jlengrand/engine
1
0
Fork 0
mirror of https://github.com/jlengrand/engine.git synced 2026-03-10 15:49:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore: update cert manager

Browse Source
This commit is contained in:
MacLikorne
2021-07-29 09:17:30 +02:00
committed by Pierre Mavro
parent 9a853b4271
commit 3d9a0b2d2e
11 changed files with 143 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
lib/common/bootstrap/charts/cert-manager/Chart.yaml
View File

@@ -1,5 +1,5 @@
apiVersion: v1
appVersion: v1.0.4
appVersion: v1.1.1
description: A Helm chart for cert-manager
home: https://github.com/jetstack/cert-manager
icon: https://raw.githubusercontent.com/jetstack/cert-manager/master/logo/logo.png
@@ -14,4 +14,4 @@ maintainers:
name: cert-manager
sources:
- https://github.com/jetstack/cert-manager
version: v1.0.4
version: v1.1.1

17
lib/common/bootstrap/charts/cert-manager/README.md
View File

@@ -20,10 +20,10 @@ This is performed in a separate step to allow you to easily uninstall and reinst
```bash
# Kubernetes 1.15+
$ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.4/cert-manager.crds.yaml
$ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.1.1/cert-manager.crds.yaml
# Kubernetes <1.15
$ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.4/cert-manager-legacy.crds.yaml
$ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.1.1/cert-manager-legacy.crds.yaml
```
> **Note**: If you're using a Kubernetes version below `v1.15` you will need to install the legacy version of the custom resource definitions.
@@ -73,10 +73,10 @@ delete the previously installed CustomResourceDefinition resources:
```console
# Kubernetes 1.15+
$ kubectl delete -f https://github.com/jetstack/cert-manager/releases/download/v1.0.4/cert-manager.crds.yaml
$ kubectl delete -f https://github.com/jetstack/cert-manager/releases/download/v1.1.1/cert-manager.crds.yaml
# Kubernetes <1.15
$ kubectl delete -f https://github.com/jetstack/cert-manager/releases/download/v1.0.4/cert-manager-legacy.crds.yaml
$ kubectl delete -f https://github.com/jetstack/cert-manager/releases/download/v1.1.1/cert-manager-legacy.crds.yaml
```
## Configuration
@@ -93,7 +93,7 @@ The following table lists the configurable parameters of the cert-manager chart
| `global.leaderElection.namespace` | Override the namespace used to store the ConfigMap for leader election | `kube-system` |
| `installCRDs` | If true, CRD resources will be installed as part of the Helm chart. If enabled, when uninstalling CRD resources will be deleted causing all installed custom resources to be DELETED | `false` |
| `image.repository` | Image repository | `quay.io/jetstack/cert-manager-controller` |
| `image.tag` | Image tag | `v1.0.4` |
| `image.tag` | Image tag | `v1.1.1` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `replicaCount` | Number of cert-manager replicas | `1` |
| `clusterResourceNamespace` | Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources | Same namespace as cert-manager pod |
@@ -133,7 +133,9 @@ The following table lists the configurable parameters of the cert-manager chart
| `https_proxy` | Value of the `HTTPS_PROXY` environment variable in the cert-manager pod | |
| `no_proxy` | Value of the `NO_PROXY` environment variable in the cert-manager pod | |
| `webhook.replicaCount` | Number of cert-manager webhook replicas | `1` |
| `webhook.timeoutSeconds` | Seconds the API server should wait the webhook to respond before treating the call as a failure. | `10` |
| `webhook.podAnnotations` | Annotations to add to the webhook pods | `{}` |
| `webhook.podLabels` | Labels to add to the cert-manager webhook pod | `{}` |
| `webhook.deploymentAnnotations` | Annotations to add to the webhook deployment | `{}` |
| `webhook.mutatingWebhookConfigurationAnnotations` | Annotations to add to the mutating webhook configuration | `{}` |
| `webhook.validatingWebhookConfigurationAnnotations` | Annotations to add to the validating webhook configuration | `{}` |
@@ -146,7 +148,7 @@ The following table lists the configurable parameters of the cert-manager chart
| `webhook.affinity` | Node affinity for webhook pod assignment | `{}` |
| `webhook.tolerations` | Node tolerations for webhook pod assignment | `[]` |
| `webhook.image.repository` | Webhook image repository | `quay.io/jetstack/cert-manager-webhook` |
| `webhook.image.tag` | Webhook image tag | `v1.0.4` |
| `webhook.image.tag` | Webhook image tag | `v1.1.1` |
| `webhook.image.pullPolicy` | Webhook image pull policy | `IfNotPresent` |
| `webhook.securePort` | The port that the webhook should listen on for requests. | `10250` |
| `webhook.securityContext` | Security context for webhook pod assignment | `{}` |
@@ -165,6 +167,7 @@ The following table lists the configurable parameters of the cert-manager chart
| `cainjector.enabled` | Toggles whether the cainjector component should be installed (required for the webhook component to work) | `true` |
| `cainjector.replicaCount` | Number of cert-manager cainjector replicas | `1` |
| `cainjector.podAnnotations` | Annotations to add to the cainjector pods | `{}` |
| `cainjector.podLabels` | Labels to add to the cert-manager cainjector pod | `{}` |
| `cainjector.deploymentAnnotations` | Annotations to add to the cainjector deployment | `{}` |
| `cainjector.extraArgs` | Optional flags for cert-manager cainjector component | `[]` |
| `cainjector.serviceAccount.create` | If `true`, create a new service account for the cainjector component | `true` |
@@ -175,7 +178,7 @@ The following table lists the configurable parameters of the cert-manager chart
| `cainjector.affinity` | Node affinity for cainjector pod assignment | `{}` |
| `cainjector.tolerations` | Node tolerations for cainjector pod assignment | `[]` |
| `cainjector.image.repository` | cainjector image repository | `quay.io/jetstack/cert-manager-cainjector` |
| `cainjector.image.tag` | cainjector image tag | `v1.0.4` |
| `cainjector.image.tag` | cainjector image tag | `v1.1.1` |
| `cainjector.image.pullPolicy` | cainjector image pull policy | `IfNotPresent` |
| `cainjector.securityContext` | Security context for cainjector pod assignment | `{}` |
| `cainjector.containerSecurityContext` | Security context to be set on cainjector component container | `{}` |

