mirror of https://gerrit.hackerspace.pl/hscloud
cluster/cert-manager: update to v1.5.0
Change-Id: I7a4cdadc9956141292302bc004d09d6e9e22855e Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1497 Reviewed-by: informatic <informatic@hackerspace.pl>changes/97/1497/6
parent
926252c871
commit
3dd3ff5dcd
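--- /dev/null
+++ b/cert-manager-rbac.libsonnet
@@ -0,0 +1,470 @@
+local kube = import "../../../kube/kube.libsonnet";
+{
+local top = self,
+crs: {
+cainjector: kube.ClusterRole("cert-manager-cainjector") {
+rules: [
+{
+apiGroups: ["cert-manager.io"],
+resources: ["certificates"],
+verbs: ["get", "list", "watch"],
+},
+{
+apiGroups: [""],
+resources: ["secrets"],
+verbs: ["get", "list", "watch"],
+},
+{
+apiGroups: [""],
+resources: ["events"],
+verbs: ["get", "create", "update", "patch"],
+},
+{
+apiGroups: ["admissionregistration.k8s.io"],
+resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"],
+verbs: ["get", "list", "watch", "update"],
+},
+{
+apiGroups: ["apiregistration.k8s.io"],
+resources: ["apiservices"],
+verbs: ["get", "list", "watch", "update"],
+},
+{
+apiGroups: ["apiextensions.k8s.io"],
+resources: ["customresourcedefinitions"],
+verbs: ["get", "list", "watch", "update"],
+},
+{
+apiGroups: ["auditregistration.k8s.io"],
+resources: ["auditsinks"],
+verbs: ["get", "list", "watch", "update"],
+},
+],
+},
+controllerIssuers: kube.ClusterRole("cert-manager-controller-issuers") {
+rules: [
+{
+apiGroups: ["cert-manager.io"],
+resources: ["issuers", "issuers/status"],
+verbs: ["update"],
+},
+{
+apiGroups: ["cert-manager.io"],
+resources: ["issuers"],
+verbs: ["get", "list", "watch"],
+},
+{
+apiGroups: [""],
+resources: ["secrets"],
+verbs: ["get", "list", "watch", "create", "update", "delete"],
+},
+{
+apiGroups: [""],
+resources: ["events"],
+verbs: ["create", "patch"],
+},
+],
+},
+controllerClusterissuers: kube.ClusterRole("cert-manager-controller-clusterissuers") {
+rules: [
+{
+apiGroups: ["cert-manager.io"],
+resources: ["clusterissuers", "clusterissuers/status"],
+verbs: ["update"],
+},
+{
+apiGroups: ["cert-manager.io"],
+resources: ["clusterissuers"],
+verbs: ["get", "list", "watch"],
+},
+{
+apiGroups: [""],
+resources: ["secrets"],
+verbs: ["get", "list", "watch", "create", "update", "delete"],
+},
+{
+apiGroups: [""],
+resources: ["events"],
+verbs: ["create", "patch"],
+},
+],
+},
+controllerCertificates: kube.ClusterRole("cert-manager-controller-certificates") {
+rules: [
+{
+apiGroups: ["cert-manager.io"],
+resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"],
+verbs: ["update"],
+},
+{
+apiGroups: ["cert-manager.io"],
+resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"],
+verbs: ["get", "list", "watch"],
+},
+{
+apiGroups: ["cert-manager.io"],
+resources: ["certificates/finalizers", "certificaterequests/finalizers"],
+verbs: ["update"],
+},
+{
+apiGroups: ["acme.cert-manager.io"],
+resources: ["orders"],
+verbs: ["create", "delete", "get", "list", "watch"],
+},
+{
+apiGroups: [""],
+resources: ["secrets"],
+verbs: ["get", "list", "watch", "create", "update", "delete"],
+},
+{
+apiGroups: [""],
+resources: ["events"],
+verbs: ["create", "patch"],
+},
+],
+},
+controllerOrders: kube.ClusterRole("cert-manager-controller-orders") {
+rules: [
+{
+apiGroups: ["acme.cert-manager.io"],
+resources: ["orders", "orders/status"],
+verbs: ["update"],
+},
+{
+apiGroups: ["acme.cert-manager.io"],
+resources: ["orders", "challenges"],
+verbs: ["get", "list", "watch"],
+},
+{
+apiGroups: ["cert-manager.io"],
+resources: ["clusterissuers", "issuers"],
+verbs: ["get", "list", "watch"],
+},
+{
+apiGroups: ["acme.cert-manager.io"],
+resources: ["challenges"],
+verbs: ["create", "delete"],
+},
+{
+apiGroups: ["acme.cert-manager.io"],
+resources: ["orders/finalizers"],
+verbs: ["update"],
+},
+{
+apiGroups: [""],
+resources: ["secrets"],
+verbs: ["get", "list", "watch"],
+},
+{
+apiGroups: [""],
+resources: ["events"],
+verbs: ["create", "patch"],
+},
+],
+},
+controllerChallenges: kube.ClusterRole("cert-manager-controller-challenges") {
+rules: [
+{
+apiGroups: ["acme.cert-manager.io"],
+resources: ["challenges", "challenges/status"],
+verbs: ["update"],
+},
+{
+apiGroups: ["acme.cert-manager.io"],
+resources: ["challenges"],
+verbs: ["get", "list", "watch"],
+},
+{
+apiGroups: ["cert-manager.io"],
+resources: ["issuers", "clusterissuers"],
+verbs: ["get", "list", "watch"],
+},
+{
+apiGroups: [""],
+resources: ["secrets"],
+verbs: ["get", "list", "watch"],
+},
+{
+apiGroups: [""],
+resources: ["events"],
+verbs: ["create", "patch"],
+},
+{
+apiGroups: [""],
+resources: ["pods", "services"],
+verbs: ["get", "list", "watch", "create", "delete"],
+},
+{
+apiGroups: ["networking.k8s.io"],
+resources: ["ingresses"],
+verbs: ["get", "list", "watch", "create", "delete", "update"],
+},
+{
+apiGroups: ["networking.x-k8s.io"],
+resources: ["httproutes"],
+verbs: ["get", "list", "watch", "create", "delete", "update"],
+},
+{
+apiGroups: ["route.openshift.io"],
+resources: ["routes/custom-host"],
+verbs: ["create"],
+},
+{
+apiGroups: ["acme.cert-manager.io"],
+resources: ["challenges/finalizers"],
+verbs: ["update"],
+},
+{
+apiGroups: [""],
+resources: ["secrets"],
+verbs: ["get", "list", "watch"],
+},
+],
+},
+controllerIngressShim: kube.ClusterRole("cert-manager-controller-ingress-shim") {
+rules: [
+{
+apiGroups: ["cert-manager.io"],
+resources: ["certificates", "certificaterequests"],
+verbs: ["create", "update", "delete"],
+},
+{
+apiGroups: ["cert-manager.io"],
+resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"],
+verbs: ["get", "list", "watch"],
+},
+{
+apiGroups: ["networking.k8s.io"],
+resources: ["ingresses"],
+verbs: ["get", "list", "watch"],
+},
+{
+apiGroups: ["networking.k8s.io"],
+resources: ["ingresses/finalizers"],
+verbs: ["update"],
+},
+{
+apiGroups: ["networking.x-k8s.io"],
+resources: ["gateways", "httproutes"],
+verbs: ["get", "list", "watch"],
+},
+{
+apiGroups: ["networking.x-k8s.io"],
+resources: ["gateways/finalizers", "httproutes/finalizers"],
+verbs: ["update"],
+},
+{
+apiGroups: [""],
+resources: ["events"],
+verbs: ["create", "patch"],
+},
+],
+},
+view: kube.ClusterRole("cert-manager-view") {
+rules: [
+{
+apiGroups: ["cert-manager.io"],
+resources: ["certificates", "certificaterequests", "issuers"],
+verbs: ["get", "list", "watch"],
+},
+{
+apiGroups: ["acme.cert-manager.io"],
+resources: ["challenges", "orders"],
+verbs: ["get", "list", "watch"],
+},
+],
+},
+edit: kube.ClusterRole("cert-manager-edit") {
+rules: [
+{
+apiGroups: ["cert-manager.io"],
+resources: ["certificates", "certificaterequests", "issuers"],
+verbs: ["create", "delete", "deletecollection", "patch", "update"],
+},
+{
+apiGroups: ["acme.cert-manager.io"],
+resources: ["challenges", "orders"],
+verbs: ["create", "delete", "deletecollection", "patch", "update"],
+},
+],
+},
+controllerApproveCertManagerIo: kube.ClusterRole("cert-manager-controller-approve:cert-manager-io") {
+rules: [
+{
+apiGroups: ["cert-manager.io"],
+resources: ["signers"],
+verbs: ["approve"],
+},
+],
+},
+controllerCertificatesigningrequests: kube.ClusterRole("cert-manager-controller-certificatesigningrequests") {
+rules: [
+{
+apiGroups: ["certificates.k8s.io"],
+resources: ["certificatesigningrequests"],
+verbs: ["get", "list", "watch", "update"],
+},
+{
+apiGroups: ["certificates.k8s.io"],
+resources: ["certificatesigningrequests/status"],
+verbs: ["update"],
+},
+{
+apiGroups: ["certificates.k8s.io"],
+resources: ["signers"],
+verbs: ["sign"],
+},
+{
+apiGroups: ["authorization.k8s.io"],
+resources: ["subjectaccessreviews"],
+verbs: ["create"],
+},
+],
+},
+webhookSubjectaccessreviews: kube.ClusterRole("cert-manager-webhook:subjectaccessreviews") {
+rules: [
+{
+apiGroups: ["authorization.k8s.io"],
+resources: ["subjectaccessreviews"],
+verbs: ["create"],
+},
+],
+},
+},
+crbs: {
+cainjector: kube.ClusterRoleBinding("cert-manager-cainjector") {
+roleRef_: top.crs.cainjector,
+subjects_: [top.sas.cainjector],
+},
+controllerIssuers: kube.ClusterRoleBinding("cert-manager-controller-issuers") {
+roleRef_: top.crs.controllerIssuers,
+subjects_: [top.sas.certManager],
+},
+controllerClusterissuers: kube.ClusterRoleBinding("cert-manager-controller-clusterissuers") {
+roleRef_: top.crs.controllerClusterissuers,
+subjects_: [top.sas.certManager],
+},
+controllerCertificates: kube.ClusterRoleBinding("cert-manager-controller-certificates") {
+roleRef_: top.crs.controllerCertificates,
+subjects_: [top.sas.certManager],
+},
+controllerOrders: kube.ClusterRoleBinding("cert-manager-controller-orders") {
+roleRef_: top.crs.controllerOrders,
+subjects_: [top.sas.certManager],
+},
+controllerChallenges: kube.ClusterRoleBinding("cert-manager-controller-challenges") {
+roleRef_: top.crs.controllerChallenges,
+subjects_: [top.sas.certManager],
+},
+controllerIngressShim: kube.ClusterRoleBinding("cert-manager-controller-ingress-shim") {
+roleRef_: top.crs.controllerIngressShim,
+subjects_: [top.sas.certManager],
+},
+controllerApproveCertManagerIo: kube.ClusterRoleBinding("cert-manager-controller-approve:cert-manager-io") {
+roleRef_: top.crs.controllerApproveCertManagerIo,
+subjects_: [top.sas.certManager],
+},
+controllerCertificatesigningrequests: kube.ClusterRoleBinding("cert-manager-controller-certificatesigningrequests") {
+roleRef_: top.crs.controllerCertificatesigningrequests,
+subjects_: [top.sas.certManager],
+},
+webhookSubjectaccessreviews: kube.ClusterRoleBinding("cert-manager-webhook:subjectaccessreviews") {
+roleRef_: top.crs.webhookSubjectaccessreviews,
+subjects_: [top.sas.webhook],
+},
+},
+roles: {
+cainjectorLeaderelection: kube.Role("cert-manager-cainjector:leaderelection") {
+metadata+: top.env.metadata {
+namespace: "kube-system",
+},
+rules: [
+{
+apiGroups: [""],
+resources: ["configmaps"],
+verbs: ["get", "update", "patch"],
+},
+{
+apiGroups: [""],
+resources: ["configmaps"],
+verbs: ["create"],
+},
+{
+apiGroups: ["coordination.k8s.io"],
+resources: ["leases"],
+verbs: ["get", "update", "patch"],
+},
+{
+apiGroups: ["coordination.k8s.io"],
+resources: ["leases"],
+verbs: ["create"],
+}
+],
+},
+leaderelection: kube.Role("cert-manager:leaderelection") {
+metadata+: top.env.metadata {
+namespace: "kube-system",
+},
+rules: [
+{
+apiGroups: [""],
+resources: ["configmaps"],
+verbs: ["get", "update", "patch"],
+},
+{
+apiGroups: [""],
+resources: ["configmaps"],
+verbs: ["create"],
+},
+{
+apiGroups: ["coordination.k8s.io"],
+resources: ["leases"],
+verbs: ["get", "update", "patch"],
+},
+{
+apiGroups: ["coordination.k8s.io"],
+resources: ["leases"],
+verbs: ["create"],
+},
+],
+},
+webhookDynamicServing: kube.Role("cert-manager-webhook:dynamic-serving") {
+metadata+: top.env.metadata,
+rules: [
+{
+apiGroups: [""],
+resources: ["secrets"],
+verbs: ["get", "list", "watch", "update"],
+},
+{
+apiGroups: [""],
+resources: ["secrets"],
+verbs: ["create"],
+},
+],
+},
+},
+rbs: {
+cainjectorLeaderelection: kube.RoleBinding("cert-manager-cainjector:leaderelection") {
+metadata+: {
+namespace: "kube-system",
+},
+roleRef_: top.roles.cainjectorLeaderelection,
+subjects_: [top.sas.cainjector],
+},
+leaderelection: kube.RoleBinding("cert-manager:leaderelection") {
+metadata+: {
+namespace: "kube-system",
+},
+roleRef_: top.roles.leaderelection,
+subjects_: [top.sas.certManager],
+},
+webhookDynamicServing: kube.RoleBinding("cert-manager-webhook:dynamic-serving") {
+metadata+: {
+namespace: top.env.metadata.namespace,
+},
+roleRef_: top.roles.webhookDynamicServing,
+subjects_: [top.sas.webhook],
+},
+},
+}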
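Review bot: The leader-election Role and RoleBinding objects (`roles.cainjectorLeaderelection`, `roles.leaderelection`, `rbs.cainjectorLeaderelection`, `rbs.leaderelection`) hardcode `namespace: "kube-system"` while the same commit introduces `cfg.leaderElectionNamespace` in cert-manager.libsonnet and passes it to the cainjector as `--leader-election-namespace`, so changing that setting later would leave the controllers trying to acquire leases in a namespace where no Role binds their service accounts. Assuming `env.cfg` is reachable through the `env:: env` binding the importer sets, each of those four lines can become `namespace: top.env.cfg.leaderElectionNamespace,`, and the two RoleBindings could also take `top.env.metadata` like the Roles do so they carry the same labels. `controllerChallenges` lists the `secrets` get/list/watch rule twice (fourth and last entry); dropping the duplicate keeps the role minimal and easier to audit against upstream. A header comment such as `// RBAC transcribed from the upstream cert-manager v1.5.0 manifests; the importer must supply env:: and sas::. Update together with cfg.version.` would tell the next upgrader where these rules come from and what the file expects from its caller. The file path used above is inferred from the `./cert-manager-rbac.libsonnet` import in cert-manager.libsonnet, since the page does not show the file header.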
@ -10,8 +10,9 @@ local kube = import "../../../kube/kube.libsonnet";
|
||||||
|
|
||||||
cfg:: {
|
cfg:: {
|
||||||
namespace: "cert-manager",
|
namespace: "cert-manager",
|
||||||
|
leaderElectionNamespace: "kube-system",
|
||||||
enableWebhook: false,
|
enableWebhook: false,
|
||||||
version: "v0.9.1",
|
version: "v1.5.0",
|
||||||
},
|
},
|
||||||
|
|
||||||
metadata:: {
|
metadata:: {
|
||||||
|
@ -23,246 +24,6 @@ local kube = import "../../../kube/kube.libsonnet";
|
||||||
labels: { "certmanager.k8s.io/disable-validation": "true" },
|
labels: { "certmanager.k8s.io/disable-validation": "true" },
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
||||||
crds: {
|
|
||||||
certificates: kube.CustomResourceDefinition("certmanager.k8s.io", "v1alpha1", "Certificate") {
|
|
||||||
spec+: {
|
|
||||||
additionalPrinterColumns: [
|
|
||||||
{ name: "Ready", type: "string", JSONPath: ".status.conditions[?(@.type==\"Ready\")].status" },
|
|
||||||
{ name: "Secret", type: "string", JSONPath: ".spec.secretName" },
|
|
||||||
{ name: "Issuer", type: "string", JSONPath: ".spec.issuerRef.name", priority: 1 },
|
|
||||||
{ name: "Status", type: "string", JSONPath: ".status.conditions[?(@.type==\"Ready\")].message", priority: 1 },
|
|
||||||
{ name: "Age", type: "date", JSONPath: ".metadata.creationTimestamp" },
|
|
||||||
],
|
|
||||||
names+: {
|
|
||||||
shortNames+: ["cert", "certs"],
|
|
||||||
},
|
|
||||||
scope: "Namespaced",
|
|
||||||
validation: {
|
|
||||||
# Converted from official YAML
|
|
||||||
"openAPIV3Schema": {
|
|
||||||
"properties": {
|
|
||||||
"apiVersion": {
|
|
||||||
"description": "APIVersion defines the versioned schema of this representation\nof an object. Servers should convert recognized schemas to the latest\ninternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources",
|
|
||||||
"type": "string"
|
|
||||||
},
|
|
||||||
"kind": {
|
|
||||||
"description": "Kind is a string value representing the REST resource this\nobject represents. Servers may infer this from the endpoint the client\nsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
|
|
||||||
"type": "string"
|
|
||||||
},
|
|
||||||
"metadata": {
|
|
||||||
"type": "object"
|
|
||||||
},
|
|
||||||
"spec": {
|
|
||||||
"properties": {
|
|
||||||
"acme": {
|
|
||||||
"description": "ACME contains configuration specific to ACME Certificates.\nNotably, this contains details on how the domain names listed on this\nCertificate resource should be 'solved', i.e. mapping HTTP01 and DNS01\nproviders to DNS names.",
|
|
||||||
"properties": {
|
|
||||||
"config": {
|
|
||||||
"items": {
|
|
||||||
"properties": {
|
|
||||||
"domains": {
|
|
||||||
"description": "Domains is the list of domains that this SolverConfig\napplies to.",
|
|
||||||
"items": {
|
|
||||||
"type": "string"
|
|
||||||
},
|
|
||||||
"type": "array"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"required": [
|
|
||||||
"domains"
|
|
||||||
],
|
|
||||||
"type": "object"
|
|
||||||
},
|
|
||||||
"type": "array"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"required": [
|
|
||||||
"config"
|
|
||||||
],
|
|
||||||
"type": "object"
|
|
||||||
},
|
|
||||||
"commonName": {
|
|
||||||
"description": "CommonName is a common name to be used on the Certificate",
|
|
||||||
"type": "string"
|
|
||||||
},
|
|
||||||
"dnsNames": {
|
|
||||||
"description": "DNSNames is a list of subject alt names to be used on the\nCertificate",
|
|
||||||
"items": {
|
|
||||||
"type": "string"
|
|
||||||
},
|
|
||||||
"type": "array"
|
|
||||||
},
|
|
||||||
"duration": {
|
|
||||||
"description": "Certificate default Duration",
|
|
||||||
"type": "string"
|
|
||||||
},
|
|
||||||
"ipAddresses": {
|
|
||||||
"description": "IPAddresses is a list of IP addresses to be used on the\nCertificate",
|
|
||||||
"items": {
|
|
||||||
"type": "string"
|
|
||||||
},
|
|
||||||
"type": "array"
|
|
||||||
},
|
|
||||||
"isCA": {
|
|
||||||
"description": "IsCA will mark this Certificate as valid for signing. This\nimplies that the 'signing' usage is set",
|
|
||||||
"type": "boolean"
|
|
||||||
},
|
|
||||||
"issuerRef": {
|
|
||||||
"description": "IssuerRef is a reference to the issuer for this certificate.\nIf the 'kind' field is not set, or set to 'Issuer', an Issuer resource\nwith the given name in the same namespace as the Certificate will\nbe used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer\nwith the provided name will be used. The 'name' field in this stanza\nis required at all times.",
|
|
||||||
"properties": {
|
|
||||||
"kind": {
|
|
||||||
"type": "string"
|
|
||||||
},
|
|
||||||
"name": {
|
|
||||||
"type": "string"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"required": [
|
|
||||||
"name"
|
|
||||||
],
|
|
||||||
"type": "object"
|
|
||||||
},
|
|
||||||
"keyAlgorithm": {
|
|
||||||
"description": "KeyAlgorithm is the private key algorithm of the corresponding\nprivate key for this certificate. If provided, allowed values are\neither \"rsa\" or \"ecdsa\" If KeyAlgorithm is specified and KeySize is\nnot provided, key size of 256 will be used for \"ecdsa\" key algorithm\nand key size of 2048 will be used for \"rsa\" key algorithm.",
|
|
||||||
"enum": [
|
|
||||||
"rsa",
|
|
||||||
"ecdsa"
|
|
||||||
],
|
|
||||||
"type": "string"
|
|
||||||
},
|
|
||||||
"keySize": {
|
|
||||||
"description": "KeySize is the key bit size of the corresponding private\nkey for this certificate. If provided, value must be between 2048\nand 8192 inclusive when KeyAlgorithm is empty or is set to \"rsa\",\nand value must be one of (256, 384, 521) when KeyAlgorithm is set\nto \"ecdsa\".",
|
|
||||||
"format": "int64",
|
|
||||||
"type": "integer"
|
|
||||||
},
|
|
||||||
"organization": {
|
|
||||||
"description": "Organization is the organization to be used on the Certificate",
|
|
||||||
"items": {
|
|
||||||
"type": "string"
|
|
||||||
},
|
|
||||||
"type": "array"
|
|
||||||
},
|
|
||||||
"renewBefore": {
|
|
||||||
"description": "Certificate renew before expiration duration",
|
|
||||||
"type": "string"
|
|
||||||
},
|
|
||||||
"secretName": {
|
|
||||||
"description": "SecretName is the name of the secret resource to store\nthis secret in",
|
|
||||||
"type": "string"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"required": [
|
|
||||||
"secretName",
|
|
||||||
"issuerRef"
|
|
||||||
],
|
|
||||||
"type": "object"
|
|
||||||
},
|
|
||||||
"status": {
|
|
||||||
"properties": {
|
|
||||||
"conditions": {
|
|
||||||
"items": {
|
|
||||||
"properties": {
|
|
||||||
"lastTransitionTime": {
|
|
||||||
"description": "LastTransitionTime is the timestamp corresponding\nto the last status change of this condition.",
|
|
||||||
"format": "date-time",
|
|
||||||
"type": "string"
|
|
||||||
},
|
|
||||||
"message": {
|
|
||||||
"description": "Message is a human readable description of the details\nof the last transition, complementing reason.",
|
|
||||||
"type": "string"
|
|
||||||
},
|
|
||||||
"reason": {
|
|
||||||
"description": "Reason is a brief machine readable explanation for\nthe condition's last transition.",
|
|
||||||
"type": "string"
|
|
||||||
},
|
|
||||||
"status": {
|
|
||||||
"description": "Status of the condition, one of ('True', 'False',\n'Unknown').",
|
|
||||||
"enum": [
|
|
||||||
"True",
|
|
||||||
"False",
|
|
||||||
"Unknown"
|
|
||||||
],
|
|
||||||
"type": "string"
|
|
||||||
},
|
|
||||||
"type": {
|
|
||||||
"description": "Type of the condition, currently ('Ready').",
|
|
||||||
"type": "string"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"required": [
|
|
||||||
"type",
|
|
||||||
"status",
|
|
||||||
"lastTransitionTime",
|
|
||||||
"reason",
|
|
||||||
"message"
|
|
||||||
],
|
|
||||||
"type": "object"
|
|
||||||
},
|
|
||||||
"type": "array"
|
|
||||||
},
|
|
||||||
"lastFailureTime": {
|
|
||||||
"format": "date-time",
|
|
||||||
"type": "string"
|
|
||||||
},
|
|
||||||
"notAfter": {
|
|
||||||
"description": "The expiration time of the certificate stored in the secret\nnamed by this resource in spec.secretName.",
|
|
||||||
"format": "date-time",
|
|
||||||
"type": "string"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"type": "object"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
},
|
|
||||||
},
|
|
||||||
challenges: kube.CustomResourceDefinition("certmanager.k8s.io", "v1alpha1", "Challenge") {
|
|
||||||
spec+: {
|
|
||||||
additionalPrinterColumns: [
|
|
||||||
{ name: "State", type: "string", JSONPath: ".status.state" },
|
|
||||||
{ name: "Domain", type: "string", JSONPath: ".spec.dnsName" },
|
|
||||||
{ name: "Reason", type: "string", JSONPath: ".status.reason", priority: 1 },
|
|
||||||
{ name: "Age", type: "date", JSONPath: ".metadata.creationTimestamp" },
|
|
||||||
],
|
|
||||||
validation: {
|
|
||||||
# ...
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
clusterissuers: kube.CustomResourceDefinition("certmanager.k8s.io", "v1alpha1", "ClusterIssuer") {
|
|
||||||
spec+: {
|
|
||||||
validation: {
|
|
||||||
# ...
|
|
||||||
},
|
|
||||||
scope: "Cluster",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
issuers: kube.CustomResourceDefinition("certmanager.k8s.io", "v1alpha1", "Issuer") {
|
|
||||||
spec+: {
|
|
||||||
validation: {
|
|
||||||
# ...
|
|
||||||
},
|
|
||||||
scope: "Namespaced",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
orders: kube.CustomResourceDefinition("certmanager.k8s.io", "v1alpha1", "Order") {
|
|
||||||
spec+: {
|
|
||||||
additionalPrinterColumns: [
|
|
||||||
{ name: "State", type: "string", JSONPath: ".status.state" },
|
|
||||||
{ name: "Issuer", type: "string", JSONPath: ".spec.issuerRef.name", priority: 1 },
|
|
||||||
{ name: "Reason", type: "string", JSONPath: ".status.reason", priority: 1 },
|
|
||||||
{ name: "Age", type: "date", JSONPath: ".metadata.creationTimestamp" },
|
|
||||||
],
|
|
||||||
validation: {
|
|
||||||
# ...
|
|
||||||
},
|
|
||||||
scope: "Namespaced",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
|
|
||||||
sas: {
|
sas: {
|
||||||
cainjector: kube.ServiceAccount("cert-manager-cainjector") {
|
cainjector: kube.ServiceAccount("cert-manager-cainjector") {
|
||||||
metadata+: env.metadata,
|
metadata+: env.metadata,
|
||||||
|
@ -270,116 +31,18 @@ local kube = import "../../../kube/kube.libsonnet";
|
||||||
webhook: kube.ServiceAccount("cert-manager-webhook") {
|
webhook: kube.ServiceAccount("cert-manager-webhook") {
|
||||||
metadata+: env.metadata,
|
metadata+: env.metadata,
|
||||||
},
|
},
|
||||||
certmanager: kube.ServiceAccount("cert-manager") {
|
certManager: kube.ServiceAccount("cert-manager") {
|
||||||
metadata+: env.metadata,
|
metadata+: env.metadata,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
||||||
crs: {
|
crds: (std.native("parseYaml"))(importstr "./cert-manager.crds.yaml"),
|
||||||
cainjector: kube.ClusterRole("cert-manager-cainjector") {
|
|
||||||
rules: [
|
|
||||||
{
|
|
||||||
apiGroups: ["certmanager.k8s.io"],
|
|
||||||
resources: ["certificates"],
|
|
||||||
verbs: ["get", "list", "watch"],
|
|
||||||
},
|
|
||||||
{
|
|
||||||
apiGroups: [""],
|
|
||||||
resources: ["secrets"],
|
|
||||||
verbs: ["get", "list", "watch"],
|
|
||||||
},
|
|
||||||
{
|
|
||||||
apiGroups: [""],
|
|
||||||
resources: ["configmaps", "events"],
|
|
||||||
verbs: ["*"],
|
|
||||||
},
|
|
||||||
|
|
||||||
{
|
rbac: (import "./cert-manager-rbac.libsonnet") {
|
||||||
apiGroups: ["admissionregistration.k8s.io"],
|
env:: env,
|
||||||
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"],
|
sas:: env.sas,
|
||||||
verbs: ["*"],
|
|
||||||
},
|
|
||||||
{
|
|
||||||
apiGroups: ["apiregistration.k8s.io"],
|
|
||||||
resources: ["apiservices"],
|
|
||||||
verbs: ["*"],
|
|
||||||
},
|
|
||||||
],
|
|
||||||
},
|
|
||||||
certmanager: kube.ClusterRole("cert-manager") {
|
|
||||||
rules: [
|
|
||||||
{
|
|
||||||
apiGroups: ["certmanager.k8s.io"],
|
|
||||||
resources: ["certificates", "certificates/finalizers", "issuers", "clusterissuers", "orders", "orders/finalizers", "challenges"],
|
|
||||||
verbs: ["*"],
|
|
||||||
},
|
|
||||||
{
|
|
||||||
apiGroups: [""],
|
|
||||||
resources: ["configmaps", "secrets", "events", "services", "pods"],
|
|
||||||
verbs: ["*"],
|
|
||||||
},
|
|
||||||
{
|
|
||||||
apiGroups: ["extensions"],
|
|
||||||
resources: ["ingresses"],
|
|
||||||
verbs: ["*"],
|
|
||||||
},
|
|
||||||
],
|
|
||||||
},
|
|
||||||
certmanagerView: kube.ClusterRole("cert-manager-view") {
|
|
||||||
rules: [
|
|
||||||
{
|
|
||||||
apiGroups: ["certmanager.k8s.io"],
|
|
||||||
resources: ["certificates", "issuers"],
|
|
||||||
verbs: ["get", "list", "watch"],
|
|
||||||
},
|
|
||||||
],
|
|
||||||
},
|
|
||||||
certmanagerEdit: kube.ClusterRole("cert-manager-edit") {
|
|
||||||
rules: [
|
|
||||||
{
|
|
||||||
apiGroups: ["certmanager.k8s.io"],
|
|
||||||
resources: ["certificates", "issuers"],
|
|
||||||
verbs: ["create", "delete", "deletecollection", "patch", "update"],
|
|
||||||
},
|
|
||||||
],
|
|
||||||
},
|
|
||||||
webhookRequester: kube.ClusterRole("cert-manager-webhook:webhook-requester") {
|
|
||||||
rules: [
|
|
||||||
{
|
|
||||||
apiGroups: ["admission.certmanager.k8s.io"],
|
|
||||||
resources: ["certificates", "issuers", "clusterissuers"],
|
|
||||||
verbs: ["create"],
|
|
||||||
},
|
|
||||||
],
|
|
||||||
},
|
|
||||||
},
|
|
||||||
rbs: {
|
|
||||||
cainjector: kube.ClusterRoleBinding("cert-manager-cainjector") {
|
|
||||||
roleRef_: env.crs.cainjector,
|
|
||||||
subjects_: [ env.sas.cainjector ],
|
|
||||||
},
|
|
||||||
certmanager: kube.ClusterRoleBinding("cert-manager") {
|
|
||||||
roleRef_: env.crs.certmanager,
|
|
||||||
subjects_: [ env.sas.certmanager ],
|
|
||||||
},
|
|
||||||
webhookAuthDelegator: kube.ClusterRoleBinding("cert-manager-webhook:auth-delegator") {
|
|
||||||
roleRef_: {
|
|
||||||
kind: "ClusterRole",
|
|
||||||
metadata: { name: "system:auth-delegator" },
|
|
||||||
},
|
|
||||||
subjects_: [ env.sas.webhook ],
|
|
||||||
},
|
|
||||||
webhookAuthReader: kube.RoleBinding("cert-manager-webhook:webhook-authentication-reader") {
|
|
||||||
metadata+: {
|
|
||||||
namespace: "kube-system",
|
|
||||||
},
|
|
||||||
roleRef_: {
|
|
||||||
kind: "Role",
|
|
||||||
metadata: { name: "extension-apiserver-authentication-reader" },
|
|
||||||
},
|
|
||||||
subjects_: [ env.sas.webhook ],
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
|
|
||||||
deployments: {
|
deployments: {
|
||||||
cainjector: kube.Deployment("cert-manager-cainjector") {
|
cainjector: kube.Deployment("cert-manager-cainjector") {
|
||||||
metadata+: env.metadata,
|
metadata+: env.metadata,
|
||||||
|
@ -392,7 +55,8 @@ local kube = import "../../../kube/kube.libsonnet";
|
||||||
cainjector: kube.Container("cainjector") {
|
cainjector: kube.Container("cainjector") {
|
||||||
image: "quay.io/jetstack/cert-manager-cainjector:" + cfg.version,
|
image: "quay.io/jetstack/cert-manager-cainjector:" + cfg.version,
|
||||||
args: [
|
args: [
|
||||||
"--leader-election-namespace=%s" % [cfg.namespace],
|
"--v=2",
|
||||||
|
"--leader-election-namespace=%s" % [cfg.leaderElectionNamespace],
|
||||||
],
|
],
|
||||||
env_: {
|
env_: {
|
||||||
POD_NAMESPACE: kube.FieldRef("metadata.namespace"),
|
POD_NAMESPACE: kube.FieldRef("metadata.namespace"),
|
||||||
|
@ -410,7 +74,7 @@ local kube = import "../../../kube/kube.libsonnet";
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
spec+: {
|
spec+: {
|
||||||
replicas: 1,
|
replicas: if cfg.enableWebhook then 1 else 0,
|
||||||
template+: {
|
template+: {
|
||||||
spec+: {
|
spec+: {
|
||||||
serviceAccountName: env.sas.webhook.metadata.name,
|
serviceAccountName: env.sas.webhook.metadata.name,
|
||||||
|
@ -418,28 +82,20 @@ local kube = import "../../../kube/kube.libsonnet";
|
||||||
webhook: kube.Container("webhook") {
|
webhook: kube.Container("webhook") {
|
||||||
image: "quay.io/jetstack/cert-manager-webhook:" + cfg.version,
|
image: "quay.io/jetstack/cert-manager-webhook:" + cfg.version,
|
||||||
args: [
|
args: [
|
||||||
"--v=12",
|
"--v=2",
|
||||||
"--secure-port=6443",
|
"--secure-port=10250",
|
||||||
"--tls-cert-file=/certs/tls.crt",
|
"--dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)",
|
||||||
"--tls-private-key-file=/certs/tls.key",
|
"--dynamic-serving-ca-secret-name=cert-manager-webhook-ca",
|
||||||
|
"--dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc",
|
||||||
],
|
],
|
||||||
env_: {
|
env_: {
|
||||||
POD_NAMESPACE: kube.FieldRef("metadata.namespace"),
|
POD_NAMESPACE: kube.FieldRef("metadata.namespace"),
|
||||||
},
|
},
|
||||||
ports_: { // changed
|
ports_: {
|
||||||
https: { containerPort: 6443 },
|
https: { containerPort: 10250 },
|
||||||
},
|
|
||||||
volumeMounts_: {
|
|
||||||
certs: { mountPath: "/certs" },
|
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
volumes_: {
|
|
||||||
certs: {
|
|
||||||
secret: { secretName: env.certificates.webhookTLS.spec.secretName },
|
|
||||||
},
|
|
||||||
// kube.SecretVolume(env.secrets.webhook_tls),
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -450,17 +106,19 @@ local kube = import "../../../kube/kube.libsonnet";
|
||||||
replicas: 1,
|
replicas: 1,
|
||||||
template+: {
|
template+: {
|
||||||
spec+: {
|
spec+: {
|
||||||
serviceAccountName: env.sas.certmanager.metadata.name,
|
serviceAccountName: env.sas.certManager.metadata.name,
|
||||||
dnsPolicy: "None",
|
dnsPolicy: "None",
|
||||||
dnsConfig: {
|
dnsConfig: {
|
||||||
nameservers: ["8.8.8.8"],
|
nameservers: ["8.8.8.8"],
|
||||||
},
|
},
|
||||||
|
# TODO: liveness probe, readiness probe
|
||||||
containers_: {
|
containers_: {
|
||||||
webhook: kube.Container("cert-manager") {
|
webhook: kube.Container("cert-manager") {
|
||||||
image: "quay.io/jetstack/cert-manager-controller:" + cfg.version,
|
image: "quay.io/jetstack/cert-manager-controller:" + cfg.version,
|
||||||
args: [
|
args: [
|
||||||
|
"--v=2",
|
||||||
"--cluster-resource-namespace=%s" % [cfg.namespace],
|
"--cluster-resource-namespace=%s" % [cfg.namespace],
|
||||||
"--leader-election-namespace=%s" % [cfg.namespace],
|
"--leader-election-namespace=%s" % [cfg.leaderElectionNamespace],
|
||||||
],
|
],
|
||||||
env_: {
|
env_: {
|
||||||
POD_NAMESPACE: kube.FieldRef("metadata.namespace"),
|
POD_NAMESPACE: kube.FieldRef("metadata.namespace"),
|
||||||
|
@ -481,14 +139,26 @@ local kube = import "../../../kube/kube.libsonnet";
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
service: kube.Service("cert-manager-webhook") {
|
services: {
|
||||||
metadata+: env.metadata,
|
certmanager: kube.Service("cert-manager") {
|
||||||
target_pod:: env.deployments.webhook.spec.template,
|
metadata+: env.metadata,
|
||||||
spec+: {
|
target_pod:: env.deployments.certmanager.spec.template,
|
||||||
type: "ClusterIP",
|
spec+: {
|
||||||
ports: [
|
type: "ClusterIP",
|
||||||
{ name: "https", port: 443, targetPort: 6443, protocol: "TCP" },
|
ports: [
|
||||||
],
|
{ name: "tcp-prometheus-servicemonitor", port: 9402, targetPort: 9402, protocol: "TCP"},
|
||||||
|
],
|
||||||
|
},
|
||||||
|
},
|
||||||
|
webhook: kube.Service("cert-manager-webhook") {
|
||||||
|
metadata+: env.metadata,
|
||||||
|
target_pod:: env.deployments.webhook.spec.template,
|
||||||
|
spec+: {
|
||||||
|
type: "ClusterIP",
|
||||||
|
ports: [
|
||||||
|
{ name: "https", port: 443, targetPort: 10250, protocol: "TCP" },
|
||||||
|
],
|
||||||
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
apiservice: if cfg.enableWebhook then kube._Object("apiregistration.k8s.io/v1beta1", "APIService", "v1beta1.admission.certmanager.k8s.io") {
|
apiservice: if cfg.enableWebhook then kube._Object("apiregistration.k8s.io/v1beta1", "APIService", "v1beta1.admission.certmanager.k8s.io") {
|
||||||
|
@ -504,200 +174,86 @@ local kube = import "../../../kube/kube.libsonnet";
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
||||||
issuers: {
|
webhooks: if cfg.enableWebhook then {
|
||||||
webhookSelfsign: kube.Issuer("cert-manager-webhook-selfsign") {
|
mutating: kube._Object("admissionregistration.k8s.io/v1", "MutatingWebhookConfiguration", "cert-manager-webhook") {
|
||||||
metadata+: env.metadata,
|
metadata+: {
|
||||||
spec: {
|
annotations: {
|
||||||
selfSigned: {},
|
"cert-manager.io/inject-ca-from-secret": "%s/cert-manager-webhook-ca" % [cfg.namespace],
|
||||||
},
|
|
||||||
},
|
|
||||||
webhookCA: kube.Issuer("cert-manager-webhook-ca") {
|
|
||||||
metadata+: env.metadata,
|
|
||||||
spec: {
|
|
||||||
ca: {
|
|
||||||
secretName: env.certificates.webhookCA.spec.secretName,
|
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
webhooks: [
|
||||||
},
|
{
|
||||||
certificates: {
|
name: "webhook.cert-manager.io",
|
||||||
webhookCA: kube.Certificate("cert-manager-webhook-ca") {
|
rules: [
|
||||||
metadata+: env.metadata,
|
|
||||||
spec: {
|
|
||||||
secretName: "cert-manager-webhook-ca",
|
|
||||||
duration: "43800h0m0s", // 5 years
|
|
||||||
issuerRef: {
|
|
||||||
name: env.issuers.webhookSelfsign.metadata.name,
|
|
||||||
},
|
|
||||||
commonName: "ca.webhook.cert-manager",
|
|
||||||
isCA: true,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
webhookTLS: kube.Certificate("cert-manager-webhook-webhook-tls") {
|
|
||||||
metadata+: env.metadata,
|
|
||||||
spec: {
|
|
||||||
secretName: "cert-manager-webhook-webhook-tls",
|
|
||||||
duration: "8760h0m0s", // 1 year
|
|
||||||
issuerRef: {
|
|
||||||
name: env.issuers.webhookSelfsign.metadata.name,
|
|
||||||
},
|
|
||||||
dnsNames: [
|
|
||||||
"cert-manager-webhook",
|
|
||||||
"cert-manager-webhook.cert-manager",
|
|
||||||
"cert-manager-webhook.cert-manager.svc",
|
|
||||||
],
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
admission: if cfg.enableWebhook then kube._Object("admissionregistration.k8s.io/v1beta1", "ValidatingWebhookConfiguration", "cert-manager-webhook") {
|
|
||||||
metadata+: {
|
|
||||||
annotations: {
|
|
||||||
},
|
|
||||||
},
|
|
||||||
// Copied from official yaml
|
|
||||||
webhooks: [
|
|
||||||
{
|
|
||||||
"name": "certificates.admission.certmanager.k8s.io",
|
|
||||||
"namespaceSelector": {
|
|
||||||
"matchExpressions": [
|
|
||||||
{
|
{
|
||||||
"key": "certmanager.k8s.io/disable-validation",
|
apiGRoups: ["cert-manager.io", "acme.cert-manager.io"],
|
||||||
"operator": "NotIn",
|
apiVersions: ["v1"],
|
||||||
"values": [
|
operations: ["CREATE", "UPDATE"],
|
||||||
"true"
|
resources: ["*/*"],
|
||||||
]
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"key": "name",
|
|
||||||
"operator": "NotIn",
|
|
||||||
"values": [
|
|
||||||
"cert-manager"
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
]
|
],
|
||||||
},
|
admissionReviewVersions: ["v1", "v1beta1"],
|
||||||
"rules": [
|
matchPolicy: "Equivalent",
|
||||||
{
|
timeoutSeconds: 10,
|
||||||
"apiGroups": [
|
failurePolicy: "Fail",
|
||||||
"certmanager.k8s.io"
|
sideEffects: "None",
|
||||||
],
|
clientConfig: {
|
||||||
"apiVersions": [
|
service: {
|
||||||
"v1alpha1"
|
name: "cert-manager-webhook",
|
||||||
],
|
namespace: cfg.namespace,
|
||||||
"operations": [
|
path: "/mutate",
|
||||||
"CREATE",
|
|
||||||
"UPDATE"
|
|
||||||
],
|
|
||||||
"resources": [
|
|
||||||
"certificates"
|
|
||||||
]
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"failurePolicy": "Fail",
|
|
||||||
"clientConfig": {
|
|
||||||
"service": {
|
|
||||||
"name": "kubernetes",
|
|
||||||
"namespace": "default",
|
|
||||||
"path": "/apis/admission.certmanager.k8s.io/v1beta1/certificates"
|
|
||||||
},
|
|
||||||
"caBundle": "",
|
|
||||||
}
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"name": "issuers.admission.certmanager.k8s.io",
|
|
||||||
"namespaceSelector": {
|
|
||||||
"matchExpressions": [
|
|
||||||
{
|
|
||||||
"key": "certmanager.k8s.io/disable-validation",
|
|
||||||
"operator": "NotIn",
|
|
||||||
"values": [
|
|
||||||
"true"
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
{
|
|
||||||
"key": "name",
|
|
||||||
"operator": "NotIn",
|
|
||||||
"values": [
|
|
||||||
"cert-manager"
|
|
||||||
]
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"rules": [
|
|
||||||
{
|
|
||||||
"apiGroups": [
|
|
||||||
"certmanager.k8s.io"
|
|
||||||
],
|
|
||||||
"apiVersions": [
|
|
||||||
"v1alpha1"
|
|
||||||
],
|
|
||||||
"operations": [
|
|
||||||
"CREATE",
|
|
||||||
"UPDATE"
|
|
||||||
],
|
|
||||||
"resources": [
|
|
||||||
"issuers"
|
|
||||||
]
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"failurePolicy": "Fail",
|
|
||||||
"clientConfig": {
|
|
||||||
"service": {
|
|
||||||
"name": "kubernetes",
|
|
||||||
"namespace": "default",
|
|
||||||
"path": "/apis/admission.certmanager.k8s.io/v1beta1/issuers"
|
|
||||||
},
|
},
|
||||||
"caBundle": "",
|
|
||||||
}
|
}
|
||||||
|
],
|
||||||
|
},
|
||||||
|
validating: kube._Object("admissionregistration.k8s.io/v1", "ValidatingWebhookConfiguration", "cert-manager-webhook") {
|
||||||
|
metadata+: {
|
||||||
|
annotations: {
|
||||||
|
"cert-manager.io/inject-ca-from-secret": "%s/cert-manager-webhook-ca" % [cfg.namespace],
|
||||||
|
},
|
||||||
},
|
},
|
||||||
{
|
// Copied from official yaml
|
||||||
"name": "clusterissuers.admission.certmanager.k8s.io",
|
webhooks: [
|
||||||
"namespaceSelector": {
|
{
|
||||||
"matchExpressions": [
|
name: "webhook.cert-manager.io",
|
||||||
{
|
namespaceSelector: {
|
||||||
"key": "certmanager.k8s.io/disable-validation",
|
matchExpressions: [
|
||||||
"operator": "NotIn",
|
{
|
||||||
"values": [
|
key: "cert-manager.io/disable-validation",
|
||||||
"true"
|
operator: "NotIn",
|
||||||
]
|
values: ["true"],
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"key": "name",
|
key: "name",
|
||||||
"operator": "NotIn",
|
operator: "NotIn",
|
||||||
"values": [
|
values: ["cert-manager"],
|
||||||
"cert-manager"
|
},
|
||||||
]
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"rules": [
|
|
||||||
{
|
|
||||||
"apiGroups": [
|
|
||||||
"certmanager.k8s.io"
|
|
||||||
],
|
],
|
||||||
"apiVersions": [
|
|
||||||
"v1alpha1"
|
|
||||||
],
|
|
||||||
"operations": [
|
|
||||||
"CREATE",
|
|
||||||
"UPDATE"
|
|
||||||
],
|
|
||||||
"resources": [
|
|
||||||
"clusterissuers"
|
|
||||||
]
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"failurePolicy": "Fail",
|
|
||||||
"clientConfig": {
|
|
||||||
"service": {
|
|
||||||
"name": "kubernetes",
|
|
||||||
"namespace": "default",
|
|
||||||
"path": "/apis/admission.certmanager.k8s.io/v1beta1/clusterissuers"
|
|
||||||
},
|
},
|
||||||
"caBundle": "",
|
rules: [
|
||||||
}
|
{
|
||||||
}
|
apiGroups: ["cert-manager.io", "acme.cert-manager.io"],
|
||||||
],
|
apiVersions: ["v1"],
|
||||||
|
operations: ["CREATE", "UPDATE"],
|
||||||
|
resources: ["*/*"],
|
||||||
|
}
|
||||||
|
],
|
||||||
|
admissionReviewVersions: ["v1", "v1beta1"],
|
||||||
|
matchPolicy: "Equivalent",
|
||||||
|
timeoutSeconds: 10,
|
||||||
|
failurePolicy: "Fail",
|
||||||
|
sideEffects: "None",
|
||||||
|
clientConfig: {
|
||||||
|
service: {
|
||||||
|
name: "cert-manager-webhook",
|
||||||
|
namespace: cfg.namespace,
|
||||||
|
path: "/validate",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
],
|
||||||
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
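Review bot: `apiGRoups:` in the mutating webhook's rule (new side of the `@ -504,200 +174,86 @@` hunk, inside `mutating:`) is a typo; the validating webhook further down spells the same field `apiGroups`. The API server has no field by that name, so the rule is submitted without any apiGroups and is either rejected by server-side validation or, if the unknown field is silently dropped, leaves the mutating webhook with a rule that matches nothing — in both cases the webhook is not enforced as this commit intends; change the line to `apiGroups: ["cert-manager.io", "acme.cert-manager.io"],`. Separately, in the `@ -418,28 +82,20 @@` hunk the webhook container's `--dynamic-serving-dns-names` hard-codes the `cert-manager` namespace while both webhook configurations point the API server at `namespace: cfg.namespace`; if the two ever differ, the dynamically issued serving certificate carries no SAN for the name the API server dials and, with `failurePolicy: "Fail"` set on both configurations, admission of every cert-manager resource is blocked. Deriving the list from the config keeps them in step: `"--dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.%s,cert-manager-webhook.%s.svc" % [cfg.namespace, cfg.namespace],`. The file section's header lies before this excerpt, so only the hunks shown here were reviewed.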
|
||||||
|
|