adrien/ansible-role-k8s-cert-manager
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Update from upstream
Some checks reported errors
continuous-integration/drone/push Build was killed
Details

Browse source
This commit is contained in:
Adrien Reslinger 2021-06-16 14:12:46 +02:00
parent 098eec3437
commit 601388495b
Signed by: adrien
GPG key ID: DA7B27055C66D6DE
53 changed files with 0 additions and 17153 deletions
Download patch file Download diff file Expand all files Collapse all files

56
templates/1.4/cert-manager-Deployment.yaml
View file

@ -1,56 +0,0 @@
# Source: cert-manager/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: cert-manager
namespace: "cert-manager"
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.4.0
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
template:
metadata:
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
app.kubernetes.io/managed-by: Helm
helm.sh/chart: cert-manager-v1.4.0
annotations:
prometheus.io/path: "/metrics"
prometheus.io/scrape: 'true'
prometheus.io/port: '9402'
spec:
serviceAccountName: cert-manager
securityContext:
runAsNonRoot: true
containers:
- name: cert-manager
image: "quay.io/jetstack/cert-manager-controller:v1.4.0"
imagePullPolicy: IfNotPresent
args:
- --v=2
- --cluster-resource-namespace=$(POD_NAMESPACE)
- --leader-election-namespace=kube-system
- --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53
ports:
- containerPort: 9402
protocol: TCP
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
resources:
{}

47
templates/1.4/cert-manager-PodSecurityPolicy.yaml
View file

@ -1,47 +0,0 @@
# Source: cert-manager/templates/psp.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: cert-manager
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.4.0
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
privileged: false
allowPrivilegeEscalation: false
allowedCapabilities: [] # default set of capabilities are implicitly allowed
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000

23
templates/1.4/cert-manager-Service.yaml
View file

@ -1,23 +0,0 @@
# Source: cert-manager/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: cert-manager
namespace: "cert-manager"
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.4.0
spec:
type: ClusterIP
ports:
- protocol: TCP
port: 9402
targetPort: 9402
selector:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"

14
templates/1.4/cert-manager-ServiceAccount.yaml
View file

@ -1,14 +0,0 @@
# Source: cert-manager/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: true
metadata:
name: cert-manager
namespace: "cert-manager"
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.4.0

34
templates/1.4/cert-manager-cainjector-ClusterRole.yaml
View file

@ -1,34 +0,0 @@
# Source: cert-manager/templates/cainjector-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-cainjector
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
helm.sh/chart: cert-manager-v1.4.0
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["get", "create", "update", "patch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["auditregistration.k8s.io"]
resources: ["auditsinks"]
verbs: ["get", "list", "watch", "update"]

20
templates/1.4/cert-manager-cainjector-ClusterRoleBinding.yaml
View file

@ -1,20 +0,0 @@
# Source: cert-manager/templates/cainjector-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-cainjector
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
helm.sh/chart: cert-manager-v1.4.0
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-cainjector
subjects:
- name: cert-manager-cainjector
namespace: "cert-manager"
kind: ServiceAccount

47
templates/1.4/cert-manager-cainjector-Deployment.yaml
View file

@ -1,47 +0,0 @@
# Source: cert-manager/templates/cainjector-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: cert-manager-cainjector
namespace: "cert-manager"
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
helm.sh/chart: cert-manager-v1.4.0
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "cainjector"
template:
metadata:
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
helm.sh/chart: cert-manager-v1.4.0
spec:
serviceAccountName: cert-manager-cainjector
securityContext:
runAsNonRoot: true
containers:
- name: cert-manager
image: "quay.io/jetstack/cert-manager-cainjector:v1.4.0"
imagePullPolicy: IfNotPresent
args:
- --v=2
- --leader-election-namespace=kube-system
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
resources:
{}

47
templates/1.4/cert-manager-cainjector-PodSecurityPolicy.yaml
View file

@ -1,47 +0,0 @@
# Source: cert-manager/templates/cainjector-psp.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: cert-manager-cainjector
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
helm.sh/chart: cert-manager-v1.4.0
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
privileged: false
allowPrivilegeEscalation: false
allowedCapabilities: [] # default set of capabilities are implicitly allowed
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000

14
templates/1.4/cert-manager-cainjector-ServiceAccount.yaml
View file

@ -1,14 +0,0 @@
# Source: cert-manager/templates/cainjector-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: true
metadata:
name: cert-manager-cainjector
namespace: "cert-manager"
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
helm.sh/chart: cert-manager-v1.4.0

18
templates/1.4/cert-manager-cainjector-psp-ClusterRole.yaml
View file

@ -1,18 +0,0 @@
# Source: cert-manager/templates/cainjector-psp-clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cert-manager-cainjector-psp
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
helm.sh/chart: cert-manager-v1.4.0
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- cert-manager-cainjector

