adrien/ansible-role-k8s-cert-manager
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Add 0.16 version
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse source
This commit is contained in:
Adrien Reslinger 2020-07-24 00:36:11 +02:00
parent ac92e81b52
commit dd90cd4b37
40 changed files with 19436 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

54
templates/0.16/cert-manager-Deployment.yaml Normal file
View file

@ -0,0 +1,54 @@
# Source: cert-manager/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: cert-manager
namespace: "cert-manager"
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v0.16.0
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
template:
metadata:
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
app.kubernetes.io/managed-by: Helm
helm.sh/chart: cert-manager-v0.16.0
annotations:
prometheus.io/path: "/metrics"
prometheus.io/scrape: 'true'
prometheus.io/port: '9402'
spec:
serviceAccountName: cert-manager
containers:
- name: cert-manager
image: "quay.io/jetstack/cert-manager-controller:v0.16.0"
imagePullPolicy: IfNotPresent
args:
- --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53
- --v=2
- --cluster-resource-namespace=$(POD_NAMESPACE)
- --leader-election-namespace=kube-system
ports:
- containerPort: 9402
protocol: TCP
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
resources:
{}

4
templates/0.16/cert-manager-Namespace.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: cert-manager

23
templates/0.16/cert-manager-Service.yaml Normal file
View file

@ -0,0 +1,23 @@
# Source: cert-manager/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: cert-manager
namespace: "cert-manager"
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v0.16.0
spec:
type: ClusterIP
ports:
- protocol: TCP
port: 9402
targetPort: 9402
selector:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"

13
templates/0.16/cert-manager-ServiceAccount.yaml Normal file
View file

@ -0,0 +1,13 @@
# Source: cert-manager/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: cert-manager
namespace: "cert-manager"
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v0.16.0

34
templates/0.16/cert-manager-cainjector-ClusterRole.yaml Normal file
View file

@ -0,0 +1,34 @@
# Source: cert-manager/templates/cainjector-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: cert-manager-cainjector
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
helm.sh/chart: cert-manager-v0.16.0
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["get", "create", "update", "patch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["auditregistration.k8s.io"]
resources: ["auditsinks"]
verbs: ["get", "list", "watch", "update"]

20
templates/0.16/cert-manager-cainjector-ClusterRoleBinding.yaml Normal file
View file

@ -0,0 +1,20 @@
# Source: cert-manager/templates/cainjector-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: cert-manager-cainjector
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
helm.sh/chart: cert-manager-v0.16.0
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-cainjector
subjects:
- name: cert-manager-cainjector
namespace: "cert-manager"
kind: ServiceAccount

45
templates/0.16/cert-manager-cainjector-Deployment.yaml Normal file
View file

@ -0,0 +1,45 @@
# Source: cert-manager/templates/cainjector-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: cert-manager-cainjector
namespace: "cert-manager"
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
helm.sh/chart: cert-manager-v0.16.0
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "cainjector"
template:
metadata:
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
helm.sh/chart: cert-manager-v0.16.0
spec:
serviceAccountName: cert-manager-cainjector
containers:
- name: cert-manager
image: "quay.io/jetstack/cert-manager-cainjector:v0.16.0"
imagePullPolicy: IfNotPresent
args:
- --v=2
- --leader-election-namespace=kube-system
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
resources:
{}

13
templates/0.16/cert-manager-cainjector-ServiceAccount.yaml Normal file
View file

@ -0,0 +1,13 @@
# Source: cert-manager/templates/cainjector-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: cert-manager-cainjector
namespace: "cert-manager"
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
helm.sh/chart: cert-manager-v0.16.0

27
templates/0.16/cert-manager-cainjector:leaderelection-Role.yaml Normal file
View file

@ -0,0 +1,27 @@
# Source: cert-manager/templates/cainjector-rbac.yaml
# leader election rules
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: cert-manager-cainjector:leaderelection
namespace: kube-system
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
helm.sh/chart: cert-manager-v0.16.0
rules:
# Used for leader election by the controller
# cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
# see cmd/cainjector/start.go#L113
# cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
# see cmd/cainjector/start.go#L137
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
verbs: ["get", "update", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]

23
templates/0.16/cert-manager-cainjector:leaderelection-RoleBinding.yaml Normal file
View file

@ -0,0 +1,23 @@
# Source: cert-manager/templates/cainjector-rbac.yaml
# grant cert-manager permission to manage the leaderelection configmap in the
# leader election namespace
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: cert-manager-cainjector:leaderelection
namespace: kube-system
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
helm.sh/chart: cert-manager-v0.16.0
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-manager-cainjector:leaderelection
subjects:
- kind: ServiceAccount
name: cert-manager-cainjector
namespace: cert-manager

35
templates/0.16/cert-manager-controller-certificates-ClusterRole.yaml Normal file
View file

@ -0,0 +1,35 @@
# Source: cert-manager/templates/rbac.yaml
# Certificates controller role
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: cert-manager-controller-certificates
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v0.16.0
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
verbs: ["update"]
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
verbs: ["get", "list", "watch"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["cert-manager.io"]
resources: ["certificates/finalizers", "certificaterequests/finalizers"]
verbs: ["update"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders"]
verbs: ["create", "delete", "get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]

20
templates/0.16/cert-manager-controller-certificates-ClusterRoleBinding.yaml Normal file
View file

@ -0,0 +1,20 @@
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-certificates
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v0.16.0
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-certificates
subjects:
- name: cert-manager
namespace: "cert-manager"
kind: ServiceAccount

57
templates/0.16/cert-manager-controller-challenges-ClusterRole.yaml Normal file
View file