3
lib/common/bootstrap/charts/cert-manager/templates/cainjector-deployment.yaml
View File

@@ -35,6 +35,9 @@ spec:
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/component: "cainjector"
helm.sh/chart: {{ include "cainjector.chart" . }}
{{- if .Values.cainjector.podLabels }}
{{ toYaml .Values.cainjector.podLabels | indent 8 }}
{{- end }}
{{- if .Values.cainjector.podAnnotations }}
annotations:
{{ toYaml .Values.cainjector.podAnnotations | indent 8 }}

38
lib/common/bootstrap/charts/cert-manager/templates/crds.legacy.yaml
View File

@@ -316,6 +316,10 @@ spec:
items:
type: string
type: array
encodeUsagesInRequest:
description: EncodeUsagesInRequest controls whether key usages should
be present in the CertificateRequest
type: boolean
ipAddresses:
description: IPAddresses is a list of IP address subjectAltNames to
be set on the Certificate.
@@ -455,8 +459,6 @@ spec:
if not specified. If `algorithm` is set to `ECDSA`, valid values
are `256`, `384` or `521`, and will default to `256` if not specified.
No other values are allowed.
maximum: 8192
minimum: 0
type: integer
type: object
renewBefore:
@@ -2225,6 +2227,13 @@ spec:
your account or certificates, including expiry notification emails.
This field may be updated after the account is initially registered.
type: string
enableDurationFeature:
description: Enables requesting a Not After date on certificates
that matches the duration of the certificate. This is not supported
by all ACME servers like Let's Encrypt. If set to true when the
ACME server does not support it it will create an error on the
Order. Defaults to false.
type: boolean
externalAccountBinding:
description: ExternalAccountBinding is a reference to a CA external
account of the ACME server. If set, upon registration cert-manager
@@ -4145,6 +4154,13 @@ spec:
your account or certificates, including expiry notification emails.
This field may be updated after the account is initially registered.
type: string
enableDurationFeature:
description: Enables requesting a Not After date on certificates
that matches the duration of the certificate. This is not supported
by all ACME servers like Let's Encrypt. If set to true when the
ACME server does not support it it will create an error on the
Order. Defaults to false.
type: boolean
externalAccountBinding:
description: ExternalAccountBinding is a reference to a CA external
account of the ACME server. If set, upon registration cert-manager
@@ -6050,8 +6066,9 @@ spec:
properties:
commonName:
description: CommonName is the common name as specified on the DER encoded
CSR. If specified, this value must also be present in `dnsNames`.
This field must match the corresponding field on the DER encoded CSR.
CSR. If specified, this value must also be present in `dnsNames` or
`ipAddresses`. This field must match the corresponding field on the
DER encoded CSR.
type: string
dnsNames:
description: DNSNames is a list of DNS names that should be included
@@ -6060,6 +6077,18 @@ spec:
items:
type: string
type: array
duration:
description: Duration is the duration for the not after date for the
requested certificate. this is set on order creation as pe the ACME
spec.
type: string
ipAddresses:
description: IPAddresses is a list of IP addresses that should be included
as part of the Order validation process. This field must match the
corresponding field on the DER encoded CSR.
items:
type: string
type: array
issuerRef:
description: IssuerRef references a properly configured ACME-type Issuer
which should be used to create this Order. If the Issuer does not
@@ -6086,7 +6115,6 @@ spec:
format: byte
type: string
required:
- dnsNames
- issuerRef
- request
type: object

