mirror of
https://github.com/kubernetes-sigs/kubespray.git
synced 2026-07-14 06:07:52 +00:00
cert-manager: upgrade to 1.5.4 (#8069)
* cert-manager: update to 1.5.4 * cert-manager: remove outdated guidelines on creating an initial ClusterIssuer
This commit is contained in:
@@ -150,7 +150,7 @@ Note: Upstart/SysV init based OS types are not supported.
|
|||||||
- [ambassador](https://github.com/datawire/ambassador): v1.5
|
- [ambassador](https://github.com/datawire/ambassador): v1.5
|
||||||
- [cephfs-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.0-k8s1.11
|
- [cephfs-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.0-k8s1.11
|
||||||
- [rbd-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.1-k8s1.11
|
- [rbd-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.1-k8s1.11
|
||||||
- [cert-manager](https://github.com/jetstack/cert-manager) v1.0.4
|
- [cert-manager](https://github.com/jetstack/cert-manager) v1.5.4
|
||||||
- [coredns](https://github.com/coredns/coredns) v1.8.0
|
- [coredns](https://github.com/coredns/coredns) v1.8.0
|
||||||
- [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v1.0.0
|
- [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v1.0.0
|
||||||
|
|
||||||
|
|||||||
+1
-17
@@ -11,29 +11,13 @@
|
|||||||
|
|
||||||
Cert-Manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self signed. It will ensure certificates are valid and up to date, and attempt to renew certificates at a configured time before expiry.
|
Cert-Manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self signed. It will ensure certificates are valid and up to date, and attempt to renew certificates at a configured time before expiry.
|
||||||
|
|
||||||
The Kubespray out-of-the-box cert-manager deployment uses a TLS Root CA certificate and key stored as the Kubernetes `ca-key-pair` secret consisting of `tls.crt` and `tls.key`, which are the base64 encode values of the TLS Root CA certificate and key respectively.
|
|
||||||
|
|
||||||
Integration with other PKI/Certificate management solutions, such as HashiCorp Vault will require some further development changes to the current cert-manager deployment and may be introduced in the future.
|
|
||||||
|
|
||||||
## Kubernetes TLS Root CA Certificate/Key Secret
|
## Kubernetes TLS Root CA Certificate/Key Secret
|
||||||
|
|
||||||
If you're planning to secure your ingress resources using TLS client certificates, you'll need to create and deploy the Kubernetes `ca-key-pair` secret consisting of the Root CA certificate and key to your K8s cluster.
|
If you're planning to secure your ingress resources using TLS client certificates, you'll need to create and deploy the Kubernetes `ca-key-pair` secret consisting of the Root CA certificate and key to your K8s cluster.
|
||||||
|
|
||||||
If these are already available, simply update `templates\secret-cert-manager.yml.j2` with the base64 encoded values of your TLS Root CA certificate and key prior to enabling and deploying cert-manager.
|
|
||||||
|
|
||||||
e.g.
|
|
||||||
|
|
||||||
```shell
|
|
||||||
$ cat ca.pem | base64 -w 0
|
|
||||||
LS0tLS1CRUdJTiBDRVJU...
|
|
||||||
|
|
||||||
$ cat ca-key.pem | base64 -w 0
|
|
||||||
LS0tLS1CRUdJTiBSU0Eg...
|
|
||||||
```
|
|
||||||
|
|
||||||
For further information, read the official [Cert-Manager CA Configuration](https://cert-manager.io/docs/configuration/ca/) doc.
|
For further information, read the official [Cert-Manager CA Configuration](https://cert-manager.io/docs/configuration/ca/) doc.
|
||||||
|
|
||||||
Once the base64 encoded values have been added to `templates\secret-cert-manager.yml.j2`, cert-manager can now be enabled by editing your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s_cluster\addons.yml` and setting `cert_manager_enabled` to true.
|
`cert-manager` can now be enabled by editing your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s_cluster\addons.yml` and setting `cert_manager_enabled` to true.
|
||||||
|
|
||||||
```ini
|
```ini
|
||||||
# Cert manager deployment
|
# Cert manager deployment
|
||||||
|
|||||||
@@ -558,7 +558,7 @@ ingress_ambassador_image_repo: "{{ quay_image_repo }}/datawire/ambassador-operat
|
|||||||
ingress_ambassador_image_tag: "v1.2.9"
|
ingress_ambassador_image_tag: "v1.2.9"
|
||||||
alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
|
alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
|
||||||
alb_ingress_image_tag: "v1.1.9"
|
alb_ingress_image_tag: "v1.1.9"
|
||||||
cert_manager_version: "v1.0.4"
|
cert_manager_version: "v1.5.4"
|
||||||
cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller"
|
cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller"
|
||||||
cert_manager_controller_image_tag: "{{ cert_manager_version }}"
|
cert_manager_controller_image_tag: "{{ cert_manager_version }}"
|
||||||
cert_manager_cainjector_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-cainjector"
|
cert_manager_cainjector_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-cainjector"
|
||||||
|
|||||||
@@ -31,20 +31,8 @@
|
|||||||
- name: Cert Manager | Templates list
|
- name: Cert Manager | Templates list
|
||||||
set_fact:
|
set_fact:
|
||||||
cert_manager_templates:
|
cert_manager_templates:
|
||||||
- { name: 00-namespace, file: 00-namespace.yml, type: ns }
|
- { name: cert-manager, file: cert-manager.yml, type: all }
|
||||||
- { name: sa-cert-manager, file: sa-cert-manager.yml, type: sa }
|
- { name: cert-manager.crds, file: cert-manager.crds.yml, type: crd }
|
||||||
- { name: crd-certificate, file: crd-certificate.yml, type: crd }
|
|
||||||
- { name: crd-challenge, file: crd-challenge.yml, type: crd }
|
|
||||||
- { name: crd-clusterissuer, file: crd-clusterissuer.yml, type: crd }
|
|
||||||
- { name: crd-issuer, file: crd-issuer.yml, type: crd }
|
|
||||||
- { name: crd-order, file: crd-order.yml, type: crd }
|
|
||||||
- { name: clusterrole-cert-manager, file: clusterrole-cert-manager.yml, type: clusterrole }
|
|
||||||
- { name: clusterrolebinding-cert-manager, file: clusterrolebinding-cert-manager.yml, type: clusterrolebinding }
|
|
||||||
- { name: role-cert-manager, file: role-cert-manager.yml, type: role }
|
|
||||||
- { name: rolebinding-cert-manager, file: rolebinding-cert-manager.yml, type: rolebinding }
|
|
||||||
- { name: deploy-cert-manager, file: deploy-cert-manager.yml, type: deploy }
|
|
||||||
- { name: svc-cert-manager, file: svc-cert-manager.yml, type: svc }
|
|
||||||
- { name: webhook-cert-manager, file: webhook-cert-manager.yml, type: webhook }
|
|
||||||
|
|
||||||
- name: Cert Manager | Create manifests
|
- name: Cert Manager | Create manifests
|
||||||
template:
|
template:
|
||||||
|
|||||||
@@ -1,21 +0,0 @@
|
|||||||
# Copyright YEAR The Jetstack cert-manager contributors.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Namespace
|
|
||||||
metadata:
|
|
||||||
name: {{ cert_manager_namespace }}
|
|
||||||
labels:
|
|
||||||
name: {{ cert_manager_namespace }}
|
|
||||||
+16065
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
-498
@@ -1,498 +0,0 @@
|
|||||||
# Copyright YEAR The Jetstack cert-manager contributors.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRole
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: cainjector
|
|
||||||
app.kubernetes.io/component: cainjector
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: cainjector
|
|
||||||
name: cert-manager-cainjector
|
|
||||||
rules:
|
|
||||||
- apiGroups:
|
|
||||||
- cert-manager.io
|
|
||||||
resources:
|
|
||||||
- certificates
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- secrets
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- events
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- create
|
|
||||||
- update
|
|
||||||
- patch
|
|
||||||
- apiGroups:
|
|
||||||
- admissionregistration.k8s.io
|
|
||||||
resources:
|
|
||||||
- validatingwebhookconfigurations
|
|
||||||
- mutatingwebhookconfigurations
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- update
|
|
||||||
- apiGroups:
|
|
||||||
- apiregistration.k8s.io
|
|
||||||
resources:
|
|
||||||
- apiservices
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- update
|
|
||||||
- apiGroups:
|
|
||||||
- apiextensions.k8s.io
|
|
||||||
resources:
|
|
||||||
- customresourcedefinitions
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- update
|
|
||||||
- apiGroups:
|
|
||||||
- auditregistration.k8s.io
|
|
||||||
resources:
|
|
||||||
- auditsinks
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- update
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRole
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: cert-manager
|
|
||||||
app.kubernetes.io/component: controller
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: cert-manager
|
|
||||||
name: cert-manager-controller-issuers
|
|
||||||
rules:
|
|
||||||
- apiGroups:
|
|
||||||
- cert-manager.io
|
|
||||||
resources:
|
|
||||||
- issuers
|
|
||||||
- issuers/status
|
|
||||||
verbs:
|
|
||||||
- update
|
|
||||||
- apiGroups:
|