@ -0,0 +1,57 @@
# Source: cert-manager/templates/rbac.yaml
# Challenges controller role
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: cert-manager-controller-challenges
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v0.16.0
rules:
# Use to update challenge resource status
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges", "challenges/status"]
verbs: ["update"]
# Used to watch challenge resources
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges"]
verbs: ["get", "list", "watch"]
# Used to watch challenges, issuer and clusterissuer resources
- apiGroups: ["cert-manager.io"]
resources: ["issuers", "clusterissuers"]
verbs: ["get", "list", "watch"]
# Need to be able to retrieve ACME account private key to complete challenges
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
# Used to create events
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
# HTTP01 rules
- apiGroups: [""]
resources: ["pods", "services"]
verbs: ["get", "list", "watch", "create", "delete"]
- apiGroups: ["extensions"]
resources: ["ingresses"]
verbs: ["get", "list", "watch", "create", "delete", "update"]
# We require the ability to specify a custom hostname when we are creating
# new ingress resources.
# See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
- apiGroups: ["route.openshift.io"]
resources: ["routes/custom-host"]
verbs: ["create"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges/finalizers"]
verbs: ["update"]
# DNS01 rules (duplicated above)
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]

20
templates/0.16/cert-manager-controller-challenges-ClusterRoleBinding.yaml Normal file
View file

@ -0,0 +1,20 @@
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-challenges
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v0.16.0
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-challenges
subjects:
- name: cert-manager
namespace: "cert-manager"
kind: ServiceAccount

26
templates/0.16/cert-manager-controller-clusterissuers-ClusterRole.yaml Normal file
View file

@ -0,0 +1,26 @@
# Source: cert-manager/templates/rbac.yaml
# ClusterIssuer controller role
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: cert-manager-controller-clusterissuers
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v0.16.0
rules:
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers", "clusterissuers/status"]
verbs: ["update"]
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]

20
templates/0.16/cert-manager-controller-clusterissuers-ClusterRoleBinding.yaml Normal file
View file

@ -0,0 +1,20 @@
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-clusterissuers
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v0.16.0
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-clusterissuers
subjects:
- name: cert-manager
namespace: "cert-manager"
kind: ServiceAccount

32
templates/0.16/cert-manager-controller-ingress-shim-ClusterRole.yaml Normal file
View file

@ -0,0 +1,32 @@
# Source: cert-manager/templates/rbac.yaml
# ingress-shim controller role
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: cert-manager-controller-ingress-shim
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v0.16.0
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests"]
verbs: ["create", "update", "delete"]
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["extensions"]
resources: ["ingresses"]
verbs: ["get", "list", "watch"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["extensions"]
resources: ["ingresses/finalizers"]
verbs: ["update"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]

20
templates/0.16/cert-manager-controller-ingress-shim-ClusterRoleBinding.yaml Normal file
View file

@ -0,0 +1,20 @@
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-ingress-shim
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v0.16.0
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-ingress-shim
subjects:
- name: cert-manager
namespace: "cert-manager"
kind: ServiceAccount

26
templates/0.16/cert-manager-controller-issuers-ClusterRole.yaml Normal file
View file

@ -0,0 +1,26 @@
# Source: cert-manager/templates/rbac.yaml
# Issuer controller role
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: cert-manager-controller-issuers
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v0.16.0
rules:
- apiGroups: ["cert-manager.io"]
resources: ["issuers", "issuers/status"]
verbs: ["update"]
- apiGroups: ["cert-manager.io"]
resources: ["issuers"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]

20
templates/0.16/cert-manager-controller-issuers-ClusterRoleBinding.yaml Normal file
View file

@ -0,0 +1,20 @@
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-issuers
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v0.16.0
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-issuers
subjects:
- name: cert-manager
namespace: "cert-manager"
kind: ServiceAccount

38
templates/0.16/cert-manager-controller-orders-ClusterRole.yaml Normal file
View file

@ -0,0 +1,38 @@
# Source: cert-manager/templates/rbac.yaml
# Orders controller role
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: cert-manager-controller-orders
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v0.16.0
rules:
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders", "orders/status"]
verbs: ["update"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders", "challenges"]
verbs: ["get", "list", "watch"]
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers", "issuers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges"]
verbs: ["create", "delete"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders/finalizers"]
verbs: ["update"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]

20
templates/0.16/cert-manager-controller-orders-ClusterRoleBinding.yaml Normal file
View file

@ -0,0 +1,20 @@
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-orders
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v0.16.0
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-orders
subjects:
- name: cert-manager
namespace: "cert-manager"
kind: ServiceAccount

18
templates/0.16/cert-manager-edit-ClusterRole.yaml Normal file
View file

@ -0,0 +1,18 @@
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-edit
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v0.16.0
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "issuers"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]

19
templates/0.16/cert-manager-view-ClusterRole.yaml Normal file
View file

@ -0,0 +1,19 @@
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-view
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v0.16.0
rbac.authorization.k8s.io/aggregate-to-view: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "issuers"]
verbs: ["get", "list", "watch"]

65
templates/0.16/cert-manager-webhook-Deployment.yaml Normal file
View file

@ -0,0 +1,65 @@
# Source: cert-manager/templates/webhook-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: cert-manager-webhook
namespace: "cert-manager"
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v0.16.0
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "webhook"
template:
metadata:
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v0.16.0
spec:
serviceAccountName: cert-manager-webhook
containers:
- name: cert-manager
image: "quay.io/jetstack/cert-manager-webhook:v0.16.0"
imagePullPolicy: IfNotPresent
args:
- --v=2
- --secure-port=10250
- --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
- --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
- --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
ports:
- name: https
containerPort: 10250
livenessProbe:
httpGet:
path: /livez
port: 6080
scheme: HTTP
initialDelaySeconds: 60
periodSeconds: 10
readinessProbe:
httpGet:
path: /healthz
port: 6080
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 5
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
resources:
{}