88
lib/common/bootstrap/charts/cert-manager/templates/crds.yaml
View File

@@ -707,6 +707,9 @@ spec:
type: array
items:
type: string
encodeUsagesInRequest:
description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest
type: boolean
ipAddresses:
description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
type: array
@@ -745,8 +748,6 @@ spec:
keySize:
description: KeySize is the key bit size of the corresponding private key for this certificate. If `keyAlgorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `keyAlgorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. No other values are allowed.
type: integer
maximum: 8192
minimum: 0
keystores:
description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource.
type: object
@@ -1001,6 +1002,9 @@ spec:
type: array
items:
type: string
encodeUsagesInRequest:
description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest
type: boolean
ipAddresses:
description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
type: array
@@ -1039,8 +1043,6 @@ spec:
keySize:
description: KeySize is the key bit size of the corresponding private key for this certificate. If `keyAlgorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `keyAlgorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. No other values are allowed.
type: integer
maximum: 8192
minimum: 0
keystores:
description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource.
type: object
@@ -1297,6 +1299,9 @@ spec:
type: array
items:
type: string
encodeUsagesInRequest:
description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest
type: boolean
ipAddresses:
description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
type: array
@@ -1390,8 +1395,6 @@ spec:
size:
description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. No other values are allowed.
type: integer
maximum: 8192
minimum: 0
renewBefore:
description: The amount of time before the currently issued certificate's `notAfter` time that cert-manager will begin to attempt to renew the certificate. If this value is greater than the total duration of the certificate (i.e. notAfter - notBefore), it will be automatically renewed 2/3rds of the way through the certificate's duration.
type: string
@@ -1593,6 +1596,9 @@ spec:
type: array
items:
type: string
encodeUsagesInRequest:
description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest
type: boolean
ipAddresses:
description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
type: array
@@ -1686,8 +1692,6 @@ spec:
size:
description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. No other values are allowed.
type: integer
maximum: 8192
minimum: 0
renewBefore:
description: The amount of time before the currently issued certificate's `notAfter` time that cert-manager will begin to attempt to renew the certificate. If this value is greater than the total duration of the certificate (i.e. notAfter - notBefore), it will be automatically renewed 2/3rds of the way through the certificate's duration.
type: string
@@ -5254,6 +5258,9 @@ spec:
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
enableDurationFeature:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
externalAccountBinding:
description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
type: object
@@ -6280,6 +6287,9 @@ spec:
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
enableDurationFeature:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
externalAccountBinding:
description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
type: object
@@ -7308,6 +7318,9 @@ spec:
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
enableDurationFeature:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
externalAccountBinding:
description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
type: object
@@ -8336,6 +8349,9 @@ spec:
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
enableDurationFeature:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
externalAccountBinding:
description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
type: object
@@ -9401,6 +9417,9 @@ spec:
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
enableDurationFeature:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
externalAccountBinding:
description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
type: object
@@ -10427,6 +10446,9 @@ spec:
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
enableDurationFeature:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
externalAccountBinding:
description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
type: object
@@ -11455,6 +11477,9 @@ spec:
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
enableDurationFeature:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
externalAccountBinding:
description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
type: object
@@ -12483,6 +12508,9 @@ spec:
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
enableDurationFeature:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
externalAccountBinding:
description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
type: object
@@ -13541,11 +13569,10 @@ spec:
type: object
required:
- csr
- dnsNames
- issuerRef
properties:
commonName:
description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames`. This field must match the corresponding field on the DER encoded CSR.
description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
type: string
csr:
description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
@@ -13556,6 +13583,14 @@ spec:
type: array
items:
type: string
duration:
description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec.
type: string
ipAddresses:
description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
type: array
items:
type: string
issuerRef:
description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
type: object
@@ -13691,11 +13726,10 @@ spec:
type: object
required:
- csr
- dnsNames
- issuerRef
properties:
commonName:
description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames`. This field must match the corresponding field on the DER encoded CSR.
description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
type: string
csr:
description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
@@ -13706,6 +13740,14 @@ spec:
type: array
items:
type: string
duration:
description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec.
type: string
ipAddresses:
description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
type: array
items:
type: string
issuerRef:
description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
type: object
@@ -13841,18 +13883,25 @@ spec:
spec:
type: object
required:
- dnsNames
- issuerRef
- request
properties:
commonName:
description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames`. This field must match the corresponding field on the DER encoded CSR.
description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
type: string
dnsNames:
description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
type: array
items:
type: string
duration:
description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec.
type: string
ipAddresses:
description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
type: array
items:
type: string
issuerRef:
description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
type: object
@@ -13992,18 +14041,25 @@ spec:
spec:
type: object
required:
- dnsNames
- issuerRef
- request
properties:
commonName:
description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames`. This field must match the corresponding field on the DER encoded CSR.
description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
type: string
dnsNames:
description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
type: array
items:
type: string
duration:
description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec.
type: string
ipAddresses:
description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
type: array
items:
type: string
issuerRef:
description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
type: object

