--- a/10-cert-manager/cert-manager.yaml Wed Jun 16 03:24:23 2021 -0500
+++ b/10-cert-manager/cert-manager.yaml Wed Jun 16 03:25:35 2021 -0500
@@ -48,12 +48,20 @@
- additionalPrinterColumns:
+ - jsonPath: .status.conditions[?(@.type=="Approved")].status + - jsonPath: .status.conditions[?(@.type=="Denied")].status - jsonPath: .status.conditions[?(@.type=="Ready")].status
- jsonPath: .spec.issuerRef.name
+ - jsonPath: .spec.username - jsonPath: .status.conditions[?(@.type=="Ready")].message
@@ -100,6 +108,23 @@
description: The requested 'duration' (i.e. lifetime) of the Certificate.
This option may be ignored/overridden by some issuer types.
+ description: Extra contains extra attributes of the user that created + the CertificateRequest. Populated by the cert-manager webhook on + creation and immutable. + description: Groups contains group membership of the user that created + the CertificateRequest. Populated by the cert-manager webhook on + creation and immutable. + x-kubernetes-list-type: atomic description: IsCA will request to mark the certificate as valid for
certificate signing when submitting to the issuer. This will automatically
@@ -127,6 +152,10 @@
+ description: UID contains the uid of the user that created the CertificateRequest. + Populated by the cert-manager webhook on creation and immutable. description: Usages is the set of x509 usages that are requested for
the certificate. Defaults to `digital signature` and `key encipherment`
@@ -167,6 +196,11 @@
+ description: Username contains the name of the user that created the + CertificateRequest. Populated by the cert-manager webhook on creation @@ -219,7 +253,7 @@
description: Type of the condition, known values are (`Ready`,
+ `InvalidRequest`, `Approved`, `Denied`). @@ -238,12 +272,20 @@
- additionalPrinterColumns:
+ - jsonPath: .status.conditions[?(@.type=="Approved")].status + - jsonPath: .status.conditions[?(@.type=="Denied")].status - jsonPath: .status.conditions[?(@.type=="Ready")].status
- jsonPath: .spec.issuerRef.name
+ - jsonPath: .spec.username - jsonPath: .status.conditions[?(@.type=="Ready")].message
@@ -290,6 +332,23 @@
description: The requested 'duration' (i.e. lifetime) of the Certificate.
This option may be ignored/overridden by some issuer types.
+ description: Extra contains extra attributes of the user that created + the CertificateRequest. Populated by the cert-manager webhook on + creation and immutable. + description: Groups contains group membership of the user that created + the CertificateRequest. Populated by the cert-manager webhook on + creation and immutable. + x-kubernetes-list-type: atomic description: IsCA will request to mark the certificate as valid for
certificate signing when submitting to the issuer. This will automatically
@@ -317,6 +376,10 @@
+ description: UID contains the uid of the user that created the CertificateRequest. + Populated by the cert-manager webhook on creation and immutable. description: Usages is the set of x509 usages that are requested for
the certificate. Defaults to `digital signature` and `key encipherment`
@@ -357,6 +420,11 @@
+ description: Username contains the name of the user that created the + CertificateRequest. Populated by the cert-manager webhook on creation @@ -409,7 +477,7 @@
description: Type of the condition, known values are (`Ready`,
+ `InvalidRequest`, `Approved`, `Denied`). @@ -428,12 +496,20 @@
- additionalPrinterColumns:
+ - jsonPath: .status.conditions[?(@.type=="Approved")].status + - jsonPath: .status.conditions[?(@.type=="Denied")].status - jsonPath: .status.conditions[?(@.type=="Ready")].status
- jsonPath: .spec.issuerRef.name
+ - jsonPath: .spec.username - jsonPath: .status.conditions[?(@.type=="Ready")].message
@@ -475,6 +551,23 @@
description: The requested 'duration' (i.e. lifetime) of the Certificate.
This option may be ignored/overridden by some issuer types.
+ description: Extra contains extra attributes of the user that created + the CertificateRequest. Populated by the cert-manager webhook on + creation and immutable. + description: Groups contains group membership of the user that created + the CertificateRequest. Populated by the cert-manager webhook on + creation and immutable. + x-kubernetes-list-type: atomic description: IsCA will request to mark the certificate as valid for
certificate signing when submitting to the issuer. This will automatically
@@ -507,6 +600,10 @@
submitted to the CA for signing.
+ description: UID contains the uid of the user that created the CertificateRequest. + Populated by the cert-manager webhook on creation and immutable. description: Usages is the set of x509 usages that are requested for
the certificate. Defaults to `digital signature` and `key encipherment`
@@ -547,6 +644,11 @@
+ description: Username contains the name of the user that created the + CertificateRequest. Populated by the cert-manager webhook on creation @@ -599,7 +701,7 @@
description: Type of the condition, known values are (`Ready`,
+ `InvalidRequest`, `Approved`, `Denied`). @@ -620,12 +722,20 @@
- additionalPrinterColumns:
+ - jsonPath: .status.conditions[?(@.type=="Approved")].status + - jsonPath: .status.conditions[?(@.type=="Denied")].status - jsonPath: .status.conditions[?(@.type=="Ready")].status
- jsonPath: .spec.issuerRef.name
+ - jsonPath: .spec.username - jsonPath: .status.conditions[?(@.type=="Ready")].message
@@ -667,6 +777,23 @@
description: The requested 'duration' (i.e. lifetime) of the Certificate.
This option may be ignored/overridden by some issuer types.
+ description: Extra contains extra attributes of the user that created + the CertificateRequest. Populated by the cert-manager webhook on + creation and immutable. + description: Groups contains group membership of the user that created + the CertificateRequest. Populated by the cert-manager webhook on + creation and immutable. + x-kubernetes-list-type: atomic description: IsCA will request to mark the certificate as valid for
certificate signing when submitting to the issuer. This will automatically
@@ -699,6 +826,10 @@
submitted to the CA for signing.
+ description: UID contains the uid of the user that created the CertificateRequest. + Populated by the cert-manager webhook on creation and immutable. description: Usages is the set of x509 usages that are requested for
the certificate. If usages are set they SHOULD be encoded inside
@@ -740,6 +871,11 @@
+ description: Username contains the name of the user that created the + CertificateRequest. Populated by the cert-manager webhook on creation @@ -792,7 +928,7 @@
description: Type of the condition, known values are (`Ready`,
+ `InvalidRequest`, `Approved`, `Denied`). @@ -1084,6 +1220,17 @@
of the certificate (i.e. notAfter - notBefore), it will be automatically
renewed 2/3rds of the way through the certificate's duration.
+ description: revisionHistoryLimit is the maximum number of CertificateRequest + revisions that are maintained in the Certificate's history. Each + revision represents a single `CertificateRequest` created by this + Certificate, either when it was created, renewed, or Spec was changed. + Revisions will be removed by oldest first if the number of revisions + exceeds this number. If set, revisionHistoryLimit must be a value + of `1` or greater. If unset (`nil`), revisions will not be garbage + collected. Default value is `nil`. description: SecretName is the name of the secret resource that will
be automatically created and managed by this Certificate resource.
@@ -1196,6 +1343,14 @@
description: Message is a human readable description of the
details of the last transition, complementing reason.
+ description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the Certificate. description: Reason is a brief machine readable explanation
for the condition's last transition.
@@ -1494,6 +1649,17 @@
of the certificate (i.e. notAfter - notBefore), it will be automatically
renewed 2/3rds of the way through the certificate's duration.
+ description: revisionHistoryLimit is the maximum number of CertificateRequest + revisions that are maintained in the Certificate's history. Each + revision represents a single `CertificateRequest` created by this + Certificate, either when it was created, renewed, or Spec was changed. + Revisions will be removed by oldest first if the number of revisions + exceeds this number. If set, revisionHistoryLimit must be a value + of `1` or greater. If unset (`nil`), revisions will not be garbage + collected. Default value is `nil`. description: SecretName is the name of the secret resource that will
be automatically created and managed by this Certificate resource.
@@ -1611,6 +1777,14 @@
description: Message is a human readable description of the
details of the last transition, complementing reason.
+ description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the Certificate. description: Reason is a brief machine readable explanation
for the condition's last transition.
@@ -1903,6 +2077,17 @@
of the certificate (i.e. notAfter - notBefore), it will be automatically
renewed 2/3rds of the way through the certificate's duration.
+ description: revisionHistoryLimit is the maximum number of CertificateRequest + revisions that are maintained in the Certificate's history. Each + revision represents a single `CertificateRequest` created by this + Certificate, either when it was created, renewed, or Spec was changed. + Revisions will be removed by oldest first if the number of revisions + exceeds this number. If set, revisionHistoryLimit must be a value + of `1` or greater. If unset (`nil`), revisions will not be garbage + collected. Default value is `nil`. description: SecretName is the name of the secret resource that will
be automatically created and managed by this Certificate resource.
@@ -2020,6 +2205,14 @@
description: Message is a human readable description of the
details of the last transition, complementing reason.
+ description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the Certificate. description: Reason is a brief machine readable explanation
for the condition's last transition.
@@ -2149,10 +2342,10 @@
description: The requested 'duration' (i.e. lifetime) of the Certificate.
- This option may be ignored/overridden by some issuer types. If overridden
- and `renewBefore` is greater than the actual certificate duration,
- the certificate will be automatically renewed 2/3rds of the way
- through the certificate's duration.
+ This option may be ignored/overridden by some issuer types. If unset + this defaults to 90 days. If overridden and `renewBefore` is greater + than the actual certificate duration, the certificate will be automatically + renewed 2/3rds of the way through the certificate's duration. description: EmailAddresses is a list of email subjectAltNames to
@@ -2316,10 +2509,22 @@
description: The amount of time before the currently issued certificate's
`notAfter` time that cert-manager will begin to attempt to renew
- the certificate. If this value is greater than the total duration
- of the certificate (i.e. notAfter - notBefore), it will be automatically
- renewed 2/3rds of the way through the certificate's duration.
+ the certificate. If unset this defaults to 30 days. If this value + is greater than the total duration of the certificate (i.e. notAfter + - notBefore), it will be automatically renewed 2/3rds of the way + through the certificate's duration. + description: revisionHistoryLimit is the maximum number of CertificateRequest + revisions that are maintained in the Certificate's history. Each + revision represents a single `CertificateRequest` created by this + Certificate, either when it was created, renewed, or Spec was changed. + Revisions will be removed by oldest first if the number of revisions + exceeds this number. If set, revisionHistoryLimit must be a value + of `1` or greater. If unset (`nil`), revisions will not be garbage + collected. Default value is `nil`. description: SecretName is the name of the secret resource that will
be automatically created and managed by this Certificate resource.
@@ -2437,6 +2642,14 @@
description: Message is a human readable description of the
details of the last transition, complementing reason.
+ description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the Certificate. description: Reason is a brief machine readable explanation
for the condition's last transition.
@@ -10275,7 +10488,7 @@
description: The OCSP server list is an X.509 v3 extension that
defines a list of URLs of OCSP responders. The OCSP responders
can be queried for the revocation status of an issued certificate.
- If not set, the certificate wil be issued with no OCSP servers
+ If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
@@ -10536,6 +10749,14 @@
description: Message is a human readable description of the
details of the last transition, complementing reason.
+ description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current description: Reason is a brief machine readable explanation
for the condition's last transition.
@@ -12263,7 +12484,7 @@
description: The OCSP server list is an X.509 v3 extension that
defines a list of URLs of OCSP responders. The OCSP responders
can be queried for the revocation status of an issued certificate.
- If not set, the certificate wil be issued with no OCSP servers
+ If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
@@ -12524,6 +12745,14 @@
description: Message is a human readable description of the
details of the last transition, complementing reason.
+ description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current description: Reason is a brief machine readable explanation
for the condition's last transition.
@@ -14251,7 +14480,7 @@
description: The OCSP server list is an X.509 v3 extension that
defines a list of URLs of OCSP responders. The OCSP responders
can be queried for the revocation status of an issued certificate.
- If not set, the certificate wil be issued with no OCSP servers
+ If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
@@ -14512,6 +14741,14 @@
description: Message is a human readable description of the
details of the last transition, complementing reason.
+ description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current description: Reason is a brief machine readable explanation
for the condition's last transition.
@@ -16241,7 +16478,7 @@
description: The OCSP server list is an X.509 v3 extension that
defines a list of URLs of OCSP responders. The OCSP responders
can be queried for the revocation status of an issued certificate.
- If not set, the certificate wil be issued with no OCSP servers
+ If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
@@ -16502,6 +16739,14 @@
description: Message is a human readable description of the
details of the last transition, complementing reason.
+ description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current description: Reason is a brief machine readable explanation
for the condition's last transition.
@@ -18269,7 +18514,7 @@
description: The OCSP server list is an X.509 v3 extension that
defines a list of URLs of OCSP responders. The OCSP responders
can be queried for the revocation status of an issued certificate.
- If not set, the certificate wil be issued with no OCSP servers
+ If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
@@ -18530,6 +18775,14 @@
description: Message is a human readable description of the
details of the last transition, complementing reason.
+ description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current description: Reason is a brief machine readable explanation
for the condition's last transition.
@@ -20256,7 +20509,7 @@
description: The OCSP server list is an X.509 v3 extension that
defines a list of URLs of OCSP responders. The OCSP responders
can be queried for the revocation status of an issued certificate.
- If not set, the certificate wil be issued with no OCSP servers
+ If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
@@ -20517,6 +20770,14 @@
description: Message is a human readable description of the
details of the last transition, complementing reason.
+ description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current description: Reason is a brief machine readable explanation
for the condition's last transition.
@@ -22243,7 +22504,7 @@
description: The OCSP server list is an X.509 v3 extension that
defines a list of URLs of OCSP responders. The OCSP responders
can be queried for the revocation status of an issued certificate.
- If not set, the certificate wil be issued with no OCSP servers
+ If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
@@ -22504,6 +22765,14 @@
description: Message is a human readable description of the
details of the last transition, complementing reason.
+ description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current description: Reason is a brief machine readable explanation
for the condition's last transition.
@@ -24232,7 +24501,7 @@
description: The OCSP server list is an X.509 v3 extension that
defines a list of URLs of OCSP responders. The OCSP responders
can be queried for the revocation status of an issued certificate.
- If not set, the certificate wil be issued with no OCSP servers
+ If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
@@ -24493,6 +24762,14 @@
description: Message is a human readable description of the
details of the last transition, complementing reason.
+ description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current description: Reason is a brief machine readable explanation
for the condition's last transition.
@@ -25452,6 +25729,7 @@
+automountServiceAccountToken: true
@@ -25463,6 +25741,7 @@
+automountServiceAccountToken: true
@@ -25474,6 +25753,7 @@
+automountServiceAccountToken: true
@@ -25982,9 +26262,48 @@
+apiVersion: rbac.authorization.k8s.io/v1
+ app.kubernetes.io/component: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/name: cert-manager
+ name: cert-manager-controller-approve:cert-manager-io
+ - issuers.cert-manager.io/*
+ - clusterissuers.cert-manager.io/*
+apiVersion: rbac.authorization.k8s.io/v1
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/name: webhook
+ name: cert-manager-webhook:subjectaccessreviews
 apiVersion: rbac.authorization.k8s.io/v1
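Review bot: The new ClusterRole `cert-manager-controller-approve:cert-manager-io` lists `issuers.cert-manager.io/*` and `clusterissuers.cert-manager.io/*`, and nothing next to it records what that wildcard grants. The rule's verbs and resources are not visible in this hunk, but from the role name and the `Approved`/`Denied` conditions added earlier in the diff it presumably lets the controller approve CertificateRequests for every Issuer and ClusterIssuer in the cert-manager.io group, and the next hunk binds it cluster-wide. I would add a comment above the role such as `# Approval for all cert-manager.io issuers is granted to the controller here; narrow these resourceNames if requests must pass an approval policy first.` The same applies to `cert-manager-webhook:subjectaccessreviews`, whose rule is also outside the visible lines: confirm it carries only what the webhook needs to run access reviews.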
@@ -26113,6 +26432,43 @@
apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+ app.kubernetes.io/component: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/name: cert-manager
+ name: cert-manager-controller-approve:cert-manager-io
+ apiGroup: rbac.authorization.k8s.io
+ name: cert-manager-controller-approve:cert-manager-io
+ namespace: cert-manager
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/name: webhook
+ name: cert-manager-webhook:subjectaccessreviews
+ apiGroup: rbac.authorization.k8s.io
+ name: cert-manager-webhook:subjectaccessreviews
+ name: cert-manager-webhook
+ namespace: cert-manager
+apiVersion: rbac.authorization.k8s.io/v1
@@ -26333,7 +26689,7 @@
fieldPath: metadata.namespace
- image: quay.io/jetstack/cert-manager-cainjector:v1.2.0
+ image: quay.io/jetstack/cert-manager-cainjector:v1.3.1
 imagePullPolicy: IfNotPresent
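Review bot: The three image references updated in this and the following two hunks are pinned by tag only (`:v1.3.1`), and with `imagePullPolicy: IfNotPresent` a node keeps whatever content it first pulled under that tag. A tag can be re-pointed in the registry, so nodes can end up running different bytes under the same name and the manifest gives no way to tell. Pinning the digest closes that, e.g. `image: quay.io/jetstack/cert-manager-cainjector:v1.3.1@sha256:<digest-of-verified-v1.3.1-image>` (placeholder; take the digest from the release you verified), and likewise for the controller and webhook images. If this file is kept byte-identical to the upstream release manifest, the pin can live in an overlay instead.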
@@ -26378,7 +26734,7 @@
fieldPath: metadata.namespace
- image: quay.io/jetstack/cert-manager-controller:v1.2.0
+ image: quay.io/jetstack/cert-manager-controller:v1.3.1
 imagePullPolicy: IfNotPresent
@@ -26424,7 +26780,7 @@
fieldPath: metadata.namespace
- image: quay.io/jetstack/cert-manager-webhook:v1.2.0
+ image: quay.io/jetstack/cert-manager-webhook:v1.3.1
 imagePullPolicy: IfNotPresent