35
templates/0.16/cert-manager-webhook-MutatingWebhookConfiguration.yaml Normal file
View file

@ -0,0 +1,35 @@
# Source: cert-manager/templates/webhook-mutating-webhook.yaml
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
name: cert-manager-webhook
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v0.16.0
annotations:
cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
webhooks:
- name: webhook.cert-manager.io
rules:
- apiGroups:
- "cert-manager.io"
- "acme.cert-manager.io"
apiVersions:
- "*"
operations:
- CREATE
- UPDATE
resources:
- "*/*"
failurePolicy: Fail
# Only include 'sideEffects' field in Kubernetes 1.12+
sideEffects: None
clientConfig:
service:
name: cert-manager-webhook
namespace: "cert-manager"
path: /mutate

23
templates/0.16/cert-manager-webhook-Service.yaml Normal file
View file

@ -0,0 +1,23 @@
# Source: cert-manager/templates/webhook-service.yaml
apiVersion: v1
kind: Service
metadata:
name: cert-manager-webhook
namespace: "cert-manager"
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v0.16.0
spec:
type: ClusterIP
ports:
- name: https
port: 443
targetPort: 10250
selector:
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "webhook"

13
templates/0.16/cert-manager-webhook-ServiceAccount.yaml Normal file
View file

@ -0,0 +1,13 @@
# Source: cert-manager/templates/webhook-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: cert-manager-webhook
namespace: "cert-manager"
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v0.16.0

45
templates/0.16/cert-manager-webhook-ValidatingWebhookConfiguration.yaml Normal file
View file

@ -0,0 +1,45 @@
# Source: cert-manager/templates/webhook-validating-webhook.yaml
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
name: cert-manager-webhook
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v0.16.0
annotations:
cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
webhooks:
- name: webhook.cert-manager.io
namespaceSelector:
matchExpressions:
- key: "cert-manager.io/disable-validation"
operator: "NotIn"
values:
- "true"
- key: "name"
operator: "NotIn"
values:
- cert-manager
rules:
- apiGroups:
- "cert-manager.io"
- "acme.cert-manager.io"
apiVersions:
- "*"
operations:
- CREATE
- UPDATE
resources:
- "*/*"
failurePolicy: Fail
# Only include 'sideEffects' field in Kubernetes 1.12+
sideEffects: None
clientConfig:
service:
name: cert-manager-webhook
namespace: "cert-manager"
path: /validate

23
templates/0.16/cert-manager-webhook:dynamic-serving-Role.yaml Normal file
View file

@ -0,0 +1,23 @@
# Source: cert-manager/templates/webhook-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: cert-manager-webhook:dynamic-serving
namespace: "cert-manager"
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v0.16.0
rules:
- apiGroups: [""]
resources: ["secrets"]
resourceNames:
- 'cert-manager-webhook-ca'
verbs: ["get", "list", "watch", "update"]
# It's not possible to grant CREATE permission on a single resourceName.
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]

22
templates/0.16/cert-manager-webhook:dynamic-serving-RoleBinding.yaml Normal file
View file

@ -0,0 +1,22 @@
# Source: cert-manager/templates/webhook-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: cert-manager-webhook:dynamic-serving
namespace: "cert-manager"
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
helm.sh/chart: cert-manager-v0.16.0
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-manager-webhook:dynamic-serving
subjects:
- apiGroup: ""
kind: ServiceAccount
name: cert-manager-webhook
namespace: cert-manager

22
templates/0.16/cert-manager:leaderelection-Role.yaml Normal file
View file

@ -0,0 +1,22 @@
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: cert-manager:leaderelection
namespace: kube-system
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v0.16.0
rules:
# Used for leader election by the controller
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["cert-manager-controller"]
verbs: ["get", "update", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]

24
templates/0.16/cert-manager:leaderelection-RoleBinding.yaml Normal file
View file

@ -0,0 +1,24 @@
# Source: cert-manager/templates/rbac.yaml
# grant cert-manager permission to manage the leaderelection configmap in the
# leader election namespace
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: cert-manager:leaderelection
namespace: kube-system
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
helm.sh/chart: cert-manager-v0.16.0
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-manager:leaderelection
subjects:
- apiGroup: ""
kind: ServiceAccount
name: cert-manager
namespace: cert-manager

565
templates/0.16/certificaterequests.cert-manager.io-CustomResourceDefinition.yaml Normal file
View file

@ -0,0 +1,565 @@
# Source: cert-manager/templates/templates.regular.out
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: certificaterequests.cert-manager.io
annotations:
cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
labels:
app: 'cert-manager'
app.kubernetes.io/name: 'cert-manager'
app.kubernetes.io/instance: 'cert-manager'
app.kubernetes.io/managed-by: 'Helm'
helm.sh/chart: 'cert-manager-v0.16.0'
spec:
additionalPrinterColumns:
- JSONPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
- JSONPath: .spec.issuerRef.name
name: Issuer
priority: 1
type: string
- JSONPath: .status.conditions[?(@.type=="Ready")].message
name: Status
priority: 1
type: string
- JSONPath: .metadata.creationTimestamp
description: CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before order
across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC.
name: Age
type: date
group: cert-manager.io
preserveUnknownFields: false
conversion:
# a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
strategy: Webhook
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
webhookClientConfig:
service:
namespace: 'cert-manager'
name: 'cert-manager-webhook'
path: /convert
names:
kind: CertificateRequest
listKind: CertificateRequestList
plural: certificaterequests
shortNames:
- cr
- crs
singular: certificaterequest
scope: Namespaced
subresources:
status: {}
versions:
- name: v1alpha2
served: true
storage: true
"schema":
"openAPIV3Schema":
description: "A CertificateRequest is used to request a signed certificate
from one of the configured issuers. \n All fields within the CertificateRequest's
`spec` are immutable after creation. A CertificateRequest will either succeed
or fail, as denoted by its `status.state` field. \n A CertificateRequest
is a 'one-shot' resource, meaning it represents a single point in time request
for a certificate and cannot be re-used."
type: object
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Desired state of the CertificateRequest resource.
type: object
required:
- csr
- issuerRef
properties:
csr:
description: The PEM-encoded x509 certificate signing request to be
submitted to the CA for signing.
type: string
format: byte
duration:
description: The requested 'duration' (i.e. lifetime) of the Certificate.
This option may be ignored/overridden by some issuer types.
type: string
isCA:
description: IsCA will request to mark the certificate as valid for
certificate signing when submitting to the issuer. This will automatically
add the `cert sign` usage to the list of `usages`.
type: boolean
issuerRef:
description: IssuerRef is a reference to the issuer for this CertificateRequest. If
the 'kind' field is not set, or set to 'Issuer', an Issuer resource
with the given name in the same namespace as the CertificateRequest
will be used. If the 'kind' field is set to 'ClusterIssuer', a
ClusterIssuer with the provided name will be used. The 'name' field
in this stanza is required at all times. The group field refers
to the API group of the issuer which defaults to 'cert-manager.io'
if empty.
type: object
required:
- name
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
usages:
description: Usages is the set of x509 usages that are requested for
the certificate. Defaults to `digital signature` and `key encipherment`
if not specified.
type: array
items:
description: 'KeyUsage specifies valid usage contexts for keys.
See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
Valid KeyUsage values are as follows: "signing", "digital signature",
"content commitment", "key encipherment", "key agreement", "data
encipherment", "cert sign", "crl sign", "encipher only", "decipher
only", "any", "server auth", "client auth", "code signing", "email
protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
sgc"'
type: string
enum:
- signing
- digital signature
- content commitment
- key encipherment
- key agreement
- data encipherment
- cert sign
- crl sign
- encipher only
- decipher only
- any
- server auth
- client auth
- code signing
- email protection
- s/mime
- ipsec end system
- ipsec tunnel
- ipsec user
- timestamping
- ocsp signing
- microsoft sgc
- netscape sgc
status:
description: Status of the CertificateRequest. This is set and managed
automatically.
type: object
properties:
ca:
description: The PEM encoded x509 certificate of the signer, also
known as the CA (Certificate Authority). This is set on a best-effort
basis by different issuers. If not set, the CA is assumed to be
unknown/not available.
type: string
format: byte
certificate:
description: The PEM encoded x509 certificate resulting from the certificate
signing request. If not set, the CertificateRequest has either not
been completed or has failed. More information on failure can be
found by checking the `conditions` field.
type: string
format: byte
conditions:
description: List of status conditions to indicate the status of a
CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
type: array
items:
description: CertificateRequestCondition contains condition information
for a CertificateRequest.
type: object
required:
- status
- type
properties:
lastTransitionTime:
description: LastTransitionTime is the timestamp corresponding
to the last status change of this condition.
type: string
format: date-time
message:
description: Message is a human readable description of the
details of the last transition, complementing reason.
type: string
reason:
description: Reason is a brief machine readable explanation
for the condition's last transition.
type: string
status:
description: Status of the condition, one of ('True', 'False',
'Unknown').
type: string
enum:
- "True"
- "False"
- Unknown
type:
description: Type of the condition, known values are ('Ready',
'InvalidRequest').
type: string
failureTime:
description: FailureTime stores the time that this CertificateRequest
failed. This is used to influence garbage collection and back-off.
type: string
format: date-time
- name: v1alpha3
served: true
storage: false
"schema":
"openAPIV3Schema":
description: "A CertificateRequest is used to request a signed certificate
from one of the configured issuers. \n All fields within the CertificateRequest's
`spec` are immutable after creation. A CertificateRequest will either succeed
or fail, as denoted by its `status.state` field. \n A CertificateRequest
is a 'one-shot' resource, meaning it represents a single point in time request
for a certificate and cannot be re-used."
type: object
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Desired state of the CertificateRequest resource.
type: object
required:
- csr
- issuerRef
properties:
csr:
description: The PEM-encoded x509 certificate signing request to be
submitted to the CA for signing.
type: string
format: byte
duration:
description: The requested 'duration' (i.e. lifetime) of the Certificate.
This option may be ignored/overridden by some issuer types.
type: string
isCA:
description: IsCA will request to mark the certificate as valid for
certificate signing when submitting to the issuer. This will automatically
add the `cert sign` usage to the list of `usages`.
type: boolean
issuerRef:
description: IssuerRef is a reference to the issuer for this CertificateRequest. If
the 'kind' field is not set, or set to 'Issuer', an Issuer resource
with the given name in the same namespace as the CertificateRequest
will be used. If the 'kind' field is set to 'ClusterIssuer', a
ClusterIssuer with the provided name will be used. The 'name' field
in this stanza is required at all times. The group field refers
to the API group of the issuer which defaults to 'cert-manager.io'
if empty.
type: object
required:
- name
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
usages:
description: Usages is the set of x509 usages that are requested for
the certificate. Defaults to `digital signature` and `key encipherment`
if not specified.
type: array
items:
description: 'KeyUsage specifies valid usage contexts for keys.
See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
Valid KeyUsage values are as follows: "signing", "digital signature",
"content commitment", "key encipherment", "key agreement", "data
encipherment", "cert sign", "crl sign", "encipher only", "decipher
only", "any", "server auth", "client auth", "code signing", "email
protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
sgc"'
type: string
enum:
- signing
- digital signature
- content commitment
- key encipherment
- key agreement
- data encipherment
- cert sign
- crl sign
- encipher only
- decipher only
- any
- server auth
- client auth
- code signing
- email protection
- s/mime
- ipsec end system
- ipsec tunnel
- ipsec user
- timestamping
- ocsp signing
- microsoft sgc
- netscape sgc
status:
description: Status of the CertificateRequest. This is set and managed
automatically.
type: object
properties:
ca:
description: The PEM encoded x509 certificate of the signer, also
known as the CA (Certificate Authority). This is set on a best-effort
basis by different issuers. If not set, the CA is assumed to be
unknown/not available.
type: string
format: byte
certificate:
description: The PEM encoded x509 certificate resulting from the certificate
signing request. If not set, the CertificateRequest has either not
been completed or has failed. More information on failure can be
found by checking the `conditions` field.
type: string
format: byte
conditions:
description: List of status conditions to indicate the status of a
CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
type: array
items:
description: CertificateRequestCondition contains condition information
for a CertificateRequest.
type: object
required:
- status
- type
properties:
lastTransitionTime:
description: LastTransitionTime is the timestamp corresponding
to the last status change of this condition.
type: string
format: date-time
message:
description: Message is a human readable description of the
details of the last transition, complementing reason.
type: string
reason:
description: Reason is a brief machine readable explanation
for the condition's last transition.
type: string
status:
description: Status of the condition, one of ('True', 'False',
'Unknown').
type: string
enum:
- "True"
- "False"
- Unknown
type:
description: Type of the condition, known values are ('Ready',
'InvalidRequest').
type: string
failureTime:
description: FailureTime stores the time that this CertificateRequest
failed. This is used to influence garbage collection and back-off.
type: string
format: date-time
- name: v1beta1
served: true
storage: false
"schema":
"openAPIV3Schema":
description: "A CertificateRequest is used to request a signed certificate
from one of the configured issuers. \n All fields within the CertificateRequest's
`spec` are immutable after creation. A CertificateRequest will either succeed
or fail, as denoted by its `status.state` field. \n A CertificateRequest
is a 'one-shot' resource, meaning it represents a single point in time request
for a certificate and cannot be re-used."
type: object
required:
- spec
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Desired state of the CertificateRequest resource.
type: object
required:
- issuerRef
- request
properties:
duration:
description: The requested 'duration' (i.e. lifetime) of the Certificate.
This option may be ignored/overridden by some issuer types.
type: string
isCA:
description: IsCA will request to mark the certificate as valid for
certificate signing when submitting to the issuer. This will automatically
add the `cert sign` usage to the list of `usages`.
type: boolean
issuerRef:
description: IssuerRef is a reference to the issuer for this CertificateRequest. If
the 'kind' field is not set, or set to 'Issuer', an Issuer resource
with the given name in the same namespace as the CertificateRequest
will be used. If the 'kind' field is set to 'ClusterIssuer', a
ClusterIssuer with the provided name will be used. The 'name' field
in this stanza is required at all times. The group field refers
to the API group of the issuer which defaults to 'cert-manager.io'
if empty.
type: object
required:
- name
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
request:
description: The PEM-encoded x509 certificate signing request to be
submitted to the CA for signing.
type: string
format: byte
usages:
description: Usages is the set of x509 usages that are requested for
the certificate. Defaults to `digital signature` and `key encipherment`
if not specified.
type: array
items:
description: 'KeyUsage specifies valid usage contexts for keys.
See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
Valid KeyUsage values are as follows: "signing", "digital signature",
"content commitment", "key encipherment", "key agreement", "data
encipherment", "cert sign", "crl sign", "encipher only", "decipher
only", "any", "server auth", "client auth", "code signing", "email
protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
sgc"'
type: string
enum:
- signing
- digital signature
- content commitment
- key encipherment
- key agreement
- data encipherment
- cert sign
- crl sign
- encipher only
- decipher only
- any
- server auth
- client auth
- code signing
- email protection
- s/mime
- ipsec end system
- ipsec tunnel
- ipsec user
- timestamping
- ocsp signing
- microsoft sgc
- netscape sgc
status:
description: Status of the CertificateRequest. This is set and managed
automatically.
type: object
properties:
ca:
description: The PEM encoded x509 certificate of the signer, also
known as the CA (Certificate Authority). This is set on a best-effort
basis by different issuers. If not set, the CA is assumed to be
unknown/not available.
type: string
format: byte
certificate:
description: The PEM encoded x509 certificate resulting from the certificate
signing request. If not set, the CertificateRequest has either not
been completed or has failed. More information on failure can be
found by checking the `conditions` field.
type: string
format: byte
conditions:
description: List of status conditions to indicate the status of a
CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
type: array
items:
description: CertificateRequestCondition contains condition information
for a CertificateRequest.
type: object
required:
- status
- type
properties:
lastTransitionTime:
description: LastTransitionTime is the timestamp corresponding
to the last status change of this condition.
type: string
format: date-time
message:
description: Message is a human readable description of the
details of the last transition, complementing reason.
type: string
reason:
description: Reason is a brief machine readable explanation
for the condition's last transition.
type: string
status:
description: Status of the condition, one of ('True', 'False',
'Unknown').
type: string
enum:
- "True"
- "False"
- Unknown
type:
description: Type of the condition, known values are ('Ready',
'InvalidRequest').
type: string
failureTime:
description: FailureTime stores the time that this CertificateRequest
failed. This is used to influence garbage collection and back-off.
type: string
format: date-time