20
templates/1.4/cert-manager-cainjector-psp-ClusterRoleBinding.yaml
View file

@ -1,20 +0,0 @@
# Source: cert-manager/templates/cainjector-psp-clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-cainjector-psp
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
helm.sh/chart: cert-manager-v1.4.0
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-cainjector-psp
subjects:
- kind: ServiceAccount
name: cert-manager-cainjector
namespace: cert-manager

35
templates/1.4/cert-manager-cainjector:leaderelection-Role.yaml
View file

@ -1,35 +0,0 @@
# Source: cert-manager/templates/cainjector-rbac.yaml
# leader election rules
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cert-manager-cainjector:leaderelection
namespace: kube-system
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
helm.sh/chart: cert-manager-v1.4.0
rules:
# Used for leader election by the controller
# cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
# see cmd/cainjector/start.go#L113
# cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
# see cmd/cainjector/start.go#L137
# See also: https://github.com/kubernetes-sigs/controller-runtime/pull/1144#discussion_r480173688
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
verbs: ["get", "update", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
verbs: ["get", "update", "patch"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["create"]

23
templates/1.4/cert-manager-cainjector:leaderelection-RoleBinding.yaml
View file

@ -1,23 +0,0 @@
# Source: cert-manager/templates/cainjector-rbac.yaml
# grant cert-manager permission to manage the leaderelection configmap in the
# leader election namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cert-manager-cainjector:leaderelection
namespace: kube-system
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
helm.sh/chart: cert-manager-v1.4.0
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-manager-cainjector:leaderelection
subjects:
- kind: ServiceAccount
name: cert-manager-cainjector
namespace: cert-manager

18
templates/1.4/cert-manager-controller-approve:cert-manager-io-ClusterRole.yaml
View file

@ -1,18 +0,0 @@
# Source: cert-manager/templates/rbac.yaml
# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-controller-approve:cert-manager-io
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cert-manager"
helm.sh/chart: cert-manager-v1.4.0
rules:
- apiGroups: ["cert-manager.io"]
resources: ["signers"]
verbs: ["approve"]
resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]

20
templates/1.4/cert-manager-controller-approve:cert-manager-io-ClusterRoleBinding.yaml
View file

@ -1,20 +0,0 @@
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-approve:cert-manager-io
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cert-manager"
helm.sh/chart: cert-manager-v1.4.0
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-approve:cert-manager-io
subjects:
- name: cert-manager
namespace: "cert-manager"
kind: ServiceAccount

35
templates/1.4/cert-manager-controller-certificates-ClusterRole.yaml
View file

@ -1,35 +0,0 @@
# Source: cert-manager/templates/rbac.yaml
# Certificates controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-controller-certificates
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.4.0
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
verbs: ["update"]
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
verbs: ["get", "list", "watch"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["cert-manager.io"]
resources: ["certificates/finalizers", "certificaterequests/finalizers"]
verbs: ["update"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders"]
verbs: ["create", "delete", "get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]

20
templates/1.4/cert-manager-controller-certificates-ClusterRoleBinding.yaml
View file

@ -1,20 +0,0 @@
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-certificates
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.4.0
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-certificates
subjects:
- name: cert-manager
namespace: "cert-manager"
kind: ServiceAccount

29
templates/1.4/cert-manager-controller-certificatesigningrequests-ClusterRole.yaml
View file

@ -1,29 +0,0 @@
# Source: cert-manager/templates/rbac.yaml
# Permission to:
# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers
# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-controller-certificatesigningrequests
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cert-manager"
helm.sh/chart: cert-manager-v1.4.0
rules:
- apiGroups: ["certificates.k8s.io"]
resources: ["certificatesigningrequests"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["certificates.k8s.io"]
resources: ["certificatesigningrequests/status"]
verbs: ["update"]
- apiGroups: ["certificates.k8s.io"]
resources: ["signers"]
resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
verbs: ["sign"]
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]

20
templates/1.4/cert-manager-controller-certificatesigningrequests-ClusterRoleBinding.yaml
View file

@ -1,20 +0,0 @@
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-certificatesigningrequests
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cert-manager"
helm.sh/chart: cert-manager-v1.4.0
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-certificatesigningrequests
subjects:
- name: cert-manager
namespace: "cert-manager"
kind: ServiceAccount

57
templates/1.4/cert-manager-controller-challenges-ClusterRole.yaml
View file

@ -1,57 +0,0 @@
# Source: cert-manager/templates/rbac.yaml
# Challenges controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-controller-challenges
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.4.0
rules:
# Use to update challenge resource status
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges", "challenges/status"]
verbs: ["update"]
# Used to watch challenge resources
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges"]
verbs: ["get", "list", "watch"]
# Used to watch challenges, issuer and clusterissuer resources
- apiGroups: ["cert-manager.io"]
resources: ["issuers", "clusterissuers"]
verbs: ["get", "list", "watch"]
# Need to be able to retrieve ACME account private key to complete challenges
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
# Used to create events
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
# HTTP01 rules
- apiGroups: [""]
resources: ["pods", "services"]
verbs: ["get", "list", "watch", "create", "delete"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch", "create", "delete", "update"]
# We require the ability to specify a custom hostname when we are creating
# new ingress resources.
# See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
- apiGroups: ["route.openshift.io"]
resources: ["routes/custom-host"]
verbs: ["create"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges/finalizers"]
verbs: ["update"]
# DNS01 rules (duplicated above)
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]

