yaml
@ -1,61 +0,0 @@
 # Source: cert-manager/templates/deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: cert-manager
  namespace: "cert-manager"
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.13.1
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: cert-manager
      app.kubernetes.io/name: cert-manager
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/managed-by: Tiller
  template:
    metadata:
      labels:
        app: cert-manager
        app.kubernetes.io/name: cert-manager
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/managed-by: Tiller
        helm.sh/chart: cert-manager-v0.13.1
      annotations:
        prometheus.io/path: "/metrics"
        prometheus.io/scrape: 'true'
        prometheus.io/port: '9402'
    spec:
      serviceAccountName: cert-manager
      containers:
        - name: cert-manager
          image: "quay.io/jetstack/cert-manager-controller:v0.13.1"
          imagePullPolicy: IfNotPresent
          args:
          - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53
          - --v=2
          - --cluster-resource-namespace=$(POD_NAMESPACE)
          - --leader-election-namespace=kube-system
          - --webhook-namespace=$(POD_NAMESPACE)
          - --webhook-ca-secret=cert-manager-webhook-ca
          - --webhook-serving-secret=cert-manager-webhook-tls
          - --webhook-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
          ports:
          - containerPort: 9402
            protocol: TCP
          env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          resources:
            requests:
              cpu: 10m
              memory: 32Mi
--- a/templates/0.13/cert-manager-Namespace.yaml
+++ b/templates/0.13/cert-manager-Namespace.yaml
@ -1,4 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: cert-manager
--- a/templates/0.13/cert-manager-Service.yaml
+++ b/templates/0.13/cert-manager-Service.yaml
@ -1,23 +0,0 @@
 # Source: cert-manager/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: cert-manager
  namespace: "cert-manager"
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.13.1
 spec:
  type: ClusterIP
  ports:
    - protocol: TCP
      port: 9402
      targetPort: 9402
  selector:
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
--- a/templates/0.13/cert-manager-ServiceAccount.yaml
+++ b/templates/0.13/cert-manager-ServiceAccount.yaml
@ -1,14 +0,0 @@
 # Source: cert-manager/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: cert-manager
  namespace: "cert-manager"
  annotations:
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.13.1
--- a/templates/0.13/cert-manager-cainjector-ClusterRole.yaml
+++ b/templates/0.13/cert-manager-cainjector-ClusterRole.yaml
@ -1,30 +0,0 @@
 # Source: cert-manager/templates/cainjector-rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: cert-manager-cainjector
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.13.1
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get", "create", "update", "patch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["apiregistration.k8s.io"]
    resources: ["apiservices"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch", "update"]
--- a/templates/0.13/cert-manager-cainjector-ClusterRoleBinding.yaml
+++ b/templates/0.13/cert-manager-cainjector-ClusterRoleBinding.yaml
@ -1,19 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-cainjector
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.13.1
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-cainjector
 subjects:
  - name: cert-manager-cainjector
    namespace: "cert-manager"
    kind: ServiceAccount
--- a/templates/0.13/cert-manager-cainjector-Deployment.yaml
+++ b/templates/0.13/cert-manager-cainjector-Deployment.yaml
@ -1,46 +0,0 @@
 # Source: cert-manager/templates/cainjector-deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: cert-manager-cainjector
  namespace: "cert-manager"
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.13.1
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: cainjector
      app.kubernetes.io/name: cainjector
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/managed-by: Tiller
  template:
    metadata:
      labels:
        app: cainjector
        app.kubernetes.io/name: cainjector
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/managed-by: Tiller
        helm.sh/chart: cert-manager-v0.13.1
      annotations:
    spec:
      serviceAccountName: cert-manager-cainjector
      containers:
        - name: cert-manager
          image: "quay.io/jetstack/cert-manager-cainjector:v0.13.1"
          imagePullPolicy: IfNotPresent
          args:
          - --v=2
          - --leader-election-namespace=kube-system
          env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          resources:
            {}
--- a/templates/0.13/cert-manager-cainjector-ServiceAccount.yaml
+++ b/templates/0.13/cert-manager-cainjector-ServiceAccount.yaml
@ -1,12 +0,0 @@
 # Source: cert-manager/templates/cainjector-serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: cert-manager-cainjector
  namespace: "cert-manager"
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.13.1
--- a/templates/0.13/cert-manager-cainjector:leaderelection-Role.yaml
+++ b/templates/0.13/cert-manager-cainjector:leaderelection-Role.yaml
@ -1,19 +0,0 @@
 # leader election rules
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: Role
 metadata:
  name: cert-manager-cainjector:leaderelection
  namespace: kube-system
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.13.1
 rules:
  # Used for leader election by the controller
  # TODO: refine the permission to *just* the leader election configmap
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "create", "update", "patch"]
--- a/templates/0.13/cert-manager-cainjector:leaderelection-RoleBinding.yaml
+++ b/templates/0.13/cert-manager-cainjector:leaderelection-RoleBinding.yaml
@ -1,22 +0,0 @@
 # grant cert-manager permission to manage the leaderelection configmap in the
 # leader election namespace
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
  name: cert-manager-cainjector:leaderelection
  namespace: kube-system
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.13.1
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-cainjector:leaderelection
 subjects:
  - kind: ServiceAccount
    name: cert-manager-cainjector
    namespace: cert-manager
--- a/templates/0.13/cert-manager-controller-certificates-ClusterRole.yaml
+++ b/templates/0.13/cert-manager-controller-certificates-ClusterRole.yaml
@ -1,35 +0,0 @@
 # Certificates controller role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: cert-manager-controller-certificates
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.13.1
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
    verbs: ["update"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates/finalizers", "certificaterequests/finalizers"]
    verbs: ["update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders"]
    verbs: ["create", "delete", "get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
--- a/templates/0.13/cert-manager-controller-certificates-ClusterRoleBinding.yaml
+++ b/templates/0.13/cert-manager-controller-certificates-ClusterRoleBinding.yaml
@ -1,20 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-controller-certificates
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.13.1
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-certificates
 subjects:
  - name: cert-manager
    namespace: "cert-manager"
    kind: ServiceAccount
--- a/templates/0.13/cert-manager-controller-challenges-ClusterRole.yaml
+++ b/templates/0.13/cert-manager-controller-challenges-ClusterRole.yaml
@ -1,51 +0,0 @@
 # Challenges controller role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: cert-manager-controller-challenges
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.13.1
 rules:
  # Use to update challenge resource status
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "challenges/status"]
    verbs: ["update"]
  # Used to watch challenge resources
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["get", "list", "watch"]
  # Used to watch challenges, issuer and clusterissuer resources
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  # Need to be able to retrieve ACME account private key to complete challenges
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  # Used to create events
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  # HTTP01 rules
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges/finalizers"]
    verbs: ["update"]
  # DNS01 rules (duplicated above)
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
--- a/templates/0.13/cert-manager-controller-challenges-ClusterRoleBinding.yaml
+++ b/templates/0.13/cert-manager-controller-challenges-ClusterRoleBinding.yaml
@ -1,20 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: cert-manager-controller-challenges
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.13.1
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-challenges
 subjects:
  - name: cert-manager
    namespace: "cert-manager"
    kind: ServiceAccount
--- a/Show more
+++ b/Show more