|
||||||
- cert-manager.io
|
|
||||||
resources:
|
|
||||||
- issuers
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- secrets
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- create
|
|
||||||
- update
|
|
||||||
- delete
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- events
|
|
||||||
verbs:
|
|
||||||
- create
|
|
||||||
- patch
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRole
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: cert-manager
|
|
||||||
app.kubernetes.io/component: controller
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: cert-manager
|
|
||||||
name: cert-manager-controller-clusterissuers
|
|
||||||
rules:
|
|
||||||
- apiGroups:
|
|
||||||
- cert-manager.io
|
|
||||||
resources:
|
|
||||||
- clusterissuers
|
|
||||||
- clusterissuers/status
|
|
||||||
verbs:
|
|
||||||
- update
|
|
||||||
- apiGroups:
|
|
||||||
- cert-manager.io
|
|
||||||
resources:
|
|
||||||
- clusterissuers
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- secrets
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- create
|
|
||||||
- update
|
|
||||||
- delete
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- events
|
|
||||||
verbs:
|
|
||||||
- create
|
|
||||||
- patch
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRole
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: cert-manager
|
|
||||||
app.kubernetes.io/component: controller
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: cert-manager
|
|
||||||
name: cert-manager-controller-certificates
|
|
||||||
rules:
|
|
||||||
- apiGroups:
|
|
||||||
- cert-manager.io
|
|
||||||
resources:
|
|
||||||
- certificates
|
|
||||||
- certificates/status
|
|
||||||
- certificaterequests
|
|
||||||
- certificaterequests/status
|
|
||||||
verbs:
|
|
||||||
- update
|
|
||||||
- apiGroups:
|
|
||||||
- cert-manager.io
|
|
||||||
resources:
|
|
||||||
- certificates
|
|
||||||
- certificaterequests
|
|
||||||
- clusterissuers
|
|
||||||
- issuers
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- apiGroups:
|
|
||||||
- cert-manager.io
|
|
||||||
resources:
|
|
||||||
- certificates/finalizers
|
|
||||||
- certificaterequests/finalizers
|
|
||||||
verbs:
|
|
||||||
- update
|
|
||||||
- apiGroups:
|
|
||||||
- acme.cert-manager.io
|
|
||||||
resources:
|
|
||||||
- orders
|
|
||||||
verbs:
|
|
||||||
- create
|
|
||||||
- delete
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- secrets
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- create
|
|
||||||
- update
|
|
||||||
- delete
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- events
|
|
||||||
verbs:
|
|
||||||
- create
|
|
||||||
- patch
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRole
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: cert-manager
|
|
||||||
app.kubernetes.io/component: controller
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: cert-manager
|
|
||||||
name: cert-manager-controller-orders
|
|
||||||
rules:
|
|
||||||
- apiGroups:
|
|
||||||
- acme.cert-manager.io
|
|
||||||
resources:
|
|
||||||
- orders
|
|
||||||
- orders/status
|
|
||||||
verbs:
|
|
||||||
- update
|
|
||||||
- apiGroups:
|
|
||||||
- acme.cert-manager.io
|
|
||||||
resources:
|
|
||||||
- orders
|
|
||||||
- challenges
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- apiGroups:
|
|
||||||
- cert-manager.io
|
|
||||||
resources:
|
|
||||||
- clusterissuers
|
|
||||||
- issuers
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- apiGroups:
|
|
||||||
- acme.cert-manager.io
|
|
||||||
resources:
|
|
||||||
- challenges
|
|
||||||
verbs:
|
|
||||||
- create
|
|
||||||
- delete
|
|
||||||
- apiGroups:
|
|
||||||
- acme.cert-manager.io
|
|
||||||
resources:
|
|
||||||
- orders/finalizers
|
|
||||||
verbs:
|
|
||||||
- update
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- secrets
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- events
|
|
||||||
verbs:
|
|
||||||
- create
|
|
||||||
- patch
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRole
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: cert-manager
|
|
||||||
app.kubernetes.io/component: controller
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: cert-manager
|
|
||||||
name: cert-manager-controller-challenges
|
|
||||||
rules:
|
|
||||||
- apiGroups:
|
|
||||||
- acme.cert-manager.io
|
|
||||||
resources:
|
|
||||||
- challenges
|
|
||||||
- challenges/status
|
|
||||||
verbs:
|
|
||||||
- update
|
|
||||||
- apiGroups:
|
|
||||||
- acme.cert-manager.io
|
|
||||||
resources:
|
|
||||||
- challenges
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- apiGroups:
|
|
||||||
- cert-manager.io
|
|
||||||
resources:
|
|
||||||
- issuers
|
|
||||||
- clusterissuers
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- secrets
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- events
|
|
||||||
verbs:
|
|
||||||
- create
|
|
||||||
- patch
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- pods
|
|
||||||
- services
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- create
|
|
||||||
- delete
|
|
||||||
- apiGroups:
|
|
||||||
- extensions
|
|
||||||
resources:
|
|
||||||
- ingresses
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- create
|
|
||||||
- delete
|
|
||||||
- update
|
|
||||||
- apiGroups:
|
|
||||||
- route.openshift.io
|
|
||||||
resources:
|
|
||||||
- routes/custom-host
|
|
||||||
verbs:
|
|
||||||
- create
|
|
||||||
- apiGroups:
|
|
||||||
- acme.cert-manager.io
|
|
||||||
resources:
|
|
||||||
- challenges/finalizers
|
|
||||||
verbs:
|
|
||||||
- update
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- secrets
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRole
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: cert-manager
|
|
||||||
app.kubernetes.io/component: controller
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: cert-manager
|
|
||||||
name: cert-manager-controller-ingress-shim
|
|
||||||
rules:
|
|
||||||
- apiGroups:
|
|
||||||
- cert-manager.io
|
|
||||||
resources:
|
|
||||||
- certificates
|
|
||||||
- certificaterequests
|
|
||||||
verbs:
|
|
||||||
- create
|
|
||||||
- update
|
|
||||||
- delete
|
|
||||||
- apiGroups:
|
|
||||||
- cert-manager.io
|
|
||||||
resources:
|
|
||||||
- certificates
|
|
||||||
- certificaterequests
|
|
||||||
- issuers
|
|
||||||
- clusterissuers
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- apiGroups:
|
|
||||||
- extensions
|
|
||||||
resources:
|
|
||||||
- ingresses
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- apiGroups:
|
|
||||||
- extensions
|
|
||||||
resources:
|
|
||||||
- ingresses/finalizers
|
|
||||||
verbs:
|
|
||||||
- update
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- events
|
|
||||||
verbs:
|
|
||||||
- create
|
|
||||||
- patch
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRole
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: cert-manager
|
|
||||||
app.kubernetes.io/component: controller
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: cert-manager
|
|
||||||
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
|
||||||
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
|
||||||
rbac.authorization.k8s.io/aggregate-to-view: "true"
|
|
||||||
name: cert-manager-view
|
|
||||||
rules:
|
|
||||||
- apiGroups:
|
|
||||||
- cert-manager.io
|
|
||||||
resources:
|
|
||||||
- certificates
|
|
||||||
- certificaterequests
|
|
||||||
- issuers
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRole
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: cert-manager
|
|
||||||
app.kubernetes.io/component: controller
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: cert-manager
|
|
||||||
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
|
||||||
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
|
||||||
name: cert-manager-edit
|
|
||||||
rules:
|
|
||||||
- apiGroups:
|
|
||||||
- cert-manager.io
|
|
||||||
resources:
|
|
||||||
- certificates
|
|
||||||
- certificaterequests
|
|
||||||
- issuers
|
|
||||||
verbs:
|
|
||||||
- create
|
|
||||||
- delete
|
|
||||||
- deletecollection
|
|
||||||
- patch
|
|
||||||
- update
|
|
||||||
-140
@@ -1,140 +0,0 @@
|
|||||||
# Copyright YEAR The Jetstack cert-manager contributors.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: cainjector
|
|
||||||
app.kubernetes.io/component: cainjector
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: cainjector
|
|
||||||
name: cert-manager-cainjector
|
|
||||||
roleRef:
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: ClusterRole
|
|
||||||
name: cert-manager-cainjector
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: cert-manager-cainjector
|
|
||||||
namespace: {{ cert_manager_namespace }}
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: cert-manager
|
|
||||||
app.kubernetes.io/component: controller
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: cert-manager
|
|
||||||
name: cert-manager-controller-issuers
|
|
||||||
roleRef:
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: ClusterRole