20
templates/1.4/cert-manager-controller-challenges-ClusterRoleBinding.yaml
View file

@ -1,20 +0,0 @@
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-challenges
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.4.0
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-challenges
subjects:
- name: cert-manager
namespace: "cert-manager"
kind: ServiceAccount

26
templates/1.4/cert-manager-controller-clusterissuers-ClusterRole.yaml
View file

@ -1,26 +0,0 @@
# Source: cert-manager/templates/rbac.yaml
# ClusterIssuer controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-controller-clusterissuers
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.4.0
rules:
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers", "clusterissuers/status"]
verbs: ["update"]
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]

20
templates/1.4/cert-manager-controller-clusterissuers-ClusterRoleBinding.yaml
View file

@ -1,20 +0,0 @@
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-clusterissuers
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.4.0
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-clusterissuers
subjects:
- name: cert-manager
namespace: "cert-manager"
kind: ServiceAccount

32
templates/1.4/cert-manager-controller-ingress-shim-ClusterRole.yaml
View file

@ -1,32 +0,0 @@
# Source: cert-manager/templates/rbac.yaml
# ingress-shim controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-controller-ingress-shim
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.4.0
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests"]
verbs: ["create", "update", "delete"]
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses/finalizers"]
verbs: ["update"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]

20
templates/1.4/cert-manager-controller-ingress-shim-ClusterRoleBinding.yaml
View file

@ -1,20 +0,0 @@
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-ingress-shim
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.4.0
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-ingress-shim
subjects:
- name: cert-manager
namespace: "cert-manager"
kind: ServiceAccount

26
templates/1.4/cert-manager-controller-issuers-ClusterRole.yaml
View file

@ -1,26 +0,0 @@
# Source: cert-manager/templates/rbac.yaml
# Issuer controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-controller-issuers
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.4.0
rules:
- apiGroups: ["cert-manager.io"]
resources: ["issuers", "issuers/status"]
verbs: ["update"]
- apiGroups: ["cert-manager.io"]
resources: ["issuers"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]

20
templates/1.4/cert-manager-controller-issuers-ClusterRoleBinding.yaml
View file

@ -1,20 +0,0 @@
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-issuers
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.4.0
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-issuers
subjects:
- name: cert-manager
namespace: "cert-manager"
kind: ServiceAccount

38
templates/1.4/cert-manager-controller-orders-ClusterRole.yaml
View file

@ -1,38 +0,0 @@
# Source: cert-manager/templates/rbac.yaml
# Orders controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-controller-orders
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.4.0
rules:
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders", "orders/status"]
verbs: ["update"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders", "challenges"]
verbs: ["get", "list", "watch"]
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers", "issuers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges"]
verbs: ["create", "delete"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders/finalizers"]
verbs: ["update"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]

20
templates/1.4/cert-manager-controller-orders-ClusterRoleBinding.yaml
View file

@ -1,20 +0,0 @@
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-orders
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.4.0
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-orders
subjects:
- name: cert-manager
namespace: "cert-manager"
kind: ServiceAccount

21
templates/1.4/cert-manager-edit-ClusterRole.yaml
View file

@ -1,21 +0,0 @@
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-edit
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.4.0
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "issuers"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges", "orders"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]

18
templates/1.4/cert-manager-psp-ClusterRole.yaml
View file

@ -1,18 +0,0 @@
# Source: cert-manager/templates/psp-clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cert-manager-psp
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.4.0
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- cert-manager

20
templates/1.4/cert-manager-psp-ClusterRoleBinding.yaml
View file

@ -1,20 +0,0 @@
# Source: cert-manager/templates/psp-clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-psp
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.4.0
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-psp
subjects:
- kind: ServiceAccount
name: cert-manager
namespace: cert-manager

22
templates/1.4/cert-manager-view-ClusterRole.yaml
View file

@ -1,22 +0,0 @@
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-view
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.4.0
rbac.authorization.k8s.io/aggregate-to-view: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "issuers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges", "orders"]
verbs: ["get", "list", "watch"]