1211
templates/0.16/certificates.cert-manager.io-CustomResourceDefinition.yaml Normal file
View file

File diff suppressed because it is too large Load diff

4462
templates/0.16/challenges.acme.cert-manager.io-CustomResourceDefinition.yaml Normal file
View file

File diff suppressed because it is too large Load diff

5823
templates/0.16/clusterissuers.cert-manager.io-CustomResourceDefinition.yaml Normal file
View file

File diff suppressed because it is too large Load diff

5820
templates/0.16/issuers.cert-manager.io-CustomResourceDefinition.yaml Normal file
View file

File diff suppressed because it is too large Load diff

615
templates/0.16/orders.acme.cert-manager.io-CustomResourceDefinition.yaml Normal file
View file

@ -0,0 +1,615 @@
# Source: cert-manager/templates/templates.regular.out
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: orders.acme.cert-manager.io
annotations:
cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
labels:
app: 'cert-manager'
app.kubernetes.io/name: 'cert-manager'
app.kubernetes.io/instance: 'cert-manager'
app.kubernetes.io/managed-by: 'Helm'
helm.sh/chart: 'cert-manager-v0.16.0'
spec:
additionalPrinterColumns:
- JSONPath: .status.state
name: State
type: string
- JSONPath: .spec.issuerRef.name
name: Issuer
priority: 1
type: string
- JSONPath: .status.reason
name: Reason
priority: 1
type: string
- JSONPath: .metadata.creationTimestamp
description: CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before order
across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC.
name: Age
type: date
group: acme.cert-manager.io
preserveUnknownFields: false
conversion:
# a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
strategy: Webhook
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
webhookClientConfig:
service:
namespace: 'cert-manager'
name: 'cert-manager-webhook'
path: /convert
names:
kind: Order
listKind: OrderList
plural: orders
singular: order
scope: Namespaced
subresources:
status: {}
versions:
- name: v1alpha2
served: true
storage: true
"schema":
"openAPIV3Schema":
description: Order is a type to represent an Order with an ACME server
type: object
required:
- metadata
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
type: object
required:
- csr
- dnsNames
- issuerRef
properties:
commonName:
description: CommonName is the common name as specified on the DER
encoded CSR. If specified, this value must also be present in `dnsNames`.
This field must match the corresponding field on the DER encoded
CSR.
type: string
csr:
description: Certificate signing request bytes in DER encoding. This
will be used when finalizing the order. This field must be set on
the order.
type: string
format: byte
dnsNames:
description: DNSNames is a list of DNS names that should be included
as part of the Order validation process. This field must match the
corresponding field on the DER encoded CSR.
type: array
items:
type: string
issuerRef:
description: IssuerRef references a properly configured ACME-type
Issuer which should be used to create this Order. If the Issuer
does not exist, processing will be retried. If the Issuer is not
an 'ACME' Issuer, an error will be returned and the Order will be
marked as failed.
type: object
required:
- name
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
status:
type: object
properties:
authorizations:
description: Authorizations contains data returned from the ACME server
on what authorizations must be completed in order to validate the
DNS names specified on the Order.
type: array
items:
description: ACMEAuthorization contains data returned from the ACME
server on an authorization that must be completed in order validate
a DNS name on an ACME Order resource.
type: object
required:
- url
properties:
challenges:
description: Challenges specifies the challenge types offered
by the ACME server. One of these challenge types will be selected
when validating the DNS name and an appropriate Challenge
resource will be created to perform the ACME challenge process.
type: array
items:
description: Challenge specifies a challenge offered by the
ACME server for an Order. An appropriate Challenge resource
can be created to perform the ACME challenge process.
type: object
required:
- token
- type
- url
properties:
token:
description: Token is the token that must be presented
for this challenge. This is used to compute the 'key'
that must also be presented.
type: string
type:
description: Type is the type of challenge being offered,
e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
the raw value retrieved from the ACME server. Only 'http-01'
and 'dns-01' are supported by cert-manager, other values
will be ignored.
type: string
url:
description: URL is the URL of this challenge. It can
be used to retrieve additional metadata about the Challenge
from the ACME server.
type: string
identifier:
description: Identifier is the DNS name to be validated as part
of this authorization
type: string
initialState:
description: InitialState is the initial state of the ACME authorization
when first fetched from the ACME server. If an Authorization
is already 'valid', the Order controller will not create a
Challenge resource for the authorization. This will occur
when working with an ACME server that enables 'authz reuse'
(such as Let's Encrypt's production endpoint). If not set
and 'identifier' is set, the state is assumed to be pending
and a Challenge will be created.
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
url:
description: URL is the URL of the Authorization that must be
completed
type: string
wildcard:
description: Wildcard will be true if this authorization is
for a wildcard DNS name. If this is true, the identifier will
be the *non-wildcard* version of the DNS name. For example,
if '*.example.com' is the DNS name being validated, this field
will be 'true' and the 'identifier' field will be 'example.com'.
type: boolean
certificate:
description: Certificate is a copy of the PEM encoded certificate
for this Order. This field will be populated after the order has
been successfully finalized with the ACME server, and the order
has transitioned to the 'valid' state.
type: string
format: byte
failureTime:
description: FailureTime stores the time that this order failed. This
is used to influence garbage collection and back-off.
type: string
format: date-time
finalizeURL:
description: FinalizeURL of the Order. This is used to obtain certificates
for this order once it has been completed.
type: string
reason:
description: Reason optionally provides more information about a why
the order is in the current state.
type: string
state:
description: State contains the current state of this Order resource.
States 'success' and 'expired' are 'final'
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
url:
description: URL of the Order. This will initially be empty when the
resource is first created. The Order controller will populate this
field when the Order is first processed. This field will be immutable
after it is initially set.
type: string
- name: v1alpha3
served: true
storage: false
"schema":
"openAPIV3Schema":
description: Order is a type to represent an Order with an ACME server
type: object
required:
- metadata
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
type: object
required:
- csr
- dnsNames
- issuerRef
properties:
commonName:
description: CommonName is the common name as specified on the DER
encoded CSR. If specified, this value must also be present in `dnsNames`.
This field must match the corresponding field on the DER encoded
CSR.
type: string
csr:
description: Certificate signing request bytes in DER encoding. This
will be used when finalizing the order. This field must be set on
the order.
type: string
format: byte
dnsNames:
description: DNSNames is a list of DNS names that should be included
as part of the Order validation process. This field must match the
corresponding field on the DER encoded CSR.
type: array
items:
type: string
issuerRef:
description: IssuerRef references a properly configured ACME-type
Issuer which should be used to create this Order. If the Issuer
does not exist, processing will be retried. If the Issuer is not
an 'ACME' Issuer, an error will be returned and the Order will be
marked as failed.
type: object
required:
- name
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
status:
type: object
properties:
authorizations:
description: Authorizations contains data returned from the ACME server
on what authorizations must be completed in order to validate the
DNS names specified on the Order.
type: array
items:
description: ACMEAuthorization contains data returned from the ACME
server on an authorization that must be completed in order validate
a DNS name on an ACME Order resource.
type: object
required:
- url
properties:
challenges:
description: Challenges specifies the challenge types offered
by the ACME server. One of these challenge types will be selected
when validating the DNS name and an appropriate Challenge
resource will be created to perform the ACME challenge process.
type: array
items:
description: Challenge specifies a challenge offered by the
ACME server for an Order. An appropriate Challenge resource
can be created to perform the ACME challenge process.
type: object
required:
- token
- type
- url
properties:
token:
description: Token is the token that must be presented
for this challenge. This is used to compute the 'key'
that must also be presented.
type: string
type:
description: Type is the type of challenge being offered,
e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
the raw value retrieved from the ACME server. Only 'http-01'
and 'dns-01' are supported by cert-manager, other values
will be ignored.
type: string
url:
description: URL is the URL of this challenge. It can
be used to retrieve additional metadata about the Challenge
from the ACME server.
type: string
identifier:
description: Identifier is the DNS name to be validated as part
of this authorization
type: string
initialState:
description: InitialState is the initial state of the ACME authorization
when first fetched from the ACME server. If an Authorization
is already 'valid', the Order controller will not create a
Challenge resource for the authorization. This will occur
when working with an ACME server that enables 'authz reuse'
(such as Let's Encrypt's production endpoint). If not set
and 'identifier' is set, the state is assumed to be pending
and a Challenge will be created.
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
url:
description: URL is the URL of the Authorization that must be
completed
type: string
wildcard:
description: Wildcard will be true if this authorization is
for a wildcard DNS name. If this is true, the identifier will
be the *non-wildcard* version of the DNS name. For example,
if '*.example.com' is the DNS name being validated, this field
will be 'true' and the 'identifier' field will be 'example.com'.
type: boolean
certificate:
description: Certificate is a copy of the PEM encoded certificate
for this Order. This field will be populated after the order has
been successfully finalized with the ACME server, and the order
has transitioned to the 'valid' state.
type: string
format: byte
failureTime:
description: FailureTime stores the time that this order failed. This
is used to influence garbage collection and back-off.
type: string
format: date-time
finalizeURL:
description: FinalizeURL of the Order. This is used to obtain certificates
for this order once it has been completed.
type: string
reason:
description: Reason optionally provides more information about a why
the order is in the current state.
type: string
state:
description: State contains the current state of this Order resource.
States 'success' and 'expired' are 'final'
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
url:
description: URL of the Order. This will initially be empty when the
resource is first created. The Order controller will populate this
field when the Order is first processed. This field will be immutable
after it is initially set.
type: string
- name: v1beta1
served: true
storage: false
"schema":
"openAPIV3Schema":
description: Order is a type to represent an Order with an ACME server
type: object
required:
- metadata
- spec
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
type: object
required:
- dnsNames
- issuerRef
- request
properties:
commonName:
description: CommonName is the common name as specified on the DER
encoded CSR. If specified, this value must also be present in `dnsNames`.
This field must match the corresponding field on the DER encoded
CSR.
type: string
dnsNames:
description: DNSNames is a list of DNS names that should be included
as part of the Order validation process. This field must match the
corresponding field on the DER encoded CSR.
type: array
items:
type: string
issuerRef:
description: IssuerRef references a properly configured ACME-type
Issuer which should be used to create this Order. If the Issuer
does not exist, processing will be retried. If the Issuer is not
an 'ACME' Issuer, an error will be returned and the Order will be
marked as failed.
type: object
required:
- name
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
request:
description: Certificate signing request bytes in DER encoding. This
will be used when finalizing the order. This field must be set on
the order.
type: string
format: byte
status:
type: object
properties:
authorizations:
description: Authorizations contains data returned from the ACME server
on what authorizations must be completed in order to validate the
DNS names specified on the Order.
type: array
items:
description: ACMEAuthorization contains data returned from the ACME
server on an authorization that must be completed in order validate
a DNS name on an ACME Order resource.
type: object
required:
- url
properties:
challenges:
description: Challenges specifies the challenge types offered
by the ACME server. One of these challenge types will be selected
when validating the DNS name and an appropriate Challenge
resource will be created to perform the ACME challenge process.
type: array
items:
description: Challenge specifies a challenge offered by the
ACME server for an Order. An appropriate Challenge resource
can be created to perform the ACME challenge process.
type: object
required:
- token
- type
- url
properties:
token:
description: Token is the token that must be presented
for this challenge. This is used to compute the 'key'
that must also be presented.
type: string
type:
description: Type is the type of challenge being offered,
e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
the raw value retrieved from the ACME server. Only 'http-01'
and 'dns-01' are supported by cert-manager, other values
will be ignored.
type: string
url:
description: URL is the URL of this challenge. It can
be used to retrieve additional metadata about the Challenge
from the ACME server.
type: string
identifier:
description: Identifier is the DNS name to be validated as part
of this authorization
type: string
initialState:
description: InitialState is the initial state of the ACME authorization
when first fetched from the ACME server. If an Authorization
is already 'valid', the Order controller will not create a
Challenge resource for the authorization. This will occur
when working with an ACME server that enables 'authz reuse'
(such as Let's Encrypt's production endpoint). If not set
and 'identifier' is set, the state is assumed to be pending
and a Challenge will be created.
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
url:
description: URL is the URL of the Authorization that must be
completed
type: string
wildcard:
description: Wildcard will be true if this authorization is
for a wildcard DNS name. If this is true, the identifier will
be the *non-wildcard* version of the DNS name. For example,
if '*.example.com' is the DNS name being validated, this field
will be 'true' and the 'identifier' field will be 'example.com'.
type: boolean
certificate:
description: Certificate is a copy of the PEM encoded certificate
for this Order. This field will be populated after the order has
been successfully finalized with the ACME server, and the order
has transitioned to the 'valid' state.
type: string
format: byte
failureTime:
description: FailureTime stores the time that this order failed. This
is used to influence garbage collection and back-off.
type: string
format: date-time
finalizeURL:
description: FinalizeURL of the Order. This is used to obtain certificates
for this order once it has been completed.
type: string
reason:
description: Reason optionally provides more information about a why
the order is in the current state.
type: string
state:
description: State contains the current state of this Order resource.
States 'success' and 'expired' are 'final'
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
url:
description: URL of the Order. This will initially be empty when the
resource is first created. The Order controller will populate this
field when the Order is first processed. This field will be immutable
after it is initially set.
type: string

41
vars/files_list_0.16.yml Normal file
View file

@ -0,0 +1,41 @@
---
certmanager_0.16_list:
- "0.16/certificaterequests.cert-manager.io-CustomResourceDefinition.yaml"
- "0.16/certificates.cert-manager.io-CustomResourceDefinition.yaml"
- "0.16/challenges.acme.cert-manager.io-CustomResourceDefinition.yaml"
- "0.16/clusterissuers.cert-manager.io-CustomResourceDefinition.yaml"
- "0.16/issuers.cert-manager.io-CustomResourceDefinition.yaml"
- "0.16/orders.acme.cert-manager.io-CustomResourceDefinition.yaml"
- "0.16/cert-manager-Namespace.yaml"
- "0.16/cert-manager-cainjector-ServiceAccount.yaml"
- "0.16/cert-manager-ServiceAccount.yaml"
- "0.16/cert-manager-webhook-ServiceAccount.yaml"
- "0.16/cert-manager-cainjector-ClusterRole.yaml"
- "0.16/cert-manager-controller-issuers-ClusterRole.yaml"
- "0.16/cert-manager-controller-clusterissuers-ClusterRole.yaml"
- "0.16/cert-manager-controller-certificates-ClusterRole.yaml"
- "0.16/cert-manager-controller-orders-ClusterRole.yaml"
- "0.16/cert-manager-controller-challenges-ClusterRole.yaml"
- "0.16/cert-manager-controller-ingress-shim-ClusterRole.yaml"
- "0.16/cert-manager-view-ClusterRole.yaml"
- "0.16/cert-manager-edit-ClusterRole.yaml"
- "0.16/cert-manager-cainjector-ClusterRoleBinding.yaml"
- "0.16/cert-manager-controller-issuers-ClusterRoleBinding.yaml"
- "0.16/cert-manager-controller-clusterissuers-ClusterRoleBinding.yaml"
- "0.16/cert-manager-controller-certificates-ClusterRoleBinding.yaml"
- "0.16/cert-manager-controller-orders-ClusterRoleBinding.yaml"
- "0.16/cert-manager-controller-challenges-ClusterRoleBinding.yaml"
- "0.16/cert-manager-controller-ingress-shim-ClusterRoleBinding.yaml"
- "0.16/cert-manager-cainjector:leaderelection-Role.yaml"
- "0.16/cert-manager:leaderelection-Role.yaml"
- "0.16/cert-manager-webhook:dynamic-serving-Role.yaml"
- "0.16/cert-manager-cainjector:leaderelection-RoleBinding.yaml"
- "0.16/cert-manager:leaderelection-RoleBinding.yaml"
- "0.16/cert-manager-webhook:dynamic-serving-RoleBinding.yaml"
- "0.16/cert-manager-Service.yaml"
- "0.16/cert-manager-webhook-Service.yaml"
- "0.16/cert-manager-cainjector-Deployment.yaml"
- "0.16/cert-manager-Deployment.yaml"
- "0.16/cert-manager-webhook-Deployment.yaml"
- "0.16/cert-manager-webhook-MutatingWebhookConfiguration.yaml"
- "0.16/cert-manager-webhook-ValidatingWebhookConfiguration.yaml"