7
lib/common/bootstrap/charts/cert-manager/templates/rbac.yaml
View File

@@ -426,6 +426,10 @@ rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "issuers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges", "orders"]
verbs: ["get", "list", "watch"]
---
@@ -446,5 +450,8 @@ rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "issuers"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges", "orders"]
verbs: ["get", "list", "watch"]
{{- end }}

3
lib/common/bootstrap/charts/cert-manager/templates/webhook-deployment.yaml
View File

@@ -34,6 +34,9 @@ spec:
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/component: "webhook"
helm.sh/chart: {{ include "webhook.chart" . }}
{{- if .Values.webhook.podLabels }}
{{ toYaml .Values.webhook.podLabels | indent 8 }}
{{- end }}
{{- if .Values.webhook.podAnnotations }}
annotations:
{{ toYaml .Values.webhook.podAnnotations | indent 8 }}

1
lib/common/bootstrap/charts/cert-manager/templates/webhook-mutating-webhook.yaml
View File

@@ -35,6 +35,7 @@ webhooks:
- "*/*"
{{- if $isV1AdmissionRegistration }}
admissionReviewVersions: ["v1", "v1beta1"]
timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
{{- end }}
failurePolicy: Fail
{{- if (semverCompare ">=1.12-0" .Capabilities.KubeVersion.GitVersion) }}

1
lib/common/bootstrap/charts/cert-manager/templates/webhook-validating-webhook.yaml
View File

@@ -45,6 +45,7 @@ webhooks:
- "*/*"
{{- if $isV1AdmissionRegistration }}
admissionReviewVersions: ["v1", "v1beta1"]
timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
{{- end }}
failurePolicy: Fail
{{- if (semverCompare ">=1.12-0" .Capabilities.KubeVersion.GitVersion) }}

13
lib/common/bootstrap/charts/cert-manager/values.yaml
View File

@@ -41,7 +41,7 @@ featureGates: ""
image:
repository: quay.io/jetstack/cert-manager-controller
# You can manage a registry with
# registy: quay.io
# registry: quay.io
# repository: jetstack/cert-manager-controller
# Override the image tag to deploy by setting this variable.
@@ -178,6 +178,7 @@ tolerations: []
webhook:
replicaCount: 1
timeoutSeconds: 10
strategy: {}
# type: RollingUpdate
@@ -238,10 +239,13 @@ webhook:
tolerations: []
# Optional additional labels to add to the Webhook Pods
podLabels: {}
image:
repository: quay.io/jetstack/cert-manager-webhook
# You can manage a registry with
# registy: quay.io
# registry: quay.io
# repository: jetstack/cert-manager-webhook
# Override the image tag to deploy by setting this variable.
@@ -322,10 +326,13 @@ cainjector:
tolerations: []
# Optional additional labels to add to the CA Injector Pods
podLabels: {}
image:
repository: quay.io/jetstack/cert-manager-cainjector
# You can manage a registry with
# registy: quay.io
# registry: quay.io
# repository: jetstack/cert-manager-cainjector
# Override the image tag to deploy by setting this variable.

2
lib/helm-freeze.yaml
View File

@@ -1,6 +1,6 @@
charts:
- name: cert-manager
version: v1.0.4
version: v1.1.1
repo_name: jetstack
- name: external-dns
repo_name: bitnami