73
templates/1.4/cert-manager-webhook-Deployment.yaml
View file

@ -1,73 +0,0 @@
# Source: cert-manager/templates/webhook-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: cert-manager-webhook
namespace: "cert-manager"
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v1.4.0
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "webhook"
template:
metadata:
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v1.4.0
spec:
serviceAccountName: cert-manager-webhook
securityContext:
runAsNonRoot: true
containers:
- name: cert-manager
image: "quay.io/jetstack/cert-manager-webhook:v1.4.0"
imagePullPolicy: IfNotPresent
args:
- --v=2
- --secure-port=10250
- --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
- --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
- --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
ports:
- name: https
containerPort: 10250
livenessProbe:
httpGet:
path: /livez
port: 6080
scheme: HTTP
initialDelaySeconds: 60
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
readinessProbe:
httpGet:
path: /healthz
port: 6080
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
resources:
{}

37
templates/1.4/cert-manager-webhook-MutatingWebhookConfiguration.yaml
View file

@ -1,37 +0,0 @@
# Source: cert-manager/templates/webhook-mutating-webhook.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: cert-manager-webhook
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v1.4.0
annotations:
cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
webhooks:
- name: webhook.cert-manager.io
rules:
- apiGroups:
- "cert-manager.io"
- "acme.cert-manager.io"
apiVersions:
- "*"
operations:
- CREATE
- UPDATE
resources:
- "*/*"
admissionReviewVersions: ["v1", "v1beta1"]
timeoutSeconds: 10
failurePolicy: Fail
# Only include 'sideEffects' field in Kubernetes 1.12+
sideEffects: None
clientConfig:
service:
name: cert-manager-webhook
namespace: "cert-manager"
path: /mutate

48
templates/1.4/cert-manager-webhook-PodSecurityPolicy.yaml
View file

@ -1,48 +0,0 @@
# Source: cert-manager/templates/webhook-psp.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: cert-manager-webhook
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v1.4.0
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
privileged: false
allowPrivilegeEscalation: false
allowedCapabilities: [] # default set of capabilities are implicitly allowed
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000

23
templates/1.4/cert-manager-webhook-Service.yaml
View file

@ -1,23 +0,0 @@
# Source: cert-manager/templates/webhook-service.yaml
apiVersion: v1
kind: Service
metadata:
name: cert-manager-webhook
namespace: "cert-manager"
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v1.4.0
spec:
type: ClusterIP
ports:
- name: https
port: 443
targetPort: 10250
selector:
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "webhook"

14
templates/1.4/cert-manager-webhook-ServiceAccount.yaml
View file

@ -1,14 +0,0 @@
# Source: cert-manager/templates/webhook-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: true
metadata:
name: cert-manager-webhook
namespace: "cert-manager"
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v1.4.0

46
templates/1.4/cert-manager-webhook-ValidatingWebhookConfiguration.yaml
View file

@ -1,46 +0,0 @@
# Source: cert-manager/templates/webhook-validating-webhook.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: cert-manager-webhook
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v1.4.0
annotations:
cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
webhooks:
- name: webhook.cert-manager.io
namespaceSelector:
matchExpressions:
- key: "cert-manager.io/disable-validation"
operator: "NotIn"
values:
- "true"
- key: "name"
operator: "NotIn"
values:
- cert-manager
rules:
- apiGroups:
- "cert-manager.io"
- "acme.cert-manager.io"
apiVersions:
- "*"
operations:
- CREATE
- UPDATE
resources:
- "*/*"
admissionReviewVersions: ["v1", "v1beta1"]
timeoutSeconds: 10
failurePolicy: Fail
sideEffects: None
clientConfig:
service:
name: cert-manager-webhook
namespace: "cert-manager"
path: /validate

18
templates/1.4/cert-manager-webhook-psp-ClusterRole.yaml
View file

@ -1,18 +0,0 @@
# Source: cert-manager/templates/webhook-psp-clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cert-manager-webhook-psp
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v1.4.0
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- cert-manager-webhook

20
templates/1.4/cert-manager-webhook-psp-ClusterRoleBinding.yaml
View file

@ -1,20 +0,0 @@
# Source: cert-manager/templates/webhook-psp-clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-webhook-psp
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v1.4.0
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-webhook-psp
subjects:
- kind: ServiceAccount
name: cert-manager-webhook
namespace: cert-manager

23
templates/1.4/cert-manager-webhook:dynamic-serving-Role.yaml
View file

@ -1,23 +0,0 @@
# Source: cert-manager/templates/webhook-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cert-manager-webhook:dynamic-serving
namespace: "cert-manager"
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v1.4.0
rules:
- apiGroups: [""]
resources: ["secrets"]
resourceNames:
- 'cert-manager-webhook-ca'
verbs: ["get", "list", "watch", "update"]
# It's not possible to grant CREATE permission on a single resourceName.
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]

22
templates/1.4/cert-manager-webhook:dynamic-serving-RoleBinding.yaml
View file

@ -1,22 +0,0 @@
# Source: cert-manager/templates/webhook-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cert-manager-webhook:dynamic-serving
namespace: "cert-manager"
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v1.4.0
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-manager-webhook:dynamic-serving
subjects:
- apiGroup: ""
kind: ServiceAccount
name: cert-manager-webhook
namespace: cert-manager

