imfreedom/k8s-cluster

Parents 45069c8cbc6f
Children e89f20d223ee
Update cert-manager to 0.9.1: we were running 0.5.0, and Let's Encrypt is going to start blocking versions < 0.8.0 because those versions generate too much traffic to Let's Encrypt.
--- a/00-namespaces.yaml Mon Jul 15 01:56:25 2019 -0500
+++ b/00-namespaces.yaml Tue Aug 13 15:33:33 2019 -0500
@@ -25,4 +25,11 @@
metadata:
name: kube-logging
---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cert-manager
+ labels:
+ certmanager.k8s.io/disable-validation: "true"
+---
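Review bot: The `certmanager.k8s.io/disable-validation: "true"` label on the new cert-manager namespace is undocumented, and to a reader it looks like validation is being switched off rather than the deliberate exemption it is. As far as I recall, the upstream 0.9 install requires this label on the namespace cert-manager itself is deployed into, so that its validating webhook does not block the bootstrap resources it creates there; a comment recording that would stop someone "fixing" it or copying it onto application namespaces, where it would silently disable schema validation of Certificates and Issuers. Something like `# required by the upstream install: exempts this namespace from cert-manager's own validating webhook so its bootstrap resources can be created; do not set on application namespaces` above the label is enough. The quoted "true" is correct, since the label value must be a string.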
--- a/10-cert-manager.yaml Mon Jul 15 01:56:25 2019 -0500
+++ b/10-cert-manager.yaml Tue Aug 13 15:33:33 2019 -0500
@@ -1,121 +1,2408 @@
-apiVersion: v1
-kind: ServiceAccount
+# This is the official 0.9.1 manifest
+# from https://github.com/jetstack/cert-manager/releases. No changes, aside
+# from this header have been made.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
metadata:
- name: cert-manager
- namespace: kube-system
+ creationTimestamp: null
labels:
- app: cert-manager
+ controller-tools.k8s.io: "1.0"
+ name: certificates.certmanager.k8s.io
+spec:
+ additionalPrinterColumns:
+ - JSONPath: .status.conditions[?(@.type=="Ready")].status
+ name: Ready
+ type: string
+ - JSONPath: .spec.secretName
+ name: Secret
+ type: string
+ - JSONPath: .spec.issuerRef.name
+ name: Issuer
+ priority: 1
+ type: string
+ - JSONPath: .status.conditions[?(@.type=="Ready")].message
+ name: Status
+ priority: 1
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ description: CreationTimestamp is a timestamp representing the server time when
+ this object was created. It is not guaranteed to be set in happens-before order
+ across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC.
+ name: Age
+ type: date
+ group: certmanager.k8s.io
+ names:
+ kind: Certificate
+ plural: certificates
+ shortNames:
+ - cert
+ - certs
+ scope: Namespaced
+ validation:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ acme:
+ description: ACME contains configuration specific to ACME Certificates.
+ Notably, this contains details on how the domain names listed on this
+ Certificate resource should be 'solved', i.e. mapping HTTP01 and DNS01
+ providers to DNS names.
+ properties:
+ config:
+ items:
+ properties:
+ domains:
+ description: Domains is the list of domains that this SolverConfig
+ applies to.
+ items:
+ type: string
+ type: array
+ required:
+ - domains
+ type: object
+ type: array
+ required:
+ - config
+ type: object
+ commonName:
+ description: CommonName is a common name to be used on the Certificate.
+ If no CommonName is given, then the first entry in DNSNames is used
+ as the CommonName. The CommonName should have a length of 64 characters
+ or fewer to avoid generating invalid CSRs; in order to have longer
+ domain names, set the CommonName (or first DNSNames entry) to have
+ 64 characters or fewer, and then add the longer domain name to DNSNames.
+ type: string
+ dnsNames:
+ description: DNSNames is a list of subject alt names to be used on the
+ Certificate. If no CommonName is given, then the first entry in DNSNames
+ is used as the CommonName and must have a length of 64 characters
+ or fewer.
+ items:
+ type: string
+ type: array
+ duration:
+ description: Certificate default Duration
+ type: string
+ ipAddresses:
+ description: IPAddresses is a list of IP addresses to be used on the
+ Certificate
+ items:
+ type: string
+ type: array
+ isCA:
+ description: IsCA will mark this Certificate as valid for signing. This
+ implies that the 'signing' usage is set
+ type: boolean
+ issuerRef:
+ description: IssuerRef is a reference to the issuer for this certificate.
+ If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
+ with the given name in the same namespace as the Certificate will
+ be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
+ with the provided name will be used. The 'name' field in this stanza
+ is required at all times.
+ properties:
+ group:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ keyAlgorithm:
+ description: KeyAlgorithm is the private key algorithm of the corresponding
+ private key for this certificate. If provided, allowed values are
+ either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize is
+ not provided, key size of 256 will be used for "ecdsa" key algorithm
+ and key size of 2048 will be used for "rsa" key algorithm.
+ enum:
+ - rsa
+ - ecdsa
+ type: string
+ keyEncoding:
+ description: KeyEncoding is the private key cryptography standards (PKCS)
+ for this certificate's private key to be encoded in. If provided,
+ allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8,
+ respectively. If KeyEncoding is not specified, then PKCS#1 will be
+ used by default.
+ type: string
+ keySize:
+ description: KeySize is the key bit size of the corresponding private
+ key for this certificate. If provided, value must be between 2048
+ and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa",
+ and value must be one of (256, 384, 521) when KeyAlgorithm is set
+ to "ecdsa".
+ format: int64
+ type: integer
+ organization:
+ description: Organization is the organization to be used on the Certificate
+ items:
+ type: string
+ type: array
+ renewBefore:
+ description: Certificate renew before expiration duration
+ type: string
+ secretName:
+ description: SecretName is the name of the secret resource to store
+ this secret in
+ type: string
+ required:
+ - secretName
+ - issuerRef
+ type: object
+ status:
+ properties:
+ conditions:
+ items:
+ properties:
+ lastTransitionTime:
+ description: LastTransitionTime is the timestamp corresponding
+ to the last status change of this condition.
+ format: date-time
+ type: string
+ message:
+ description: Message is a human readable description of the details
+ of the last transition, complementing reason.
+ type: string
+ reason:
+ description: Reason is a brief machine readable explanation for
+ the condition's last transition.
+ type: string
+ status:
+ description: Status of the condition, one of ('True', 'False',
+ 'Unknown').
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: Type of the condition, currently ('Ready').
+ type: string
+ required:
+ - type
+ - status
+ type: object
+ type: array
+ lastFailureTime:
+ format: date-time
+ type: string
+ notAfter:
+ description: The expiration time of the certificate stored in the secret
+ named by this resource in spec.secretName.
+ format: date-time
+ type: string
+ type: object
+ version: v1alpha1
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ creationTimestamp: null
+ labels:
+ controller-tools.k8s.io: "1.0"
+ name: certificaterequests.certmanager.k8s.io
+spec:
+ additionalPrinterColumns:
+ - JSONPath: .status.conditions[?(@.type=="Ready")].status
+ name: Ready
+ type: string
+ - JSONPath: .spec.issuerRef.name
+ name: Issuer
+ priority: 1
+ type: string
+ - JSONPath: .status.conditions[?(@.type=="Ready")].message
+ name: Status
+ priority: 1
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ description: CreationTimestamp is a timestamp representing the server time when
+ this object was created. It is not guaranteed to be set in happens-before order
+ across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC.
+ name: Age
+ type: date
+ group: certmanager.k8s.io
+ names:
+ kind: CertificateRequest
+ plural: certificaterequests
+ shortNames:
+ - cr
+ - crs
+ scope: Namespaced
+ validation:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ csr:
+ description: Byte slice containing the PEM encoded CertificateSigningRequest
+ format: byte
+ type: string
+ duration:
+ description: Requested certificate default Duration
+ type: string
+ isCA:
+ description: IsCA will mark the resulting certificate as valid for signing.
+ This implies that the 'signing' usage is set
+ type: boolean
+ issuerRef:
+ description: IssuerRef is a reference to the issuer for this CertificateRequest. If
+ the 'kind' field is not set, or set to 'Issuer', an Issuer resource
+ with the given name in the same namespace as the CertificateRequest
+ will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
+ with the provided name will be used. The 'name' field in this stanza
+ is required at all times. The group field refers to the API group
+ of the issuer which defaults to 'certmanager.k8s.io' if empty.
+ properties:
+ group:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - issuerRef
+ type: object
+ status:
+ properties:
+ ca:
+ description: Byte slice containing the PEM encoded certificate authority
+ of the signed certificate.
+ format: byte
+ type: string
+ certificate:
+ description: Byte slice containing a PEM encoded signed certificate
+ resulting from the given certificate signing request.
+ format: byte
+ type: string
+ conditions:
+ items:
+ properties:
+ lastTransitionTime:
+ description: LastTransitionTime is the timestamp corresponding
+ to the last status change of this condition.
+ format: date-time
+ type: string
+ message:
+ description: Message is a human readable description of the details
+ of the last transition, complementing reason.
+ type: string
+ reason:
+ description: Reason is a brief machine readable explanation for
+ the condition's last transition.
+ type: string
+ status:
+ description: Status of the condition, one of ('True', 'False',
+ 'Unknown').
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: Type of the condition, currently ('Ready').
+ type: string
+ required:
+ - type
+ - status
+ type: object
+ type: array
+ type: object
+ version: v1alpha1
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
- name: certificates.certmanager.k8s.io
+ creationTimestamp: null
labels:
- app: cert-manager
+ controller-tools.k8s.io: "1.0"
+ name: challenges.certmanager.k8s.io
spec:
+ additionalPrinterColumns:
+ - JSONPath: .status.state
+ name: State
+ type: string
+ - JSONPath: .spec.dnsName
+ name: Domain
+ type: string
+ - JSONPath: .status.reason
+ name: Reason
+ priority: 1
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ description: CreationTimestamp is a timestamp representing the server time when
+ this object was created. It is not guaranteed to be set in happens-before order
+ across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC.
+ name: Age
+ type: date
group: certmanager.k8s.io
- version: v1alpha1
+ names:
+ kind: Challenge
+ plural: challenges
scope: Namespaced
- names:
- kind: Certificate
- plural: certificates
- shortNames:
- - cert
- - certs
+ validation:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ authzURL:
+ description: AuthzURL is the URL to the ACME Authorization resource
+ that this challenge is a part of.
+ type: string
+ config:
+ description: 'Config specifies the solver configuration for this challenge.
+ Only **one** of ''config'' or ''solver'' may be specified, and if
+ both are specified then no action will be performed on the Challenge
+ resource. DEPRECATED: the ''solver'' field should be specified instead'
+ type: object
+ dnsName:
+ description: DNSName is the identifier that this challenge is for, e.g.
+ example.com.
+ type: string
+ issuerRef:
+ description: IssuerRef references a properly configured ACME-type Issuer
+ which should be used to create this Challenge. If the Issuer does
+ not exist, processing will be retried. If the Issuer is not an 'ACME'
+ Issuer, an error will be returned and the Challenge will be marked
+ as failed.
+ properties:
+ group:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ key:
+ description: Key is the ACME challenge key for this challenge
+ type: string
+ solver:
+ description: Solver contains the domain solving configuration that should
+ be used to solve this challenge resource. Only **one** of 'config'
+ or 'solver' may be specified, and if both are specified then no action
+ will be performed on the Challenge resource.
+ properties:
+ selector:
+ description: Selector selects a set of DNSNames on the Certificate
+ resource that should be solved using this challenge solver.
+ properties:
+ dnsNames:
+ description: List of DNSNames that this solver will be used
+ to solve. If specified and a match is found, a dnsNames selector
+ will take precedence over a dnsZones selector. If multiple
+ solvers match with the same dnsNames value, the solver with
+ the most matching labels in matchLabels will be selected.
+ If neither has more matches, the solver defined earlier in
+ the list will be selected.
+ items:
+ type: string
+ type: array
+ dnsZones:
+ description: List of DNSZones that this solver will be used
+ to solve. The most specific DNS zone match specified here
+ will take precedence over other DNS zone matches, so a solver
+ specifying sys.example.com will be selected over one specifying
+ example.com for the domain www.sys.example.com. If multiple
+ solvers match with the same dnsZones value, the solver with
+ the most matching labels in matchLabels will be selected.
+ If neither has more matches, the solver defined earlier in
+ the list will be selected.
+ items:
+ type: string
+ type: array
+ matchLabels:
+ description: A label selector that is used to refine the set
+ of certificate's that this challenge solver will apply to.
+ type: object
+ type: object
+ type: object
+ token:
+ description: Token is the ACME challenge token for this challenge.
+ type: string
+ type:
+ description: Type is the type of ACME challenge this resource represents,
+ e.g. "dns01" or "http01"
+ type: string
+ url:
+ description: URL is the URL of the ACME Challenge resource for this
+ challenge. This can be used to lookup details about the status of
+ this challenge.
+ type: string
+ wildcard:
+ description: Wildcard will be true if this challenge is for a wildcard
+ identifier, for example '*.example.com'
+ type: boolean
+ required:
+ - authzURL
+ - type
+ - url
+ - dnsName
+ - token
+ - key
+ - wildcard
+ - issuerRef
+ type: object
+ status:
+ properties:
+ presented:
+ description: Presented will be set to true if the challenge values for
+ this challenge are currently 'presented'. This *does not* imply the
+ self check is passing. Only that the values have been 'submitted'
+ for the appropriate challenge mechanism (i.e. the DNS01 TXT record
+ has been presented, or the HTTP01 configuration has been configured).
+ type: boolean
+ processing:
+ description: Processing is used to denote whether this challenge should
+ be processed or not. This field will only be set to true by the 'scheduling'
+ component. It will only be set to false by the 'challenges' controller,
+ after the challenge has reached a final state or timed out. If this
+ field is set to false, the challenge controller will not take any
+ more action.
+ type: boolean
+ reason:
+ description: Reason contains human readable information on why the Challenge
+ is in the current state.
+ type: string
+ state:
+ description: State contains the current 'state' of the challenge. If
+ not set, the state of the challenge is unknown.
+ enum:
+ - ""
+ - valid
+ - ready
+ - pending
+ - processing
+ - invalid
+ - expired
+ - errored
+ type: string
+ required:
+ - processing
+ - presented
+ - reason
+ type: object
+ required:
+ - metadata
+ - spec
+ - status
+ version: v1alpha1
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
- name: clusterissuers.certmanager.k8s.io
+ creationTimestamp: null
labels:
- app: cert-manager
+ controller-tools.k8s.io: "1.0"
+ name: clusterissuers.certmanager.k8s.io
spec:
group: certmanager.k8s.io
- version: v1alpha1
- scope: Cluster
names:
kind: ClusterIssuer
plural: clusterissuers
+ scope: Cluster
+ validation:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ acme:
+ properties:
+ email:
+ description: Email is the email for this account
+ type: string
+ privateKeySecretRef:
+ description: PrivateKey is the name of a secret containing the private
+ key for this user account.
+ properties:
+ key:
+ description: The key of the secret to select from. Must be a
+ valid secret key.
+ type: string
+ name:
+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?'
+ type: string
+ required:
+ - name
+ type: object
+ server:
+ description: Server is the ACME server URL
+ type: string
+ skipTLSVerify:
+ description: If true, skip verifying the ACME server TLS certificate
+ type: boolean
+ solvers:
+ description: Solvers is a list of challenge solvers that will be
+ used to solve ACME challenges for the matching domains.
+ items:
+ properties:
+ selector:
+ description: Selector selects a set of DNSNames on the Certificate
+ resource that should be solved using this challenge solver.
+ properties:
+ dnsNames:
+ description: List of DNSNames that this solver will be
+ used to solve. If specified and a match is found, a
+ dnsNames selector will take precedence over a dnsZones
+ selector. If multiple solvers match with the same dnsNames
+ value, the solver with the most matching labels in matchLabels
+ will be selected. If neither has more matches, the solver
+ defined earlier in the list will be selected.
+ items:
+ type: string
+ type: array
+ dnsZones:
+ description: List of DNSZones that this solver will be
+ used to solve. The most specific DNS zone match specified
+ here will take precedence over other DNS zone matches,
+ so a solver specifying sys.example.com will be selected
+ over one specifying example.com for the domain www.sys.example.com.
+ If multiple solvers match with the same dnsZones value,
+ the solver with the most matching labels in matchLabels
+ will be selected. If neither has more matches, the solver
+ defined earlier in the list will be selected.
+ items:
+ type: string
+ type: array
+ matchLabels:
+ description: A label selector that is used to refine the
+ set of certificate's that this challenge solver will
+ apply to.
+ type: object
+ type: object
+ type: object
+ type: array
+ required:
+ - server
+ - privateKeySecretRef
+ type: object
+ ca:
+ properties:
+ secretName:
+ description: SecretName is the name of the secret used to sign Certificates
+ issued by this Issuer.
+ type: string
+ required:
+ - secretName
+ type: object
+ selfSigned:
+ type: object
+ vault:
+ properties:
+ auth:
+ description: Vault authentication
+ properties:
+ appRole:
+ description: This Secret contains a AppRole and Secret
+ properties:
+ path:
+ description: Where the authentication path is mounted in
+ Vault.
+ type: string
+ roleId:
+ type: string
+ secretRef:
+ properties:
+ key:
+ description: The key of the secret to select from. Must
+ be a valid secret key.
+ type: string
+ name:
+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?'
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - path
+ - roleId
+ - secretRef
+ type: object
+ tokenSecretRef:
+ description: This Secret contains the Vault token key
+ properties:
+ key:
+ description: The key of the secret to select from. Must
+ be a valid secret key.
+ type: string
+ name:
+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?'
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ caBundle:
+ description: Base64 encoded CA bundle to validate Vault server certificate.
+ Only used if the Server URL is using HTTPS protocol. This parameter
+ is ignored for plain HTTP protocol connection. If not set the
+ system root certificates are used to validate the TLS connection.
+ format: byte
+ type: string
+ path:
+ description: Vault URL path to the certificate role
+ type: string
+ server:
+ description: Server is the vault connection address
+ type: string
+ required:
+ - auth
+ - server
+ - path
+ type: object
+ venafi:
+ properties:
+ cloud:
+ description: Cloud specifies the Venafi cloud configuration settings.
+ Only one of TPP or Cloud may be specified.
+ properties:
+ apiTokenSecretRef:
+ description: APITokenSecretRef is a secret key selector for
+ the Venafi Cloud API token.
+ properties:
+ key:
+ description: The key of the secret to select from. Must
+ be a valid secret key.
+ type: string
+ name:
+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?'
+ type: string
+ required:
+ - name
+ type: object
+ url:
+ description: URL is the base URL for Venafi Cloud
+ type: string
+ required:
+ - url
+ - apiTokenSecretRef
+ type: object
+ tpp:
+ description: TPP specifies Trust Protection Platform configuration
+ settings. Only one of TPP or Cloud may be specified.
+ properties:
+ caBundle:
+ description: CABundle is a PEM encoded TLS certifiate to use
+ to verify connections to the TPP instance. If specified, system
+ roots will not be used and the issuing CA for the TPP instance
+ must be verifiable using the provided root. If not specified,
+ the connection will be verified using the cert-manager system
+ root certificates.
+ format: byte
+ type: string
+ credentialsRef:
+ description: CredentialsRef is a reference to a Secret containing
+ the username and password for the TPP server. The secret must
+ contain two keys, 'username' and 'password'.
+ properties:
+ name:
+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?'
+ type: string
+ required:
+ - name
+ type: object
+ url:
+ description: URL is the base URL for the Venafi TPP instance
+ type: string
+ required:
+ - url
+ - credentialsRef
+ type: object
+ zone:
+ description: Zone is the Venafi Policy Zone to use for this issuer.
+ All requests made to the Venafi platform will be restricted by
+ the named zone policy. This field is required.
+ type: string
+ required:
+ - zone
+ type: object
+ type: object
+ status:
+ properties:
+ acme:
+ properties:
+ lastRegisteredEmail:
+ description: LastRegisteredEmail is the email associated with the
+ latest registered ACME account, in order to track changes made
+ to registered account associated with the Issuer
+ type: string
+ uri:
+ description: URI is the unique account identifier, which can also
+ be used to retrieve account details from the CA
+ type: string
+ type: object
+ conditions:
+ items:
+ properties:
+ lastTransitionTime:
+ description: LastTransitionTime is the timestamp corresponding
+ to the last status change of this condition.
+ format: date-time
+ type: string
+ message:
+ description: Message is a human readable description of the details
+ of the last transition, complementing reason.
+ type: string
+ reason:
+ description: Reason is a brief machine readable explanation for
+ the condition's last transition.
+ type: string
+ status:
+ description: Status of the condition, one of ('True', 'False',
+ 'Unknown').
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: Type of the condition, currently ('Ready').
+ type: string
+ required:
+ - type
+ - status
+ type: object
+ type: array
+ type: object
+ version: v1alpha1
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
- name: issuers.certmanager.k8s.io
+ creationTimestamp: null
labels:
- app: cert-manager
+ controller-tools.k8s.io: "1.0"
+ name: issuers.certmanager.k8s.io
spec:
group: certmanager.k8s.io
- version: v1alpha1
- scope: Namespaced
names:
kind: Issuer
plural: issuers
+ scope: Namespaced
+ validation:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ acme:
+ properties:
+ email:
+ description: Email is the email for this account
+ type: string
+ privateKeySecretRef:
+ description: PrivateKey is the name of a secret containing the private
+ key for this user account.
+ properties:
+ key:
+ description: The key of the secret to select from. Must be a
+ valid secret key.
+ type: string
+ name:
+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?'
+ type: string
+ required:
+ - name
+ type: object
+ server:
+ description: Server is the ACME server URL
+ type: string
+ skipTLSVerify:
+ description: If true, skip verifying the ACME server TLS certificate
+ type: boolean
+ solvers:
+ description: Solvers is a list of challenge solvers that will be
+ used to solve ACME challenges for the matching domains.
+ items:
+ properties:
+ selector:
+ description: Selector selects a set of DNSNames on the Certificate
+ resource that should be solved using this challenge solver.
+ properties:
+ dnsNames:
+ description: List of DNSNames that this solver will be
+ used to solve. If specified and a match is found, a
+ dnsNames selector will take precedence over a dnsZones
+ selector. If multiple solvers match with the same dnsNames
+ value, the solver with the most matching labels in matchLabels
+ will be selected. If neither has more matches, the solver
+ defined earlier in the list will be selected.
+ items:
+ type: string
+ type: array
+ dnsZones:
+ description: List of DNSZones that this solver will be
+ used to solve. The most specific DNS zone match specified
+ here will take precedence over other DNS zone matches,
+ so a solver specifying sys.example.com will be selected
+ over one specifying example.com for the domain www.sys.example.com.
+ If multiple solvers match with the same dnsZones value,
+ the solver with the most matching labels in matchLabels
+ will be selected. If neither has more matches, the solver
+ defined earlier in the list will be selected.
+ items:
+ type: string
+ type: array
+ matchLabels:
+ description: A label selector that is used to refine the
+ set of certificate's that this challenge solver will
+ apply to.
+ type: object
+ type: object
+ type: object
+ type: array
+ required:
+ - server
+ - privateKeySecretRef
+ type: object
+ ca:
+ properties:
+ secretName:
+ description: SecretName is the name of the secret used to sign Certificates
+ issued by this Issuer.
+ type: string
+ required:
+ - secretName
+ type: object
+ selfSigned:
+ type: object
+ vault:
+ properties:
+ auth:
+ description: Vault authentication
+ properties:
+ appRole:
+ description: This Secret contains a AppRole and Secret
+ properties:
+ path:
+ description: Where the authentication path is mounted in
+ Vault.
+ type: string
+ roleId:
+ type: string
+ secretRef:
+ properties:
+ key:
+ description: The key of the secret to select from. Must
+ be a valid secret key.
+ type: string
+ name:
+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?'
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - path
+ - roleId
+ - secretRef
+ type: object
+ tokenSecretRef:
+ description: This Secret contains the Vault token key
+ properties:
+ key:
+ description: The key of the secret to select from. Must
+ be a valid secret key.
+ type: string
+ name:
+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?'
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ caBundle:
+ description: Base64 encoded CA bundle to validate Vault server certificate.
+ Only used if the Server URL is using HTTPS protocol. This parameter
+ is ignored for plain HTTP protocol connection. If not set the
+ system root certificates are used to validate the TLS connection.
+ format: byte
+ type: string
+ path:
+ description: Vault URL path to the certificate role
+ type: string
+ server:
+ description: Server is the vault connection address
+ type: string
+ required:
+ - auth
+ - server
+ - path
+ type: object
+ venafi:
+ properties:
+ cloud:
+ description: Cloud specifies the Venafi cloud configuration settings.
+ Only one of TPP or Cloud may be specified.
+ properties:
+ apiTokenSecretRef:
+ description: APITokenSecretRef is a secret key selector for
+ the Venafi Cloud API token.
+ properties:
+ key:
+ description: The key of the secret to select from. Must
+ be a valid secret key.
+ type: string
+ name:
+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?'
+ type: string
+ required:
+ - name
+ type: object
+ url:
+ description: URL is the base URL for Venafi Cloud
+ type: string
+ required:
+ - url
+ - apiTokenSecretRef
+ type: object
+ tpp:
+ description: TPP specifies Trust Protection Platform configuration
+ settings. Only one of TPP or Cloud may be specified.
+ properties:
+ caBundle:
+ description: CABundle is a PEM encoded TLS certifiate to use
+ to verify connections to the TPP instance. If specified, system
+ roots will not be used and the issuing CA for the TPP instance
+ must be verifiable using the provided root. If not specified,
+ the connection will be verified using the cert-manager system
+ root certificates.
+ format: byte
+ type: string
+ credentialsRef:
+ description: CredentialsRef is a reference to a Secret containing
+ the username and password for the TPP server. The secret must
+ contain two keys, 'username' and 'password'.
+ properties:
+ name:
+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?'
+ type: string
+ required:
+ - name
+ type: object
+ url:
+ description: URL is the base URL for the Venafi TPP instance
+ type: string
+ required:
+ - url
+ - credentialsRef
+ type: object
+ zone:
+ description: Zone is the Venafi Policy Zone to use for this issuer.
+ All requests made to the Venafi platform will be restricted by
+ the named zone policy. This field is required.
+ type: string
+ required:
+ - zone
+ type: object
+ type: object
+ status:
+ properties:
+ acme:
+ properties:
+ lastRegisteredEmail:
+ description: LastRegisteredEmail is the email associated with the
+ latest registered ACME account, in order to track changes made
+ to registered account associated with the Issuer
+ type: string
+ uri:
+ description: URI is the unique account identifier, which can also
+ be used to retrieve account details from the CA
+ type: string
+ type: object
+ conditions:
+ items:
+ properties:
+ lastTransitionTime:
+ description: LastTransitionTime is the timestamp corresponding
+ to the last status change of this condition.
+ format: date-time
+ type: string
+ message:
+ description: Message is a human readable description of the details
+ of the last transition, complementing reason.
+ type: string
+ reason:
+ description: Reason is a brief machine readable explanation for
+ the condition's last transition.
+ type: string
+ status:
+ description: Status of the condition, one of ('True', 'False',
+ 'Unknown').
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: Type of the condition, currently ('Ready').
+ type: string
+ required:
+ - type
+ - status
+ type: object
+ type: array
+ type: object
+ version: v1alpha1
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ creationTimestamp: null
+ labels:
+ controller-tools.k8s.io: "1.0"
+ name: orders.certmanager.k8s.io
+spec:
+ additionalPrinterColumns:
+ - JSONPath: .status.state
+ name: State
+ type: string
+ - JSONPath: .spec.issuerRef.name
+ name: Issuer
+ priority: 1
+ type: string
+ - JSONPath: .status.reason
+ name: Reason
+ priority: 1
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ description: CreationTimestamp is a timestamp representing the server time when
+ this object was created. It is not guaranteed to be set in happens-before order
+ across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC.
+ name: Age
+ type: date
+ group: certmanager.k8s.io
+ names:
+ kind: Order
+ plural: orders
+ scope: Namespaced
+ validation:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ commonName:
+ description: CommonName is the common name as specified on the DER encoded
+ CSR. If CommonName is not specified, the first DNSName specified will
+ be used as the CommonName. At least one of CommonName or a DNSNames
+ must be set. This field must match the corresponding field on the
+ DER encoded CSR.
+ type: string
+ config:
+ description: 'Config specifies a mapping from DNS identifiers to how
+ those identifiers should be solved when performing ACME challenges.
+ A config entry must exist for each domain listed in DNSNames and CommonName.
+ Only **one** of ''config'' or ''solvers'' may be specified, and if
+ both are specified then no action will be performed on the Order resource. This
+ field will be removed when support for solver config specified on
+ the Certificate under certificate.spec.acme has been removed. DEPRECATED:
+ this field will be removed in future. Solver configuration must instead
+ be provided on ACME Issuer resources.'
+ items:
+ properties:
+ domains:
+ description: Domains is the list of domains that this SolverConfig
+ applies to.
+ items:
+ type: string
+ type: array
+ required:
+ - domains
+ type: object
+ type: array
+ csr:
+ description: Certificate signing request bytes in DER encoding. This
+ will be used when finalizing the order. This field must be set on
+ the order.
+ format: byte
+ type: string
+ dnsNames:
+ description: DNSNames is a list of DNS names that should be included
+ as part of the Order validation process. If CommonName is not specified,
+ the first DNSName specified will be used as the CommonName. At least
+ one of CommonName or a DNSNames must be set. This field must match
+ the corresponding field on the DER encoded CSR.
+ items:
+ type: string
+ type: array
+ issuerRef:
+ description: IssuerRef references a properly configured ACME-type Issuer
+ which should be used to create this Order. If the Issuer does not
+ exist, processing will be retried. If the Issuer is not an 'ACME'
+ Issuer, an error will be returned and the Order will be marked as
+ failed.
+ properties:
+ group:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - csr
+ - issuerRef
+ type: object
+ status:
+ properties:
+ certificate:
+ description: Certificate is a copy of the PEM encoded certificate for
+ this Order. This field will be populated after the order has been
+ successfully finalized with the ACME server, and the order has transitioned
+ to the 'valid' state.
+ format: byte
+ type: string
+ challenges:
+ description: Challenges is a list of ChallengeSpecs for Challenges that
+ must be created in order to complete this Order.
+ items:
+ properties:
+ authzURL:
+ description: AuthzURL is the URL to the ACME Authorization resource
+ that this challenge is a part of.
+ type: string
+ config:
+ description: 'Config specifies the solver configuration for this
+ challenge. Only **one** of ''config'' or ''solver'' may be specified,
+ and if both are specified then no action will be performed on
+ the Challenge resource. DEPRECATED: the ''solver'' field should
+ be specified instead'
+ type: object
+ dnsName:
+ description: DNSName is the identifier that this challenge is
+ for, e.g. example.com.
+ type: string
+ issuerRef:
+ description: IssuerRef references a properly configured ACME-type
+ Issuer which should be used to create this Challenge. If the
+ Issuer does not exist, processing will be retried. If the Issuer
+ is not an 'ACME' Issuer, an error will be returned and the Challenge
+ will be marked as failed.
+ properties:
+ group:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ key:
+ description: Key is the ACME challenge key for this challenge
+ type: string
+ solver:
+ description: Solver contains the domain solving configuration
+ that should be used to solve this challenge resource. Only **one**
+ of 'config' or 'solver' may be specified, and if both are specified
+ then no action will be performed on the Challenge resource.
+ properties:
+ selector:
+ description: Selector selects a set of DNSNames on the Certificate
+ resource that should be solved using this challenge solver.
+ properties:
+ dnsNames:
+ description: List of DNSNames that this solver will be
+ used to solve. If specified and a match is found, a
+ dnsNames selector will take precedence over a dnsZones
+ selector. If multiple solvers match with the same dnsNames
+ value, the solver with the most matching labels in matchLabels
+ will be selected. If neither has more matches, the solver
+ defined earlier in the list will be selected.
+ items:
+ type: string
+ type: array
+ dnsZones:
+ description: List of DNSZones that this solver will be
+ used to solve. The most specific DNS zone match specified
+ here will take precedence over other DNS zone matches,
+ so a solver specifying sys.example.com will be selected
+ over one specifying example.com for the domain www.sys.example.com.
+ If multiple solvers match with the same dnsZones value,
+ the solver with the most matching labels in matchLabels
+ will be selected. If neither has more matches, the solver
+ defined earlier in the list will be selected.
+ items:
+ type: string
+ type: array
+ matchLabels:
+ description: A label selector that is used to refine the
+ set of certificate's that this challenge solver will
+ apply to.
+ type: object
+ type: object
+ type: object
+ token:
+ description: Token is the ACME challenge token for this challenge.
+ type: string
+ type:
+ description: Type is the type of ACME challenge this resource
+ represents, e.g. "dns01" or "http01"
+ type: string
+ url:
+ description: URL is the URL of the ACME Challenge resource for
+ this challenge. This can be used to lookup details about the
+ status of this challenge.
+ type: string
+ wildcard:
+ description: Wildcard will be true if this challenge is for a
+ wildcard identifier, for example '*.example.com'
+ type: boolean
+ required:
+ - authzURL
+ - type
+ - url
+ - dnsName
+ - token
+ - key
+ - wildcard
+ - issuerRef
+ type: object
+ type: array
+ failureTime:
+ description: FailureTime stores the time that this order failed. This
+ is used to influence garbage collection and back-off.
+ format: date-time
+ type: string
+ finalizeURL:
+ description: FinalizeURL of the Order. This is used to obtain certificates
+ for this order once it has been completed.
+ type: string
+ reason:
+ description: Reason optionally provides more information about a why
+ the order is in the current state.
+ type: string
+ state:
+ description: State contains the current state of this Order resource.
+ States 'success' and 'expired' are 'final'
+ enum:
+ - ""
+ - valid
+ - ready
+ - pending
+ - processing
+ - invalid
+ - expired
+ - errored
+ type: string
+ url:
+ description: URL of the Order. This will initially be empty when the
+ resource is first created. The Order controller will populate this
+ field when the Order is first processed. This field will be immutable
+ after it is initially set.
+ type: string
+ type: object
+ required:
+ - metadata
+ - spec
+ - status
+ version: v1alpha1
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cert-manager
+ labels:
+ certmanager.k8s.io/disable-validation: "true"
+
+---
+---
+# Source: cert-manager/charts/cainjector/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: cert-manager-cainjector
+ namespace: "cert-manager"
+ labels:
+ app: cainjector
+ app.kubernetes.io/name: cainjector
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cainjector-v0.9.1
+
+---
+# Source: cert-manager/charts/webhook/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: cert-manager-webhook
+ namespace: "cert-manager"
+ labels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: webhook-v0.9.1
+
+---
+# Source: cert-manager/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: cert-manager
+ namespace: "cert-manager"
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.9.1
+
+---
+# Source: cert-manager/charts/cainjector/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
- name: cert-manager
+ name: cert-manager-cainjector
labels:
- app: cert-manager
+ app: cainjector
+ app.kubernetes.io/name: cainjector
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cainjector-v0.9.1
rules:
- apiGroups: ["certmanager.k8s.io"]
- resources: ["certificates", "issuers", "clusterissuers", "orders", "challenges"]
- verbs: ["*"]
+ resources: ["certificates"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
- apiGroups: [""]
- resources: ["configmaps", "secrets", "events", "services", "pods"]
- verbs: ["*"]
- - apiGroups: ["extensions"]
- resources: ["ingresses"]
- verbs: ["*"]
+ resources: ["configmaps", "events"]
+ verbs: ["get", "create", "update", "patch"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["apiregistration.k8s.io"]
+ resources: ["apiservices"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
- name: cert-manager
+ name: cert-manager-cainjector
+ labels:
+ app: cainjector
+ app.kubernetes.io/name: cainjector
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cainjector-v0.9.1
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager-cainjector
+subjects:
+ - name: cert-manager-cainjector
+ namespace: "cert-manager"
+ kind: ServiceAccount
+---
+# Source: cert-manager/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: cert-manager-leaderelection
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.9.1
+rules:
+ # Used for leader election by the controller
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "create", "update", "patch"]
+
+---
+
+# Issuer controller role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: cert-manager-controller-issuers
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.9.1
+rules:
+ - apiGroups: ["certmanager.k8s.io"]
+ resources: ["issuers", "issuers/status"]
+ verbs: ["update"]
+ - apiGroups: ["certmanager.k8s.io"]
+ resources: ["issuers"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch", "create", "update", "delete"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
+
+---
+
+# ClusterIssuer controller role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: cert-manager-controller-clusterissuers
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.9.1
+rules:
+ - apiGroups: ["certmanager.k8s.io"]
+ resources: ["clusterissuers", "clusterissuers/status"]
+ verbs: ["update"]
+ - apiGroups: ["certmanager.k8s.io"]
+ resources: ["clusterissuers"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch", "create", "update", "delete"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
+
+---
+
+# Certificates controller role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: cert-manager-controller-certificates
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.9.1
+rules:
+ - apiGroups: ["certmanager.k8s.io"]
+ resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
+ verbs: ["update"]
+ - apiGroups: ["certmanager.k8s.io"]
+ resources: ["certificates", "certificaterequests", "clusterissuers", "issuers", "orders"]
+ verbs: ["get", "list", "watch"]
+ # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+ # admission controller enabled:
+ # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+ - apiGroups: ["certmanager.k8s.io"]
+ resources: ["certificates/finalizers"]
+ verbs: ["update"]
+ - apiGroups: ["certmanager.k8s.io"]
+ resources: ["orders"]
+ verbs: ["create", "delete"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch", "create", "update", "delete"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
+
+---
+
+# Orders controller role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: cert-manager-controller-orders
labels:
app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.9.1
+rules:
+ - apiGroups: ["certmanager.k8s.io"]
+ resources: ["orders", "orders/status"]
+ verbs: ["update"]
+ - apiGroups: ["certmanager.k8s.io"]
+ resources: ["orders", "clusterissuers", "issuers", "challenges"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["certmanager.k8s.io"]
+ resources: ["challenges"]
+ verbs: ["create", "delete"]
+ # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+ # admission controller enabled:
+ # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+ - apiGroups: ["certmanager.k8s.io"]
+ resources: ["orders/finalizers"]
+ verbs: ["update"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
+
+---
+
+# Challenges controller role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: cert-manager-controller-challenges
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.9.1
+rules:
+ # Use to update challenge resource status
+ - apiGroups: ["certmanager.k8s.io"]
+ resources: ["challenges", "challenges/status"]
+ verbs: ["update"]
+ # Used to watch challenges, issuer and clusterissuer resources
+ - apiGroups: ["certmanager.k8s.io"]
+ resources: ["challenges", "issuers", "clusterissuers"]
+ verbs: ["get", "list", "watch"]
+ # Need to be able to retrieve ACME account private key to complete challenges
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
+ # Used to create events
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
+ # HTTP01 rules
+ - apiGroups: [""]
+ resources: ["pods", "services"]
+ verbs: ["get", "list", "watch", "create", "delete"]
+ - apiGroups: ["extensions"]
+ resources: ["ingresses"]
+ verbs: ["get", "list", "watch", "create", "delete", "update"]
+ # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+ # admission controller enabled:
+ # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+ - apiGroups: ["certmanager.k8s.io"]
+ resources: ["challenges/finalizers"]
+ verbs: ["update"]
+ # DNS01 rules (duplicated above)
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
+
+---
+
+# ingress-shim controller role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: cert-manager-controller-ingress-shim
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.9.1
+rules:
+ - apiGroups: ["certmanager.k8s.io"]
+ resources: ["certificates", "certificaterequests"]
+ verbs: ["create", "update", "delete"]
+ - apiGroups: ["certmanager.k8s.io"]
+ resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["extensions"]
+ resources: ["ingresses"]
+ verbs: ["get", "list", "watch"]
+ # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+ # admission controller enabled:
+ # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+ - apiGroups: ["extensions"]
+ resources: ["ingresses/finalizers"]
+ verbs: ["update"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-leaderelection
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.9.1
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager-leaderelection
+subjects:
+ - name: cert-manager
+ namespace: "cert-manager"
+ kind: ServiceAccount
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-controller-issuers
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.9.1
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager-controller-issuers
+subjects:
+ - name: cert-manager
+ namespace: "cert-manager"
+ kind: ServiceAccount
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-controller-clusterissuers
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.9.1
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager-controller-clusterissuers
+subjects:
+ - name: cert-manager
+ namespace: "cert-manager"
+ kind: ServiceAccount
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-controller-certificates
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.9.1
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: cert-manager
+ name: cert-manager-controller-certificates
+subjects:
+ - name: cert-manager
+ namespace: "cert-manager"
+ kind: ServiceAccount
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-controller-orders
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.9.1
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager-controller-orders
+subjects:
+ - name: cert-manager
+ namespace: "cert-manager"
+ kind: ServiceAccount
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-controller-challenges
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.9.1
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager-controller-challenges
+subjects:
+ - name: cert-manager
+ namespace: "cert-manager"
+ kind: ServiceAccount
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-controller-ingress-shim
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.9.1
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager-controller-ingress-shim
subjects:
- name: cert-manager
- namespace: kube-system
+ namespace: "cert-manager"
kind: ServiceAccount
+
---
-apiVersion: apps/v1beta1
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cert-manager-view
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.9.1
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+ - apiGroups: ["certmanager.k8s.io"]
+ resources: ["certificates", "certificaterequests", "issuers"]
+ verbs: ["get", "list", "watch"]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cert-manager-edit
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.9.1
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+ - apiGroups: ["certmanager.k8s.io"]
+ resources: ["certificates", "certificaterequests", "issuers"]
+ verbs: ["create", "delete", "deletecollection", "patch", "update"]
+
+---
+# Source: cert-manager/charts/webhook/templates/rbac.yaml
+### Webhook ###
+---
+# apiserver gets the auth-delegator role to delegate auth decisions to
+# the core apiserver
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-webhook:auth-delegator
+ labels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: webhook-v0.9.1
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+- apiGroup: ""
+ kind: ServiceAccount
+ name: cert-manager-webhook
+ namespace: cert-manager
+
+---
+
+# apiserver gets the ability to read authentication. This allows it to
+# read the specific configmap that has the requestheader-* entries to
+# api agg
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: cert-manager-webhook:webhook-authentication-reader
+ namespace: kube-system
+ labels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: webhook-v0.9.1
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+- apiGroup: ""
+ kind: ServiceAccount
+ name: cert-manager-webhook
+ namespace: cert-manager
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cert-manager-webhook:webhook-requester
+ labels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: webhook-v0.9.1
+rules:
+- apiGroups:
+ - admission.certmanager.k8s.io
+ resources:
+ - certificates
+ - certificaterequests
+ - issuers
+ - clusterissuers
+ verbs:
+ - create
+
+---
+# Source: cert-manager/charts/webhook/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: cert-manager-webhook
+ namespace: "cert-manager"
+ labels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: webhook-v0.9.1
+spec:
+ type: ClusterIP
+ ports:
+ - name: https
+ port: 443
+ targetPort: 6443
+ selector:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+
+---
+# Source: cert-manager/charts/cainjector/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cert-manager-cainjector
+ namespace: "cert-manager"
+ labels:
+ app: cainjector
+ app.kubernetes.io/name: cainjector
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cainjector-v0.9.1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: cainjector
+ app.kubernetes.io/name: cainjector
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ template:
+ metadata:
+ labels:
+ app: cainjector
+ app.kubernetes.io/name: cainjector
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cainjector-v0.9.1
+ annotations:
+ spec:
+ serviceAccountName: cert-manager-cainjector
+ containers:
+ - name: cainjector
+ image: "quay.io/jetstack/cert-manager-cainjector:v0.9.1"
+ imagePullPolicy: IfNotPresent
+ args:
+ - --v=2
+ - --leader-election-namespace=$(POD_NAMESPACE)
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ resources:
+ {}
+
+
+---
+# Source: cert-manager/charts/webhook/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cert-manager-webhook
+ namespace: "cert-manager"
+ labels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: webhook-v0.9.1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ template:
+ metadata:
+ labels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: webhook-v0.9.1
+ annotations:
+ spec:
+ serviceAccountName: cert-manager-webhook
+ containers:
+ - name: webhook
+ image: "quay.io/jetstack/cert-manager-webhook:v0.9.1"
+ imagePullPolicy: IfNotPresent
+ args:
+ - --v=2
+ - --secure-port=6443
+ - --tls-cert-file=/certs/tls.crt
+ - --tls-private-key-file=/certs/tls.key
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ resources:
+ {}
+
+ volumeMounts:
+ - name: certs
+ mountPath: /certs
+ volumes:
+ - name: certs
+ secret:
+ secretName: cert-manager-webhook-webhook-tls
+
+---
+# Source: cert-manager/templates/deployment.yaml
+apiVersion: apps/v1
kind: Deployment
metadata:
name: cert-manager
- namespace: kube-system
+ namespace: "cert-manager"
labels:
app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.9.1
spec:
replicas: 1
selector:
matchLabels:
app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
template:
metadata:
labels:
app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: cert-manager-v0.9.1
+ annotations:
+ prometheus.io/path: "/metrics"
+ prometheus.io/scrape: 'true'
+ prometheus.io/port: '9402'
spec:
serviceAccountName: cert-manager
containers:
- name: cert-manager
- image: "quay.io/jetstack/cert-manager-controller:v0.5.0"
+ image: "quay.io/jetstack/cert-manager-controller:v0.9.1"
imagePullPolicy: IfNotPresent
args:
- - --cluster-resource-namespace=$(POD_NAMESPACE)
- - --leader-election-namespace=$(POD_NAMESPACE)
+ - --v=2
+ - --cluster-resource-namespace=$(POD_NAMESPACE)
+ - --leader-election-namespace=$(POD_NAMESPACE)
+ ports:
+ - containerPort: 9402
env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
resources:
requests:
cpu: 10m
memory: 32Mi
+
+
+---
+# Source: cert-manager/charts/webhook/templates/apiservice.yaml
+apiVersion: apiregistration.k8s.io/v1beta1
+kind: APIService
+metadata:
+ name: v1beta1.admission.certmanager.k8s.io
+ labels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: webhook-v0.9.1
+ annotations:
+ certmanager.k8s.io/inject-ca-from: "cert-manager/cert-manager-webhook-webhook-tls"
+spec:
+ group: admission.certmanager.k8s.io
+ groupPriorityMinimum: 1000
+ versionPriority: 15
+ service:
+ name: cert-manager-webhook
+ namespace: "cert-manager"
+ version: v1beta1
+
+---
+# Source: cert-manager/charts/webhook/templates/pki.yaml
+---
+# Create a selfsigned Issuer, in order to create a root CA certificate for
+# signing webhook serving certificates
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Issuer
+metadata:
+ name: cert-manager-webhook-selfsign
+ namespace: "cert-manager"
+ labels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: webhook-v0.9.1
+spec:
+ selfSigned: {}
+
+---
+
+# Generate a CA Certificate used to sign certificates for the webhook
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+ name: cert-manager-webhook-ca
+ namespace: "cert-manager"
+ labels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: webhook-v0.9.1
+spec:
+ secretName: cert-manager-webhook-ca
+ duration: 43800h # 5y
+ issuerRef:
+ name: cert-manager-webhook-selfsign
+ commonName: "ca.webhook.cert-manager"
+ isCA: true
+
+---
+
+# Create an Issuer that uses the above generated CA certificate to issue certs
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Issuer
+metadata:
+ name: cert-manager-webhook-ca
+ namespace: "cert-manager"
+ labels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: webhook-v0.9.1
+spec:
+ ca:
+ secretName: cert-manager-webhook-ca
+
---
+# Finally, generate a serving certificate for the webhook to use
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+ name: cert-manager-webhook-webhook-tls
+ namespace: "cert-manager"
+ labels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: webhook-v0.9.1
+spec:
+ secretName: cert-manager-webhook-webhook-tls
+ duration: 8760h # 1y
+ issuerRef:
+ name: cert-manager-webhook-ca
+ dnsNames:
+ - cert-manager-webhook
+ - cert-manager-webhook.cert-manager
+ - cert-manager-webhook.cert-manager.svc
+
+---
+# Source: cert-manager/templates/servicemonitor.yaml
+
+
+---
+# Source: cert-manager/charts/webhook/templates/validating-webhook.yaml
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: cert-manager-webhook
+ labels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Tiller
+ helm.sh/chart: webhook-v0.9.1
+ annotations:
+ certmanager.k8s.io/inject-apiserver-ca: "true"
+webhooks:
+ - name: certificates.admission.certmanager.k8s.io
+ namespaceSelector:
+ matchExpressions:
+ - key: "certmanager.k8s.io/disable-validation"
+ operator: "NotIn"
+ values:
+ - "true"
+ - key: "name"
+ operator: "NotIn"
+ values:
+ - cert-manager
+ rules:
+ - apiGroups:
+ - "certmanager.k8s.io"
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - certificates
+ failurePolicy: Fail
+ clientConfig:
+ service:
+ name: kubernetes
+ namespace: default
+ path: /apis/admission.certmanager.k8s.io/v1beta1/certificates
+ - name: issuers.admission.certmanager.k8s.io
+ namespaceSelector:
+ matchExpressions:
+ - key: "certmanager.k8s.io/disable-validation"
+ operator: "NotIn"
+ values:
+ - "true"
+ - key: "name"
+ operator: "NotIn"
+ values:
+ - cert-manager
+ rules:
+ - apiGroups:
+ - "certmanager.k8s.io"
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - issuers
+ failurePolicy: Fail
+ clientConfig:
+ service:
+ name: kubernetes
+ namespace: default
+ path: /apis/admission.certmanager.k8s.io/v1beta1/issuers
+ - name: clusterissuers.admission.certmanager.k8s.io
+ namespaceSelector:
+ matchExpressions:
+ - key: "certmanager.k8s.io/disable-validation"
+ operator: "NotIn"
+ values:
+ - "true"
+ - key: "name"
+ operator: "NotIn"
+ values:
+ - cert-manager
+ rules:
+ - apiGroups:
+ - "certmanager.k8s.io"
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - clusterissuers
+ failurePolicy: Fail
+ clientConfig:
+ service:
+ name: kubernetes
+ namespace: default
+ path: /apis/admission.certmanager.k8s.io/v1beta1/clusterissuers
+