|
|
||||||
name: cert-manager-controller-issuers
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: cert-manager
|
|
||||||
namespace: {{ cert_manager_namespace }}
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: cert-manager
|
|
||||||
app.kubernetes.io/component: controller
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: cert-manager
|
|
||||||
name: cert-manager-controller-clusterissuers
|
|
||||||
roleRef:
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: ClusterRole
|
|
||||||
name: cert-manager-controller-clusterissuers
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: cert-manager
|
|
||||||
namespace: {{ cert_manager_namespace }}
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: cert-manager
|
|
||||||
app.kubernetes.io/component: controller
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: cert-manager
|
|
||||||
name: cert-manager-controller-certificates
|
|
||||||
roleRef:
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: ClusterRole
|
|
||||||
name: cert-manager-controller-certificates
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: cert-manager
|
|
||||||
namespace: {{ cert_manager_namespace }}
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: cert-manager
|
|
||||||
app.kubernetes.io/component: controller
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: cert-manager
|
|
||||||
name: cert-manager-controller-orders
|
|
||||||
roleRef:
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: ClusterRole
|
|
||||||
name: cert-manager-controller-orders
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: cert-manager
|
|
||||||
namespace: {{ cert_manager_namespace }}
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: cert-manager
|
|
||||||
app.kubernetes.io/component: controller
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: cert-manager
|
|
||||||
name: cert-manager-controller-challenges
|
|
||||||
roleRef:
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: ClusterRole
|
|
||||||
name: cert-manager-controller-challenges
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: cert-manager
|
|
||||||
namespace: {{ cert_manager_namespace }}
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: cert-manager
|
|
||||||
app.kubernetes.io/component: controller
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: cert-manager
|
|
||||||
name: cert-manager-controller-ingress-shim
|
|
||||||
roleRef:
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: ClusterRole
|
|
||||||
name: cert-manager-controller-ingress-shim
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: cert-manager
|
|
||||||
namespace: {{ cert_manager_namespace }}
|
|
||||||
-2492
File diff suppressed because it is too large
Load Diff
-6039
File diff suppressed because it is too large
Load Diff
-7943
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@@ -1,885 +0,0 @@
|
|||||||
# Copyright YEAR The Jetstack cert-manager contributors.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
---
|
|
||||||
apiVersion: apiextensions.k8s.io/v1
|
|
||||||
kind: CustomResourceDefinition
|
|
||||||
metadata:
|
|
||||||
annotations:
|
|
||||||
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
|
|
||||||
labels:
|
|
||||||
app: cert-manager
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: cert-manager
|
|
||||||
name: orders.acme.cert-manager.io
|
|
||||||
spec:
|
|
||||||
conversion:
|
|
||||||
strategy: Webhook
|
|
||||||
webhook:
|
|
||||||
clientConfig:
|
|
||||||
service:
|
|
||||||
name: cert-manager-webhook
|
|
||||||
namespace: {{ cert_manager_namespace }}
|
|
||||||
path: /convert
|
|
||||||
conversionReviewVersions:
|
|
||||||
- v1
|
|
||||||
- v1beta1
|
|
||||||
group: acme.cert-manager.io
|
|
||||||
names:
|
|
||||||
kind: Order
|
|
||||||
listKind: OrderList
|
|
||||||
plural: orders
|
|
||||||
singular: order
|
|
||||||
scope: Namespaced
|
|
||||||
versions:
|
|
||||||
- additionalPrinterColumns:
|
|
||||||
- jsonPath: .status.state
|
|
||||||
name: State
|
|
||||||
type: string
|
|
||||||
- jsonPath: .spec.issuerRef.name
|
|
||||||
name: Issuer
|
|
||||||
priority: 1
|
|
||||||
type: string
|
|
||||||
- jsonPath: .status.reason
|
|
||||||
name: Reason
|
|
||||||
priority: 1
|
|
||||||
type: string
|
|
||||||
- description: CreationTimestamp is a timestamp representing the server time when
|
|
||||||
this object was created. It is not guaranteed to be set in happens-before
|
|
||||||
order across separate operations. Clients may not set this value. It is represented
|
|
||||||
in RFC3339 form and is in UTC.
|
|
||||||
jsonPath: .metadata.creationTimestamp
|
|
||||||
name: Age
|
|
||||||
type: date
|
|
||||||
name: v1alpha2
|
|
||||||
schema:
|
|
||||||
openAPIV3Schema:
|
|
||||||
description: Order is a type to represent an Order with an ACME server
|
|
||||||
properties:
|
|
||||||
apiVersion:
|
|
||||||
description: 'APIVersion defines the versioned schema of this representation
|
|
||||||
of an object. Servers should convert recognized schemas to the latest
|
|
||||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
||||||
type: string
|
|
||||||
kind:
|
|
||||||
description: 'Kind is a string value representing the REST resource this
|
|
||||||
object represents. Servers may infer this from the endpoint the client
|
|
||||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
||||||
type: string
|
|
||||||
metadata:
|
|
||||||
type: object
|
|
||||||
spec:
|
|
||||||
properties:
|
|
||||||
commonName:
|
|
||||||
description: CommonName is the common name as specified on the DER
|
|
||||||
encoded CSR. If specified, this value must also be present in `dnsNames`.
|
|
||||||
This field must match the corresponding field on the DER encoded
|
|
||||||
CSR.
|
|
||||||
type: string
|
|
||||||
csr:
|
|
||||||
description: Certificate signing request bytes in DER encoding. This
|
|
||||||
will be used when finalizing the order. This field must be set on
|
|
||||||
the order.
|
|
||||||
format: byte
|
|
||||||
type: string
|
|
||||||
dnsNames:
|
|
||||||
description: DNSNames is a list of DNS names that should be included
|
|
||||||
as part of the Order validation process. This field must match the
|
|
||||||
corresponding field on the DER encoded CSR.
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
issuerRef:
|
|
||||||
description: IssuerRef references a properly configured ACME-type
|
|
||||||
Issuer which should be used to create this Order. If the Issuer
|
|
||||||
does not exist, processing will be retried. If the Issuer is not
|
|
||||||
an 'ACME' Issuer, an error will be returned and the Order will be
|
|
||||||
marked as failed.
|
|
||||||
properties:
|
|
||||||
group:
|
|
||||||
description: Group of the resource being referred to.
|
|
||||||
type: string
|
|
||||||
kind:
|
|
||||||
description: Kind of the resource being referred to.
|
|
||||||
type: string
|
|
||||||
name:
|
|
||||||
description: Name of the resource being referred to.
|
|
||||||
type: string
|
|
||||||
required:
|
|
||||||
- name
|
|
||||||
type: object
|
|
||||||
required:
|
|
||||||
- csr
|
|
||||||
- dnsNames
|
|
||||||
- issuerRef
|
|
||||||
type: object
|
|
||||||
status:
|
|
||||||
properties:
|
|
||||||
authorizations:
|
|
||||||
description: Authorizations contains data returned from the ACME server
|
|
||||||
on what authorizations must be completed in order to validate the
|
|
||||||
DNS names specified on the Order.
|
|
||||||
items:
|
|
||||||
description: ACMEAuthorization contains data returned from the ACME
|
|
||||||
server on an authorization that must be completed in order validate
|
|
||||||
a DNS name on an ACME Order resource.
|
|
||||||
properties:
|
|
||||||
challenges:
|
|
||||||
description: Challenges specifies the challenge types offered
|
|
||||||
by the ACME server. One of these challenge types will be selected
|
|
||||||
when validating the DNS name and an appropriate Challenge
|
|
||||||
resource will be created to perform the ACME challenge process.
|
|
||||||
items:
|
|
||||||
description: Challenge specifies a challenge offered by the
|
|
||||||
ACME server for an Order. An appropriate Challenge resource
|
|
||||||
can be created to perform the ACME challenge process.
|
|
||||||
properties:
|
|
||||||
token:
|
|
||||||
description: Token is the token that must be presented
|
|
||||||
for this challenge. This is used to compute the 'key'
|
|
||||||
that must also be presented.
|
|
||||||
type: string
|
|
||||||
type:
|
|
||||||
description: Type is the type of challenge being offered,
|
|
||||||
e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
|
|
||||||
the raw value retrieved from the ACME server. Only 'http-01'
|
|
||||||
and 'dns-01' are supported by cert-manager, other values
|
|
||||||
will be ignored.
|
|
||||||
type: string
|
|
||||||
url:
|
|
||||||
description: URL is the URL of this challenge. It can
|
|
||||||
be used to retrieve additional metadata about the Challenge
|
|
||||||
from the ACME server.