16
templates/1.4/cert-manager-webhook:subjectaccessreviews-ClusterRole.yaml
View file

@ -1,16 +0,0 @@
# Source: cert-manager/templates/webhook-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-webhook:subjectaccessreviews
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v1.4.0
rules:
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]

21
templates/1.4/cert-manager-webhook:subjectaccessreviews-ClusterRoleBinding.yaml
View file

@ -1,21 +0,0 @@
# Source: cert-manager/templates/webhook-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-webhook:subjectaccessreviews
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v1.4.0
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-webhook:subjectaccessreviews
subjects:
- apiGroup: ""
kind: ServiceAccount
name: cert-manager-webhook
namespace: cert-manager

30
templates/1.4/cert-manager:leaderelection-Role.yaml
View file

@ -1,30 +0,0 @@
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cert-manager:leaderelection
namespace: kube-system
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.4.0
rules:
# Used for leader election by the controller
# See also: https://github.com/kubernetes-sigs/controller-runtime/pull/1144#discussion_r480173688
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["cert-manager-controller"]
verbs: ["get", "update", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
resourceNames: ["cert-manager-controller"]
verbs: ["get", "update", "patch"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["create"]

24
templates/1.4/cert-manager:leaderelection-RoleBinding.yaml
View file

@ -1,24 +0,0 @@
# Source: cert-manager/templates/rbac.yaml
# grant cert-manager permission to manage the leaderelection configmap in the
# leader election namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cert-manager:leaderelection
namespace: kube-system
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v1.4.0
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-manager:leaderelection
subjects:
- apiGroup: ""
kind: ServiceAccount
name: cert-manager
namespace: cert-manager

726
templates/1.4/certificaterequests.cert-manager.io-CustomResourceDefinition.yaml
View file

