cluster/cert-manager: update to v1.5.0

Change-Id: I7a4cdadc9956141292302bc004d09d6e9e22855e
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1497
Reviewed-by: informatic <informatic@hackerspace.pl>
changes/97/1497/6
q3k 2023-03-31 22:40:09 +00:00 committed by q3k
parent 926252c871
commit 3dd3ff5dcd
3 changed files with 16647 additions and 556 deletions


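--- /dev/null
+++ b/cert-manager-rbac.libsonnet
@@ -0,0 +1,470 @@
+local kube = import "../../../kube/kube.libsonnet";
+{
+local top = self,
+crs: {
+cainjector: kube.ClusterRole("cert-manager-cainjector") {
+rules: [
+{
+apiGroups: ["cert-manager.io"],
+resources: ["certificates"],
+verbs: ["get", "list", "watch"],
+},
+{
+apiGroups: [""],
+resources: ["secrets"],
+verbs: ["get", "list", "watch"],
+},
+{
+apiGroups: [""],
+resources: ["events"],
+verbs: ["get", "create", "update", "patch"],
+},
+{
+apiGroups: ["admissionregistration.k8s.io"],
+resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"],
+verbs: ["get", "list", "watch", "update"],
+},
+{
+apiGroups: ["apiregistration.k8s.io"],
+resources: ["apiservices"],
+verbs: ["get", "list", "watch", "update"],
+},
+{
+apiGroups: ["apiextensions.k8s.io"],
+resources: ["customresourcedefinitions"],
+verbs: ["get", "list", "watch", "update"],
+},
+{
+apiGroups: ["auditregistration.k8s.io"],
+resources: ["auditsinks"],
+verbs: ["get", "list", "watch", "update"],
+},
+],
+},
+controllerIssuers: kube.ClusterRole("cert-manager-controller-issuers") {
+rules: [
+{
+apiGroups: ["cert-manager.io"],
+resources: ["issuers", "issuers/status"],
+verbs: ["update"],
+},
+{
+apiGroups: ["cert-manager.io"],
+resources: ["issuers"],
+verbs: ["get", "list", "watch"],
+},
+{
+apiGroups: [""],
+resources: ["secrets"],
+verbs: ["get", "list", "watch", "create", "update", "delete"],
+},
+{
+apiGroups: [""],
+resources: ["events"],
+verbs: ["create", "patch"],
+},
+],
+},
+controllerClusterissuers: kube.ClusterRole("cert-manager-controller-clusterissuers") {
+rules: [
+{
+apiGroups: ["cert-manager.io"],
+resources: ["clusterissuers", "clusterissuers/status"],
+verbs: ["update"],
+},
+{
+apiGroups: ["cert-manager.io"],
+resources: ["clusterissuers"],
+verbs: ["get", "list", "watch"],
+},
+{
+apiGroups: [""],
+resources: ["secrets"],
+verbs: ["get", "list", "watch", "create", "update", "delete"],
+},
+{
+apiGroups: [""],
+resources: ["events"],
+verbs: ["create", "patch"],
+},
+],
+},
+controllerCertificates: kube.ClusterRole("cert-manager-controller-certificates") {
+rules: [
+{
+apiGroups: ["cert-manager.io"],
+resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"],
+verbs: ["update"],
+},
+{
+apiGroups: ["cert-manager.io"],
+resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"],
+verbs: ["get", "list", "watch"],
+},
+{
+apiGroups: ["cert-manager.io"],
+resources: ["certificates/finalizers", "certificaterequests/finalizers"],
+verbs: ["update"],
+},
+{
+apiGroups: ["acme.cert-manager.io"],
+resources: ["orders"],
+verbs: ["create", "delete", "get", "list", "watch"],
+},
+{
+apiGroups: [""],
+resources: ["secrets"],
+verbs: ["get", "list", "watch", "create", "update", "delete"],
+},
+{
+apiGroups: [""],
+resources: ["events"],
+verbs: ["create", "patch"],
+},
+],
+},
+controllerOrders: kube.ClusterRole("cert-manager-controller-orders") {
+rules: [
+{
+apiGroups: ["acme.cert-manager.io"],
+resources: ["orders", "orders/status"],
+verbs: ["update"],
+},
+{
+apiGroups: ["acme.cert-manager.io"],
+resources: ["orders", "challenges"],
+verbs: ["get", "list", "watch"],
+},
+{
+apiGroups: ["cert-manager.io"],
+resources: ["clusterissuers", "issuers"],
+verbs: ["get", "list", "watch"],
+},
+{
+apiGroups: ["acme.cert-manager.io"],
+resources: ["challenges"],
+verbs: ["create", "delete"],
+},
+{
+apiGroups: ["acme.cert-manager.io"],
+resources: ["orders/finalizers"],
+verbs: ["update"],
+},
+{
+apiGroups: [""],
+resources: ["secrets"],
+verbs: ["get", "list", "watch"],
+},
+{
+apiGroups: [""],
+resources: ["events"],
+verbs: ["create", "patch"],
+},
+],
+},
+controllerChallenges: kube.ClusterRole("cert-manager-controller-challenges") {
+rules: [
+{
+apiGroups: ["acme.cert-manager.io"],
+resources: ["challenges", "challenges/status"],
+verbs: ["update"],
+},
+{
+apiGroups: ["acme.cert-manager.io"],
+resources: ["challenges"],
+verbs: ["get", "list", "watch"],
+},
+{
+apiGroups: ["cert-manager.io"],
+resources: ["issuers", "clusterissuers"],
+verbs: ["get", "list", "watch"],
+},
+{
+apiGroups: [""],
+resources: ["secrets"],
+verbs: ["get", "list", "watch"],
+},
+{
+apiGroups: [""],
+resources: ["events"],
+verbs: ["create", "patch"],
+},
+{
+apiGroups: [""],
+resources: ["pods", "services"],
+verbs: ["get", "list", "watch", "create", "delete"],
+},
+{
+apiGroups: ["networking.k8s.io"],
+resources: ["ingresses"],
+verbs: ["get", "list", "watch", "create", "delete", "update"],
+},
+{
+apiGroups: ["networking.x-k8s.io"],
+resources: ["httproutes"],
+verbs: ["get", "list", "watch", "create", "delete", "update"],
+},
+{
+apiGroups: ["route.openshift.io"],
+resources: ["routes/custom-host"],
+verbs: ["create"],
+},
+{
+apiGroups: ["acme.cert-manager.io"],
+resources: ["challenges/finalizers"],
+verbs: ["update"],
+},
+{
+apiGroups: [""],
+resources: ["secrets"],
+verbs: ["get", "list", "watch"],
+},
+],
+},
+controllerIngressShim: kube.ClusterRole("cert-manager-controller-ingress-shim") {
+rules: [
+{
+apiGroups: ["cert-manager.io"],
+resources: ["certificates", "certificaterequests"],
+verbs: ["create", "update", "delete"],
+},
+{
+apiGroups: ["cert-manager.io"],
+resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"],
+verbs: ["get", "list", "watch"],
+},
+{
+apiGroups: ["networking.k8s.io"],
+resources: ["ingresses"],
+verbs: ["get", "list", "watch"],
+},
+{
+apiGroups: ["networking.k8s.io"],
+resources: ["ingresses/finalizers"],
+verbs: ["update"],
+},
+{
+apiGroups: ["networking.x-k8s.io"],
+resources: ["gateways", "httproutes"],
+verbs: ["get", "list", "watch"],
+},
+{
+apiGroups: ["networking.x-k8s.io"],
+resources: ["gateways/finalizers", "httproutes/finalizers"],
+verbs: ["update"],
+},
+{
+apiGroups: [""],
+resources: ["events"],
+verbs: ["create", "patch"],
+},
+],
+},
+view: kube.ClusterRole("cert-manager-view") {
+rules: [
+{
+apiGroups: ["cert-manager.io"],
+resources: ["certificates", "certificaterequests", "issuers"],
+verbs: ["get", "list", "watch"],
+},
+{
+apiGroups: ["acme.cert-manager.io"],
+resources: ["challenges", "orders"],
+verbs: ["get", "list", "watch"],
+},
+],
+},
+edit: kube.ClusterRole("cert-manager-edit") {
+rules: [
+{
+apiGroups: ["cert-manager.io"],
+resources: ["certificates", "certificaterequests", "issuers"],
+verbs: ["create", "delete", "deletecollection", "patch", "update"],
+},
+{
+apiGroups: ["acme.cert-manager.io"],
+resources: ["challenges", "orders"],
+verbs: ["create", "delete", "deletecollection", "patch", "update"],
+},
+],
+},
+controllerApproveCertManagerIo: kube.ClusterRole("cert-manager-controller-approve:cert-manager-io") {
+rules: [
+{
+apiGroups: ["cert-manager.io"],
+resources: ["signers"],
+verbs: ["approve"],
+},
+],
+},
+controllerCertificatesigningrequests: kube.ClusterRole("cert-manager-controller-certificatesigningrequests") {
+rules: [
+{
+apiGroups: ["certificates.k8s.io"],
+resources: ["certificatesigningrequests"],
+verbs: ["get", "list", "watch", "update"],
+},
+{
+apiGroups: ["certificates.k8s.io"],
+resources: ["certificatesigningrequests/status"],
+verbs: ["update"],
+},
+{
+apiGroups: ["certificates.k8s.io"],
+resources: ["signers"],
+verbs: ["sign"],
+},
+{
+apiGroups: ["authorization.k8s.io"],
+resources: ["subjectaccessreviews"],
+verbs: ["create"],
+},
+],
+},
+webhookSubjectaccessreviews: kube.ClusterRole("cert-manager-webhook:subjectaccessreviews") {
+rules: [
+{
+apiGroups: ["authorization.k8s.io"],
+resources: ["subjectaccessreviews"],
+verbs: ["create"],
+},
+],
+},
+},
+crbs: {
+cainjector: kube.ClusterRoleBinding("cert-manager-cainjector") {
+roleRef_: top.crs.cainjector,
+subjects_: [top.sas.cainjector],
+},
+controllerIssuers: kube.ClusterRoleBinding("cert-manager-controller-issuers") {
+roleRef_: top.crs.controllerIssuers,
+subjects_: [top.sas.certManager],
+},
+controllerClusterissuers: kube.ClusterRoleBinding("cert-manager-controller-clusterissuers") {
+roleRef_: top.crs.controllerClusterissuers,
+subjects_: [top.sas.certManager],
+},
+controllerCertificates: kube.ClusterRoleBinding("cert-manager-controller-certificates") {
+roleRef_: top.crs.controllerCertificates,
+subjects_: [top.sas.certManager],
+},
+controllerOrders: kube.ClusterRoleBinding("cert-manager-controller-orders") {
+roleRef_: top.crs.controllerOrders,
+subjects_: [top.sas.certManager],
+},
+controllerChallenges: kube.ClusterRoleBinding("cert-manager-controller-challenges") {
+roleRef_: top.crs.controllerChallenges,
+subjects_: [top.sas.certManager],
+},
+controllerIngressShim: kube.ClusterRoleBinding("cert-manager-controller-ingress-shim") {
+roleRef_: top.crs.controllerIngressShim,
+subjects_: [top.sas.certManager],
+},
+controllerApproveCertManagerIo: kube.ClusterRoleBinding("cert-manager-controller-approve:cert-manager-io") {
+roleRef_: top.crs.controllerApproveCertManagerIo,
+subjects_: [top.sas.certManager],
+},
+controllerCertificatesigningrequests: kube.ClusterRoleBinding("cert-manager-controller-certificatesigningrequests") {
+roleRef_: top.crs.controllerCertificatesigningrequests,
+subjects_: [top.sas.certManager],
+},
+webhookSubjectaccessreviews: kube.ClusterRoleBinding("cert-manager-webhook:subjectaccessreviews") {
+roleRef_: top.crs.webhookSubjectaccessreviews,
+subjects_: [top.sas.webhook],
+},
+},
+roles: {
+cainjectorLeaderelection: kube.Role("cert-manager-cainjector:leaderelection") {
+metadata+: top.env.metadata {
+namespace: "kube-system",
+},
+rules: [
+{
+apiGroups: [""],
+resources: ["configmaps"],
+verbs: ["get", "update", "patch"],
+},
+{
+apiGroups: [""],
+resources: ["configmaps"],
+verbs: ["create"],
+},
+{
+apiGroups: ["coordination.k8s.io"],
+resources: ["leases"],
+verbs: ["get", "update", "patch"],
+},
+{
+apiGroups: ["coordination.k8s.io"],
+resources: ["leases"],
+verbs: ["create"],
+}
+],
+},
+leaderelection: kube.Role("cert-manager:leaderelection") {
+metadata+: top.env.metadata {
+namespace: "kube-system",
+},
+rules: [
+{
+apiGroups: [""],
+resources: ["configmaps"],
+verbs: ["get", "update", "patch"],
+},
+{
+apiGroups: [""],
+resources: ["configmaps"],
+verbs: ["create"],
+},
+{
+apiGroups: ["coordination.k8s.io"],
+resources: ["leases"],
+verbs: ["get", "update", "patch"],
+},
+{
+apiGroups: ["coordination.k8s.io"],
+resources: ["leases"],
+verbs: ["create"],
+},
+],
+},
+webhookDynamicServing: kube.Role("cert-manager-webhook:dynamic-serving") {
+metadata+: top.env.metadata,
+rules: [
+{
+apiGroups: [""],
+resources: ["secrets"],
+verbs: ["get", "list", "watch", "update"],
+},
+{
+apiGroups: [""],
+resources: ["secrets"],
+verbs: ["create"],
+},
+],
+},
+},
+rbs: {
+cainjectorLeaderelection: kube.RoleBinding("cert-manager-cainjector:leaderelection") {
+metadata+: {
+namespace: "kube-system",
+},
+roleRef_: top.roles.cainjectorLeaderelection,
+subjects_: [top.sas.cainjector],
+},
+leaderelection: kube.RoleBinding("cert-manager:leaderelection") {
+metadata+: {
+namespace: "kube-system",
+},
+roleRef_: top.roles.leaderelection,
+subjects_: [top.sas.certManager],
+},
+webhookDynamicServing: kube.RoleBinding("cert-manager-webhook:dynamic-serving") {
+metadata+: {
+namespace: top.env.metadata.namespace,
+},
+roleRef_: top.roles.webhookDynamicServing,
+subjects_: [top.sas.webhook],
+},
+},
+}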
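Review bot: The two signer rules in `controllerApproveCertManagerIo` (cert-manager.io `signers`, verb `approve`) and `controllerCertificatesigningrequests` (certificates.k8s.io `signers`, verb `sign`) carry no `resourceNames`, so the controller service account is allowed to approve and sign for every signer in those API groups instead of only cert-manager's own issuers; the upstream manifest scopes both rules with `resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"],`. The `webhookDynamicServing` Role is similarly wider than it needs to be: its first rule grants get/list/watch/update on every Secret in the namespace, where `resourceNames: ["cert-manager-webhook-ca"],` would pin it to the CA secret the webhook is started with (`--dynamic-serving-ca-secret-name=cert-manager-webhook-ca`), and the separate create rule already exists because `resourceNames` cannot apply to create. Separately, the leader-election Role and RoleBinding namespaces are hard-coded to `"kube-system"` while the deployments take theirs from `cfg.leaderElectionNamespace`, so changing that setting leaves the RBAC in the old namespace and leader election stops working; `namespace: top.env.cfg.leaderElectionNamespace,` would keep them in step, assuming the `env` passed in by the `rbac:` import exposes `cfg` — I can't confirm that from this page.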



@ -10,8 +10,9 @@ local kube = import "../../../kube/kube.libsonnet";
cfg:: { cfg:: {
namespace: "cert-manager", namespace: "cert-manager",
leaderElectionNamespace: "kube-system",
enableWebhook: false, enableWebhook: false,
version: "v0.9.1", version: "v1.5.0",
}, },
metadata:: { metadata:: {
@ -23,246 +24,6 @@ local kube = import "../../../kube/kube.libsonnet";
labels: { "certmanager.k8s.io/disable-validation": "true" }, labels: { "certmanager.k8s.io/disable-validation": "true" },
}, },
}, },
crds: {
certificates: kube.CustomResourceDefinition("certmanager.k8s.io", "v1alpha1", "Certificate") {
spec+: {
additionalPrinterColumns: [
{ name: "Ready", type: "string", JSONPath: ".status.conditions[?(@.type==\"Ready\")].status" },
{ name: "Secret", type: "string", JSONPath: ".spec.secretName" },
{ name: "Issuer", type: "string", JSONPath: ".spec.issuerRef.name", priority: 1 },
{ name: "Status", type: "string", JSONPath: ".status.conditions[?(@.type==\"Ready\")].message", priority: 1 },
{ name: "Age", type: "date", JSONPath: ".metadata.creationTimestamp" },
],
names+: {
shortNames+: ["cert", "certs"],
},
scope: "Namespaced",
validation: {
# Converted from official YAML
"openAPIV3Schema": {
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation\nof an object. Servers should convert recognized schemas to the latest\ninternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this\nobject represents. Servers may infer this from the endpoint the client\nsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"properties": {
"acme": {
"description": "ACME contains configuration specific to ACME Certificates.\nNotably, this contains details on how the domain names listed on this\nCertificate resource should be 'solved', i.e. mapping HTTP01 and DNS01\nproviders to DNS names.",
"properties": {
"config": {
"items": {
"properties": {
"domains": {
"description": "Domains is the list of domains that this SolverConfig\napplies to.",
"items": {
"type": "string"
},
"type": "array"
}
},
"required": [
"domains"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"config"
],
"type": "object"
},
"commonName": {
"description": "CommonName is a common name to be used on the Certificate",
"type": "string"
},
"dnsNames": {
"description": "DNSNames is a list of subject alt names to be used on the\nCertificate",
"items": {
"type": "string"
},
"type": "array"
},
"duration": {
"description": "Certificate default Duration",
"type": "string"
},
"ipAddresses": {
"description": "IPAddresses is a list of IP addresses to be used on the\nCertificate",
"items": {
"type": "string"
},
"type": "array"
},
"isCA": {
"description": "IsCA will mark this Certificate as valid for signing. This\nimplies that the 'signing' usage is set",
"type": "boolean"
},
"issuerRef": {
"description": "IssuerRef is a reference to the issuer for this certificate.\nIf the 'kind' field is not set, or set to 'Issuer', an Issuer resource\nwith the given name in the same namespace as the Certificate will\nbe used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer\nwith the provided name will be used. The 'name' field in this stanza\nis required at all times.",
"properties": {
"kind": {
"type": "string"
},
"name": {
"type": "string"
}
},
"required": [
"name"
],
"type": "object"
},
"keyAlgorithm": {
"description": "KeyAlgorithm is the private key algorithm of the corresponding\nprivate key for this certificate. If provided, allowed values are\neither \"rsa\" or \"ecdsa\" If KeyAlgorithm is specified and KeySize is\nnot provided, key size of 256 will be used for \"ecdsa\" key algorithm\nand key size of 2048 will be used for \"rsa\" key algorithm.",
"enum": [
"rsa",
"ecdsa"
],
"type": "string"
},
"keySize": {
"description": "KeySize is the key bit size of the corresponding private\nkey for this certificate. If provided, value must be between 2048\nand 8192 inclusive when KeyAlgorithm is empty or is set to \"rsa\",\nand value must be one of (256, 384, 521) when KeyAlgorithm is set\nto \"ecdsa\".",
"format": "int64",
"type": "integer"
},
"organization": {
"description": "Organization is the organization to be used on the Certificate",
"items": {
"type": "string"
},
"type": "array"
},
"renewBefore": {
"description": "Certificate renew before expiration duration",
"type": "string"
},
"secretName": {
"description": "SecretName is the name of the secret resource to store\nthis secret in",
"type": "string"
}
},
"required": [
"secretName",
"issuerRef"
],
"type": "object"
},
"status": {
"properties": {
"conditions": {
"items": {
"properties": {
"lastTransitionTime": {
"description": "LastTransitionTime is the timestamp corresponding\nto the last status change of this condition.",
"format": "date-time",
"type": "string"
},
"message": {
"description": "Message is a human readable description of the details\nof the last transition, complementing reason.",
"type": "string"
},
"reason": {
"description": "Reason is a brief machine readable explanation for\nthe condition's last transition.",
"type": "string"
},
"status": {
"description": "Status of the condition, one of ('True', 'False',\n'Unknown').",
"enum": [
"True",
"False",
"Unknown"
],
"type": "string"
},
"type": {
"description": "Type of the condition, currently ('Ready').",
"type": "string"
}
},
"required": [
"type",
"status",
"lastTransitionTime",
"reason",
"message"
],
"type": "object"
},
"type": "array"
},
"lastFailureTime": {
"format": "date-time",
"type": "string"
},
"notAfter": {
"description": "The expiration time of the certificate stored in the secret\nnamed by this resource in spec.secretName.",
"format": "date-time",
"type": "string"
}
},
"type": "object"
}
}
}
}
},
},
challenges: kube.CustomResourceDefinition("certmanager.k8s.io", "v1alpha1", "Challenge") {
spec+: {
additionalPrinterColumns: [
{ name: "State", type: "string", JSONPath: ".status.state" },
{ name: "Domain", type: "string", JSONPath: ".spec.dnsName" },
{ name: "Reason", type: "string", JSONPath: ".status.reason", priority: 1 },
{ name: "Age", type: "date", JSONPath: ".metadata.creationTimestamp" },
],
validation: {
# ...
},
},
},
clusterissuers: kube.CustomResourceDefinition("certmanager.k8s.io", "v1alpha1", "ClusterIssuer") {
spec+: {
validation: {
# ...
},
scope: "Cluster",
},
},
issuers: kube.CustomResourceDefinition("certmanager.k8s.io", "v1alpha1", "Issuer") {
spec+: {
validation: {
# ...
},
scope: "Namespaced",
},
},
orders: kube.CustomResourceDefinition("certmanager.k8s.io", "v1alpha1", "Order") {
spec+: {
additionalPrinterColumns: [
{ name: "State", type: "string", JSONPath: ".status.state" },
{ name: "Issuer", type: "string", JSONPath: ".spec.issuerRef.name", priority: 1 },
{ name: "Reason", type: "string", JSONPath: ".status.reason", priority: 1 },
{ name: "Age", type: "date", JSONPath: ".metadata.creationTimestamp" },
],
validation: {
# ...
},
scope: "Namespaced",
},
},
},
sas: { sas: {
cainjector: kube.ServiceAccount("cert-manager-cainjector") { cainjector: kube.ServiceAccount("cert-manager-cainjector") {
metadata+: env.metadata, metadata+: env.metadata,
@ -270,116 +31,18 @@ local kube = import "../../../kube/kube.libsonnet";
webhook: kube.ServiceAccount("cert-manager-webhook") { webhook: kube.ServiceAccount("cert-manager-webhook") {
metadata+: env.metadata, metadata+: env.metadata,
}, },
certmanager: kube.ServiceAccount("cert-manager") { certManager: kube.ServiceAccount("cert-manager") {
metadata+: env.metadata, metadata+: env.metadata,
}, },
}, },
crs: { crds: (std.native("parseYaml"))(importstr "./cert-manager.crds.yaml"),
cainjector: kube.ClusterRole("cert-manager-cainjector") {
rules: [ rbac: (import "./cert-manager-rbac.libsonnet") {
{ env:: env,
apiGroups: ["certmanager.k8s.io"], sas:: env.sas,
resources: ["certificates"],
verbs: ["get", "list", "watch"],
},
{
apiGroups: [""],
resources: ["secrets"],
verbs: ["get", "list", "watch"],
},
{
apiGroups: [""],
resources: ["configmaps", "events"],
verbs: ["*"],
}, },
{
apiGroups: ["admissionregistration.k8s.io"],
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"],
verbs: ["*"],
},
{
apiGroups: ["apiregistration.k8s.io"],
resources: ["apiservices"],
verbs: ["*"],
},
],
},
certmanager: kube.ClusterRole("cert-manager") {
rules: [
{
apiGroups: ["certmanager.k8s.io"],
resources: ["certificates", "certificates/finalizers", "issuers", "clusterissuers", "orders", "orders/finalizers", "challenges"],
verbs: ["*"],
},
{
apiGroups: [""],
resources: ["configmaps", "secrets", "events", "services", "pods"],
verbs: ["*"],
},
{
apiGroups: ["extensions"],
resources: ["ingresses"],
verbs: ["*"],
},
],
},
certmanagerView: kube.ClusterRole("cert-manager-view") {
rules: [
{
apiGroups: ["certmanager.k8s.io"],
resources: ["certificates", "issuers"],
verbs: ["get", "list", "watch"],
},
],
},
certmanagerEdit: kube.ClusterRole("cert-manager-edit") {
rules: [
{
apiGroups: ["certmanager.k8s.io"],
resources: ["certificates", "issuers"],
verbs: ["create", "delete", "deletecollection", "patch", "update"],
},
],
},
webhookRequester: kube.ClusterRole("cert-manager-webhook:webhook-requester") {
rules: [
{
apiGroups: ["admission.certmanager.k8s.io"],
resources: ["certificates", "issuers", "clusterissuers"],
verbs: ["create"],
},
],
},
},
rbs: {
cainjector: kube.ClusterRoleBinding("cert-manager-cainjector") {
roleRef_: env.crs.cainjector,
subjects_: [ env.sas.cainjector ],
},
certmanager: kube.ClusterRoleBinding("cert-manager") {
roleRef_: env.crs.certmanager,
subjects_: [ env.sas.certmanager ],
},
webhookAuthDelegator: kube.ClusterRoleBinding("cert-manager-webhook:auth-delegator") {
roleRef_: {
kind: "ClusterRole",
metadata: { name: "system:auth-delegator" },
},
subjects_: [ env.sas.webhook ],
},
webhookAuthReader: kube.RoleBinding("cert-manager-webhook:webhook-authentication-reader") {
metadata+: {
namespace: "kube-system",
},
roleRef_: {
kind: "Role",
metadata: { name: "extension-apiserver-authentication-reader" },
},
subjects_: [ env.sas.webhook ],
},
},
deployments: { deployments: {
cainjector: kube.Deployment("cert-manager-cainjector") { cainjector: kube.Deployment("cert-manager-cainjector") {
metadata+: env.metadata, metadata+: env.metadata,
@ -392,7 +55,8 @@ local kube = import "../../../kube/kube.libsonnet";
cainjector: kube.Container("cainjector") { cainjector: kube.Container("cainjector") {
image: "quay.io/jetstack/cert-manager-cainjector:" + cfg.version, image: "quay.io/jetstack/cert-manager-cainjector:" + cfg.version,
args: [ args: [
"--leader-election-namespace=%s" % [cfg.namespace], "--v=2",
"--leader-election-namespace=%s" % [cfg.leaderElectionNamespace],
], ],
env_: { env_: {
POD_NAMESPACE: kube.FieldRef("metadata.namespace"), POD_NAMESPACE: kube.FieldRef("metadata.namespace"),
@ -410,7 +74,7 @@ local kube = import "../../../kube/kube.libsonnet";
}, },
}, },
spec+: { spec+: {
replicas: 1, replicas: if cfg.enableWebhook then 1 else 0,
template+: { template+: {
spec+: { spec+: {
serviceAccountName: env.sas.webhook.metadata.name, serviceAccountName: env.sas.webhook.metadata.name,
@ -418,28 +82,20 @@ local kube = import "../../../kube/kube.libsonnet";
webhook: kube.Container("webhook") { webhook: kube.Container("webhook") {
image: "quay.io/jetstack/cert-manager-webhook:" + cfg.version, image: "quay.io/jetstack/cert-manager-webhook:" + cfg.version,
args: [ args: [
"--v=12", "--v=2",
"--secure-port=6443", "--secure-port=10250",
"--tls-cert-file=/certs/tls.crt", "--dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)",
"--tls-private-key-file=/certs/tls.key", "--dynamic-serving-ca-secret-name=cert-manager-webhook-ca",
"--dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc",
], ],
env_: { env_: {
POD_NAMESPACE: kube.FieldRef("metadata.namespace"), POD_NAMESPACE: kube.FieldRef("metadata.namespace"),
}, },
ports_: { // changed ports_: {
https: { containerPort: 6443 }, https: { containerPort: 10250 },
},
volumeMounts_: {
certs: { mountPath: "/certs" },
}, },
}, },
}, },
volumes_: {
certs: {
secret: { secretName: env.certificates.webhookTLS.spec.secretName },
},
// kube.SecretVolume(env.secrets.webhook_tls),
},
}, },
}, },
}, },
@ -450,17 +106,19 @@ local kube = import "../../../kube/kube.libsonnet";
replicas: 1, replicas: 1,
template+: { template+: {
spec+: { spec+: {
serviceAccountName: env.sas.certmanager.metadata.name, serviceAccountName: env.sas.certManager.metadata.name,
dnsPolicy: "None", dnsPolicy: "None",
dnsConfig: { dnsConfig: {
nameservers: ["8.8.8.8"], nameservers: ["8.8.8.8"],
}, },
# TODO: liveness probe, readiness probe
containers_: { containers_: {
webhook: kube.Container("cert-manager") { webhook: kube.Container("cert-manager") {
image: "quay.io/jetstack/cert-manager-controller:" + cfg.version, image: "quay.io/jetstack/cert-manager-controller:" + cfg.version,
args: [ args: [
"--v=2",
"--cluster-resource-namespace=%s" % [cfg.namespace], "--cluster-resource-namespace=%s" % [cfg.namespace],
"--leader-election-namespace=%s" % [cfg.namespace], "--leader-election-namespace=%s" % [cfg.leaderElectionNamespace],
], ],
env_: { env_: {
POD_NAMESPACE: kube.FieldRef("metadata.namespace"), POD_NAMESPACE: kube.FieldRef("metadata.namespace"),
@ -481,16 +139,28 @@ local kube = import "../../../kube/kube.libsonnet";
}, },
}, },
}, },
service: kube.Service("cert-manager-webhook") { services: {
certmanager: kube.Service("cert-manager") {
metadata+: env.metadata,
target_pod:: env.deployments.certmanager.spec.template,
spec+: {
type: "ClusterIP",
ports: [
{ name: "tcp-prometheus-servicemonitor", port: 9402, targetPort: 9402, protocol: "TCP"},
],
},
},
webhook: kube.Service("cert-manager-webhook") {
metadata+: env.metadata, metadata+: env.metadata,
target_pod:: env.deployments.webhook.spec.template, target_pod:: env.deployments.webhook.spec.template,
spec+: { spec+: {
type: "ClusterIP", type: "ClusterIP",
ports: [ ports: [
{ name: "https", port: 443, targetPort: 6443, protocol: "TCP" }, { name: "https", port: 443, targetPort: 10250, protocol: "TCP" },
], ],
}, },
}, },
},
apiservice: if cfg.enableWebhook then kube._Object("apiregistration.k8s.io/v1beta1", "APIService", "v1beta1.admission.certmanager.k8s.io") { apiservice: if cfg.enableWebhook then kube._Object("apiregistration.k8s.io/v1beta1", "APIService", "v1beta1.admission.certmanager.k8s.io") {
spec+: { spec+: {
version: "v1beta1", version: "v1beta1",
@ -504,200 +174,86 @@ local kube = import "../../../kube/kube.libsonnet";
}, },
}, },
issuers: { webhooks: if cfg.enableWebhook then {
webhookSelfsign: kube.Issuer("cert-manager-webhook-selfsign") { mutating: kube._Object("admissionregistration.k8s.io/v1", "MutatingWebhookConfiguration", "cert-manager-webhook") {
metadata+: env.metadata,
spec: {
selfSigned: {},
},
},
webhookCA: kube.Issuer("cert-manager-webhook-ca") {
metadata+: env.metadata,
spec: {
ca: {
secretName: env.certificates.webhookCA.spec.secretName,
},
},
},
},
certificates: {
webhookCA: kube.Certificate("cert-manager-webhook-ca") {
metadata+: env.metadata,
spec: {
secretName: "cert-manager-webhook-ca",
duration: "43800h0m0s", // 5 years
issuerRef: {
name: env.issuers.webhookSelfsign.metadata.name,
},
commonName: "ca.webhook.cert-manager",
isCA: true,
},
},
webhookTLS: kube.Certificate("cert-manager-webhook-webhook-tls") {
metadata+: env.metadata,
spec: {
secretName: "cert-manager-webhook-webhook-tls",
duration: "8760h0m0s", // 1 year
issuerRef: {
name: env.issuers.webhookSelfsign.metadata.name,
},
dnsNames: [
"cert-manager-webhook",
"cert-manager-webhook.cert-manager",
"cert-manager-webhook.cert-manager.svc",
],
},
},
},
admission: if cfg.enableWebhook then kube._Object("admissionregistration.k8s.io/v1beta1", "ValidatingWebhookConfiguration", "cert-manager-webhook") {
metadata+: { metadata+: {
annotations: { annotations: {
"cert-manager.io/inject-ca-from-secret": "%s/cert-manager-webhook-ca" % [cfg.namespace],
},
},
webhooks: [
{
name: "webhook.cert-manager.io",
rules: [
{
apiGRoups: ["cert-manager.io", "acme.cert-manager.io"],
apiVersions: ["v1"],
operations: ["CREATE", "UPDATE"],
resources: ["*/*"],
}
],
admissionReviewVersions: ["v1", "v1beta1"],
matchPolicy: "Equivalent",
timeoutSeconds: 10,
failurePolicy: "Fail",
sideEffects: "None",
clientConfig: {
service: {
name: "cert-manager-webhook",
namespace: cfg.namespace,
path: "/mutate",
},
},
}
],
},
validating: kube._Object("admissionregistration.k8s.io/v1", "ValidatingWebhookConfiguration", "cert-manager-webhook") {
metadata+: {
annotations: {
"cert-manager.io/inject-ca-from-secret": "%s/cert-manager-webhook-ca" % [cfg.namespace],
}, },
}, },
// Copied from official yaml // Copied from official yaml
webhooks: [ webhooks: [
{ {
"name": "certificates.admission.certmanager.k8s.io", name: "webhook.cert-manager.io",
"namespaceSelector": { namespaceSelector: {
"matchExpressions": [ matchExpressions: [
{ {
"key": "certmanager.k8s.io/disable-validation", key: "cert-manager.io/disable-validation",
"operator": "NotIn", operator: "NotIn",
"values": [ values: ["true"],
"true"
]
}, },
{ {
"key": "name", key: "name",
"operator": "NotIn", operator: "NotIn",
"values": [ values: ["cert-manager"],
"cert-manager"
]
}
]
}, },
"rules": [ ],
},
rules: [
{ {
"apiGroups": [ apiGroups: ["cert-manager.io", "acme.cert-manager.io"],
"certmanager.k8s.io" apiVersions: ["v1"],
], operations: ["CREATE", "UPDATE"],
"apiVersions": [ resources: ["*/*"],
"v1alpha1"
],
"operations": [
"CREATE",
"UPDATE"
],
"resources": [
"certificates"
]
} }
], ],
"failurePolicy": "Fail", admissionReviewVersions: ["v1", "v1beta1"],
"clientConfig": { matchPolicy: "Equivalent",
"service": { timeoutSeconds: 10,
"name": "kubernetes", failurePolicy: "Fail",
"namespace": "default", sideEffects: "None",
"path": "/apis/admission.certmanager.k8s.io/v1beta1/certificates" clientConfig: {
service: {
name: "cert-manager-webhook",
namespace: cfg.namespace,
path: "/validate",
}, },
"caBundle": "",
}
}, },
{
"name": "issuers.admission.certmanager.k8s.io",
"namespaceSelector": {
"matchExpressions": [
{
"key": "certmanager.k8s.io/disable-validation",
"operator": "NotIn",
"values": [
"true"
]
}, },
{ ],
"key": "name",
"operator": "NotIn",
"values": [
"cert-manager"
]
}
]
}, },
"rules": [
{
"apiGroups": [
"certmanager.k8s.io"
],
"apiVersions": [
"v1alpha1"
],
"operations": [
"CREATE",
"UPDATE"
],
"resources": [
"issuers"
]
}
],
"failurePolicy": "Fail",
"clientConfig": {
"service": {
"name": "kubernetes",
"namespace": "default",
"path": "/apis/admission.certmanager.k8s.io/v1beta1/issuers"
},
"caBundle": "",
}
},
{
"name": "clusterissuers.admission.certmanager.k8s.io",
"namespaceSelector": {
"matchExpressions": [
{
"key": "certmanager.k8s.io/disable-validation",
"operator": "NotIn",
"values": [
"true"
]
},
{
"key": "name",
"operator": "NotIn",
"values": [
"cert-manager"
]
}
]
},
"rules": [
{
"apiGroups": [
"certmanager.k8s.io"
],
"apiVersions": [
"v1alpha1"
],
"operations": [
"CREATE",
"UPDATE"
],
"resources": [
"clusterissuers"
]
}
],
"failurePolicy": "Fail",
"clientConfig": {
"service": {
"name": "kubernetes",
"namespace": "default",
"path": "/apis/admission.certmanager.k8s.io/v1beta1/clusterissuers"
},
"caBundle": "",
}
}
],
}, },
}, },
} }
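Review bot: The mutating webhook rule under `webhooks.mutating` spells the field `apiGRoups`, so the MutatingWebhookConfiguration is rejected by the API server (`apiGroups` is required on a rule, and with strict field validation the unknown name itself is refused), which means no mutation runs when the webhook is enabled; it should read `apiGroups: ["cert-manager.io", "acme.cert-manager.io"],` as the `validating` entry below it does. This is masked today because the whole `webhooks` object is gated on `cfg.enableWebhook`, which defaults to `false`. Two smaller points in the same section: `--dynamic-serving-dns-names` hard-codes the `cert-manager` namespace in the webhook's DNS names while the `clientConfig.service` blocks take `cfg.namespace`, so the serving certificate and the name the API server dials diverge as soon as that setting is changed, and `"--dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.%s,cert-manager-webhook.%s.svc" % [cfg.namespace, cfg.namespace],` would keep them aligned; and the untouched `apiservice` entry for `v1beta1.admission.certmanager.k8s.io` looks like a remnant of the v0.9 layout that the rest of this change removes — presumably nothing in the v1.5 webhook serves that APIService any more, but that is inferred rather than visible here.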