|
|
||||||
type: string
|
|
||||||
required:
|
|
||||||
- token
|
|
||||||
- type
|
|
||||||
- url
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
identifier:
|
|
||||||
description: Identifier is the DNS name to be validated as part
|
|
||||||
of this authorization
|
|
||||||
type: string
|
|
||||||
initialState:
|
|
||||||
description: InitialState is the initial state of the ACME authorization
|
|
||||||
when first fetched from the ACME server. If an Authorization
|
|
||||||
is already 'valid', the Order controller will not create a
|
|
||||||
Challenge resource for the authorization. This will occur
|
|
||||||
when working with an ACME server that enables 'authz reuse'
|
|
||||||
(such as Let's Encrypt's production endpoint). If not set
|
|
||||||
and 'identifier' is set, the state is assumed to be pending
|
|
||||||
and a Challenge will be created.
|
|
||||||
enum:
|
|
||||||
- valid
|
|
||||||
- ready
|
|
||||||
- pending
|
|
||||||
- processing
|
|
||||||
- invalid
|
|
||||||
- expired
|
|
||||||
- errored
|
|
||||||
type: string
|
|
||||||
url:
|
|
||||||
description: URL is the URL of the Authorization that must be
|
|
||||||
completed
|
|
||||||
type: string
|
|
||||||
wildcard:
|
|
||||||
description: Wildcard will be true if this authorization is
|
|
||||||
for a wildcard DNS name. If this is true, the identifier will
|
|
||||||
be the *non-wildcard* version of the DNS name. For example,
|
|
||||||
if '*.example.com' is the DNS name being validated, this field
|
|
||||||
will be 'true' and the 'identifier' field will be 'example.com'.
|
|
||||||
type: boolean
|
|
||||||
required:
|
|
||||||
- url
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
certificate:
|
|
||||||
description: Certificate is a copy of the PEM encoded certificate
|
|
||||||
for this Order. This field will be populated after the order has
|
|
||||||
been successfully finalized with the ACME server, and the order
|
|
||||||
has transitioned to the 'valid' state.
|
|
||||||
format: byte
|
|
||||||
type: string
|
|
||||||
failureTime:
|
|
||||||
description: FailureTime stores the time that this order failed. This
|
|
||||||
is used to influence garbage collection and back-off.
|
|
||||||
format: date-time
|
|
||||||
type: string
|
|
||||||
finalizeURL:
|
|
||||||
description: FinalizeURL of the Order. This is used to obtain certificates
|
|
||||||
for this order once it has been completed.
|
|
||||||
type: string
|
|
||||||
reason:
|
|
||||||
description: Reason optionally provides more information about a why
|
|
||||||
the order is in the current state.
|
|
||||||
type: string
|
|
||||||
state:
|
|
||||||
description: State contains the current state of this Order resource.
|
|
||||||
States 'success' and 'expired' are 'final'
|
|
||||||
enum:
|
|
||||||
- valid
|
|
||||||
- ready
|
|
||||||
- pending
|
|
||||||
- processing
|
|
||||||
- invalid
|
|
||||||
- expired
|
|
||||||
- errored
|
|
||||||
type: string
|
|
||||||
url:
|
|
||||||
description: URL of the Order. This will initially be empty when the
|
|
||||||
resource is first created. The Order controller will populate this
|
|
||||||
field when the Order is first processed. This field will be immutable
|
|
||||||
after it is initially set.
|
|
||||||
type: string
|
|
||||||
type: object
|
|
||||||
required:
|
|
||||||
- metadata
|
|
||||||
type: object
|
|
||||||
served: true
|
|
||||||
storage: false
|
|
||||||
subresources:
|
|
||||||
status: {}
|
|
||||||
- additionalPrinterColumns:
|
|
||||||
- jsonPath: .status.state
|
|
||||||
name: State
|
|
||||||
type: string
|
|
||||||
- jsonPath: .spec.issuerRef.name
|
|
||||||
name: Issuer
|
|
||||||
priority: 1
|
|
||||||
type: string
|
|
||||||
- jsonPath: .status.reason
|
|
||||||
name: Reason
|
|
||||||
priority: 1
|
|
||||||
type: string
|
|
||||||
- description: CreationTimestamp is a timestamp representing the server time when
|
|
||||||
this object was created. It is not guaranteed to be set in happens-before
|
|
||||||
order across separate operations. Clients may not set this value. It is represented
|
|
||||||
in RFC3339 form and is in UTC.
|
|
||||||
jsonPath: .metadata.creationTimestamp
|
|
||||||
name: Age
|
|
||||||
type: date
|
|
||||||
name: v1alpha3
|
|
||||||
schema:
|
|
||||||
openAPIV3Schema:
|
|
||||||
description: Order is a type to represent an Order with an ACME server
|
|
||||||
properties:
|
|
||||||
apiVersion:
|
|
||||||
description: 'APIVersion defines the versioned schema of this representation
|
|
||||||
of an object. Servers should convert recognized schemas to the latest
|
|
||||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
||||||
type: string
|
|
||||||
kind:
|
|
||||||
description: 'Kind is a string value representing the REST resource this
|
|
||||||
object represents. Servers may infer this from the endpoint the client
|
|
||||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
||||||
type: string
|
|
||||||
metadata:
|
|
||||||
type: object
|
|
||||||
spec:
|
|
||||||
properties:
|
|
||||||
commonName:
|
|
||||||
description: CommonName is the common name as specified on the DER
|
|
||||||
encoded CSR. If specified, this value must also be present in `dnsNames`.
|
|
||||||
This field must match the corresponding field on the DER encoded
|
|
||||||
CSR.
|
|
||||||
type: string
|
|
||||||
csr:
|
|
||||||
description: Certificate signing request bytes in DER encoding. This
|
|
||||||
will be used when finalizing the order. This field must be set on
|
|
||||||
the order.
|
|
||||||
format: byte
|
|
||||||
type: string
|
|
||||||
dnsNames:
|
|
||||||
description: DNSNames is a list of DNS names that should be included
|
|
||||||
as part of the Order validation process. This field must match the
|
|
||||||
corresponding field on the DER encoded CSR.
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
issuerRef:
|
|
||||||
description: IssuerRef references a properly configured ACME-type
|
|
||||||
Issuer which should be used to create this Order. If the Issuer
|
|
||||||
does not exist, processing will be retried. If the Issuer is not
|
|
||||||
an 'ACME' Issuer, an error will be returned and the Order will be
|
|
||||||
marked as failed.
|
|
||||||
properties:
|
|
||||||
group:
|
|
||||||
description: Group of the resource being referred to.
|
|
||||||
type: string
|
|
||||||
kind:
|
|
||||||
description: Kind of the resource being referred to.
|
|
||||||
type: string
|
|
||||||
name:
|
|
||||||
description: Name of the resource being referred to.
|
|
||||||
type: string
|
|
||||||
required:
|
|
||||||
- name
|
|
||||||
type: object
|
|
||||||
required:
|
|
||||||
- csr
|
|
||||||
- dnsNames
|
|
||||||
- issuerRef
|
|
||||||
type: object
|
|
||||||
status:
|
|
||||||
properties:
|
|
||||||
authorizations:
|
|
||||||
description: Authorizations contains data returned from the ACME server
|
|
||||||
on what authorizations must be completed in order to validate the
|
|
||||||
DNS names specified on the Order.
|
|
||||||
items:
|
|
||||||
description: ACMEAuthorization contains data returned from the ACME
|
|
||||||
server on an authorization that must be completed in order validate
|
|
||||||
a DNS name on an ACME Order resource.
|
|
||||||
properties:
|
|
||||||
challenges:
|
|
||||||
description: Challenges specifies the challenge types offered
|
|
||||||
by the ACME server. One of these challenge types will be selected
|
|
||||||
when validating the DNS name and an appropriate Challenge
|
|
||||||
resource will be created to perform the ACME challenge process.
|
|
||||||
items:
|
|
||||||
description: Challenge specifies a challenge offered by the
|
|
||||||
ACME server for an Order. An appropriate Challenge resource
|
|
||||||
can be created to perform the ACME challenge process.
|
|
||||||
properties:
|
|
||||||
token:
|
|
||||||
description: Token is the token that must be presented
|
|
||||||
for this challenge. This is used to compute the 'key'
|
|
||||||
that must also be presented.
|
|
||||||
type: string
|
|
||||||
type:
|
|
||||||
description: Type is the type of challenge being offered,
|
|
||||||
e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
|
|
||||||
the raw value retrieved from the ACME server. Only 'http-01'
|
|
||||||
and 'dns-01' are supported by cert-manager, other values
|
|
||||||
will be ignored.
|
|
||||||
type: string
|
|
||||||
url:
|
|
||||||
description: URL is the URL of this challenge. It can
|
|
||||||
be used to retrieve additional metadata about the Challenge
|
|
||||||
from the ACME server.
|
|
||||||
type: string
|
|
||||||
required:
|
|
||||||
- token
|
|
||||||
- type
|
|
||||||
- url
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
identifier:
|
|
||||||
description: Identifier is the DNS name to be validated as part
|
|
||||||
of this authorization
|
|
||||||
type: string
|
|
||||||
initialState:
|
|
||||||
description: InitialState is the initial state of the ACME authorization
|
|
||||||
when first fetched from the ACME server. If an Authorization
|
|
||||||
is already 'valid', the Order controller will not create a
|
|
||||||
Challenge resource for the authorization. This will occur
|
|
||||||
when working with an ACME server that enables 'authz reuse'
|
|
||||||
(such as Let's Encrypt's production endpoint). If not set
|
|
||||||
and 'identifier' is set, the state is assumed to be pending
|
|
||||||
and a Challenge will be created.
|
|
||||||
enum:
|
|
||||||
- valid
|
|
||||||
- ready
|
|
||||||
- pending
|
|
||||||
- processing
|
|
||||||
- invalid
|
|
||||||
- expired
|
|
||||||
- errored
|
|
||||||
type: string
|
|
||||||
url:
|
|
||||||
description: URL is the URL of the Authorization that must be
|
|
||||||
completed
|
|
||||||
type: string
|
|
||||||
wildcard:
|
|
||||||
description: Wildcard will be true if this authorization is
|
|
||||||
for a wildcard DNS name. If this is true, the identifier will
|
|
||||||
be the *non-wildcard* version of the DNS name. For example,
|
|
||||||
if '*.example.com' is the DNS name being validated, this field
|
|
||||||
will be 'true' and the 'identifier' field will be 'example.com'.
|
|
||||||
type: boolean
|
|
||||||
required:
|
|
||||||
- url
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
certificate:
|
|
||||||
description: Certificate is a copy of the PEM encoded certificate
|
|
||||||
for this Order. This field will be populated after the order has
|
|
||||||
been successfully finalized with the ACME server, and the order
|
|
||||||
has transitioned to the 'valid' state.
|
|
||||||
format: byte
|
|
||||||
type: string
|
|
||||||
failureTime:
|
|
||||||
description: FailureTime stores the time that this order failed. This
|
|
||||||
is used to influence garbage collection and back-off.
|
|
||||||
format: date-time
|
|
||||||
type: string
|
|
||||||
finalizeURL:
|
|
||||||
description: FinalizeURL of the Order. This is used to obtain certificates
|
|
||||||
for this order once it has been completed.
|
|
||||||
type: string
|
|
||||||
reason:
|
|
||||||
description: Reason optionally provides more information about a why
|
|
||||||
the order is in the current state.
|
|
||||||
type: string
|
|
||||||
state:
|
|
||||||
description: State contains the current state of this Order resource.
|
|
||||||
States 'success' and 'expired' are 'final'
|
|
||||||
enum:
|
|
||||||
- valid
|
|
||||||
- ready
|
|
||||||
- pending
|
|
||||||
- processing
|
|
||||||
- invalid
|
|
||||||
- expired
|
|
||||||
- errored
|
|
||||||
type: string
|
|
||||||
url:
|
|
||||||
description: URL of the Order. This will initially be empty when the
|
|
||||||
resource is first created. The Order controller will populate this
|
|
||||||
field when the Order is first processed. This field will be immutable
|
|
||||||
after it is initially set.
|
|
||||||
type: string
|
|
||||||
type: object
|
|
||||||
required:
|
|
||||||
- metadata
|
|
||||||
type: object
|
|
||||||
served: true
|
|
||||||
storage: false
|
|
||||||
subresources:
|
|
||||||
status: {}
|
|
||||||
- additionalPrinterColumns:
|
|
||||||
- jsonPath: .status.state
|
|
||||||
name: State
|
|
||||||
type: string
|
|
||||||
- jsonPath: .spec.issuerRef.name
|
|
||||||
name: Issuer
|
|
||||||
priority: 1
|
|
||||||
type: string
|
|
||||||
- jsonPath: .status.reason
|
|
||||||
name: Reason
|
|
||||||
priority: 1
|
|
||||||
type: string
|
|
||||||
- description: CreationTimestamp is a timestamp representing the server time when
|
|
||||||
this object was created. It is not guaranteed to be set in happens-before
|
|
||||||
order across separate operations. Clients may not set this value. It is represented
|
|
||||||
in RFC3339 form and is in UTC.
|
|
||||||
jsonPath: .metadata.creationTimestamp
|
|
||||||
name: Age
|
|
||||||
type: date
|
|
||||||
name: v1beta1
|
|
||||||
schema:
|
|
||||||
openAPIV3Schema:
|
|
||||||
description: Order is a type to represent an Order with an ACME server
|
|
||||||
properties:
|
|
||||||
apiVersion:
|
|
||||||
description: 'APIVersion defines the versioned schema of this representation
|
|
||||||
of an object. Servers should convert recognized schemas to the latest
|
|
||||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
||||||
type: string
|
|
||||||
kind:
|
|
||||||
description: 'Kind is a string value representing the REST resource this
|
|
||||||
object represents. Servers may infer this from the endpoint the client
|
|
||||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
||||||
type: string
|
|
||||||
metadata:
|
|
||||||
type: object
|
|
||||||
spec:
|
|
||||||
properties:
|
|
||||||
commonName:
|
|
||||||
description: CommonName is the common name as specified on the DER
|
|
||||||
encoded CSR. If specified, this value must also be present in `dnsNames`.
|
|
||||||
This field must match the corresponding field on the DER encoded
|
|
||||||
CSR.
|
|
||||||
type: string
|
|
||||||
dnsNames:
|
|
||||||
description: DNSNames is a list of DNS names that should be included
|
|
||||||
as part of the Order validation process. This field must match the
|
|
||||||
corresponding field on the DER encoded CSR.
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
issuerRef:
|
|
||||||
description: IssuerRef references a properly configured ACME-type
|
|
||||||
Issuer which should be used to create this Order. If the Issuer
|
|
||||||
does not exist, processing will be retried. If the Issuer is not
|
|
||||||
an 'ACME' Issuer, an error will be returned and the Order will be
|
|
||||||
marked as failed.
|
|
||||||
properties:
|
|
||||||
group:
|
|
||||||
description: Group of the resource being referred to.
|
|
||||||
type: string
|
|
||||||
kind:
|
|
||||||
description: Kind of the resource being referred to.
|
|
||||||
type: string
|
|
||||||
name:
|
|
||||||
description: Name of the resource being referred to.
|
|
||||||
type: string
|
|
||||||
required:
|
|
||||||
- name
|
|
||||||
type: object
|
|
||||||
request:
|
|
||||||
description: Certificate signing request bytes in DER encoding. This
|
|
||||||
will be used when finalizing the order. This field must be set on
|
|
||||||
the order.
|
|
||||||
format: byte
|
|
||||||
type: string
|
|
||||||
required:
|
|
||||||
- dnsNames
|
|
||||||
- issuerRef
|
|
||||||
- request
|
|
||||||
type: object
|
|
||||||
status:
|
|
||||||
properties:
|
|
||||||
authorizations:
|
|
||||||
description: Authorizations contains data returned from the ACME server
|
|
||||||
on what authorizations must be completed in order to validate the
|
|
||||||
DNS names specified on the Order.
|
|
||||||
items:
|
|
||||||
description: ACMEAuthorization contains data returned from the ACME
|
|
||||||
server on an authorization that must be completed in order validate
|
|
||||||
a DNS name on an ACME Order resource.
|
|
||||||
properties:
|
|
||||||
challenges:
|
|
||||||
description: Challenges specifies the challenge types offered
|
|
||||||
by the ACME server. One of these challenge types will be selected
|
|
||||||
when validating the DNS name and an appropriate Challenge
|
|
||||||
resource will be created to perform the ACME challenge process.
|
|
||||||
items:
|
|
||||||
description: Challenge specifies a challenge offered by the
|
|
||||||
ACME server for an Order. An appropriate Challenge resource
|
|
||||||
can be created to perform the ACME challenge process.
|
|
||||||
properties:
|
|
||||||
token:
|
|
||||||
description: Token is the token that must be presented
|
|
||||||
for this challenge. This is used to compute the 'key'
|
|
||||||
that must also be presented.
|
|
||||||
type: string
|
|
||||||
type:
|
|
||||||
description: Type is the type of challenge being offered,
|
|
||||||
e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
|
|
||||||
the raw value retrieved from the ACME server. Only 'http-01'
|
|
||||||
and 'dns-01' are supported by cert-manager, other values
|
|
||||||
will be ignored.
|
|
||||||
type: string
|
|
||||||
url:
|
|
||||||
description: URL is the URL of this challenge. It can
|
|
||||||
be used to retrieve additional metadata about the Challenge
|
|
||||||
from the ACME server.
|
|
||||||
type: string
|
|
||||||
required:
|
|
||||||
- token
|
|
||||||
- type
|
|
||||||
- url
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
identifier:
|
|
||||||
description: Identifier is the DNS name to be validated as part
|
|
||||||
of this authorization
|
|
||||||
type: string
|
|
||||||
initialState:
|
|
||||||
description: InitialState is the initial state of the ACME authorization
|
|
||||||
when first fetched from the ACME server. If an Authorization
|
|
||||||
is already 'valid', the Order controller will not create a
|
|
||||||
Challenge resource for the authorization. This will occur
|
|
||||||
when working with an ACME server that enables 'authz reuse'
|
|
||||||
(such as Let's Encrypt's production endpoint). If not set
|
|
||||||
and 'identifier' is set, the state is assumed to be pending
|
|
||||||
and a Challenge will be created.
|
|
||||||
enum:
|
|
||||||
- valid
|
|
||||||
- ready
|
|
||||||
- pending
|
|
||||||
- processing
|
|
||||||
- invalid
|
|
||||||
- expired
|
|
||||||
- errored
|
|
||||||
type: string
|
|
||||||
url:
|
|
||||||
description: URL is the URL of the Authorization that must be
|
|
||||||
completed
|
|
||||||
type: string
|
|
||||||
wildcard:
|
|
||||||
description: Wildcard will be true if this authorization is
|
|
||||||
for a wildcard DNS name. If this is true, the identifier will
|
|
||||||
be the *non-wildcard* version of the DNS name. For example,
|
|
||||||
if '*.example.com' is the DNS name being validated, this field
|
|
||||||
will be 'true' and the 'identifier' field will be 'example.com'.
|
|
||||||
type: boolean
|
|
||||||
required:
|
|
||||||
- url
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
certificate:
|
|
||||||
description: Certificate is a copy of the PEM encoded certificate
|
|
||||||
for this Order. This field will be populated after the order has
|
|
||||||
been successfully finalized with the ACME server, and the order
|
|
||||||
has transitioned to the 'valid' state.
|
|
||||||
format: byte
|
|
||||||
type: string
|
|
||||||
failureTime:
|
|
||||||
description: FailureTime stores the time that this order failed. This
|
|
||||||
is used to influence garbage collection and back-off.
|
|
||||||
format: date-time
|
|
||||||
type: string
|
|
||||||
finalizeURL:
|
|
||||||
description: FinalizeURL of the Order. This is used to obtain certificates
|
|
||||||
for this order once it has been completed.
|
|
||||||
type: string
|
|
||||||
reason:
|
|
||||||
description: Reason optionally provides more information about a why
|
|
||||||
the order is in the current state.
|
|
||||||
type: string
|
|
||||||
state:
|
|
||||||
description: State contains the current state of this Order resource.
|
|
||||||
States 'success' and 'expired' are 'final'
|
|
||||||
enum:
|
|
||||||
- valid
|
|
||||||
- ready
|
|
||||||
- pending
|
|
||||||
- processing
|
|
||||||
- invalid
|
|
||||||
- expired
|
|
||||||
- errored
|
|
||||||
type: string
|
|
||||||
url:
|
|
||||||
description: URL of the Order. This will initially be empty when the
|
|
||||||
resource is first created. The Order controller will populate this
|
|
||||||
field when the Order is first processed. This field will be immutable
|
|
||||||
after it is initially set.
|
|
||||||
type: string
|
|
||||||
type: object
|
|
||||||
required:
|
|
||||||
- metadata
|
|
||||||
- spec
|
|
||||||
type: object
|
|
||||||
served: true
|
|
||||||
storage: false
|
|
||||||
subresources:
|
|
||||||
status: {}
|
|
||||||
- additionalPrinterColumns:
|
|
||||||
- jsonPath: .status.state
|
|
||||||
name: State
|
|
||||||
type: string
|
|
||||||
- jsonPath: .spec.issuerRef.name
|
|
||||||
name: Issuer
|
|
||||||
priority: 1
|
|
||||||
type: string
|
|
||||||
- jsonPath: .status.reason
|
|
||||||
name: Reason
|
|
||||||
priority: 1
|
|
||||||
type: string
|
|
||||||
- description: CreationTimestamp is a timestamp representing the server time when
|
|
||||||
this object was created. It is not guaranteed to be set in happens-before
|
|
||||||
order across separate operations. Clients may not set this value. It is represented
|
|
||||||
in RFC3339 form and is in UTC.
|
|
||||||
jsonPath: .metadata.creationTimestamp
|
|
||||||
name: Age
|
|
||||||
type: date
|
|
||||||
name: v1
|
|
||||||
schema:
|
|
||||||
openAPIV3Schema:
|
|
||||||
description: Order is a type to represent an Order with an ACME server
|
|
||||||
properties:
|
|
||||||
apiVersion:
|
|
||||||
description: 'APIVersion defines the versioned schema of this representation
|
|
||||||
of an object. Servers should convert recognized schemas to the latest
|
|
||||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
||||||
type: string
|
|
||||||
kind:
|
|
||||||
description: 'Kind is a string value representing the REST resource this
|
|
||||||
object represents. Servers may infer this from the endpoint the client
|
|
||||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
||||||
type: string
|
|
||||||
metadata:
|
|
||||||
type: object
|
|
||||||
spec:
|
|
||||||
properties:
|
|
||||||
commonName:
|
|
||||||
description: CommonName is the common name as specified on the DER
|
|
||||||
encoded CSR. If specified, this value must also be present in `dnsNames`.
|
|
||||||
This field must match the corresponding field on the DER encoded
|
|
||||||
CSR.
|
|
||||||
type: string
|
|
||||||
dnsNames:
|
|
||||||
description: DNSNames is a list of DNS names that should be included
|
|
||||||
as part of the Order validation process. This field must match the
|
|
||||||
corresponding field on the DER encoded CSR.
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
issuerRef:
|
|
||||||
description: IssuerRef references a properly configured ACME-type
|
|
||||||
Issuer which should be used to create this Order. If the Issuer
|
|
||||||
does not exist, processing will be retried. If the Issuer is not
|
|
||||||
an 'ACME' Issuer, an error will be returned and the Order will be
|
|
||||||
marked as failed.
|
|
||||||
properties:
|
|
||||||
group:
|
|
||||||
description: Group of the resource being referred to.
|
|
||||||
type: string
|
|
||||||
kind:
|
|
||||||
description: Kind of the resource being referred to.
|
|
||||||
type: string
|
|
||||||
name:
|
|
||||||
description: Name of the resource being referred to.
|
|
||||||
type: string
|
|
||||||
required:
|
|
||||||
- name
|
|
||||||
type: object
|
|
||||||
request:
|
|
||||||
description: Certificate signing request bytes in DER encoding. This
|
|
||||||
will be used when finalizing the order. This field must be set on
|
|
||||||
the order.
|
|
||||||
format: byte
|
|
||||||
type: string
|
|
||||||
required:
|
|
||||||
- dnsNames
|
|
||||||
- issuerRef
|
|
||||||
- request
|
|
||||||
type: object
|
|
||||||
status:
|
|
||||||
properties:
|
|
||||||
authorizations:
|
|
||||||
description: Authorizations contains data returned from the ACME server
|
|
||||||
on what authorizations must be completed in order to validate the
|
|
||||||
DNS names specified on the Order.
|
|
||||||
items:
|
|
||||||
description: ACMEAuthorization contains data returned from the ACME
|
|
||||||
server on an authorization that must be completed in order validate
|
|
||||||
a DNS name on an ACME Order resource.
|
|
||||||
properties:
|
|
||||||
challenges:
|
|
||||||
description: Challenges specifies the challenge types offered
|
|
||||||
by the ACME server. One of these challenge types will be selected
|
|
||||||
when validating the DNS name and an appropriate Challenge
|
|
||||||
resource will be created to perform the ACME challenge process.
|
|
||||||
items:
|
|
||||||
description: Challenge specifies a challenge offered by the
|
|
||||||
ACME server for an Order. An appropriate Challenge resource
|
|
||||||
can be created to perform the ACME challenge process.
|
|
||||||
properties:
|
|
||||||
token:
|
|
||||||
description: Token is the token that must be presented
|
|
||||||
for this challenge. This is used to compute the 'key'
|
|
||||||
that must also be presented.
|
|
||||||
type: string
|
|
||||||
type:
|
|
||||||
description: Type is the type of challenge being offered,
|
|
||||||
e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
|
|
||||||
the raw value retrieved from the ACME server. Only 'http-01'
|
|
||||||
and 'dns-01' are supported by cert-manager, other values
|
|
||||||
will be ignored.