@ -1,726 +0,0 @@
# Source: cert-manager/templates/crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: certificaterequests.cert-manager.io
annotations:
cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
labels:
app: 'cert-manager'
app.kubernetes.io/name: 'cert-manager'
app.kubernetes.io/instance: 'cert-manager'
app.kubernetes.io/managed-by: 'Helm'
helm.sh/chart: 'cert-manager-v1.4.0'
spec:
group: cert-manager.io
names:
kind: CertificateRequest
listKind: CertificateRequestList
plural: certificaterequests
shortNames:
- cr
- crs
singular: certificaterequest
categories:
- cert-manager
scope: Namespaced
conversion:
# a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
strategy: Webhook
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
webhook:
conversionReviewVersions: ["v1", "v1beta1"]
clientConfig:
#
service:
name: 'cert-manager-webhook'
namespace: "cert-manager"
path: /convert
#
versions:
- name: v1alpha2
subresources:
status: {}
additionalPrinterColumns:
- jsonPath: .status.conditions[?(@.type=="Approved")].status
name: Approved
type: string
- jsonPath: .status.conditions[?(@.type=="Denied")].status
name: Denied
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
- jsonPath: .spec.issuerRef.name
name: Issuer
type: string
- jsonPath: .spec.username
name: Requestor
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].message
name: Status
priority: 1
type: string
- jsonPath: .metadata.creationTimestamp
description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
name: Age
type: date
schema:
openAPIV3Schema:
description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
type: object
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Desired state of the CertificateRequest resource.
type: object
required:
- csr
- issuerRef
properties:
csr:
description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
type: string
format: byte
duration:
description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
type: string
extra:
description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: object
additionalProperties:
type: array
items:
type: string
groups:
description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: array
items:
type: string
x-kubernetes-list-type: atomic
isCA:
description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
type: boolean
issuerRef:
description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
type: object
required:
- name
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
uid:
description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: string
usages:
description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
type: array
items:
description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
type: string
enum:
- signing
- digital signature
- content commitment
- key encipherment
- key agreement
- data encipherment
- cert sign
- crl sign
- encipher only
- decipher only
- any
- server auth
- client auth
- code signing
- email protection
- s/mime
- ipsec end system
- ipsec tunnel
- ipsec user
- timestamping
- ocsp signing
- microsoft sgc
- netscape sgc
username:
description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: string
status:
description: Status of the CertificateRequest. This is set and managed automatically.
type: object
properties:
ca:
description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
type: string
format: byte
certificate:
description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
type: string
format: byte
conditions:
description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
type: array
items:
description: CertificateRequestCondition contains condition information for a CertificateRequest.
type: object
required:
- status
- type
properties:
lastTransitionTime:
description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
type: string
format: date-time
message:
description: Message is a human readable description of the details of the last transition, complementing reason.
type: string
reason:
description: Reason is a brief machine readable explanation for the condition's last transition.
type: string
status:
description: Status of the condition, one of (`True`, `False`, `Unknown`).
type: string
enum:
- "True"
- "False"
- Unknown
type:
description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
type: string
failureTime:
description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
type: string
format: date-time
served: true
storage: false
- name: v1alpha3
subresources:
status: {}
additionalPrinterColumns:
- jsonPath: .status.conditions[?(@.type=="Approved")].status
name: Approved
type: string
- jsonPath: .status.conditions[?(@.type=="Denied")].status
name: Denied
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
- jsonPath: .spec.issuerRef.name
name: Issuer
type: string
- jsonPath: .spec.username
name: Requestor
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].message
name: Status
priority: 1
type: string
- jsonPath: .metadata.creationTimestamp
description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
name: Age
type: date
schema:
openAPIV3Schema:
description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
type: object
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Desired state of the CertificateRequest resource.
type: object
required:
- csr
- issuerRef
properties:
csr:
description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
type: string
format: byte
duration:
description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
type: string
extra:
description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: object
additionalProperties:
type: array
items:
type: string
groups:
description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: array
items:
type: string
x-kubernetes-list-type: atomic
isCA:
description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
type: boolean
issuerRef:
description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
type: object
required:
- name
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
uid:
description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: string
usages:
description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
type: array
items:
description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
type: string
enum:
- signing
- digital signature
- content commitment
- key encipherment
- key agreement
- data encipherment
- cert sign
- crl sign
- encipher only
- decipher only
- any
- server auth
- client auth
- code signing
- email protection
- s/mime
- ipsec end system
- ipsec tunnel
- ipsec user
- timestamping
- ocsp signing
- microsoft sgc
- netscape sgc
username:
description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: string
status:
description: Status of the CertificateRequest. This is set and managed automatically.
type: object
properties:
ca:
description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
type: string
format: byte
certificate:
description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
type: string
format: byte
conditions:
description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
type: array
items:
description: CertificateRequestCondition contains condition information for a CertificateRequest.
type: object
required:
- status
- type
properties:
lastTransitionTime:
description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
type: string
format: date-time
message:
description: Message is a human readable description of the details of the last transition, complementing reason.
type: string
reason:
description: Reason is a brief machine readable explanation for the condition's last transition.
type: string
status:
