--- a/10-cert-manager.yaml Mon Nov 25 20:15:18 2019 -0600
+++ b/10-cert-manager.yaml Mon Nov 25 21:05:29 2019 -0600
@@ -1,13 +1,1791 @@
-# This is the official 0.9.1 manifest
+# This is the official 0.11.0 manifest # from https://github.com/jetstack/cert-manager/releases. No changes, aside
# from this header have been made.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
- controller-tools.k8s.io: "1.0"
- name: certificates.certmanager.k8s.io
+ name: challenges.acme.cert-manager.io + additionalPrinterColumns: + - JSONPath: .status.state + - JSONPath: .spec.dnsName + - JSONPath: .status.reason + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + group: acme.cert-manager.io + listKind: ChallengeList + description: Challenge is a type to represent a Challenge request with an ACME + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: AuthzURL is the URL to the ACME Authorization resource + that this challenge is a part of. + description: DNSName is the identifier that this challenge is for, e.g. + description: IssuerRef references a properly configured ACME-type Issuer + which should be used to create this Challenge. If the Issuer does + not exist, processing will be retried. If the Issuer is not an 'ACME' + Issuer, an error will be returned and the Challenge will be marked + description: Key is the ACME challenge key for this challenge + description: Solver contains the domain solving configuration that should + be used to solve this challenge resource. 
Only **one** of 'config' + or 'solver' may be specified, and if both are specified then no action + will be performed on the Challenge resource. + description: ACMEIssuerDNS01ProviderAcmeDNS is a structure containing + the configuration for ACME-DNS servers + description: The key of the secret to select from. Must + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + description: ACMEIssuerDNS01ProviderAkamai is a structure containing + the DNS configuration for Akamai DNS—Zone Record Management + description: The key of the secret to select from. Must + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + description: The key of the secret to select from. Must + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + description: The key of the secret to select from. Must + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + - clientSecretSecretRef + - serviceConsumerDomain + description: ACMEIssuerDNS01ProviderAzureDNS is a structure + containing the configuration for Azure DNS + description: The key of the secret to select from. Must + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ - AzureUSGovernmentCloud + - clientSecretSecretRef + description: ACMEIssuerDNS01ProviderCloudDNS is a structure + containing the DNS configuration for Google Cloud DNS + serviceAccountSecretRef: + description: The key of the secret to select from. Must + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + - serviceAccountSecretRef + description: ACMEIssuerDNS01ProviderCloudflare is a structure + containing the DNS configuration for Cloudflare + description: The key of the secret to select from. Must + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + description: ACMEIssuerDNS01ProviderDigitalOcean is a structure + containing the DNS configuration for DigitalOcean Domains + description: The key of the secret to select from. Must + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + description: ACMEIssuerDNS01ProviderRFC2136 is a structure containing + the configuration for RFC2136 DNS + description: 'The IP address of the DNS supporting RFC2136. + Required. Note: FQDN is not a valid value, only IP.' + description: 'The TSIG Algorithm configured in the DNS supporting + RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` + are defined. Supported values are (case-insensitive): + ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or + description: The TSIG Key name configured in the DNS. If + ``tsigSecretSecretRef`` is defined, this field is required. + description: The name of the secret containing the TSIG + value. 
If ``tsigKeyName`` is defined, this field is required. + description: The key of the secret to select from. Must + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + description: ACMEIssuerDNS01ProviderRoute53 is a structure containing + the Route 53 configuration for AWS + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: If set, the provider will manage only this + zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName + description: Always set the region when using AccessKeyID + description: Role is a Role ARN which the Route53 provider + will assume using either the explicit credentials AccessKeyID/SecretAccessKey + or the inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + description: The key of the secret to select from. Must + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + description: ACMEIssuerDNS01ProviderWebhook specifies configuration + for a webhook DNS01 provider, including where to POST ChallengePayload + description: Additional configuration that should be passed + to the webhook apiserver when challenges are processed. + This can contain arbitrary JSON data. 
Secret values should + not be specified in this stanza. If secret values are + needed (e.g. credentials for a DNS service), you should + use a SecretKeySelector to reference a Secret resource. + For details on the schema of this field, consult the webhook + provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + description: The API group name that should be used when + POSTing ChallengePayload resources to the webhook apiserver. + This should be the same as the GroupName specified in + the webhook provider implementation. + description: The name of the solver to use, as defined in + the webhook provider implementation. This will typically + be the name of the provider, e.g. 'cloudflare'. + description: ACMEChallengeSolverHTTP01 contains configuration detailing + how to solve HTTP01 challenges within a Kubernetes cluster. Typically + this is accomplished through creating 'routes' of some description + that configure ingress controllers to direct traffic to 'solver + pods', which are responsible for responding to the ACME server's + description: The ingress based HTTP01 challenge solver will + solve challenges by creating or modifying Ingress resources + in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + description: The ingress class to use when creating Ingress + resources to solve ACME challenges that use this challenge + solver. Only one of 'class' or 'name' may be specified. + description: The name of the ingress resource that should + have ACME challenge solving routes inserted into it in + order to solve HTTP01 challenges. 
This is typically used + in conjunction with ingress controllers like ingress-gce, + which maintains a 1:1 mapping between external IPs and + description: Optional pod template used to configure the + ACME challenge solver pods used for HTTP01 challenges + description: ObjectMeta overrides for the pod used to + solve HTTP01 challenges. Only the 'labels' and 'annotations' + fields may be set. If labels or annotations overlap + with in-built values, the values here will override + description: PodSpec defines overrides for the HTTP01 + challenge solver pod. Only the 'nodeSelector', 'affinity' + and 'tolerations' fields are supported currently. + All other fields will be ignored. + description: If specified, the pod's scheduling + description: Describes node affinity scheduling + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to + schedule pods to nodes that satisfy the + affinity expressions specified by this + field, but it may choose a node that violates + one or more of the expressions. The node + that is most preferred is the one with + the greatest sum of weights, i.e. for + each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" to the + sum if the node matches the corresponding + matchExpressions; the node(s) with the + highest sum are the most preferred. + description: An empty preferred scheduling + term matches all objects with implicit + weight 0 (i.e. it's a no-op). A null + preferred scheduling term matches no + objects (i.e. is also a no-op). + description: A node selector term, + associated with the corresponding + description: A list of node selector + requirements by node's labels. 
+ description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + description: The label key + that the selector applies + description: Represents + a key's relationship to + operators are In, NotIn, + description: An array of + operator is In or NotIn, + be non-empty. If the operator + is Exists or DoesNotExist, + be empty. If the operator + is Gt or Lt, the values + array must have a single + interpreted as an integer. + during a strategic merge + description: A list of node selector + requirements by node's fields. + description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + description: The label key + that the selector applies + description: Represents + a key's relationship to + operators are In, NotIn, + description: An array of + operator is In or NotIn, + be non-empty. If the operator + is Exists or DoesNotExist, + be empty. If the operator + is Gt or Lt, the values + array must have a single + interpreted as an integer. + during a strategic merge + description: Weight associated with + matching the corresponding nodeSelectorTerm, + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met at + scheduling time, the pod will not be scheduled + onto the node. If the affinity requirements + specified by this field cease to be met + at some point during pod execution (e.g. + due to an update), the system may or may + not try to eventually evict the pod from + description: Required. A list of node + selector terms. The terms are ORed. + description: A null or empty node + selector term matches no objects. + The requirements of them are ANDed. + The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + description: A list of node selector + requirements by node's labels. 
+ description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + description: The label key + that the selector applies + description: Represents + a key's relationship to + operators are In, NotIn, + description: An array of + operator is In or NotIn, + be non-empty. If the operator + is Exists or DoesNotExist, + be empty. If the operator + is Gt or Lt, the values + array must have a single + interpreted as an integer. + during a strategic merge + description: A list of node selector + requirements by node's fields. + description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + description: The label key + that the selector applies + description: Represents + a key's relationship to + operators are In, NotIn, + description: An array of + operator is In or NotIn, + be non-empty. If the operator + is Exists or DoesNotExist, + be empty. If the operator + is Gt or Lt, the values + array must have a single + interpreted as an integer. + during a strategic merge + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the same + node, zone, etc. as some other pod(s)). + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to + schedule pods to nodes that satisfy the + affinity expressions specified by this + field, but it may choose a node that violates + one or more of the expressions. The node + that is most preferred is the one with + the greatest sum of weights, i.e. 
for + each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" to the + sum if the node has pods which matches + the corresponding podAffinityTerm; the + node(s) with the highest sum are the most + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + description: Required. A pod affinity + term, associated with the corresponding + description: A label query over + a set of resources, in this + description: matchExpressions + is a list of label selector + requirements. The requirements + description: A label selector + requirement is a selector + that relates the key and + values. If the operator + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in + the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + description: This pod should be + co-located (affinity) or not + co-located (anti-affinity) with + the pods matching the labelSelector + in the specified namespaces, + where co-located is defined + as running on a node whose value + of the label with key topologyKey + matches that of any node on + which any of the selected pods + is running. Empty topologyKey + description: weight associated with + matching the corresponding podAffinityTerm, + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met at + scheduling time, the pod will not be scheduled + onto the node. 
If the affinity requirements + specified by this field cease to be met + at some point during pod execution (e.g. + due to a pod label update), the system + may or may not try to eventually evict + the pod from its node. When there are + multiple elements, the lists of nodes + corresponding to each podAffinityTerm + are intersected, i.e. all terms must be + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) with, + where co-located is defined as running + on a node whose value of the label with + key <topologyKey> matches that of any + node on which a pod of the set of pods + description: A label query over a + set of resources, in this case pods. + description: matchExpressions + is a list of label selector + requirements. The requirements + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + description: key is the + label key that the selector + description: operator represents + a key's relationship to + operators are In, NotIn, + Exists and DoesNotExist. + description: values is an + array of string values. + or NotIn, the values array + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". 
The requirements + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); null + or empty list means "this pod's + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the + same node, zone, etc. as some other pod(s)). + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to + schedule pods to nodes that satisfy the + anti-affinity expressions specified by + this field, but it may choose a node that + violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of the + scheduling requirements (resource request, + requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by iterating + through the elements of this field and + adding "weight" to the sum if the node + has pods which matches the corresponding + podAffinityTerm; the node(s) with the + highest sum are the most preferred. + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + description: Required. A pod affinity + term, associated with the corresponding + description: A label query over + a set of resources, in this + description: matchExpressions + is a list of label selector + requirements. The requirements + description: A label selector + requirement is a selector + that relates the key and + values. If the operator + description: matchLabels is + a map of {key,value} pairs. 
+ A single {key,value} in + the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + description: This pod should be + co-located (affinity) or not + co-located (anti-affinity) with + the pods matching the labelSelector + in the specified namespaces, + where co-located is defined + as running on a node whose value + of the label with key topologyKey + matches that of any node on + which any of the selected pods + is running. Empty topologyKey + description: weight associated with + matching the corresponding podAffinityTerm, + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements + specified by this field are not met at + scheduling time, the pod will not be scheduled + onto the node. If the anti-affinity requirements + specified by this field cease to be met + at some point during pod execution (e.g. + due to a pod label update), the system + may or may not try to eventually evict + the pod from its node. When there are + multiple elements, the lists of nodes + corresponding to each podAffinityTerm + are intersected, i.e. all terms must be + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) with, + where co-located is defined as running + on a node whose value of the label with + key <topologyKey> matches that of any + node on which a pod of the set of pods + description: A label query over a + set of resources, in this case pods. + description: matchExpressions + is a list of label selector + requirements. 
The requirements + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + description: key is the + label key that the selector + description: operator represents + a key's relationship to + operators are In, NotIn, + Exists and DoesNotExist. + description: values is an + array of string values. + or NotIn, the values array + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); null + or empty list means "this pod's + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + description: 'NodeSelector is a selector which must + be true for the pod to fit on a node. Selector + which must match a node''s labels for the pod + to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: If specified, the pod's tolerations. + description: The pod this Toleration is attached + to tolerates any taint that matches the triple + <key,value,effect> using the matching operator + description: Effect indicates the taint effect + to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, + PreferNoSchedule and NoExecute. 
+ description: Key is the taint key that the + toleration applies to. Empty means match + all taint keys. If the key is empty, operator + must be Exists; this combination means to + match all values and all keys. + description: Operator represents a key's relationship + to the value. Valid operators are Exists + and Equal. Defaults to Equal. Exists is + equivalent to wildcard for value, so that + a pod can tolerate all taints of a particular + description: TolerationSeconds represents + the period of time the toleration (which + must be of effect NoExecute, otherwise this + field is ignored) tolerates the taint. By + default, it is not set, which means tolerate + the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict + immediately) by the system. + description: Value is the taint value the + toleration matches to. If the operator is + Exists, the value should be empty, otherwise + description: Optional service type for Kubernetes solver + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + description: List of DNSNames that this solver will be used + to solve. If specified and a match is found, a dnsNames selector + will take precedence over a dnsZones selector. If multiple + solvers match with the same dnsNames value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier in + the list will be selected. + description: List of DNSZones that this solver will be used + to solve. The most specific DNS zone match specified here + will take precedence over other DNS zone matches, so a solver + specifying sys.example.com will be selected over one specifying + example.com for the domain www.sys.example.com. If multiple + solvers match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. 
+ If neither has more matches, the solver defined earlier in + the list will be selected. + description: A label selector that is used to refine the set + of certificate's that this challenge solver will apply to. + description: Token is the ACME challenge token for this challenge. + description: Type is the type of ACME challenge this resource represents, + e.g. "dns01" or "http01" + description: URL is the URL of the ACME Challenge resource for this + challenge. This can be used to lookup details about the status of + description: Wildcard will be true if this challenge is for a wildcard + identifier, for example '*.example.com' + description: Presented will be set to true if the challenge values for + this challenge are currently 'presented'. This *does not* imply the + self check is passing. Only that the values have been 'submitted' + for the appropriate challenge mechanism (i.e. the DNS01 TXT record + has been presented, or the HTTP01 configuration has been configured). + description: Processing is used to denote whether this challenge should + be processed or not. This field will only be set to true by the 'scheduling' + component. It will only be set to false by the 'challenges' controller, + after the challenge has reached a final state or timed out. If this + field is set to false, the challenge controller will not take any + description: Reason contains human readable information on why the Challenge + is in the current state. + description: State contains the current 'state' of the challenge. If + not set, the state of the challenge is unknown. +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition + creationTimestamp: null + name: orders.acme.cert-manager.io + additionalPrinterColumns: + - JSONPath: .status.state + - JSONPath: .spec.issuerRef.name + - JSONPath: .status.reason + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. 
It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + group: acme.cert-manager.io + description: Order is a type to represent an Order with an ACME server + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: CommonName is the common name as specified on the DER encoded + CSR. If CommonName is not specified, the first DNSName specified will + be used as the CommonName. At least one of CommonName or a DNSNames + must be set. This field must match the corresponding field on the + description: Certificate signing request bytes in DER encoding. This + will be used when finalizing the order. This field must be set on + description: DNSNames is a list of DNS names that should be included + as part of the Order validation process. If CommonName is not specified, + the first DNSName specified will be used as the CommonName. At least + one of CommonName or a DNSNames must be set. This field must match + the corresponding field on the DER encoded CSR. + description: IssuerRef references a properly configured ACME-type Issuer + which should be used to create this Order. If the Issuer does not + exist, processing will be retried. 
If the Issuer is not an 'ACME' + Issuer, an error will be returned and the Order will be marked as + description: Authorizations contains data returned from the ACME server + on what authoriations must be completed in order to validate the DNS + names specified on the Order. + description: ACMEAuthorization contains data returned from the ACME + server on an authorization that must be completed in order validate + a DNS name on an ACME Order resource. + description: Challenges specifies the challenge types offered + by the ACME server. One of these challenge types will be selected + when validating the DNS name and an appropriate Challenge resource + will be created to perform the ACME challenge process. + description: Challenge specifies a challenge offered by the + ACME server for an Order. An appropriate Challenge resource + can be created to perform the ACME challenge process. + description: Token is the token that must be presented for + this challenge. This is used to compute the 'key' that + must also be presented. + description: Type is the type of challenge being offered, + description: URL is the URL of this challenge. It can be + used to retrieve additional metadata about the Challenge + description: Identifier is the DNS name to be validated as part + description: URL is the URL of the Authorization that must be + description: Wildcard will be true if this authorization is for + a wildcard DNS name. If this is true, the identifier will be + the *non-wildcard* version of the DNS name. For example, if + '*.example.com' is the DNS name being validated, this field + will be 'true' and the 'identifier' field will be 'example.com'. + description: Certificate is a copy of the PEM encoded certificate for + this Order. This field will be populated after the order has been + successfully finalized with the ACME server, and the order has transitioned + description: FailureTime stores the time that this order failed. 
This + is used to influence garbage collection and back-off. + description: FinalizeURL of the Order. This is used to obtain certificates + for this order once it has been completed. + description: Reason optionally provides more information about a why + the order is in the current state. + description: State contains the current state of this Order resource. + States 'success' and 'expired' are 'final' + description: URL of the Order. This will initially be empty when the + resource is first created. The Order controller will populate this + field when the Order is first processed. This field will be immutable + after it is initially set. +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition + creationTimestamp: null + name: certificaterequests.cert-manager.io + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + - JSONPath: .spec.issuerRef.name + - JSONPath: .status.conditions[?(@.type=="Ready")].message + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + kind: CertificateRequest + listKind: CertificateRequestList + plural: certificaterequests + singular: certificaterequest + description: CertificateRequest is a type to represent a Certificate Signing + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. 
In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: CertificateRequestSpec defines the desired state of CertificateRequest + description: Byte slice containing the PEM encoded CertificateSigningRequest + description: Requested certificate default Duration + description: IsCA will mark the resulting certificate as valid for signing. + This implies that the 'cert sign' usage is set + description: IssuerRef is a reference to the issuer for this CertificateRequest. If + the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the CertificateRequest + will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer + with the provided name will be used. The 'name' field in this stanza + is required at all times. The group field refers to the API group + of the issuer which defaults to 'cert-manager.io' if empty. + description: Usages is the set of x509 actions that are enabled for + a given key. Defaults are ('digital signature', 'key encipherment') + description: 'KeyUsage specifies valid usage contexts for keys. See: + https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12' + description: CertificateStatus defines the observed state of CertificateRequest + and resulting signed certificate. + description: Byte slice containing the PEM encoded certificate authority + of the signed certificate. + description: Byte slice containing a PEM encoded signed certificate + resulting from the given certificate signing request. + description: CertificateRequestCondition contains condition information + for a CertificateRequest. + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + description: Message is a human readable description of the details + of the last transition, complementing reason. 
+ description: Reason is a brief machine readable explanation for + the condition's last transition. + description: Status of the condition, one of ('True', 'False', + description: Type of the condition, currently ('Ready'). + description: FailureTime stores the time that this CertificateRequest + failed. This is used to influence garbage collection and back-off. +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition + creationTimestamp: null + name: certificates.cert-manager.io additionalPrinterColumns:
- JSONPath: .status.conditions[?(@.type=="Ready")].status
@@ -31,66 +1809,47 @@
in RFC3339 form and is in UTC.
- group: certmanager.k8s.io
+ listKind: CertificateList
+ description: Certificate is a type to represent a Certificate from ACME
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: CertificateSpec defines the desired state of Certificate. A + valid Certificate requires at least one of a CommonName, DNSName, or URISAN
- description: ACME contains configuration specific to ACME Certificates.
- Notably, this contains details on how the domain names listed on this
- Certificate resource should be 'solved', i.e. mapping HTTP01 and DNS01
- providers to DNS names.
- description: Domains is the list of domains that this SolverConfig
description: CommonName is a common name to be used on the Certificate.
- If no CommonName is given, then the first entry in DNSNames is used
- as the CommonName. The CommonName should have a length of 64 characters
- or fewer to avoid generating invalid CSRs; in order to have longer
- domain names, set the CommonName (or first DNSNames entry) to have
- 64 characters or fewer, and then add the longer domain name to DNSNames.
+ The CommonName should have a length of 64 characters or fewer to avoid + generating invalid CSRs. description: DNSNames is a list of subject alt names to be used on the
- Certificate. If no CommonName is given, then the first entry in DNSNames
- is used as the CommonName and must have a length of 64 characters
@@ -105,7 +1864,7 @@
description: IsCA will mark this Certificate as valid for signing. This
- implies that the 'signing' usage is set
+ implies that the 'cert sign' usage is set
description: IssuerRef is a reference to the issuer for this certificate.
@@ -140,6 +1899,9 @@
allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8,
respectively. If KeyEncoding is not specified, then PKCS#1 will be
description: KeySize is the key bit size of the corresponding private
@@ -147,7 +1909,6 @@
and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa",
and value must be one of (256, 384, 521) when KeyAlgorithm is set
description: Organization is the organization to be used on the Certificate
@@ -161,159 +1922,56 @@
description: SecretName is the name of the secret resource to store
+ description: URISANs is a list of URI Subject Alternative Names to be + set on this Certificate. + description: Usages is the set of x509 actions that are enabled for + a given key. Defaults are ('digital signature', 'key encipherment') + description: 'KeyUsage specifies valid usage contexts for keys. See: + https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12'
+ description: CertificateStatus defines the observed state of Certificate
- description: LastTransitionTime is the timestamp corresponding
- to the last status change of this condition.
- description: Message is a human readable description of the details
- of the last transition, complementing reason.
- description: Reason is a brief machine readable explanation for
- the condition's last transition.
- description: Status of the condition, one of ('True', 'False',
- description: Type of the condition, currently ('Ready').
- description: The expiration time of the certificate stored in the secret
- named by this resource in spec.secretName.
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
- creationTimestamp: null
- controller-tools.k8s.io: "1.0"
- name: certificaterequests.certmanager.k8s.io
- additionalPrinterColumns:
- - JSONPath: .status.conditions[?(@.type=="Ready")].status
- - JSONPath: .spec.issuerRef.name
- - JSONPath: .status.conditions[?(@.type=="Ready")].message
- - JSONPath: .metadata.creationTimestamp
- description: CreationTimestamp is a timestamp representing the server time when
- this object was created. It is not guaranteed to be set in happens-before order
- across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC.
- group: certmanager.k8s.io
- kind: CertificateRequest
- plural: certificaterequests
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
- description: Byte slice containing the PEM encoded CertificateSigningRequest
- description: Requested certificate default Duration
- description: IsCA will mark the resulting certificate as valid for signing.
- This implies that the 'signing' usage is set
- description: IssuerRef is a reference to the issuer for this CertificateRequest. If
- the 'kind' field is not set, or set to 'Issuer', an Issuer resource
- with the given name in the same namespace as the CertificateRequest
- will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
- with the provided name will be used. The 'name' field in this stanza
- is required at all times. The group field refers to the API group
- of the issuer which defaults to 'certmanager.k8s.io' if empty.
- description: Byte slice containing the PEM encoded certificate authority
- of the signed certificate.
- description: Byte slice containing a PEM encoded signed certificate
- resulting from the given certificate signing request.
+ description: CertificateCondition contains condition information for
description: LastTransitionTime is the timestamp corresponding
@@ -340,12 +1998,25 @@
description: Type of the condition, currently ('Ready').
+ description: The expiration time of the certificate stored in the secret + named by this resource in spec.secretName.
@@ -353,235 +2024,44 @@
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
- controller-tools.k8s.io: "1.0"
- name: challenges.certmanager.k8s.io
+ name: clusterissuers.cert-manager.io
- additionalPrinterColumns:
- - JSONPath: .status.state
- - JSONPath: .spec.dnsName
- - JSONPath: .status.reason
- - JSONPath: .metadata.creationTimestamp
- description: CreationTimestamp is a timestamp representing the server time when
- this object was created. It is not guaranteed to be set in happens-before order
- across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC.
- group: certmanager.k8s.io
+ listKind: ClusterIssuerList
+ singular: clusterissuer
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- description: AuthzURL is the URL to the ACME Authorization resource
- that this challenge is a part of.
- description: 'Config specifies the solver configuration for this challenge.
- Only **one** of ''config'' or ''solver'' may be specified, and if
- both are specified then no action will be performed on the Challenge
- resource. DEPRECATED: the ''solver'' field should be specified instead'
- description: DNSName is the identifier that this challenge is for, e.g.
- description: IssuerRef references a properly configured ACME-type Issuer
- which should be used to create this Challenge. If the Issuer does
- not exist, processing will be retried. If the Issuer is not an 'ACME'
- Issuer, an error will be returned and the Challenge will be marked
- description: Key is the ACME challenge key for this challenge
- description: Solver contains the domain solving configuration that should
- be used to solve this challenge resource. Only **one** of 'config'
- or 'solver' may be specified, and if both are specified then no action
- will be performed on the Challenge resource.
- description: Selector selects a set of DNSNames on the Certificate
- resource that should be solved using this challenge solver.
- description: List of DNSNames that this solver will be used
- to solve. If specified and a match is found, a dnsNames selector
- will take precedence over a dnsZones selector. If multiple
- solvers match with the same dnsNames value, the solver with
- the most matching labels in matchLabels will be selected.
- If neither has more matches, the solver defined earlier in
- the list will be selected.
- description: List of DNSZones that this solver will be used
- to solve. The most specific DNS zone match specified here
- will take precedence over other DNS zone matches, so a solver
- specifying sys.example.com will be selected over one specifying
- example.com for the domain www.sys.example.com. If multiple
- solvers match with the same dnsZones value, the solver with
- the most matching labels in matchLabels will be selected.
- If neither has more matches, the solver defined earlier in
- the list will be selected.
- description: A label selector that is used to refine the set
- of certificate's that this challenge solver will apply to.
- description: Token is the ACME challenge token for this challenge.
- description: Type is the type of ACME challenge this resource represents,
- e.g. "dns01" or "http01"
- description: URL is the URL of the ACME Challenge resource for this
- challenge. This can be used to lookup details about the status of
- description: Wildcard will be true if this challenge is for a wildcard
- identifier, for example '*.example.com'
- description: Presented will be set to true if the challenge values for
- this challenge are currently 'presented'. This *does not* imply the
- self check is passing. Only that the values have been 'submitted'
- for the appropriate challenge mechanism (i.e. the DNS01 TXT record
- has been presented, or the HTTP01 configuration has been configured).
- description: Processing is used to denote whether this challenge should
- be processed or not. This field will only be set to true by the 'scheduling'
- component. It will only be set to false by the 'challenges' controller,
- after the challenge has reached a final state or timed out. If this
- field is set to false, the challenge controller will not take any
- description: Reason contains human readable information on why the Challenge
- is in the current state.
- description: State contains the current 'state' of the challenge. If
- not set, the state of the challenge is unknown.
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
- creationTimestamp: null
- controller-tools.k8s.io: "1.0"
- name: clusterissuers.certmanager.k8s.io
- group: certmanager.k8s.io
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+ description: IssuerSpec is the specification of an Issuer. This includes + any configuration required for the issuer. + description: ACMEIssuer contains the specification for an ACME issuer description: Email is the email for this account
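Review bot: The CRD names move from the `certmanager.k8s.io` group (the removed `name: challenges.certmanager.k8s.io` and `name: clusterissuers.certmanager.k8s.io` lines, and the removed `group: certmanager.k8s.io`) to `cert-manager.io` (the added `name: clusterissuers.cert-manager.io`), but the commit says nothing about what happens to Certificate, Issuer and Challenge objects that already exist under the old group; the same rename shows in the earlier hunk that drops `group: certmanager.k8s.io` next to the added `listKind: CertificateList`. Because the new CRDs have different names, applying this file does not replace the old definitions, so on a cluster that already runs the previous manifest the old CRDs and their objects presumably remain installed while the updated controller reconciles only the new group, and certificates tracked by the old objects would no longer be renewed. Since the manifest itself is vendored unchanged, the place for this is the file's own top-of-file comment, e.g. `# Upgrading from 0.9.1: resources on the certmanager.k8s.io API group must be migrated to cert-manager.io (see the upstream release notes linked above) before the old CRDs are removed.` The upgrade-ordering claim is inferred from the renamed CRDs visible here and should be confirmed against the upstream release notes before the comment is finalised.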
@@ -612,6 +2092,1315 @@
used to solve ACME challenges for the matching domains.
+ description: ACMEIssuerDNS01ProviderAcmeDNS is a structure + containing the configuration for ACME-DNS servers + description: The key of the secret to select from. + Must be a valid secret key. + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + description: ACMEIssuerDNS01ProviderAkamai is a structure + containing the DNS configuration for Akamai DNS—Zone + description: The key of the secret to select from. + Must be a valid secret key. + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + description: The key of the secret to select from. + Must be a valid secret key. + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + description: The key of the secret to select from. + Must be a valid secret key. + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + - clientSecretSecretRef + - serviceConsumerDomain + description: ACMEIssuerDNS01ProviderAzureDNS is a structure + containing the configuration for Azure DNS + description: The key of the secret to select from. + Must be a valid secret key. + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + - AzureUSGovernmentCloud + - clientSecretSecretRef + description: ACMEIssuerDNS01ProviderCloudDNS is a structure + containing the DNS configuration for Google Cloud DNS + serviceAccountSecretRef: + description: The key of the secret to select from. + Must be a valid secret key. 
+ description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + - serviceAccountSecretRef + description: ACMEIssuerDNS01ProviderCloudflare is a structure + containing the DNS configuration for Cloudflare + description: The key of the secret to select from. + Must be a valid secret key. + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + description: ACMEIssuerDNS01ProviderDigitalOcean is a + structure containing the DNS configuration for DigitalOcean + description: The key of the secret to select from. + Must be a valid secret key. + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + description: ACMEIssuerDNS01ProviderRFC2136 is a structure + containing the configuration for RFC2136 DNS + description: 'The IP address of the DNS supporting + RFC2136. Required. Note: FQDN is not a valid value, + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values + are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, + ``HMACSHA256`` or ``HMACSHA512``.' + description: The TSIG Key name configured in the DNS. + If ``tsigSecretSecretRef`` is defined, this field + description: The name of the secret containing the + TSIG value. If ``tsigKeyName`` is defined, this + description: The key of the secret to select from. + Must be a valid secret key. + description: 'Name of the referent. 
More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + description: ACMEIssuerDNS01ProviderRoute53 is a structure + containing the Route 53 configuration for AWS + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup using + the route53:ListHostedZonesByName api call. + description: Always set the region when using AccessKeyID + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit credentials + AccessKeyID/SecretAccessKey or the inferred credentials + from environment variables, shared credentials file + or AWS Instance metadata + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + description: The key of the secret to select from. + Must be a valid secret key. + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + description: ACMEIssuerDNS01ProviderWebhook specifies + configuration for a webhook DNS01 provider, including + where to POST ChallengePayload resources. + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON data. + Secret values should not be specified in this stanza. + If secret values are needed (e.g. 
credentials for + a DNS service), you should use a SecretKeySelector + to reference a Secret resource. For details on the + schema of this field, consult the webhook provider + implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + description: The API group name that should be used + when POSTing ChallengePayload resources to the webhook + apiserver. This should be the same as the GroupName + specified in the webhook provider implementation. + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + description: ACMEChallengeSolverHTTP01 contains configuration + detailing how to solve HTTP01 challenges within a Kubernetes + cluster. Typically this is accomplished through creating + 'routes' of some description that configure ingress controllers + to direct traffic to 'solver pods', which are responsible + for responding to the ACME server's HTTP requests. + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' or + 'name' may be specified. + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress controllers + like ingress-gce, which maintains a 1:1 mapping + between external IPs and ingress resources. + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 challenges + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. 
Only the 'labels' + and 'annotations' fields may be set. If labels + or annotations overlap with in-built values, + the values here will override the in-built values. + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'nodeSelector', + 'affinity' and 'tolerations' fields are supported + currently. All other fields will be ignored. + description: If specified, the pod's scheduling + description: Describes node affinity scheduling + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches the + corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + description: An empty preferred + scheduling term matches all objects + with implicit weight 0 (i.e. it's + a no-op). A null preferred scheduling + term matches no objects (i.e. 
+ description: A node selector + term, associated with the + description: A list of node + description: A node selector + requirement is a selector + description: Represents + is Exists or DoesNotExist, + which will be interpreted + description: A list of node + description: A node selector + requirement is a selector + description: Represents + is Exists or DoesNotExist, + which will be interpreted + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the range + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to an update), the system + may or may not try to eventually + evict the pod from its node. + description: Required. A list + of node selector terms. The + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset of + description: A list of node + description: A node selector + requirement is a selector + description: Represents + is Exists or DoesNotExist, + which will be interpreted + description: A list of node + description: A node selector + requirement is a selector + description: Represents + is Exists or DoesNotExist, + which will be interpreted + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the + same node, zone, etc. as some other + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. 
+ for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + description: Required. A pod + affinity term, associated + with the corresponding weight. + description: A label query + over a set of resources, + description: matchExpressions + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + to an element of matchExpressions, + is "In", and the values + "value". The requirements + description: namespaces + specifies which namespaces + the labelSelector applies + null or empty list means + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + the labelSelector in the + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to a pod label update), + the system may or may not try to + eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. 
+ description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key <topologyKey> + matches that of any node on which + a pod of the set of pods is running + description: A label query over + a set of resources, in this + description: matchExpressions + is a list of label selector + requirements. The requirements + description: A label selector + requirement is a selector + values. If the operator + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + is equivalent to an element + of matchExpressions, whose + key field is "key", the + the values array contains + only "value". The requirements + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the anti-affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. 
+ for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and adding + "weight" to the sum if the node + has pods which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + description: Required. A pod + affinity term, associated + with the corresponding weight. + description: A label query + over a set of resources, + description: matchExpressions + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + to an element of matchExpressions, + is "In", and the values + "value". The requirements + description: namespaces + specifies which namespaces + the labelSelector applies + null or empty list means + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + the labelSelector in the + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this field + are not met at scheduling time, + the pod will not be scheduled onto + the node. If the anti-affinity requirements + specified by this field cease to + be met at some point during pod + execution (e.g. due to a pod label + update), the system may or may not + try to eventually evict the pod + from its node. When there are multiple + elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. 
+ description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key <topologyKey> + matches that of any node on which + a pod of the set of pods is running + description: A label query over + a set of resources, in this + description: matchExpressions + is a list of label selector + requirements. The requirements + description: A label selector + requirement is a selector + values. If the operator + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + is equivalent to an element + of matchExpressions, whose + key field is "key", the + the values array contains + only "value". The requirements + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + description: 'NodeSelector is a selector which + must be true for the pod to fit on a node. + Selector which must match a node''s labels + for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: If specified, the pod's tolerations. + description: The pod this Toleration is + attached to tolerates any taint that matches + the triple <key,value,effect> using the + matching operator <operator>. + description: Effect indicates the taint + effect to match. Empty means match + all taint effects. 
When specified, + allowed values are NoSchedule, PreferNoSchedule + description: Key is the taint key that + the toleration applies to. Empty means + match all taint keys. If the key is + empty, operator must be Exists; this + combination means to match all values + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to + Equal. Exists is equivalent to wildcard + for value, so that a pod can tolerate + all taints of a particular category. + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) tolerates + the taint. By default, it is not set, + which means tolerate the taint forever + (do not evict). Zero and negative + values will be treated as 0 (evict + immediately) by the system. + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + description: Optional service type for Kubernetes description: Selector selects a set of DNSNames on the Certificate
resource that should be solved using this challenge solver.
@@ -641,6 +3430,8 @@
description: A label selector that is used to refine the
set of certificate's that this challenge solver will
@@ -649,309 +3440,8 @@
- description: SecretName is the name of the secret used to sign Certificates
- description: Vault authentication
- description: This Secret contains a AppRole and Secret
- description: Where the authentication path is mounted in
- description: The key of the secret to select from. Must
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
- description: This Secret contains the Vault token key
- description: The key of the secret to select from. Must
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
- description: Base64 encoded CA bundle to validate Vault server certificate.
- Only used if the Server URL is using HTTPS protocol. This parameter
- is ignored for plain HTTP protocol connection. If not set the
- system root certificates are used to validate the TLS connection.
- description: Vault URL path to the certificate role
- description: Server is the vault connection address
- description: Cloud specifies the Venafi cloud configuration settings.
- Only one of TPP or Cloud may be specified.
- description: APITokenSecretRef is a secret key selector for
- the Venafi Cloud API token.
- description: The key of the secret to select from. Must
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
- description: URL is the base URL for Venafi Cloud
- description: TPP specifies Trust Protection Platform configuration
- settings. Only one of TPP or Cloud may be specified.
- description: CABundle is a PEM encoded TLS certifiate to use
- to verify connections to the TPP instance. If specified, system
- roots will not be used and the issuing CA for the TPP instance
- must be verifiable using the provided root. If not specified,
- the connection will be verified using the cert-manager system
- description: CredentialsRef is a reference to a Secret containing
- the username and password for the TPP server. The secret must
- contain two keys, 'username' and 'password'.
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
- description: URL is the base URL for the Venafi TPP instance
- description: Zone is the Venafi Policy Zone to use for this issuer.
- All requests made to the Venafi platform will be restricted by
- the named zone policy. This field is required.
- description: LastRegisteredEmail is the email associated with the
- latest registered ACME account, in order to track changes made
- to registered account associated with the Issuer
- description: URI is the unique account identifier, which can also
- be used to retrieve account details from the CA
- description: LastTransitionTime is the timestamp corresponding
- to the last status change of this condition.
- description: Message is a human readable description of the details
- of the last transition, complementing reason.
- description: Reason is a brief machine readable explanation for
- the condition's last transition.
- description: Status of the condition, one of ('True', 'False',
- description: Type of the condition, currently ('Ready').
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
- creationTimestamp: null
- controller-tools.k8s.io: "1.0"
- name: issuers.certmanager.k8s.io
- group: certmanager.k8s.io
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
- description: Email is the email for this account
- description: PrivateKey is the name of a secret containing the private
- key for this user account.
- description: The key of the secret to select from. Must be a
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
- description: Server is the ACME server URL
- description: If true, skip verifying the ACME server TLS certificate
- description: Solvers is a list of challenge solvers that will be
- used to solve ACME challenges for the matching domains.
- description: Selector selects a set of DNSNames on the Certificate
- resource that should be solved using this challenge solver.
- description: List of DNSNames that this solver will be
- used to solve. If specified and a match is found, a
- dnsNames selector will take precedence over a dnsZones
- selector. If multiple solvers match with the same dnsNames
- value, the solver with the most matching labels in matchLabels
- will be selected. If neither has more matches, the solver
- defined earlier in the list will be selected.
- description: List of DNSZones that this solver will be
- used to solve. The most specific DNS zone match specified
- here will take precedence over other DNS zone matches,
- so a solver specifying sys.example.com will be selected
- over one specifying example.com for the domain www.sys.example.com.
- If multiple solvers match with the same dnsZones value,
- the solver with the most matching labels in matchLabels
- will be selected. If neither has more matches, the solver
- defined earlier in the list will be selected.
- description: A label selector that is used to refine the
- set of certificate's that this challenge solver will
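Review bot: The CRD `issuers.certmanager.k8s.io` (group `certmanager.k8s.io`) is removed from the manifest in this hunk while its replacement is added later under `issuers.cert-manager.io`, but a plain `kubectl apply` of this file neither deletes the old-group CRDs from the cluster nor converts existing Issuer objects (and any other resources under the old group) to the new API group, so those objects would presumably be left unreconciled after the upgrade. A comment at the top of the file should state the required migration step and point at the upstream upgrade notes it was taken from, rather than describing the file as an unmodified drop-in. Since the manifest is vendored verbatim, it should also record the exact release artefact and a checksum so a later reviewer can verify it against upstream, e.g. `# Source: cert-manager v0.11.0 release asset cert-manager.yaml, sha256: <fill in>`. The 8 added lines of this hunk are not visible in this view, so they are not assessed here.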
@@ -996,6 +3486,42 @@
+ description: This contains a Role and Secret with a ServiceAccount + token to authenticate with vault. + description: The value here will be used as part of the + path used when authenticating with vault, for example + if you set a value of "foo", the path used will be `/v1/auth/foo/login`. + If unspecified, the default value "kubernetes" will be + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount with + a set of Vault policies. + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + description: The key of the secret to select from. Must + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' description: This Secret contains the Vault token key
@@ -1026,10 +3552,12 @@
+ description: VenafiIssuer describes issuer configuration details for description: Cloud specifies the Venafi cloud configuration settings.
@@ -1054,8 +3582,8 @@
description: URL is the base URL for Venafi Cloud
description: TPP specifies Trust Protection Platform configuration
@@ -1086,8 +3614,8 @@
description: URL is the base URL for the Venafi TPP instance
description: Zone is the Venafi Policy Zone to use for this issuer.
@@ -1099,6 +3627,7 @@
+ description: IssuerStatus contains status information about an Issuer
@@ -1114,6 +3643,8 @@
+ description: IssuerCondition contains condition information for an description: LastTransitionTime is the timestamp corresponding
@@ -1140,12 +3671,17 @@
description: Type of the condition, currently ('Ready').
@@ -1153,173 +3689,1383 @@
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
- controller-tools.k8s.io: "1.0"
- name: orders.certmanager.k8s.io
+ name: issuers.cert-manager.io - additionalPrinterColumns:
- - JSONPath: .status.state
- - JSONPath: .spec.issuerRef.name
- - JSONPath: .status.reason
- - JSONPath: .metadata.creationTimestamp
- description: CreationTimestamp is a timestamp representing the server time when
- this object was created. It is not guaranteed to be set in happens-before order
- across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC.
- group: certmanager.k8s.io
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: IssuerSpec is the specification of an Issuer. This includes + any configuration required for the issuer.
- description: CommonName is the common name as specified on the DER encoded
- CSR. If CommonName is not specified, the first DNSName specified will
- be used as the CommonName. At least one of CommonName or a DNSNames
- must be set. This field must match the corresponding field on the
- description: 'Config specifies a mapping from DNS identifiers to how
- those identifiers should be solved when performing ACME challenges.
- A config entry must exist for each domain listed in DNSNames and CommonName.
- Only **one** of ''config'' or ''solvers'' may be specified, and if
- both are specified then no action will be performed on the Order resource. This
- field will be removed when support for solver config specified on
- the Certificate under certificate.spec.acme has been removed. DEPRECATED:
- this field will be removed in future. Solver configuration must instead
- be provided on ACME Issuer resources.'
- description: Domains is the list of domains that this SolverConfig
+ description: ACMEIssuer contains the specification for an ACME issuer + description: Email is the email for this account + description: PrivateKey is the name of a secret containing the private + key for this user account. + description: The key of the secret to select from. Must be a
- description: Certificate signing request bytes in DER encoding. This
- will be used when finalizing the order. This field must be set on
- description: DNSNames is a list of DNS names that should be included
- as part of the Order validation process. If CommonName is not specified,
- the first DNSName specified will be used as the CommonName. At least
- one of CommonName or a DNSNames must be set. This field must match
- the corresponding field on the DER encoded CSR.
- description: IssuerRef references a properly configured ACME-type Issuer
- which should be used to create this Order. If the Issuer does not
- exist, processing will be retried. If the Issuer is not an 'ACME'
- Issuer, an error will be returned and the Order will be marked as
+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + description: Server is the ACME server URL
- description: Certificate is a copy of the PEM encoded certificate for
- this Order. This field will be populated after the order has been
- successfully finalized with the ACME server, and the order has transitioned
- description: Challenges is a list of ChallengeSpecs for Challenges that
- must be created in order to complete this Order.
- description: AuthzURL is the URL to the ACME Authorization resource
- that this challenge is a part of.
- description: 'Config specifies the solver configuration for this
- challenge. Only **one** of ''config'' or ''solver'' may be specified,
- and if both are specified then no action will be performed on
- the Challenge resource. DEPRECATED: the ''solver'' field should
- description: DNSName is the identifier that this challenge is
- description: IssuerRef references a properly configured ACME-type
- Issuer which should be used to create this Challenge. If the
- Issuer does not exist, processing will be retried. If the Issuer
- is not an 'ACME' Issuer, an error will be returned and the Challenge
- will be marked as failed.
+ description: If true, skip verifying the ACME server TLS certificate + description: Solvers is a list of challenge solvers that will be + used to solve ACME challenges for the matching domains.
- description: Key is the ACME challenge key for this challenge
- description: Solver contains the domain solving configuration
- that should be used to solve this challenge resource. Only **one**
- of 'config' or 'solver' may be specified, and if both are specified
- then no action will be performed on the Challenge resource.
+ description: ACMEIssuerDNS01ProviderAcmeDNS is a structure + containing the configuration for ACME-DNS servers + description: The key of the secret to select from. + Must be a valid secret key. + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + description: ACMEIssuerDNS01ProviderAkamai is a structure + containing the DNS configuration for Akamai DNS—Zone + description: The key of the secret to select from. + Must be a valid secret key. + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + description: The key of the secret to select from. + Must be a valid secret key. + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + description: The key of the secret to select from. + Must be a valid secret key. + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + - clientSecretSecretRef + - serviceConsumerDomain + description: ACMEIssuerDNS01ProviderAzureDNS is a structure + containing the configuration for Azure DNS + description: The key of the secret to select from. + Must be a valid secret key. + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + - AzureUSGovernmentCloud + - clientSecretSecretRef + description: ACMEIssuerDNS01ProviderCloudDNS is a structure + containing the DNS configuration for Google Cloud DNS + serviceAccountSecretRef: + description: The key of the secret to select from. + Must be a valid secret key. 
+ description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + - serviceAccountSecretRef + description: ACMEIssuerDNS01ProviderCloudflare is a structure + containing the DNS configuration for Cloudflare + description: The key of the secret to select from. + Must be a valid secret key. + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + description: ACMEIssuerDNS01ProviderDigitalOcean is a + structure containing the DNS configuration for DigitalOcean + description: The key of the secret to select from. + Must be a valid secret key. + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + description: ACMEIssuerDNS01ProviderRFC2136 is a structure + containing the configuration for RFC2136 DNS + description: 'The IP address of the DNS supporting + RFC2136. Required. Note: FQDN is not a valid value, + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values + are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, + ``HMACSHA256`` or ``HMACSHA512``.' + description: The TSIG Key name configured in the DNS. + If ``tsigSecretSecretRef`` is defined, this field + description: The name of the secret containing the + TSIG value. If ``tsigKeyName`` is defined, this + description: The key of the secret to select from. + Must be a valid secret key. + description: 'Name of the referent. 
More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + description: ACMEIssuerDNS01ProviderRoute53 is a structure + containing the Route 53 configuration for AWS + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup using + the route53:ListHostedZonesByName api call. + description: Always set the region when using AccessKeyID + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit credentials + AccessKeyID/SecretAccessKey or the inferred credentials + from environment variables, shared credentials file + or AWS Instance metadata + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + description: The key of the secret to select from. + Must be a valid secret key. + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + description: ACMEIssuerDNS01ProviderWebhook specifies + configuration for a webhook DNS01 provider, including + where to POST ChallengePayload resources. + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON data. + Secret values should not be specified in this stanza. + If secret values are needed (e.g. 
credentials for + a DNS service), you should use a SecretKeySelector + to reference a Secret resource. For details on the + schema of this field, consult the webhook provider + implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + description: The API group name that should be used + when POSTing ChallengePayload resources to the webhook + apiserver. This should be the same as the GroupName + specified in the webhook provider implementation. + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + description: ACMEChallengeSolverHTTP01 contains configuration + detailing how to solve HTTP01 challenges within a Kubernetes + cluster. Typically this is accomplished through creating + 'routes' of some description that configure ingress controllers + to direct traffic to 'solver pods', which are responsible + for responding to the ACME server's HTTP requests. + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' or + 'name' may be specified. + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress controllers + like ingress-gce, which maintains a 1:1 mapping + between external IPs and ingress resources. + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 challenges + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. 
Only the 'labels' + and 'annotations' fields may be set. If labels + or annotations overlap with in-built values, + the values here will override the in-built values. + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'nodeSelector', + 'affinity' and 'tolerations' fields are supported + currently. All other fields will be ignored. + description: If specified, the pod's scheduling + description: Describes node affinity scheduling + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches the + corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + description: An empty preferred + scheduling term matches all objects + with implicit weight 0 (i.e. it's + a no-op). A null preferred scheduling + term matches no objects (i.e. 
+ description: A node selector + term, associated with the + description: A list of node + description: A node selector + requirement is a selector + description: Represents + is Exists or DoesNotExist, + which will be interpreted + description: A list of node + description: A node selector + requirement is a selector + description: Represents + is Exists or DoesNotExist, + which will be interpreted + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the range + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to an update), the system + may or may not try to eventually + evict the pod from its node. + description: Required. A list + of node selector terms. The + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset of + description: A list of node + description: A node selector + requirement is a selector + description: Represents + is Exists or DoesNotExist, + which will be interpreted + description: A list of node + description: A node selector + requirement is a selector + description: Represents + is Exists or DoesNotExist, + which will be interpreted + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the + same node, zone, etc. as some other + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. 
+ for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + description: Required. A pod + affinity term, associated + with the corresponding weight. + description: A label query + over a set of resources, + description: matchExpressions + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + to an element of matchExpressions, + is "In", and the values + "value". The requirements + description: namespaces + specifies which namespaces + the labelSelector applies + null or empty list means + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + the labelSelector in the + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to a pod label update), + the system may or may not try to + eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. 
+ description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key <topologyKey> + matches that of any node on which + a pod of the set of pods is running + description: A label query over + a set of resources, in this + description: matchExpressions + is a list of label selector + requirements. The requirements + description: A label selector + requirement is a selector + values. If the operator + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + is equivalent to an element + of matchExpressions, whose + key field is "key", the + the values array contains + only "value". The requirements + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the anti-affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. 
+ for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and adding + "weight" to the sum if the node + has pods which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + description: Required. A pod + affinity term, associated + with the corresponding weight. + description: A label query + over a set of resources, + description: matchExpressions + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + to an element of matchExpressions, + is "In", and the values + "value". The requirements + description: namespaces + specifies which namespaces + the labelSelector applies + null or empty list means + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + the labelSelector in the + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this field + are not met at scheduling time, + the pod will not be scheduled onto + the node. If the anti-affinity requirements + specified by this field cease to + be met at some point during pod + execution (e.g. due to a pod label + update), the system may or may not + try to eventually evict the pod + from its node. When there are multiple + elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. 
+ description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key <topologyKey> + matches that of any node on which + a pod of the set of pods is running + description: A label query over + a set of resources, in this + description: matchExpressions + is a list of label selector + requirements. The requirements + description: A label selector + requirement is a selector + values. If the operator + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + is equivalent to an element + of matchExpressions, whose + key field is "key", the + the values array contains + only "value". The requirements + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + description: 'NodeSelector is a selector which + must be true for the pod to fit on a node. + Selector which must match a node''s labels + for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: If specified, the pod's tolerations. + description: The pod this Toleration is + attached to tolerates any taint that matches + the triple <key,value,effect> using the + matching operator <operator>. + description: Effect indicates the taint + effect to match. Empty means match + all taint effects. 
When specified, + allowed values are NoSchedule, PreferNoSchedule + description: Key is the taint key that + the toleration applies to. Empty means + match all taint keys. If the key is + empty, operator must be Exists; this + combination means to match all values + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to + Equal. Exists is equivalent to wildcard + for value, so that a pod can tolerate + all taints of a particular category. + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) tolerates + the taint. By default, it is not set, + which means tolerate the taint forever + (do not evict). Zero and negative + values will be treated as 0 (evict + immediately) by the system. + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + description: Optional service type for Kubernetes description: Selector selects a set of DNSNames on the Certificate
resource that should be solved using this challenge solver.
@@ -1349,77 +5095,258 @@
description: A label selector that is used to refine the
set of certificate's that this challenge solver will
- description: Token is the ACME challenge token for this challenge.
+ description: SecretName is the name of the secret used to sign Certificates
+ description: Vault authentication
+ description: This Secret contains a AppRole and Secret
+ description: Where the authentication path is mounted in
+ description: The key of the secret to select from. Must
+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?'
+ description: This contains a Role and Secret with a ServiceAccount
+ token to authenticate with vault.
+ description: The value here will be used as part of the
+ path used when authenticating with vault, for example
+ if you set a value of "foo", the path used will be `/v1/auth/foo/login`.
+ If unspecified, the default value "kubernetes" will be
+ description: A required field containing the Vault Role
+ to assume. A Role binds a Kubernetes ServiceAccount with
+ a set of Vault policies.
+ description: The required Secret field containing a Kubernetes
+ ServiceAccount JWT used for authenticating with Vault.
+ Use of 'ambient credentials' is not supported.
+ description: The key of the secret to select from. Must
+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?'
+ description: This Secret contains the Vault token key
+ description: The key of the secret to select from. Must
+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?'
+ description: Base64 encoded CA bundle to validate Vault server certificate.
+ Only used if the Server URL is using HTTPS protocol. This parameter
+ is ignored for plain HTTP protocol connection. If not set the
+ system root certificates are used to validate the TLS connection.
+ description: Vault URL path to the certificate role
+ description: Server is the vault connection address
+ description: VenafiIssuer describes issuer configuration details for
+ description: Cloud specifies the Venafi cloud configuration settings.
+ Only one of TPP or Cloud may be specified.
+ description: APITokenSecretRef is a secret key selector for
+ the Venafi Cloud API token.
+ description: The key of the secret to select from. Must
+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?'
+ description: URL is the base URL for Venafi Cloud
+ description: TPP specifies Trust Protection Platform configuration
+ settings. Only one of TPP or Cloud may be specified.
+ description: CABundle is a PEM encoded TLS certifiate to use
+ to verify connections to the TPP instance. If specified, system
+ roots will not be used and the issuing CA for the TPP instance
+ must be verifiable using the provided root. If not specified,
+ the connection will be verified using the cert-manager system
+ description: CredentialsRef is a reference to a Secret containing
+ the username and password for the TPP server. The secret must
+ contain two keys, 'username' and 'password'.
+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?'
+ description: URL is the base URL for the Venafi TPP instance
+ description: Zone is the Venafi Policy Zone to use for this issuer.
+ All requests made to the Venafi platform will be restricted by
+ the named zone policy. This field is required.
+ description: IssuerStatus contains status information about an Issuer
+ description: LastRegisteredEmail is the email associated with the
+ latest registered ACME account, in order to track changes made
+ to registered account associated with the Issuer
+ description: URI is the unique account identifier, which can also
+ be used to retrieve account details from the CA
+ description: IssuerCondition contains condition information for an
+ description: LastTransitionTime is the timestamp corresponding
+ to the last status change of this condition.
+ description: Message is a human readable description of the details
+ of the last transition, complementing reason.
+ description: Reason is a brief machine readable explanation for
+ the condition's last transition.
+ description: Status of the condition, one of ('True', 'False',
- description: Type is the type of ACME challenge this resource
- represents, e.g. "dns01" or "http01"
- description: URL is the URL of the ACME Challenge resource for
- this challenge. This can be used to lookup details about the
- status of this challenge.
+ description: Type of the condition, currently ('Ready').
- description: Wildcard will be true if this challenge is for a
- wildcard identifier, for example '*.example.com'
- description: FailureTime stores the time that this order failed. This
- is used to influence garbage collection and back-off.
- description: FinalizeURL of the Order. This is used to obtain certificates
- for this order once it has been completed.
- description: Reason optionally provides more information about a why
- the order is in the current state.
- description: State contains the current state of this Order resource.
- States 'success' and 'expired' are 'final'
- description: URL of the Order. This will initially be empty when the
- resource is first created. The Order controller will populate this
- field when the Order is first processed. This field will be immutable
- after it is initially set.
@@ -1431,8 +5358,6 @@
- certmanager.k8s.io/disable-validation: "true"
@@ -1447,10 +5372,25 @@
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cainjector-v0.9.1
+ helm.sh/chart: cainjector-v0.11.0
-# Source: cert-manager/charts/webhook/templates/serviceaccount.yaml
+# Source: cert-manager/templates/serviceaccount.yaml
+ namespace: "cert-manager"
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.11.0
+# Source: cert-manager/templates/webhook-serviceaccount.yaml
@@ -1461,22 +5401,7 @@
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: webhook-v0.9.1
----
-# Source: cert-manager/templates/serviceaccount.yaml
- namespace: "cert-manager"
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.9.1
+ helm.sh/chart: cert-manager-v0.11.0
 # Source: cert-manager/charts/cainjector/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -1488,16 +5413,16 @@
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cainjector-v0.9.1
+ helm.sh/chart: cainjector-v0.11.0
- - apiGroups: ["certmanager.k8s.io"]
+ - apiGroups: ["cert-manager.io"]
 resources: ["certificates"]
verbs: ["get", "list", "watch"]
verbs: ["get", "list", "watch"]
- resources: ["configmaps", "events"]
verbs: ["get", "create", "update", "patch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
@@ -1518,7 +5443,7 @@
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cainjector-v0.9.1
+ helm.sh/chart: cainjector-v0.11.0
 apiGroup: rbac.authorization.k8s.io
@@ -1527,419 +5452,53 @@
- name: cert-manager-cainjector
namespace: "cert-manager"
-# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
- name: cert-manager-leaderelection
+ name: cert-manager-cainjector:leaderelection
- app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/name: cainjector
 app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.9.1
+ helm.sh/chart: cainjector-v0.11.0
 # Used for leader election by the controller
+ # TODO: refine the permission to *just* the leader election configmap
 resources: ["configmaps"]
verbs: ["get", "create", "update", "patch"]
-# Issuer controller role
-apiVersion: rbac.authorization.k8s.io/v1beta1
- name: cert-manager-controller-issuers
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.9.1
- - apiGroups: ["certmanager.k8s.io"]
- resources: ["issuers", "issuers/status"]
- - apiGroups: ["certmanager.k8s.io"]
- verbs: ["get", "list", "watch"]
- verbs: ["get", "list", "watch", "create", "update", "delete"]
- verbs: ["create", "patch"]
----
-# ClusterIssuer controller role
+# grant cert-manager permission to manage the leaderelection configmap in the
+# leader election namespace
 apiVersion: rbac.authorization.k8s.io/v1beta1
- name: cert-manager-controller-clusterissuers
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.9.1
- - apiGroups: ["certmanager.k8s.io"]
- resources: ["clusterissuers", "clusterissuers/status"]
- - apiGroups: ["certmanager.k8s.io"]
- resources: ["clusterissuers"]
- verbs: ["get", "list", "watch"]
- verbs: ["get", "list", "watch", "create", "update", "delete"]
- verbs: ["create", "patch"]
----
-# Certificates controller role
-apiVersion: rbac.authorization.k8s.io/v1beta1
- name: cert-manager-controller-certificates
+ name: cert-manager-cainjector:leaderelection
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.9.1
- - apiGroups: ["certmanager.k8s.io"]
- resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
- - apiGroups: ["certmanager.k8s.io"]
- resources: ["certificates", "certificaterequests", "clusterissuers", "issuers", "orders"]
- verbs: ["get", "list", "watch"]
- # We require these rules to support users with the OwnerReferencesPermissionEnforcement
- #Â admission controller enabled:
- # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- - apiGroups: ["certmanager.k8s.io"]
- resources: ["certificates/finalizers"]
- - apiGroups: ["certmanager.k8s.io"]
- verbs: ["create", "delete"]
- verbs: ["get", "list", "watch", "create", "update", "delete"]
- verbs: ["create", "patch"]
----
-# Orders controller role
-apiVersion: rbac.authorization.k8s.io/v1beta1
- name: cert-manager-controller-orders
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.9.1
- - apiGroups: ["certmanager.k8s.io"]
- resources: ["orders", "orders/status"]
- - apiGroups: ["certmanager.k8s.io"]
- resources: ["orders", "clusterissuers", "issuers", "challenges"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["certmanager.k8s.io"]
- resources: ["challenges"]
- verbs: ["create", "delete"]
- # We require these rules to support users with the OwnerReferencesPermissionEnforcement
- #Â admission controller enabled:
- # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- - apiGroups: ["certmanager.k8s.io"]
- resources: ["orders/finalizers"]
- verbs: ["get", "list", "watch"]
- verbs: ["create", "patch"]
----
-# Challenges controller role
-apiVersion: rbac.authorization.k8s.io/v1beta1
- name: cert-manager-controller-challenges
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.9.1
- # Use to update challenge resource status
- - apiGroups: ["certmanager.k8s.io"]
- resources: ["challenges", "challenges/status"]
- # Used to watch challenges, issuer and clusterissuer resources
- - apiGroups: ["certmanager.k8s.io"]
- resources: ["challenges", "issuers", "clusterissuers"]
- verbs: ["get", "list", "watch"]
- # Need to be able to retrieve ACME account private key to complete challenges
- verbs: ["get", "list", "watch"]
- # Used to create events
- verbs: ["create", "patch"]
- resources: ["pods", "services"]
- verbs: ["get", "list", "watch", "create", "delete"]
- - apiGroups: ["extensions"]
- resources: ["ingresses"]
- verbs: ["get", "list", "watch", "create", "delete", "update"]
- # We require these rules to support users with the OwnerReferencesPermissionEnforcement
- #Â admission controller enabled:
- # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- - apiGroups: ["certmanager.k8s.io"]
- resources: ["challenges/finalizers"]
- #Â DNS01 rules (duplicated above)
- verbs: ["get", "list", "watch"]
----
-# ingress-shim controller role
-apiVersion: rbac.authorization.k8s.io/v1beta1
- name: cert-manager-controller-ingress-shim
- app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/name: cainjector
 app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.9.1
- - apiGroups: ["certmanager.k8s.io"]
- resources: ["certificates", "certificaterequests"]
- verbs: ["create", "update", "delete"]
- - apiGroups: ["certmanager.k8s.io"]
- resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["extensions"]
- resources: ["ingresses"]
- verbs: ["get", "list", "watch"]
- # We require these rules to support users with the OwnerReferencesPermissionEnforcement
- #Â admission controller enabled:
- # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- - apiGroups: ["extensions"]
- resources: ["ingresses/finalizers"]
- verbs: ["create", "patch"]
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
- name: cert-manager-leaderelection
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.9.1
- apiGroup: rbac.authorization.k8s.io
- name: cert-manager-leaderelection
- namespace: "cert-manager"
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
- name: cert-manager-controller-issuers
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.9.1
- apiGroup: rbac.authorization.k8s.io
- name: cert-manager-controller-issuers
- namespace: "cert-manager"
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
- name: cert-manager-controller-clusterissuers
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.9.1
- apiGroup: rbac.authorization.k8s.io
- name: cert-manager-controller-clusterissuers
- namespace: "cert-manager"
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
- name: cert-manager-controller-certificates
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.9.1
+ helm.sh/chart: cainjector-v0.11.0
 apiGroup: rbac.authorization.k8s.io
- name: cert-manager-controller-certificates
- namespace: "cert-manager"
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
- name: cert-manager-controller-orders
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.9.1
- apiGroup: rbac.authorization.k8s.io
- name: cert-manager-controller-orders
+ name: cert-manager-cainjector:leaderelection
- namespace: "cert-manager"
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
- name: cert-manager-controller-challenges
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.9.1
- apiGroup: rbac.authorization.k8s.io
- name: cert-manager-controller-challenges
- namespace: "cert-manager"
+ name: cert-manager-cainjector
+ namespace: cert-manager
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
- name: cert-manager-controller-ingress-shim
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.9.1
- apiGroup: rbac.authorization.k8s.io
- name: cert-manager-controller-ingress-shim
- namespace: "cert-manager"
----
-apiVersion: rbac.authorization.k8s.io/v1
- name: cert-manager-view
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.9.1
- rbac.authorization.k8s.io/aggregate-to-view: "true"
- rbac.authorization.k8s.io/aggregate-to-edit: "true"
- rbac.authorization.k8s.io/aggregate-to-admin: "true"
- - apiGroups: ["certmanager.k8s.io"]
- resources: ["certificates", "certificaterequests", "issuers"]
- verbs: ["get", "list", "watch"]
----
-apiVersion: rbac.authorization.k8s.io/v1
- name: cert-manager-edit
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.9.1
- rbac.authorization.k8s.io/aggregate-to-edit: "true"
- rbac.authorization.k8s.io/aggregate-to-admin: "true"
- - apiGroups: ["certmanager.k8s.io"]
- resources: ["certificates", "certificaterequests", "issuers"]
- verbs: ["create", "delete", "deletecollection", "patch", "update"]
----
-# Source: cert-manager/charts/webhook/templates/rbac.yaml
+# Source: cert-manager/templates/webhook-rbac.yaml
 # apiserver gets the auth-delegator role to delegate auth decisions to
@@ -1953,7 +5512,7 @@
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: webhook-v0.9.1
+ helm.sh/chart: cert-manager-v0.11.0
 apiGroup: rbac.authorization.k8s.io
@@ -1979,7 +5538,7 @@
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: webhook-v0.9.1
+ helm.sh/chart: cert-manager-v0.11.0
 apiGroup: rbac.authorization.k8s.io
@@ -2001,10 +5560,10 @@
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: webhook-v0.9.1
+ helm.sh/chart: cert-manager-v0.11.0
- - admission.certmanager.k8s.io
+ - admission.cert-manager.io
@@ -2012,9 +5571,477 @@
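Review bot: The new `admission.cert-manager.io` group on the last line of this hunk does not match the `webhook.cert-manager.io` group that the APIService (`group: webhook.cert-manager.io`) and both webhook configurations register later in this diff, so whichever rule this item belongs to appears to authorise an API group that nothing in the manifest serves. The rule's parent key and the rest of that ClusterRole sit outside the visible lines, so this is inferred from the group names alone. Worth checking against the upstream 0.11.0 `webhook-rbac.yaml` and, if confirmed, tracking as an upstream issue rather than editing the vendored manifest.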
+# Source: cert-manager/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1beta1
+ name: cert-manager:leaderelection
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.11.0
+ # Used for leader election by the controller
+ # TODO: refine the permission to *just* the leader election configmap
+ resources: ["configmaps"]
+ verbs: ["get", "create", "update", "patch"]
+# grant cert-manager permission to manage the leaderelection configmap in the
+# leader election namespace
+apiVersion: rbac.authorization.k8s.io/v1beta1
+ name: cert-manager:leaderelection
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.11.0
+ apiGroup: rbac.authorization.k8s.io
+ name: cert-manager:leaderelection
+ namespace: cert-manager
+# Issuer controller role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+ name: cert-manager-controller-issuers
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.11.0
+ - apiGroups: ["cert-manager.io"]
+ resources: ["issuers", "issuers/status"]
+ - apiGroups: ["cert-manager.io"]
+ verbs: ["get", "list", "watch"]
+ verbs: ["get", "list", "watch", "create", "update", "delete"]
+ verbs: ["create", "patch"]
+# ClusterIssuer controller role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+ name: cert-manager-controller-clusterissuers
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.11.0
+ - apiGroups: ["cert-manager.io"]
+ resources: ["clusterissuers", "clusterissuers/status"]
+ - apiGroups: ["cert-manager.io"]
+ resources: ["clusterissuers"]
+ verbs: ["get", "list", "watch"]
+ verbs: ["get", "list", "watch", "create", "update", "delete"]
+ verbs: ["create", "patch"]
+# Certificates controller role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+ name: cert-manager-controller-certificates
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.11.0
+ - apiGroups: ["cert-manager.io"]
+ resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
+ - apiGroups: ["cert-manager.io"]
+ resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
+ verbs: ["get", "list", "watch"]
+ # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+ # admission controller enabled:
+ # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+ - apiGroups: ["cert-manager.io"]
+ resources: ["certificates/finalizers"]
+ - apiGroups: ["acme.cert-manager.io"]
+ verbs: ["create", "delete", "get", "list", "watch"]
+ verbs: ["get", "list", "watch", "create", "update", "delete"]
+ verbs: ["create", "patch"]
+# Orders controller role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+ name: cert-manager-controller-orders
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.11.0
+ - apiGroups: ["acme.cert-manager.io"]
+ resources: ["orders", "orders/status"]
+ - apiGroups: ["acme.cert-manager.io"]
+ resources: ["orders", "challenges"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["cert-manager.io"]
+ resources: ["clusterissuers", "issuers"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["acme.cert-manager.io"]
+ resources: ["challenges"]
+ verbs: ["create", "delete"]
+ # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+ # admission controller enabled:
+ # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+ - apiGroups: ["acme.cert-manager.io"]
+ resources: ["orders/finalizers"]
+ verbs: ["get", "list", "watch"]
+ verbs: ["create", "patch"]
+# Challenges controller role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+ name: cert-manager-controller-challenges
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.11.0
+ # Use to update challenge resource status
+ - apiGroups: ["acme.cert-manager.io"]
+ resources: ["challenges", "challenges/status"]
+ # Used to watch challenge resources
+ - apiGroups: ["acme.cert-manager.io"]
+ resources: ["challenges"]
+ verbs: ["get", "list", "watch"]
+ # Used to watch challenges, issuer and clusterissuer resources
+ - apiGroups: ["cert-manager.io"]
+ resources: ["issuers", "clusterissuers"]
+ verbs: ["get", "list", "watch"]
+ # Need to be able to retrieve ACME account private key to complete challenges
+ verbs: ["get", "list", "watch"]
+ # Used to create events
+ verbs: ["create", "patch"]
+ resources: ["pods", "services"]
+ verbs: ["get", "list", "watch", "create", "delete"]
+ - apiGroups: ["extensions"]
+ resources: ["ingresses"]
+ verbs: ["get", "list", "watch", "create", "delete", "update"]
+ # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+ # admission controller enabled:
+ # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+ - apiGroups: ["acme.cert-manager.io"]
+ resources: ["challenges/finalizers"]
+ # DNS01 rules (duplicated above)
+ verbs: ["get", "list", "watch"]
-# Source: cert-manager/charts/webhook/templates/service.yaml
+# ingress-shim controller role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+ name: cert-manager-controller-ingress-shim
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.11.0
+ - apiGroups: ["cert-manager.io"]
+ resources: ["certificates", "certificaterequests"]
+ verbs: ["create", "update", "delete"]
+ - apiGroups: ["cert-manager.io"]
+ resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["extensions"]
+ resources: ["ingresses"]
+ verbs: ["get", "list", "watch"]
+ # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+ # admission controller enabled:
+ # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+ - apiGroups: ["extensions"]
+ resources: ["ingresses/finalizers"]
+ verbs: ["create", "patch"]
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+ name: cert-manager-leaderelection
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.11.0
+ apiGroup: rbac.authorization.k8s.io
+ name: cert-manager-leaderelection
+ namespace: "cert-manager"
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+ name: cert-manager-controller-issuers
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.11.0
+ apiGroup: rbac.authorization.k8s.io
+ name: cert-manager-controller-issuers
+ namespace: "cert-manager"
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+ name: cert-manager-controller-clusterissuers
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.11.0
+ apiGroup: rbac.authorization.k8s.io
+ name: cert-manager-controller-clusterissuers
+ namespace: "cert-manager"
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+ name: cert-manager-controller-certificates
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.11.0
+ apiGroup: rbac.authorization.k8s.io
+ name: cert-manager-controller-certificates
+ namespace: "cert-manager"
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+ name: cert-manager-controller-orders
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.11.0
+ apiGroup: rbac.authorization.k8s.io
+ name: cert-manager-controller-orders
+ namespace: "cert-manager"
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+ name: cert-manager-controller-challenges
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.11.0
+ apiGroup: rbac.authorization.k8s.io
+ name: cert-manager-controller-challenges
+ namespace: "cert-manager"
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+ name: cert-manager-controller-ingress-shim
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.11.0
+ apiGroup: rbac.authorization.k8s.io
+ name: cert-manager-controller-ingress-shim
+ namespace: "cert-manager"
+apiVersion: rbac.authorization.k8s.io/v1
+ name: cert-manager-view
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.11.0
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ - apiGroups: ["cert-manager.io"]
+ resources: ["certificates", "certificaterequests", "issuers"]
+ verbs: ["get", "list", "watch"]
+apiVersion: rbac.authorization.k8s.io/v1
+ name: cert-manager-edit
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.11.0
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ - apiGroups: ["cert-manager.io"]
+ resources: ["certificates", "certificaterequests", "issuers"]
+ verbs: ["create", "delete", "deletecollection", "patch", "update"]
+# Source: cert-manager/templates/service.yaml
+ namespace: "cert-manager"
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.11.0
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+# Source: cert-manager/templates/webhook-service.yaml
@@ -2025,7 +6052,7 @@
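Review bot: The `cert-manager:leaderelection` Role grants `get`, `create`, `update` and `patch` on every ConfigMap in its namespace (`resources: ["configmaps"]` with no `resourceNames`), and the manifest's own `# TODO: refine the permission to *just* the leader election configmap` acknowledges it; the deployment hunks at `@@ -2066` and `@@ -2087` now pass `--leader-election-namespace=kube-system`, so if the Role is created in kube-system as the `# leader election namespace` comment implies, the controller and cainjector service accounts can modify ConfigMaps that other system components read. The Role's own `namespace:` line is not among the visible lines, so confirm where it is actually bound. Because the file header states the manifest is vendored unchanged, the cleaner fix is a local overlay that keeps `create` unrestricted (create cannot be name-scoped) and narrows `get`/`update`/`patch` with `resourceNames` to the election ConfigMap, or keeps leader election in the cert-manager namespace as 0.9.1 did.
```yaml
# … unchanged: Role metadata …
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["configmaps"]
    # constructed placeholder: the ConfigMap name the controller's leader election writes
    resourceNames: ["<LEADER_ELECTION_CONFIGMAP>"]
    verbs: ["get", "update", "patch"]
```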
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: webhook-v0.9.1
+ helm.sh/chart: cert-manager-v0.11.0
@@ -2037,7 +6064,6 @@
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Tiller
# Source: cert-manager/charts/cainjector/templates/deployment.yaml
@@ -2050,7 +6076,7 @@
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cainjector-v0.9.1
+ helm.sh/chart: cainjector-v0.11.0
@@ -2066,17 +6092,17 @@
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cainjector-v0.9.1
+ helm.sh/chart: cainjector-v0.11.0
 serviceAccountName: cert-manager-cainjector
- image: "quay.io/jetstack/cert-manager-cainjector:v0.9.1"
+ image: "quay.io/jetstack/cert-manager-cainjector:v0.11.0"
 imagePullPolicy: IfNotPresent
- - --leader-election-namespace=$(POD_NAMESPACE)
+ - --leader-election-namespace=kube-system
@@ -2087,7 +6113,67 @@
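Review bot: The cainjector image on the `+ image:` line is pinned by the mutable tag `v0.11.0` rather than by digest, and the same applies to the controller image in the `@@ -2087` hunk and the webhook image in the `@@ -2114` hunk; combined with `imagePullPolicy: IfNotPresent`, a re-pushed tag would be picked up silently on any node that has not already cached it, and which exact bits run is not reproducible from the manifest. Pinning each of the three as `quay.io/jetstack/cert-manager-cainjector:v0.11.0@sha256:<DIGEST-FROM-0.11.0-RELEASE>` (labelled placeholder) makes the deployment attestable at the cost of a local deviation from the vendored manifest, which the file header's "No changes" sentence should then mention.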
-# Source: cert-manager/charts/webhook/templates/deployment.yaml
+# Source: cert-manager/templates/deployment.yaml
+ namespace: "cert-manager"
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.11.0
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.11.0
+ prometheus.io/path: "/metrics"
+ prometheus.io/scrape: 'true'
+ prometheus.io/port: '9402'
+ serviceAccountName: cert-manager
+ image: "quay.io/jetstack/cert-manager-controller:v0.11.0"
+ imagePullPolicy: IfNotPresent
+ - --cluster-resource-namespace=$(POD_NAMESPACE)
+ - --leader-election-namespace=kube-system
+ - --webhook-namespace=$(POD_NAMESPACE)
+ - --webhook-ca-secret=cert-manager-webhook-ca
+ - --webhook-serving-secret=cert-manager-webhook-tls
+ - --webhook-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
+ fieldPath: metadata.namespace
+# Source: cert-manager/templates/webhook-deployment.yaml
@@ -2098,7 +6184,7 @@
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: webhook-v0.9.1
+ helm.sh/chart: cert-manager-v0.11.0
@@ -2114,13 +6200,13 @@
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: webhook-v0.9.1
+ helm.sh/chart: cert-manager-v0.11.0
 serviceAccountName: cert-manager-webhook
- image: "quay.io/jetstack/cert-manager-webhook:v0.9.1"
+ image: "quay.io/jetstack/cert-manager-webhook:v0.11.0"
 imagePullPolicy: IfNotPresent
@@ -2141,176 +6227,96 @@
- secretName: cert-manager-webhook-webhook-tls
+ secretName: cert-manager-webhook-tls
-# Source: cert-manager/templates/deployment.yaml
- namespace: "cert-manager"
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.9.1
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.9.1
- prometheus.io/path: "/metrics"
- prometheus.io/scrape: 'true'
- prometheus.io/port: '9402'
- serviceAccountName: cert-manager
- image: "quay.io/jetstack/cert-manager-controller:v0.9.1"
- imagePullPolicy: IfNotPresent
- - --cluster-resource-namespace=$(POD_NAMESPACE)
- - --leader-election-namespace=$(POD_NAMESPACE)
- fieldPath: metadata.namespace
----
-# Source: cert-manager/charts/webhook/templates/apiservice.yaml
+# Source: cert-manager/templates/webhook-apiservice.yaml
 apiVersion: apiregistration.k8s.io/v1beta1
- name: v1beta1.admission.certmanager.k8s.io
+ name: v1beta1.webhook.cert-manager.io
 app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: webhook-v0.9.1
+ helm.sh/chart: cert-manager-v0.11.0
- certmanager.k8s.io/inject-ca-from: "cert-manager/cert-manager-webhook-webhook-tls"
+ cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-tls"
- group: admission.certmanager.k8s.io
+ group: webhook.cert-manager.io
 groupPriorityMinimum: 1000
name: cert-manager-webhook
namespace: "cert-manager"
-# Source: cert-manager/charts/webhook/templates/pki.yaml
----
-# Create a selfsigned Issuer, in order to create a root CA certificate for
-# signing webhook serving certificates
-apiVersion: certmanager.k8s.io/v1alpha1
+# Source: cert-manager/templates/webhook-mutating-webhook.yaml
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
- name: cert-manager-webhook-selfsign
- namespace: "cert-manager"
- app.kubernetes.io/name: webhook
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: webhook-v0.9.1
----
-# Generate a CA Certificate used to sign certificates for the webhook
-apiVersion: certmanager.k8s.io/v1alpha1
- name: cert-manager-webhook-ca
- namespace: "cert-manager"
+ name: cert-manager-webhook
 app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: webhook-v0.9.1
- secretName: cert-manager-webhook-ca
- name: cert-manager-webhook-selfsign
- commonName: "ca.webhook.cert-manager"
+ helm.sh/chart: cert-manager-v0.11.0
+ cert-manager.io/inject-apiserver-ca: "true"
+ - name: webhook.cert-manager.io
+ path: /apis/webhook.cert-manager.io/v1beta1/mutations
+# Source: cert-manager/charts/cainjector/templates/psp-clusterrole.yaml
+# Source: cert-manager/charts/cainjector/templates/psp-clusterrolebinding.yaml
-# Create an Issuer that uses the above generated CA certificate to issue certs
-apiVersion: certmanager.k8s.io/v1alpha1
- name: cert-manager-webhook-ca
- namespace: "cert-manager"
- app.kubernetes.io/name: webhook
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: webhook-v0.9.1
- secretName: cert-manager-webhook-ca
+# Source: cert-manager/charts/cainjector/templates/psp.yaml
+# Source: cert-manager/templates/psp-clusterrole.yaml
-# Finally, generate a serving certificate for the webhook to use
-apiVersion: certmanager.k8s.io/v1alpha1
- name: cert-manager-webhook-webhook-tls
- namespace: "cert-manager"
- app.kubernetes.io/name: webhook
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: webhook-v0.9.1
- secretName: cert-manager-webhook-webhook-tls
- name: cert-manager-webhook-ca
- - cert-manager-webhook.cert-manager
- - cert-manager-webhook.cert-manager.svc
+# Source: cert-manager/templates/psp-clusterrolebinding.yaml
+# Source: cert-manager/templates/psp.yaml
 # Source: cert-manager/templates/servicemonitor.yaml
-# Source: cert-manager/charts/webhook/templates/validating-webhook.yaml
+# Source: cert-manager/templates/webhook-validating-webhook.yaml
 apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
@@ -2320,14 +6326,14 @@
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: webhook-v0.9.1
+ helm.sh/chart: cert-manager-v0.11.0
- certmanager.k8s.io/inject-apiserver-ca: "true"
+ cert-manager.io/inject-apiserver-ca: "true"
- - name: certificates.admission.certmanager.k8s.io
+ - name: webhook.cert-manager.io
- - key: "certmanager.k8s.io/disable-validation"
+ - key: "cert-manager.io/disable-validation"
@@ -2337,72 +6343,21 @@
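Review bot: The namespaceSelector opt-out key changes from `certmanager.k8s.io/disable-validation` to `cert-manager.io/disable-validation` on the last line of this hunk, and nothing in the diff relabels namespaces; a namespace that carries only the old key (typically the cert-manager namespace itself, to keep the webhook from blocking its own resources) will be validated by the new `webhook.cert-manager.io` hook after this upgrade. The selector's `operator`/`values` lines and the enclosing webhook entry are outside the visible lines, so this is inferred from the key rename alone. Since the manifest is vendored unchanged, record the migration step in the file header, e.g. `# Upgrade note: namespaces opted out of validation must be relabelled cert-manager.io/disable-validation: "true"; the certmanager.k8s.io/disable-validation key no longer applies.`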
- path: /apis/admission.certmanager.k8s.io/v1beta1/certificates
- - name: issuers.admission.certmanager.k8s.io
- - key: "certmanager.k8s.io/disable-validation"
- path: /apis/admission.certmanager.k8s.io/v1beta1/issuers
- - name: clusterissuers.admission.certmanager.k8s.io
- - key: "certmanager.k8s.io/disable-validation"
- path: /apis/admission.certmanager.k8s.io/v1beta1/clusterissuers
+ path: /apis/webhook.cert-manager.io/v1beta1/validations