|
|
||||||
type: string
|
|
||||||
url:
|
|
||||||
description: URL is the URL of this challenge. It can
|
|
||||||
be used to retrieve additional metadata about the Challenge
|
|
||||||
from the ACME server.
|
|
||||||
type: string
|
|
||||||
required:
|
|
||||||
- token
|
|
||||||
- type
|
|
||||||
- url
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
identifier:
|
|
||||||
description: Identifier is the DNS name to be validated as part
|
|
||||||
of this authorization
|
|
||||||
type: string
|
|
||||||
initialState:
|
|
||||||
description: InitialState is the initial state of the ACME authorization
|
|
||||||
when first fetched from the ACME server. If an Authorization
|
|
||||||
is already 'valid', the Order controller will not create a
|
|
||||||
Challenge resource for the authorization. This will occur
|
|
||||||
when working with an ACME server that enables 'authz reuse'
|
|
||||||
(such as Let's Encrypt's production endpoint). If not set
|
|
||||||
and 'identifier' is set, the state is assumed to be pending
|
|
||||||
and a Challenge will be created.
|
|
||||||
enum:
|
|
||||||
- valid
|
|
||||||
- ready
|
|
||||||
- pending
|
|
||||||
- processing
|
|
||||||
- invalid
|
|
||||||
- expired
|
|
||||||
- errored
|
|
||||||
type: string
|
|
||||||
url:
|
|
||||||
description: URL is the URL of the Authorization that must be
|
|
||||||
completed
|
|
||||||
type: string
|
|
||||||
wildcard:
|
|
||||||
description: Wildcard will be true if this authorization is
|
|
||||||
for a wildcard DNS name. If this is true, the identifier will
|
|
||||||
be the *non-wildcard* version of the DNS name. For example,
|
|
||||||
if '*.example.com' is the DNS name being validated, this field
|
|
||||||
will be 'true' and the 'identifier' field will be 'example.com'.
|
|
||||||
type: boolean
|
|
||||||
required:
|
|
||||||
- url
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
certificate:
|
|
||||||
description: Certificate is a copy of the PEM encoded certificate
|
|
||||||
for this Order. This field will be populated after the order has
|
|
||||||
been successfully finalized with the ACME server, and the order
|
|
||||||
has transitioned to the 'valid' state.
|
|
||||||
format: byte
|
|
||||||
type: string
|
|
||||||
failureTime:
|
|
||||||
description: FailureTime stores the time that this order failed. This
|
|
||||||
is used to influence garbage collection and back-off.
|
|
||||||
format: date-time
|
|
||||||
type: string
|
|
||||||
finalizeURL:
|
|
||||||
description: FinalizeURL of the Order. This is used to obtain certificates
|
|
||||||
for this order once it has been completed.
|
|
||||||
type: string
|
|
||||||
reason:
|
|
||||||
description: Reason optionally provides more information about a why
|
|
||||||
the order is in the current state.
|
|
||||||
type: string
|
|
||||||
state:
|
|
||||||
description: State contains the current state of this Order resource.
|
|
||||||
States 'success' and 'expired' are 'final'
|
|
||||||
enum:
|
|
||||||
- valid
|
|
||||||
- ready
|
|
||||||
- pending
|
|
||||||
- processing
|
|
||||||
- invalid
|
|
||||||
- expired
|
|
||||||
- errored
|
|
||||||
type: string
|
|
||||||
url:
|
|
||||||
description: URL of the Order. This will initially be empty when the
|
|
||||||
resource is first created. The Order controller will populate this
|
|
||||||
field when the Order is first processed. This field will be immutable
|
|
||||||
after it is initially set.
|
|
||||||
type: string
|
|
||||||
type: object
|
|
||||||
required:
|
|
||||||
- metadata
|
|
||||||
- spec
|
|
||||||
type: object
|
|
||||||
served: true
|
|
||||||
storage: true
|
|
||||||
subresources:
|
|
||||||
status: {}
|
|
||||||
status:
|
|
||||||
acceptedNames:
|
|
||||||
kind: ""
|
|
||||||
plural: ""
|
|
||||||
conditions: []
|
|
||||||
storedVersions: []
|
|
||||||
-168
@@ -1,168 +0,0 @@
|
|||||||
# Copyright YEAR The Jetstack cert-manager contributors.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
---
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: cainjector
|
|
||||||
app.kubernetes.io/component: cainjector
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: cainjector
|
|
||||||
name: cert-manager-cainjector
|
|
||||||
namespace: {{ cert_manager_namespace }}
|
|
||||||
spec:
|
|
||||||
replicas: 1
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
app.kubernetes.io/component: cainjector
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: cainjector
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: cainjector
|
|
||||||
app.kubernetes.io/component: cainjector
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: cainjector
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- args:
|
|
||||||
- --v=2
|
|
||||||
- --leader-election-namespace=kube-system
|
|
||||||
env:
|
|
||||||
- name: POD_NAMESPACE
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: metadata.namespace
|
|
||||||
image: "{{ cert_manager_cainjector_image_repo }}:{{ cert_manager_cainjector_image_tag }}"
|
|
||||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
|
||||||
name: cert-manager
|
|
||||||
resources: {}
|
|
||||||
serviceAccountName: cert-manager-cainjector
|
|
||||||
---
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: cert-manager
|
|
||||||
app.kubernetes.io/component: controller
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: cert-manager
|
|
||||||
name: cert-manager
|
|
||||||
namespace: {{ cert_manager_namespace }}
|
|
||||||
spec:
|
|
||||||
replicas: 1
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
app.kubernetes.io/component: controller
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: cert-manager
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
annotations:
|
|
||||||
prometheus.io/path: /metrics
|
|
||||||
prometheus.io/port: "9402"
|
|
||||||
prometheus.io/scrape: "true"
|
|
||||||
labels:
|
|
||||||
app: cert-manager
|
|
||||||
app.kubernetes.io/component: controller
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: cert-manager
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- args:
|
|
||||||
- --v=2
|
|
||||||
- --cluster-resource-namespace=$(POD_NAMESPACE)
|
|
||||||
- --leader-election-namespace=kube-system
|
|
||||||
env:
|
|
||||||
- name: POD_NAMESPACE
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: metadata.namespace
|
|
||||||
image: "{{ cert_manager_controller_image_repo }}:{{ cert_manager_controller_image_tag }}"
|
|
||||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
|
||||||
name: cert-manager
|
|
||||||
ports:
|
|
||||||
- containerPort: 9402
|
|
||||||
protocol: TCP
|
|
||||||
resources: {}
|
|
||||||
serviceAccountName: cert-manager
|
|
||||||
---
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: webhook
|
|
||||||
app.kubernetes.io/component: webhook
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: webhook
|
|
||||||
name: cert-manager-webhook
|
|
||||||
namespace: {{ cert_manager_namespace }}
|
|
||||||
spec:
|
|
||||||
replicas: 1
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
app.kubernetes.io/component: webhook
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: webhook
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: webhook
|
|
||||||
app.kubernetes.io/component: webhook
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: webhook
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- args:
|
|
||||||
- --v=2
|
|
||||||
- --secure-port=10250
|
|
||||||
- --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
|
|
||||||
- --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
|
|
||||||
- --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.{{ cert_manager_namespace }},cert-manager-webhook.{{ cert_manager_namespace }}.svc
|
|
||||||
env:
|
|
||||||
- name: POD_NAMESPACE
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: metadata.namespace
|
|
||||||
image: "{{ cert_manager_webhook_image_repo }}:{{ cert_manager_webhook_image_tag }}"
|
|
||||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
|
||||||
livenessProbe:
|
|
||||||
failureThreshold: 3
|
|
||||||
httpGet:
|
|
||||||
path: /livez
|
|
||||||
port: 6080
|
|
||||||
scheme: HTTP
|
|
||||||
initialDelaySeconds: 60
|
|
||||||
periodSeconds: 10
|
|
||||||
successThreshold: 1
|
|
||||||
timeoutSeconds: 1
|
|
||||||
name: cert-manager
|
|
||||||
ports:
|
|
||||||
- containerPort: 10250
|
|
||||||
name: https
|
|
||||||
readinessProbe:
|
|
||||||
failureThreshold: 3
|
|
||||||
httpGet:
|
|
||||||
path: /healthz
|
|
||||||
port: 6080
|
|
||||||
scheme: HTTP
|
|
||||||
initialDelaySeconds: 5
|
|
||||||
periodSeconds: 5
|
|
||||||
successThreshold: 1
|
|
||||||
timeoutSeconds: 1
|
|
||||||
resources: {}
|
|
||||||
serviceAccountName: cert-manager-webhook
|
|
||||||
-100
@@ -1,100 +0,0 @@
|
|||||||
# Copyright YEAR The Jetstack cert-manager contributors.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: Role
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: cainjector
|
|
||||||
app.kubernetes.io/component: cainjector
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: cainjector
|
|
||||||
name: cert-manager-cainjector:leaderelection
|
|
||||||
namespace: kube-system
|
|
||||||
rules:
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resourceNames:
|
|
||||||
- cert-manager-cainjector-leader-election
|
|
||||||
- cert-manager-cainjector-leader-election-core
|
|
||||||
resources:
|
|
||||||
- configmaps
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- update
|
|
||||||
- patch
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- configmaps
|
|
||||||
verbs:
|
|
||||||
- create
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: Role
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: cert-manager
|
|
||||||
app.kubernetes.io/component: controller
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: cert-manager
|
|
||||||
name: cert-manager:leaderelection
|
|
||||||
namespace: kube-system
|
|
||||||
rules:
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resourceNames:
|
|
||||||
- cert-manager-controller
|
|
||||||
resources:
|
|
||||||
- configmaps
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- update
|
|
||||||
- patch
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- configmaps
|
|
||||||
verbs:
|
|
||||||
- create
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: Role
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: webhook
|
|
||||||
app.kubernetes.io/component: webhook
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: webhook
|
|
||||||
name: cert-manager-webhook:dynamic-serving
|
|
||||||
namespace: {{ cert_manager_namespace }}
|
|
||||||
rules:
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resourceNames:
|
|
||||||
- cert-manager-webhook-ca
|
|
||||||
resources:
|
|
||||||
- secrets
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- update
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- secrets
|
|
||||||
verbs:
|
|
||||||
- create
|
|
||||||
-73
@@ -1,73 +0,0 @@
|
|||||||
# Copyright YEAR The Jetstack cert-manager contributors.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: RoleBinding
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: cainjector
|
|
||||||
app.kubernetes.io/component: cainjector
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: cainjector
|
|
||||||
name: cert-manager-cainjector:leaderelection
|
|
||||||
namespace: kube-system
|
|
||||||
roleRef:
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: Role
|
|
||||||
name: cert-manager-cainjector:leaderelection
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: cert-manager-cainjector
|
|
||||||
namespace: {{ cert_manager_namespace }}
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: RoleBinding
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: cert-manager
|
|
||||||
app.kubernetes.io/component: controller
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: cert-manager
|
|
||||||
name: cert-manager:leaderelection
|
|
||||||
namespace: kube-system
|
|
||||||
roleRef:
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: Role
|
|
||||||
name: cert-manager:leaderelection
|
|
||||||
subjects:
|
|
||||||
- apiGroup: ""
|
|
||||||
kind: ServiceAccount
|
|
||||||
name: cert-manager
|
|
||||||
namespace: {{ cert_manager_namespace }}
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: RoleBinding
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: webhook
|
|
||||||
app.kubernetes.io/component: webhook
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: webhook
|
|
||||||
name: cert-manager-webhook:dynamic-serving
|
|
||||||
namespace: {{ cert_manager_namespace }}
|
|
||||||
roleRef:
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: Role
|
|
||||||
name: cert-manager-webhook:dynamic-serving
|
|
||||||
subjects:
|
|
||||||
- apiGroup: ""
|
|
||||||
kind: ServiceAccount
|
|
||||||
name: cert-manager-webhook
|
|
||||||
namespace: {{ cert_manager_namespace }}
|
|
||||||
-47
@@ -1,47 +0,0 @@
|
|||||||
# Copyright YEAR The Jetstack cert-manager contributors.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: cainjector
|
|
||||||
app.kubernetes.io/component: cainjector
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: cainjector
|
|
||||||
name: cert-manager-cainjector
|
|
||||||
namespace: {{ cert_manager_namespace }}
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: cert-manager
|
|
||||||
app.kubernetes.io/component: controller
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: cert-manager
|
|
||||||
name: cert-manager
|
|
||||||
namespace: {{ cert_manager_namespace }}
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: webhook
|
|
||||||
app.kubernetes.io/component: webhook
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: webhook
|
|
||||||
name: cert-manager-webhook
|
|
||||||
namespace: {{ cert_manager_namespace }}
|
|
||||||
-56
@@ -1,56 +0,0 @@
|
|||||||
# Copyright YEAR The Jetstack cert-manager contributors.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: cert-manager
|
|
||||||
app.kubernetes.io/component: controller
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: cert-manager
|
|
||||||
name: cert-manager
|
|
||||||
namespace: {{ cert_manager_namespace }}
|
|
||||||
spec:
|
|
||||||
ports:
|
|
||||||
- port: 9402
|
|
||||||
protocol: TCP
|
|
||||||
targetPort: 9402
|
|
||||||
selector:
|
|
||||||
app.kubernetes.io/component: controller
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: cert-manager
|
|
||||||
type: ClusterIP
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: webhook
|
|
||||||
app.kubernetes.io/component: webhook
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: webhook
|
|
||||||
name: cert-manager-webhook
|
|
||||||
namespace: {{ cert_manager_namespace }}
|
|
||||||
spec:
|
|
||||||
ports:
|
|
||||||
- name: https
|
|
||||||
port: 443
|
|
||||||
targetPort: 10250
|
|
||||||
selector:
|
|
||||||
app.kubernetes.io/component: webhook
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: webhook
|
|
||||||
type: ClusterIP
|
|
||||||
-94
@@ -1,94 +0,0 @@
|
|||||||
# Copyright YEAR The Jetstack cert-manager contributors.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
---
|
|
||||||
apiVersion: admissionregistration.k8s.io/v1
|
|
||||||
kind: MutatingWebhookConfiguration
|
|
||||||
metadata:
|
|
||||||
annotations:
|
|
||||||
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
|
|
||||||
labels:
|
|
||||||
app: webhook
|
|
||||||
app.kubernetes.io/component: webhook
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: webhook
|
|
||||||
name: cert-manager-webhook
|
|
||||||
webhooks:
|
|
||||||
- admissionReviewVersions:
|
|
||||||
- v1
|
|
||||||
- v1beta1
|
|
||||||
clientConfig:
|
|
||||||
service:
|
|
||||||
name: cert-manager-webhook
|
|
||||||
namespace: {{ cert_manager_namespace }}
|
|
||||||
path: /mutate
|
|
||||||
failurePolicy: Fail
|
|
||||||
name: webhook.cert-manager.io
|
|
||||||
rules:
|
|
||||||
- apiGroups:
|
|
||||||
- cert-manager.io
|
|
||||||
- acme.cert-manager.io
|
|
||||||
apiVersions:
|
|
||||||
- '*'
|
|
||||||
operations:
|
|
||||||
- CREATE
|
|
||||||
- UPDATE
|
|
||||||
resources:
|
|
||||||
- '*/*'
|
|
||||||
sideEffects: None
|
|
||||||
---
|
|
||||||
apiVersion: admissionregistration.k8s.io/v1
|
|
||||||
kind: ValidatingWebhookConfiguration
|
|
||||||
metadata:
|
|
||||||
annotations:
|
|
||||||
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
|
|
||||||
labels:
|
|
||||||
app: webhook
|
|
||||||
app.kubernetes.io/component: webhook
|
|
||||||
app.kubernetes.io/instance: cert-manager
|
|
||||||
app.kubernetes.io/name: webhook
|
|
||||||
name: cert-manager-webhook
|
|
||||||
webhooks:
|
|
||||||
- admissionReviewVersions:
|
|
||||||
- v1
|
|
||||||
- v1beta1
|
|
||||||
clientConfig:
|
|
||||||
service:
|
|
||||||
name: cert-manager-webhook
|
|
||||||
namespace: {{ cert_manager_namespace }}
|
|
||||||
path: /validate
|
|
||||||
failurePolicy: Fail
|
|
||||||
name: webhook.cert-manager.io
|
|
||||||
namespaceSelector:
|
|
||||||
matchExpressions:
|
|
||||||
- key: cert-manager.io/disable-validation
|
|
||||||
operator: NotIn
|
|
||||||
values:
|
|
||||||
- "true"
|
|
||||||
- key: name
|
|
||||||
operator: NotIn
|
|
||||||
values:
|
|
||||||
- cert-manager
|
|
||||||
rules:
|
|
||||||
- apiGroups:
|
|
||||||
- cert-manager.io
|
|
||||||
- acme.cert-manager.io
|
|
||||||
apiVersions:
|
|
||||||
- '*'
|
|
||||||
operations:
|
|
||||||
- CREATE
|
|
||||||
- UPDATE
|
|
||||||
resources:
|
|
||||||
- '*/*'
|
|
||||||
sideEffects: None
|
|
||||||
Reference in New Issue
Block a user