description: Status of the condition, one of (`True`, `False`, `Unknown`).
type: string
enum:
- "True"
- "False"
- Unknown
type:
description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
type: string
failureTime:
description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
type: string
format: date-time
served: true
storage: false
- name: v1beta1
subresources:
status: {}
additionalPrinterColumns:
- jsonPath: .status.conditions[?(@.type=="Approved")].status
name: Approved
type: string
- jsonPath: .status.conditions[?(@.type=="Denied")].status
name: Denied
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
- jsonPath: .spec.issuerRef.name
name: Issuer
type: string
- jsonPath: .spec.username
name: Requestor
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].message
name: Status
priority: 1
type: string
- jsonPath: .metadata.creationTimestamp
description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
name: Age
type: date
schema:
openAPIV3Schema:
description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
type: object
required:
- spec
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Desired state of the CertificateRequest resource.
type: object
required:
- issuerRef
- request
properties:
duration:
description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
type: string
extra:
description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: object
additionalProperties:
type: array
items:
type: string
groups:
description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: array
items:
type: string
x-kubernetes-list-type: atomic
isCA:
description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
type: boolean
issuerRef:
description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
type: object
required:
- name
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
request:
description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
type: string
format: byte
uid:
description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: string
usages:
description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
type: array
items:
description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
type: string
enum:
- signing
- digital signature
- content commitment
- key encipherment
- key agreement
- data encipherment
- cert sign
- crl sign
- encipher only
- decipher only
- any
- server auth
- client auth
- code signing
- email protection
- s/mime
- ipsec end system
- ipsec tunnel
- ipsec user
- timestamping
- ocsp signing
- microsoft sgc
- netscape sgc
username:
description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: string
status:
description: Status of the CertificateRequest. This is set and managed automatically.
type: object
properties:
ca:
description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
type: string
format: byte
certificate:
description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
type: string
format: byte
conditions:
description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
type: array
items:
description: CertificateRequestCondition contains condition information for a CertificateRequest.
type: object
required:
- status
- type
properties:
lastTransitionTime:
description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
type: string
format: date-time
message:
description: Message is a human readable description of the details of the last transition, complementing reason.
type: string
reason:
description: Reason is a brief machine readable explanation for the condition's last transition.
type: string
status:
description: Status of the condition, one of (`True`, `False`, `Unknown`).
type: string
enum:
- "True"
- "False"
- Unknown
type:
description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
type: string
failureTime:
description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
type: string
format: date-time
served: true
storage: false
- name: v1
subresources:
status: {}
additionalPrinterColumns:
- jsonPath: .status.conditions[?(@.type=="Approved")].status
name: Approved
type: string
- jsonPath: .status.conditions[?(@.type=="Denied")].status
name: Denied
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
- jsonPath: .spec.issuerRef.name
name: Issuer
type: string
- jsonPath: .spec.username
name: Requestor
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].message
name: Status
priority: 1
type: string
- jsonPath: .metadata.creationTimestamp
description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
name: Age
type: date
schema:
openAPIV3Schema:
description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
type: object
required:
- spec
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Desired state of the CertificateRequest resource.
type: object
required:
- issuerRef
- request
properties:
duration:
description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
type: string
extra:
description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: object
additionalProperties:
type: array
items:
type: string
groups:
description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: array
items:
type: string
x-kubernetes-list-type: atomic
isCA:
description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
type: boolean
issuerRef:
description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
type: object
required:
- name
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
request:
description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
type: string
format: byte
uid:
description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: string
usages:
description: Usages is the set of x509 usages that are requested for the certificate. If usages are set they SHOULD be encoded inside the CSR spec Defaults to `digital signature` and `key encipherment` if not specified.
type: array
items:
description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
type: string
enum:
- signing
- digital signature
- content commitment
- key encipherment
- key agreement
- data encipherment
- cert sign
- crl sign
- encipher only
- decipher only
- any
- server auth
- client auth
- code signing
- email protection
- s/mime
- ipsec end system
- ipsec tunnel
- ipsec user
- timestamping
- ocsp signing
- microsoft sgc
- netscape sgc
username:
description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: string
status:
description: Status of the CertificateRequest. This is set and managed automatically.
type: object
properties:
ca:
description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
type: string
format: byte
certificate:
description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
type: string
format: byte
conditions:
description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
type: array
items:
description: CertificateRequestCondition contains condition information for a CertificateRequest.
type: object
required:
- status
- type
properties:
lastTransitionTime:
description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
type: string
format: date-time
message:
description: Message is a human readable description of the details of the last transition, complementing reason.
type: string
reason:
description: Reason is a brief machine readable explanation for the condition's last transition.
type: string
status:
description: Status of the condition, one of (`True`, `False`, `Unknown`).
type: string
enum:
- "True"
- "False"
- Unknown
type:
description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
type: string
failureTime:
description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
type: string
format: date-time
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

1262
templates/1.4/certificates.cert-manager.io-CustomResourceDefinition.yaml
View file

File diff suppressed because it is too large Load diff

3826
templates/1.4/challenges.acme.cert-manager.io-CustomResourceDefinition.yaml
View file

File diff suppressed because it is too large Load diff

4675
templates/1.4/clusterissuers.cert-manager.io-CustomResourceDefinition.yaml
View file

File diff suppressed because it is too large Load diff

4675
templates/1.4/issuers.cert-manager.io-CustomResourceDefinition.yaml
View file

File diff suppressed because it is too large Load diff

674
templates/1.4/orders.acme.cert-manager.io-CustomResourceDefinition.yaml
View file

@ -1,674 +0,0 @@
# Source: cert-manager/templates/crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: orders.acme.cert-manager.io
annotations:
cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
labels:
app: 'cert-manager'
app.kubernetes.io/name: 'cert-manager'
app.kubernetes.io/instance: 'cert-manager'
app.kubernetes.io/managed-by: 'Helm'
helm.sh/chart: 'cert-manager-v1.4.0'
spec:
group: acme.cert-manager.io
names:
kind: Order
listKind: OrderList
plural: orders
singular: order
categories:
- cert-manager
- cert-manager-acme
scope: Namespaced
conversion:
# a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
strategy: Webhook
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
webhook:
conversionReviewVersions: ["v1", "v1beta1"]
clientConfig:
#
service:
name: 'cert-manager-webhook'
namespace: "cert-manager"
path: /convert
#
versions:
- name: v1alpha2
subresources:
status: {}
additionalPrinterColumns:
- jsonPath: .status.state
name: State
type: string
- jsonPath: .spec.issuerRef.name
name: Issuer
priority: 1
type: string
- jsonPath: .status.reason
name: Reason
priority: 1
type: string
- jsonPath: .metadata.creationTimestamp
description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
name: Age
type: date
schema:
openAPIV3Schema:
description: Order is a type to represent an Order with an ACME server
type: object
required:
- metadata
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
type: object
required:
- csr
- issuerRef
properties:
commonName:
description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
type: string
csr:
description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
type: string
format: byte
dnsNames:
description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
type: array
items:
type: string
duration:
description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec.
type: string
ipAddresses:
description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
type: array
items:
type: string
issuerRef:
description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
type: object
required:
- name
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
status:
type: object
properties:
authorizations:
description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
type: array
items:
description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource.
type: object
required:
- url
properties:
challenges:
description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
type: array
items:
description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
type: object
required:
- token
- type
- url
properties:
token:
description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
type: string
type:
description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
type: string
url:
description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
type: string
identifier:
description: Identifier is the DNS name to be validated as part of this authorization
type: string
initialState:
description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
url:
description: URL is the URL of the Authorization that must be completed
type: string
wildcard:
description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
type: boolean
certificate:
description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
type: string
format: byte
failureTime:
description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
type: string
format: date-time
finalizeURL:
description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
type: string
reason:
description: Reason optionally provides more information about a why the order is in the current state.
type: string
state:
description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
url:
description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
type: string
served: true
storage: false
- name: v1alpha3
subresources:
status: {}
additionalPrinterColumns:
- jsonPath: .status.state
name: State
type: string
- jsonPath: .spec.issuerRef.name
name: Issuer
priority: 1
type: string
- jsonPath: .status.reason
name: Reason
priority: 1
type: string
- jsonPath: .metadata.creationTimestamp
description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
name: Age
type: date
schema:
openAPIV3Schema:
description: Order is a type to represent an Order with an ACME server
type: object
required:
- metadata
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
type: object
required:
- csr
- issuerRef
properties:
commonName:
description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
type: string
csr:
description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
type: string
format: byte
dnsNames:
description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
type: array
items:
type: string
duration:
description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec.
type: string
ipAddresses:
description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
type: array
items:
type: string
issuerRef:
description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
type: object
required:
- name
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
status:
type: object
properties:
authorizations:
description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
type: array
items:
description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource.
type: object
required:
- url
properties:
challenges:
description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
type: array
items:
description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
type: object
required:
- token
- type
- url
properties:
token:
description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
type: string
type:
description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
type: string
url:
description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
type: string
identifier:
description: Identifier is the DNS name to be validated as part of this authorization
type: string
initialState:
description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
url:
description: URL is the URL of the Authorization that must be completed
type: string
wildcard:
description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
type: boolean
certificate:
description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
type: string
format: byte
failureTime:
description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
type: string
format: date-time
finalizeURL:
description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
type: string
reason:
description: Reason optionally provides more information about a why the order is in the current state.
type: string
state:
description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
url:
description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
type: string
served: true
storage: false
- name: v1beta1
subresources:
status: {}
additionalPrinterColumns:
- jsonPath: .status.state
name: State
type: string
- jsonPath: .spec.issuerRef.name
name: Issuer
priority: 1
type: string
- jsonPath: .status.reason
name: Reason
priority: 1
type: string
- jsonPath: .metadata.creationTimestamp
description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
name: Age
type: date
schema:
openAPIV3Schema:
description: Order is a type to represent an Order with an ACME server
type: object
required:
- metadata
- spec
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
type: object
required:
- issuerRef
- request
properties:
commonName:
description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
type: string
dnsNames:
description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
type: array
items:
type: string
duration:
description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec.
type: string
ipAddresses:
description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
type: array
items:
type: string
issuerRef:
description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
type: object
required:
- name
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
request:
description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
type: string
format: byte
status:
type: object
properties:
authorizations:
description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
type: array
items:
description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource.
type: object
required:
- url
properties:
challenges:
description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
type: array
items:
description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
type: object
required:
- token
- type
- url
properties:
token:
description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
type: string
type:
description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
type: string
url:
description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
type: string
identifier:
description: Identifier is the DNS name to be validated as part of this authorization
type: string
initialState:
description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
url:
description: URL is the URL of the Authorization that must be completed
type: string
wildcard:
description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
type: boolean
certificate:
description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
type: string
format: byte
failureTime:
description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
type: string
format: date-time
finalizeURL:
description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
type: string
reason:
description: Reason optionally provides more information about a why the order is in the current state.
type: string
state:
description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
url:
description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
type: string
served: true
storage: false
- name: v1
subresources:
status: {}
additionalPrinterColumns:
- jsonPath: .status.state
name: State
type: string
- jsonPath: .spec.issuerRef.name
name: Issuer
priority: 1
type: string
- jsonPath: .status.reason
name: Reason
priority: 1
type: string
- jsonPath: .metadata.creationTimestamp
description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
name: Age
type: date
schema:
openAPIV3Schema:
description: Order is a type to represent an Order with an ACME server
type: object
required:
- metadata
- spec
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
type: object
required:
- issuerRef
- request
properties:
commonName:
description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
type: string
dnsNames:
description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
type: array
items:
type: string
duration:
description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec.
type: string
ipAddresses:
description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
type: array
items:
type: string
issuerRef:
description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
type: object
required:
- name
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
request:
description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
type: string
format: byte
status:
type: object
properties:
authorizations:
description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
type: array
items:
description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource.
type: object
required:
- url
properties:
challenges:
description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
type: array
items:
description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
type: object
required:
- token
- type
- url
properties:
token:
description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
type: string
type:
description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
type: string
url:
description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
type: string
identifier:
description: Identifier is the DNS name to be validated as part of this authorization
type: string
initialState:
description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
url:
description: URL is the URL of the Authorization that must be completed
type: string
wildcard:
description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
type: boolean
certificate:
description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
type: string
format: byte
failureTime:
description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
type: string
format: date-time
finalizeURL:
description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
type: string
reason:
description: Reason optionally provides more information about a why the order is in the current state.
type: string
state:
description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
url:
description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
type: string
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []