mirror of https://gerrit.hackerspace.pl/hscloud
cluster/cert-manager: update to v1.5.0
Change-Id: I7a4cdadc9956141292302bc004d09d6e9e22855e Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1497 Reviewed-by: informatic <informatic@hackerspace.pl>changes/97/1497/6
parent
926252c871
commit
3dd3ff5dcd
|
@ -0,0 +1,470 @@
|
|||
local kube = import "../../../kube/kube.libsonnet";
|
||||
{
|
||||
local top = self,
|
||||
crs: {
|
||||
cainjector: kube.ClusterRole("cert-manager-cainjector") {
|
||||
rules: [
|
||||
{
|
||||
apiGroups: ["cert-manager.io"],
|
||||
resources: ["certificates"],
|
||||
verbs: ["get", "list", "watch"],
|
||||
},
|
||||
{
|
||||
apiGroups: [""],
|
||||
resources: ["secrets"],
|
||||
verbs: ["get", "list", "watch"],
|
||||
},
|
||||
{
|
||||
apiGroups: [""],
|
||||
resources: ["events"],
|
||||
verbs: ["get", "create", "update", "patch"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["admissionregistration.k8s.io"],
|
||||
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"],
|
||||
verbs: ["get", "list", "watch", "update"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["apiregistration.k8s.io"],
|
||||
resources: ["apiservices"],
|
||||
verbs: ["get", "list", "watch", "update"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["apiextensions.k8s.io"],
|
||||
resources: ["customresourcedefinitions"],
|
||||
verbs: ["get", "list", "watch", "update"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["auditregistration.k8s.io"],
|
||||
resources: ["auditsinks"],
|
||||
verbs: ["get", "list", "watch", "update"],
|
||||
},
|
||||
],
|
||||
},
|
||||
controllerIssuers: kube.ClusterRole("cert-manager-controller-issuers") {
|
||||
rules: [
|
||||
{
|
||||
apiGroups: ["cert-manager.io"],
|
||||
resources: ["issuers", "issuers/status"],
|
||||
verbs: ["update"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["cert-manager.io"],
|
||||
resources: ["issuers"],
|
||||
verbs: ["get", "list", "watch"],
|
||||
},
|
||||
{
|
||||
apiGroups: [""],
|
||||
resources: ["secrets"],
|
||||
verbs: ["get", "list", "watch", "create", "update", "delete"],
|
||||
},
|
||||
{
|
||||
apiGroups: [""],
|
||||
resources: ["events"],
|
||||
verbs: ["create", "patch"],
|
||||
},
|
||||
],
|
||||
},
|
||||
controllerClusterissuers: kube.ClusterRole("cert-manager-controller-clusterissuers") {
|
||||
rules: [
|
||||
{
|
||||
apiGroups: ["cert-manager.io"],
|
||||
resources: ["clusterissuers", "clusterissuers/status"],
|
||||
verbs: ["update"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["cert-manager.io"],
|
||||
resources: ["clusterissuers"],
|
||||
verbs: ["get", "list", "watch"],
|
||||
},
|
||||
{
|
||||
apiGroups: [""],
|
||||
resources: ["secrets"],
|
||||
verbs: ["get", "list", "watch", "create", "update", "delete"],
|
||||
},
|
||||
{
|
||||
apiGroups: [""],
|
||||
resources: ["events"],
|
||||
verbs: ["create", "patch"],
|
||||
},
|
||||
],
|
||||
},
|
||||
controllerCertificates: kube.ClusterRole("cert-manager-controller-certificates") {
|
||||
rules: [
|
||||
{
|
||||
apiGroups: ["cert-manager.io"],
|
||||
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"],
|
||||
verbs: ["update"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["cert-manager.io"],
|
||||
resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"],
|
||||
verbs: ["get", "list", "watch"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["cert-manager.io"],
|
||||
resources: ["certificates/finalizers", "certificaterequests/finalizers"],
|
||||
verbs: ["update"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["acme.cert-manager.io"],
|
||||
resources: ["orders"],
|
||||
verbs: ["create", "delete", "get", "list", "watch"],
|
||||
},
|
||||
{
|
||||
apiGroups: [""],
|
||||
resources: ["secrets"],
|
||||
verbs: ["get", "list", "watch", "create", "update", "delete"],
|
||||
},
|
||||
{
|
||||
apiGroups: [""],
|
||||
resources: ["events"],
|
||||
verbs: ["create", "patch"],
|
||||
},
|
||||
],
|
||||
},
|
||||
controllerOrders: kube.ClusterRole("cert-manager-controller-orders") {
|
||||
rules: [
|
||||
{
|
||||
apiGroups: ["acme.cert-manager.io"],
|
||||
resources: ["orders", "orders/status"],
|
||||
verbs: ["update"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["acme.cert-manager.io"],
|
||||
resources: ["orders", "challenges"],
|
||||
verbs: ["get", "list", "watch"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["cert-manager.io"],
|
||||
resources: ["clusterissuers", "issuers"],
|
||||
verbs: ["get", "list", "watch"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["acme.cert-manager.io"],
|
||||
resources: ["challenges"],
|
||||
verbs: ["create", "delete"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["acme.cert-manager.io"],
|
||||
resources: ["orders/finalizers"],
|
||||
verbs: ["update"],
|
||||
},
|
||||
{
|
||||
apiGroups: [""],
|
||||
resources: ["secrets"],
|
||||
verbs: ["get", "list", "watch"],
|
||||
},
|
||||
{
|
||||
apiGroups: [""],
|
||||
resources: ["events"],
|
||||
verbs: ["create", "patch"],
|
||||
},
|
||||
],
|
||||
},
|
||||
controllerChallenges: kube.ClusterRole("cert-manager-controller-challenges") {
|
||||
rules: [
|
||||
{
|
||||
apiGroups: ["acme.cert-manager.io"],
|
||||
resources: ["challenges", "challenges/status"],
|
||||
verbs: ["update"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["acme.cert-manager.io"],
|
||||
resources: ["challenges"],
|
||||
verbs: ["get", "list", "watch"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["cert-manager.io"],
|
||||
resources: ["issuers", "clusterissuers"],
|
||||
verbs: ["get", "list", "watch"],
|
||||
},
|
||||
{
|
||||
apiGroups: [""],
|
||||
resources: ["secrets"],
|
||||
verbs: ["get", "list", "watch"],
|
||||
},
|
||||
{
|
||||
apiGroups: [""],
|
||||
resources: ["events"],
|
||||
verbs: ["create", "patch"],
|
||||
},
|
||||
{
|
||||
apiGroups: [""],
|
||||
resources: ["pods", "services"],
|
||||
verbs: ["get", "list", "watch", "create", "delete"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["networking.k8s.io"],
|
||||
resources: ["ingresses"],
|
||||
verbs: ["get", "list", "watch", "create", "delete", "update"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["networking.x-k8s.io"],
|
||||
resources: ["httproutes"],
|
||||
verbs: ["get", "list", "watch", "create", "delete", "update"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["route.openshift.io"],
|
||||
resources: ["routes/custom-host"],
|
||||
verbs: ["create"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["acme.cert-manager.io"],
|
||||
resources: ["challenges/finalizers"],
|
||||
verbs: ["update"],
|
||||
},
|
||||
{
|
||||
apiGroups: [""],
|
||||
resources: ["secrets"],
|
||||
verbs: ["get", "list", "watch"],
|
||||
},
|
||||
],
|
||||
},
|
||||
controllerIngressShim: kube.ClusterRole("cert-manager-controller-ingress-shim") {
|
||||
rules: [
|
||||
{
|
||||
apiGroups: ["cert-manager.io"],
|
||||
resources: ["certificates", "certificaterequests"],
|
||||
verbs: ["create", "update", "delete"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["cert-manager.io"],
|
||||
resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"],
|
||||
verbs: ["get", "list", "watch"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["networking.k8s.io"],
|
||||
resources: ["ingresses"],
|
||||
verbs: ["get", "list", "watch"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["networking.k8s.io"],
|
||||
resources: ["ingresses/finalizers"],
|
||||
verbs: ["update"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["networking.x-k8s.io"],
|
||||
resources: ["gateways", "httproutes"],
|
||||
verbs: ["get", "list", "watch"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["networking.x-k8s.io"],
|
||||
resources: ["gateways/finalizers", "httproutes/finalizers"],
|
||||
verbs: ["update"],
|
||||
},
|
||||
{
|
||||
apiGroups: [""],
|
||||
resources: ["events"],
|
||||
verbs: ["create", "patch"],
|
||||
},
|
||||
],
|
||||
},
|
||||
view: kube.ClusterRole("cert-manager-view") {
|
||||
rules: [
|
||||
{
|
||||
apiGroups: ["cert-manager.io"],
|
||||
resources: ["certificates", "certificaterequests", "issuers"],
|
||||
verbs: ["get", "list", "watch"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["acme.cert-manager.io"],
|
||||
resources: ["challenges", "orders"],
|
||||
verbs: ["get", "list", "watch"],
|
||||
},
|
||||
],
|
||||
},
|
||||
edit: kube.ClusterRole("cert-manager-edit") {
|
||||
rules: [
|
||||
{
|
||||
apiGroups: ["cert-manager.io"],
|
||||
resources: ["certificates", "certificaterequests", "issuers"],
|
||||
verbs: ["create", "delete", "deletecollection", "patch", "update"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["acme.cert-manager.io"],
|
||||
resources: ["challenges", "orders"],
|
||||
verbs: ["create", "delete", "deletecollection", "patch", "update"],
|
||||
},
|
||||
],
|
||||
},
|
||||
controllerApproveCertManagerIo: kube.ClusterRole("cert-manager-controller-approve:cert-manager-io") {
|
||||
rules: [
|
||||
{
|
||||
apiGroups: ["cert-manager.io"],
|
||||
resources: ["signers"],
|
||||
verbs: ["approve"],
|
||||
},
|
||||
],
|
||||
},
|
||||
controllerCertificatesigningrequests: kube.ClusterRole("cert-manager-controller-certificatesigningrequests") {
|
||||
rules: [
|
||||
{
|
||||
apiGroups: ["certificates.k8s.io"],
|
||||
resources: ["certificatesigningrequests"],
|
||||
verbs: ["get", "list", "watch", "update"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["certificates.k8s.io"],
|
||||
resources: ["certificatesigningrequests/status"],
|
||||
verbs: ["update"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["certificates.k8s.io"],
|
||||
resources: ["signers"],
|
||||
verbs: ["sign"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["authorization.k8s.io"],
|
||||
resources: ["subjectaccessreviews"],
|
||||
verbs: ["create"],
|
||||
},
|
||||
],
|
||||
},
|
||||
webhookSubjectaccessreviews: kube.ClusterRole("cert-manager-webhook:subjectaccessreviews") {
|
||||
rules: [
|
||||
{
|
||||
apiGroups: ["authorization.k8s.io"],
|
||||
resources: ["subjectaccessreviews"],
|
||||
verbs: ["create"],
|
||||
},
|
||||
],
|
||||
},
|
||||
},
|
||||
crbs: {
|
||||
cainjector: kube.ClusterRoleBinding("cert-manager-cainjector") {
|
||||
roleRef_: top.crs.cainjector,
|
||||
subjects_: [top.sas.cainjector],
|
||||
},
|
||||
controllerIssuers: kube.ClusterRoleBinding("cert-manager-controller-issuers") {
|
||||
roleRef_: top.crs.controllerIssuers,
|
||||
subjects_: [top.sas.certManager],
|
||||
},
|
||||
controllerClusterissuers: kube.ClusterRoleBinding("cert-manager-controller-clusterissuers") {
|
||||
roleRef_: top.crs.controllerClusterissuers,
|
||||
subjects_: [top.sas.certManager],
|
||||
},
|
||||
controllerCertificates: kube.ClusterRoleBinding("cert-manager-controller-certificates") {
|
||||
roleRef_: top.crs.controllerCertificates,
|
||||
subjects_: [top.sas.certManager],
|
||||
},
|
||||
controllerOrders: kube.ClusterRoleBinding("cert-manager-controller-orders") {
|
||||
roleRef_: top.crs.controllerOrders,
|
||||
subjects_: [top.sas.certManager],
|
||||
},
|
||||
controllerChallenges: kube.ClusterRoleBinding("cert-manager-controller-challenges") {
|
||||
roleRef_: top.crs.controllerChallenges,
|
||||
subjects_: [top.sas.certManager],
|
||||
},
|
||||
controllerIngressShim: kube.ClusterRoleBinding("cert-manager-controller-ingress-shim") {
|
||||
roleRef_: top.crs.controllerIngressShim,
|
||||
subjects_: [top.sas.certManager],
|
||||
},
|
||||
controllerApproveCertManagerIo: kube.ClusterRoleBinding("cert-manager-controller-approve:cert-manager-io") {
|
||||
roleRef_: top.crs.controllerApproveCertManagerIo,
|
||||
subjects_: [top.sas.certManager],
|
||||
},
|
||||
controllerCertificatesigningrequests: kube.ClusterRoleBinding("cert-manager-controller-certificatesigningrequests") {
|
||||
roleRef_: top.crs.controllerCertificatesigningrequests,
|
||||
subjects_: [top.sas.certManager],
|
||||
},
|
||||
webhookSubjectaccessreviews: kube.ClusterRoleBinding("cert-manager-webhook:subjectaccessreviews") {
|
||||
roleRef_: top.crs.webhookSubjectaccessreviews,
|
||||
subjects_: [top.sas.webhook],
|
||||
},
|
||||
},
|
||||
roles: {
|
||||
cainjectorLeaderelection: kube.Role("cert-manager-cainjector:leaderelection") {
|
||||
metadata+: top.env.metadata {
|
||||
namespace: "kube-system",
|
||||
},
|
||||
rules: [
|
||||
{
|
||||
apiGroups: [""],
|
||||
resources: ["configmaps"],
|
||||
verbs: ["get", "update", "patch"],
|
||||
},
|
||||
{
|
||||
apiGroups: [""],
|
||||
resources: ["configmaps"],
|
||||
verbs: ["create"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["coordination.k8s.io"],
|
||||
resources: ["leases"],
|
||||
verbs: ["get", "update", "patch"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["coordination.k8s.io"],
|
||||
resources: ["leases"],
|
||||
verbs: ["create"],
|
||||
}
|
||||
],
|
||||
},
|
||||
leaderelection: kube.Role("cert-manager:leaderelection") {
|
||||
metadata+: top.env.metadata {
|
||||
namespace: "kube-system",
|
||||
},
|
||||
rules: [
|
||||
{
|
||||
apiGroups: [""],
|
||||
resources: ["configmaps"],
|
||||
verbs: ["get", "update", "patch"],
|
||||
},
|
||||
{
|
||||
apiGroups: [""],
|
||||
resources: ["configmaps"],
|
||||
verbs: ["create"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["coordination.k8s.io"],
|
||||
resources: ["leases"],
|
||||
verbs: ["get", "update", "patch"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["coordination.k8s.io"],
|
||||
resources: ["leases"],
|
||||
verbs: ["create"],
|
||||
},
|
||||
],
|
||||
},
|
||||
webhookDynamicServing: kube.Role("cert-manager-webhook:dynamic-serving") {
|
||||
metadata+: top.env.metadata,
|
||||
rules: [
|
||||
{
|
||||
apiGroups: [""],
|
||||
resources: ["secrets"],
|
||||
verbs: ["get", "list", "watch", "update"],
|
||||
},
|
||||
{
|
||||
apiGroups: [""],
|
||||
resources: ["secrets"],
|
||||
verbs: ["create"],
|
||||
},
|
||||
],
|
||||
},
|
||||
},
|
||||
rbs: {
|
||||
cainjectorLeaderelection: kube.RoleBinding("cert-manager-cainjector:leaderelection") {
|
||||
metadata+: {
|
||||
namespace: "kube-system",
|
||||
},
|
||||
roleRef_: top.roles.cainjectorLeaderelection,
|
||||
subjects_: [top.sas.cainjector],
|
||||
},
|
||||
leaderelection: kube.RoleBinding("cert-manager:leaderelection") {
|
||||
metadata+: {
|
||||
namespace: "kube-system",
|
||||
},
|
||||
roleRef_: top.roles.leaderelection,
|
||||
subjects_: [top.sas.certManager],
|
||||
},
|
||||
webhookDynamicServing: kube.RoleBinding("cert-manager-webhook:dynamic-serving") {
|
||||
metadata+: {
|
||||
namespace: top.env.metadata.namespace,
|
||||
},
|
||||
roleRef_: top.roles.webhookDynamicServing,
|
||||
subjects_: [top.sas.webhook],
|
||||
},
|
||||
},
|
||||
}
|
File diff suppressed because it is too large
Load Diff
|
@ -10,8 +10,9 @@ local kube = import "../../../kube/kube.libsonnet";
|
|||
|
||||
cfg:: {
|
||||
namespace: "cert-manager",
|
||||
leaderElectionNamespace: "kube-system",
|
||||
enableWebhook: false,
|
||||
version: "v0.9.1",
|
||||
version: "v1.5.0",
|
||||
},
|
||||
|
||||
metadata:: {
|
||||
|
@ -23,246 +24,6 @@ local kube = import "../../../kube/kube.libsonnet";
|
|||
labels: { "certmanager.k8s.io/disable-validation": "true" },
|
||||
},
|
||||
},
|
||||
|
||||
crds: {
|
||||
certificates: kube.CustomResourceDefinition("certmanager.k8s.io", "v1alpha1", "Certificate") {
|
||||
spec+: {
|
||||
additionalPrinterColumns: [
|
||||
{ name: "Ready", type: "string", JSONPath: ".status.conditions[?(@.type==\"Ready\")].status" },
|
||||
{ name: "Secret", type: "string", JSONPath: ".spec.secretName" },
|
||||
{ name: "Issuer", type: "string", JSONPath: ".spec.issuerRef.name", priority: 1 },
|
||||
{ name: "Status", type: "string", JSONPath: ".status.conditions[?(@.type==\"Ready\")].message", priority: 1 },
|
||||
{ name: "Age", type: "date", JSONPath: ".metadata.creationTimestamp" },
|
||||
],
|
||||
names+: {
|
||||
shortNames+: ["cert", "certs"],
|
||||
},
|
||||
scope: "Namespaced",
|
||||
validation: {
|
||||
# Converted from official YAML
|
||||
"openAPIV3Schema": {
|
||||
"properties": {
|
||||
"apiVersion": {
|
||||
"description": "APIVersion defines the versioned schema of this representation\nof an object. Servers should convert recognized schemas to the latest\ninternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources",
|
||||
"type": "string"
|
||||
},
|
||||
"kind": {
|
||||
"description": "Kind is a string value representing the REST resource this\nobject represents. Servers may infer this from the endpoint the client\nsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
|
||||
"type": "string"
|
||||
},
|
||||
"metadata": {
|
||||
"type": "object"
|
||||
},
|
||||
"spec": {
|
||||
"properties": {
|
||||
"acme": {
|
||||
"description": "ACME contains configuration specific to ACME Certificates.\nNotably, this contains details on how the domain names listed on this\nCertificate resource should be 'solved', i.e. mapping HTTP01 and DNS01\nproviders to DNS names.",
|
||||
"properties": {
|
||||
"config": {
|
||||
"items": {
|
||||
"properties": {
|
||||
"domains": {
|
||||
"description": "Domains is the list of domains that this SolverConfig\napplies to.",
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"type": "array"
|
||||
}
|
||||
},
|
||||
"required": [
|
||||
"domains"
|
||||
],
|
||||
"type": "object"
|
||||
},
|
||||
"type": "array"
|
||||
}
|
||||
},
|
||||
"required": [
|
||||
"config"
|
||||
],
|
||||
"type": "object"
|
||||
},
|
||||
"commonName": {
|
||||
"description": "CommonName is a common name to be used on the Certificate",
|
||||
"type": "string"
|
||||
},
|
||||
"dnsNames": {
|
||||
"description": "DNSNames is a list of subject alt names to be used on the\nCertificate",
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"type": "array"
|
||||
},
|
||||
"duration": {
|
||||
"description": "Certificate default Duration",
|
||||
"type": "string"
|
||||
},
|
||||
"ipAddresses": {
|
||||
"description": "IPAddresses is a list of IP addresses to be used on the\nCertificate",
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"type": "array"
|
||||
},
|
||||
"isCA": {
|
||||
"description": "IsCA will mark this Certificate as valid for signing. This\nimplies that the 'signing' usage is set",
|
||||
"type": "boolean"
|
||||
},
|
||||
"issuerRef": {
|
||||
"description": "IssuerRef is a reference to the issuer for this certificate.\nIf the 'kind' field is not set, or set to 'Issuer', an Issuer resource\nwith the given name in the same namespace as the Certificate will\nbe used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer\nwith the provided name will be used. The 'name' field in this stanza\nis required at all times.",
|
||||
"properties": {
|
||||
"kind": {
|
||||
"type": "string"
|
||||
},
|
||||
"name": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"required": [
|
||||
"name"
|
||||
],
|
||||
"type": "object"
|
||||
},
|
||||
"keyAlgorithm": {
|
||||
"description": "KeyAlgorithm is the private key algorithm of the corresponding\nprivate key for this certificate. If provided, allowed values are\neither \"rsa\" or \"ecdsa\" If KeyAlgorithm is specified and KeySize is\nnot provided, key size of 256 will be used for \"ecdsa\" key algorithm\nand key size of 2048 will be used for \"rsa\" key algorithm.",
|
||||
"enum": [
|
||||
"rsa",
|
||||
"ecdsa"
|
||||
],
|
||||
"type": "string"
|
||||
},
|
||||
"keySize": {
|
||||
"description": "KeySize is the key bit size of the corresponding private\nkey for this certificate. If provided, value must be between 2048\nand 8192 inclusive when KeyAlgorithm is empty or is set to \"rsa\",\nand value must be one of (256, 384, 521) when KeyAlgorithm is set\nto \"ecdsa\".",
|
||||
"format": "int64",
|
||||
"type": "integer"
|
||||
},
|
||||
"organization": {
|
||||
"description": "Organization is the organization to be used on the Certificate",
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"type": "array"
|
||||
},
|
||||
"renewBefore": {
|
||||
"description": "Certificate renew before expiration duration",
|
||||
"type": "string"
|
||||
},
|
||||
"secretName": {
|
||||
"description": "SecretName is the name of the secret resource to store\nthis secret in",
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"required": [
|
||||
"secretName",
|
||||
"issuerRef"
|
||||
],
|
||||
"type": "object"
|
||||
},
|
||||
"status": {
|
||||
"properties": {
|
||||
"conditions": {
|
||||
"items": {
|
||||
"properties": {
|
||||
"lastTransitionTime": {
|
||||
"description": "LastTransitionTime is the timestamp corresponding\nto the last status change of this condition.",
|
||||
"format": "date-time",
|
||||
"type": "string"
|
||||
},
|
||||
"message": {
|
||||
"description": "Message is a human readable description of the details\nof the last transition, complementing reason.",
|
||||
"type": "string"
|
||||
},
|
||||
"reason": {
|
||||
"description": "Reason is a brief machine readable explanation for\nthe condition's last transition.",
|
||||
"type": "string"
|
||||
},
|
||||
"status": {
|
||||
"description": "Status of the condition, one of ('True', 'False',\n'Unknown').",
|
||||
"enum": [
|
||||
"True",
|
||||
"False",
|
||||
"Unknown"
|
||||
],
|
||||
"type": "string"
|
||||
},
|
||||
"type": {
|
||||
"description": "Type of the condition, currently ('Ready').",
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"required": [
|
||||
"type",
|
||||
"status",
|
||||
"lastTransitionTime",
|
||||
"reason",
|
||||
"message"
|
||||
],
|
||||
"type": "object"
|
||||
},
|
||||
"type": "array"
|
||||
},
|
||||
"lastFailureTime": {
|
||||
"format": "date-time",
|
||||
"type": "string"
|
||||
},
|
||||
"notAfter": {
|
||||
"description": "The expiration time of the certificate stored in the secret\nnamed by this resource in spec.secretName.",
|
||||
"format": "date-time",
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
},
|
||||
challenges: kube.CustomResourceDefinition("certmanager.k8s.io", "v1alpha1", "Challenge") {
|
||||
spec+: {
|
||||
additionalPrinterColumns: [
|
||||
{ name: "State", type: "string", JSONPath: ".status.state" },
|
||||
{ name: "Domain", type: "string", JSONPath: ".spec.dnsName" },
|
||||
{ name: "Reason", type: "string", JSONPath: ".status.reason", priority: 1 },
|
||||
{ name: "Age", type: "date", JSONPath: ".metadata.creationTimestamp" },
|
||||
],
|
||||
validation: {
|
||||
# ...
|
||||
},
|
||||
},
|
||||
},
|
||||
clusterissuers: kube.CustomResourceDefinition("certmanager.k8s.io", "v1alpha1", "ClusterIssuer") {
|
||||
spec+: {
|
||||
validation: {
|
||||
# ...
|
||||
},
|
||||
scope: "Cluster",
|
||||
},
|
||||
},
|
||||
issuers: kube.CustomResourceDefinition("certmanager.k8s.io", "v1alpha1", "Issuer") {
|
||||
spec+: {
|
||||
validation: {
|
||||
# ...
|
||||
},
|
||||
scope: "Namespaced",
|
||||
},
|
||||
},
|
||||
orders: kube.CustomResourceDefinition("certmanager.k8s.io", "v1alpha1", "Order") {
|
||||
spec+: {
|
||||
additionalPrinterColumns: [
|
||||
{ name: "State", type: "string", JSONPath: ".status.state" },
|
||||
{ name: "Issuer", type: "string", JSONPath: ".spec.issuerRef.name", priority: 1 },
|
||||
{ name: "Reason", type: "string", JSONPath: ".status.reason", priority: 1 },
|
||||
{ name: "Age", type: "date", JSONPath: ".metadata.creationTimestamp" },
|
||||
],
|
||||
validation: {
|
||||
# ...
|
||||
},
|
||||
scope: "Namespaced",
|
||||
},
|
||||
},
|
||||
},
|
||||
|
||||
sas: {
|
||||
cainjector: kube.ServiceAccount("cert-manager-cainjector") {
|
||||
metadata+: env.metadata,
|
||||
|
@ -270,116 +31,18 @@ local kube = import "../../../kube/kube.libsonnet";
|
|||
webhook: kube.ServiceAccount("cert-manager-webhook") {
|
||||
metadata+: env.metadata,
|
||||
},
|
||||
certmanager: kube.ServiceAccount("cert-manager") {
|
||||
certManager: kube.ServiceAccount("cert-manager") {
|
||||
metadata+: env.metadata,
|
||||
},
|
||||
},
|
||||
|
||||
crs: {
|
||||
cainjector: kube.ClusterRole("cert-manager-cainjector") {
|
||||
rules: [
|
||||
{
|
||||
apiGroups: ["certmanager.k8s.io"],
|
||||
resources: ["certificates"],
|
||||
verbs: ["get", "list", "watch"],
|
||||
},
|
||||
{
|
||||
apiGroups: [""],
|
||||
resources: ["secrets"],
|
||||
verbs: ["get", "list", "watch"],
|
||||
},
|
||||
{
|
||||
apiGroups: [""],
|
||||
resources: ["configmaps", "events"],
|
||||
verbs: ["*"],
|
||||
crds: (std.native("parseYaml"))(importstr "./cert-manager.crds.yaml"),
|
||||
|
||||
rbac: (import "./cert-manager-rbac.libsonnet") {
|
||||
env:: env,
|
||||
sas:: env.sas,
|
||||
},
|
||||
|
||||
{
|
||||
apiGroups: ["admissionregistration.k8s.io"],
|
||||
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"],
|
||||
verbs: ["*"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["apiregistration.k8s.io"],
|
||||
resources: ["apiservices"],
|
||||
verbs: ["*"],
|
||||
},
|
||||
],
|
||||
},
|
||||
certmanager: kube.ClusterRole("cert-manager") {
|
||||
rules: [
|
||||
{
|
||||
apiGroups: ["certmanager.k8s.io"],
|
||||
resources: ["certificates", "certificates/finalizers", "issuers", "clusterissuers", "orders", "orders/finalizers", "challenges"],
|
||||
verbs: ["*"],
|
||||
},
|
||||
{
|
||||
apiGroups: [""],
|
||||
resources: ["configmaps", "secrets", "events", "services", "pods"],
|
||||
verbs: ["*"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["extensions"],
|
||||
resources: ["ingresses"],
|
||||
verbs: ["*"],
|
||||
},
|
||||
],
|
||||
},
|
||||
certmanagerView: kube.ClusterRole("cert-manager-view") {
|
||||
rules: [
|
||||
{
|
||||
apiGroups: ["certmanager.k8s.io"],
|
||||
resources: ["certificates", "issuers"],
|
||||
verbs: ["get", "list", "watch"],
|
||||
},
|
||||
],
|
||||
},
|
||||
certmanagerEdit: kube.ClusterRole("cert-manager-edit") {
|
||||
rules: [
|
||||
{
|
||||
apiGroups: ["certmanager.k8s.io"],
|
||||
resources: ["certificates", "issuers"],
|
||||
verbs: ["create", "delete", "deletecollection", "patch", "update"],
|
||||
},
|
||||
],
|
||||
},
|
||||
webhookRequester: kube.ClusterRole("cert-manager-webhook:webhook-requester") {
|
||||
rules: [
|
||||
{
|
||||
apiGroups: ["admission.certmanager.k8s.io"],
|
||||
resources: ["certificates", "issuers", "clusterissuers"],
|
||||
verbs: ["create"],
|
||||
},
|
||||
],
|
||||
},
|
||||
},
|
||||
rbs: {
|
||||
cainjector: kube.ClusterRoleBinding("cert-manager-cainjector") {
|
||||
roleRef_: env.crs.cainjector,
|
||||
subjects_: [ env.sas.cainjector ],
|
||||
},
|
||||
certmanager: kube.ClusterRoleBinding("cert-manager") {
|
||||
roleRef_: env.crs.certmanager,
|
||||
subjects_: [ env.sas.certmanager ],
|
||||
},
|
||||
webhookAuthDelegator: kube.ClusterRoleBinding("cert-manager-webhook:auth-delegator") {
|
||||
roleRef_: {
|
||||
kind: "ClusterRole",
|
||||
metadata: { name: "system:auth-delegator" },
|
||||
},
|
||||
subjects_: [ env.sas.webhook ],
|
||||
},
|
||||
webhookAuthReader: kube.RoleBinding("cert-manager-webhook:webhook-authentication-reader") {
|
||||
metadata+: {
|
||||
namespace: "kube-system",
|
||||
},
|
||||
roleRef_: {
|
||||
kind: "Role",
|
||||
metadata: { name: "extension-apiserver-authentication-reader" },
|
||||
},
|
||||
subjects_: [ env.sas.webhook ],
|
||||
},
|
||||
},
|
||||
deployments: {
|
||||
cainjector: kube.Deployment("cert-manager-cainjector") {
|
||||
metadata+: env.metadata,
|
||||
|
@ -392,7 +55,8 @@ local kube = import "../../../kube/kube.libsonnet";
|
|||
cainjector: kube.Container("cainjector") {
|
||||
image: "quay.io/jetstack/cert-manager-cainjector:" + cfg.version,
|
||||
args: [
|
||||
"--leader-election-namespace=%s" % [cfg.namespace],
|
||||
"--v=2",
|
||||
"--leader-election-namespace=%s" % [cfg.leaderElectionNamespace],
|
||||
],
|
||||
env_: {
|
||||
POD_NAMESPACE: kube.FieldRef("metadata.namespace"),
|
||||
|
@ -410,7 +74,7 @@ local kube = import "../../../kube/kube.libsonnet";
|
|||
},
|
||||
},
|
||||
spec+: {
|
||||
replicas: 1,
|
||||
replicas: if cfg.enableWebhook then 1 else 0,
|
||||
template+: {
|
||||
spec+: {
|
||||
serviceAccountName: env.sas.webhook.metadata.name,
|
||||
|
@ -418,28 +82,20 @@ local kube = import "../../../kube/kube.libsonnet";
|
|||
webhook: kube.Container("webhook") {
|
||||
image: "quay.io/jetstack/cert-manager-webhook:" + cfg.version,
|
||||
args: [
|
||||
"--v=12",
|
||||
"--secure-port=6443",
|
||||
"--tls-cert-file=/certs/tls.crt",
|
||||
"--tls-private-key-file=/certs/tls.key",
|
||||
"--v=2",
|
||||
"--secure-port=10250",
|
||||
"--dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)",
|
||||
"--dynamic-serving-ca-secret-name=cert-manager-webhook-ca",
|
||||
"--dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc",
|
||||
],
|
||||
env_: {
|
||||
POD_NAMESPACE: kube.FieldRef("metadata.namespace"),
|
||||
},
|
||||
ports_: { // changed
|
||||
https: { containerPort: 6443 },
|
||||
},
|
||||
volumeMounts_: {
|
||||
certs: { mountPath: "/certs" },
|
||||
ports_: {
|
||||
https: { containerPort: 10250 },
|
||||
},
|
||||
},
|
||||
},
|
||||
volumes_: {
|
||||
certs: {
|
||||
secret: { secretName: env.certificates.webhookTLS.spec.secretName },
|
||||
},
|
||||
// kube.SecretVolume(env.secrets.webhook_tls),
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -450,17 +106,19 @@ local kube = import "../../../kube/kube.libsonnet";
|
|||
replicas: 1,
|
||||
template+: {
|
||||
spec+: {
|
||||
serviceAccountName: env.sas.certmanager.metadata.name,
|
||||
serviceAccountName: env.sas.certManager.metadata.name,
|
||||
dnsPolicy: "None",
|
||||
dnsConfig: {
|
||||
nameservers: ["8.8.8.8"],
|
||||
},
|
||||
# TODO: liveness probe, readiness probe
|
||||
containers_: {
|
||||
webhook: kube.Container("cert-manager") {
|
||||
image: "quay.io/jetstack/cert-manager-controller:" + cfg.version,
|
||||
args: [
|
||||
"--v=2",
|
||||
"--cluster-resource-namespace=%s" % [cfg.namespace],
|
||||
"--leader-election-namespace=%s" % [cfg.namespace],
|
||||
"--leader-election-namespace=%s" % [cfg.leaderElectionNamespace],
|
||||
],
|
||||
env_: {
|
||||
POD_NAMESPACE: kube.FieldRef("metadata.namespace"),
|
||||
|
@ -481,16 +139,28 @@ local kube = import "../../../kube/kube.libsonnet";
|
|||
},
|
||||
},
|
||||
},
|
||||
service: kube.Service("cert-manager-webhook") {
|
||||
services: {
|
||||
certmanager: kube.Service("cert-manager") {
|
||||
metadata+: env.metadata,
|
||||
target_pod:: env.deployments.certmanager.spec.template,
|
||||
spec+: {
|
||||
type: "ClusterIP",
|
||||
ports: [
|
||||
{ name: "tcp-prometheus-servicemonitor", port: 9402, targetPort: 9402, protocol: "TCP"},
|
||||
],
|
||||
},
|
||||
},
|
||||
webhook: kube.Service("cert-manager-webhook") {
|
||||
metadata+: env.metadata,
|
||||
target_pod:: env.deployments.webhook.spec.template,
|
||||
spec+: {
|
||||
type: "ClusterIP",
|
||||
ports: [
|
||||
{ name: "https", port: 443, targetPort: 6443, protocol: "TCP" },
|
||||
{ name: "https", port: 443, targetPort: 10250, protocol: "TCP" },
|
||||
],
|
||||
},
|
||||
},
|
||||
},
|
||||
apiservice: if cfg.enableWebhook then kube._Object("apiregistration.k8s.io/v1beta1", "APIService", "v1beta1.admission.certmanager.k8s.io") {
|
||||
spec+: {
|
||||
version: "v1beta1",
|
||||
|
@ -504,200 +174,86 @@ local kube = import "../../../kube/kube.libsonnet";
|
|||
},
|
||||
},
|
||||
|
||||
issuers: {
|
||||
webhookSelfsign: kube.Issuer("cert-manager-webhook-selfsign") {
|
||||
metadata+: env.metadata,
|
||||
spec: {
|
||||
selfSigned: {},
|
||||
},
|
||||
},
|
||||
webhookCA: kube.Issuer("cert-manager-webhook-ca") {
|
||||
metadata+: env.metadata,
|
||||
spec: {
|
||||
ca: {
|
||||
secretName: env.certificates.webhookCA.spec.secretName,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
certificates: {
|
||||
webhookCA: kube.Certificate("cert-manager-webhook-ca") {
|
||||
metadata+: env.metadata,
|
||||
spec: {
|
||||
secretName: "cert-manager-webhook-ca",
|
||||
duration: "43800h0m0s", // 5 years
|
||||
issuerRef: {
|
||||
name: env.issuers.webhookSelfsign.metadata.name,
|
||||
},
|
||||
commonName: "ca.webhook.cert-manager",
|
||||
isCA: true,
|
||||
},
|
||||
},
|
||||
webhookTLS: kube.Certificate("cert-manager-webhook-webhook-tls") {
|
||||
metadata+: env.metadata,
|
||||
spec: {
|
||||
secretName: "cert-manager-webhook-webhook-tls",
|
||||
duration: "8760h0m0s", // 1 year
|
||||
issuerRef: {
|
||||
name: env.issuers.webhookSelfsign.metadata.name,
|
||||
},
|
||||
dnsNames: [
|
||||
"cert-manager-webhook",
|
||||
"cert-manager-webhook.cert-manager",
|
||||
"cert-manager-webhook.cert-manager.svc",
|
||||
],
|
||||
},
|
||||
},
|
||||
},
|
||||
admission: if cfg.enableWebhook then kube._Object("admissionregistration.k8s.io/v1beta1", "ValidatingWebhookConfiguration", "cert-manager-webhook") {
|
||||
webhooks: if cfg.enableWebhook then {
|
||||
mutating: kube._Object("admissionregistration.k8s.io/v1", "MutatingWebhookConfiguration", "cert-manager-webhook") {
|
||||
metadata+: {
|
||||
annotations: {
|
||||
"cert-manager.io/inject-ca-from-secret": "%s/cert-manager-webhook-ca" % [cfg.namespace],
|
||||
},
|
||||
},
|
||||
webhooks: [
|
||||
{
|
||||
name: "webhook.cert-manager.io",
|
||||
rules: [
|
||||
{
|
||||
apiGRoups: ["cert-manager.io", "acme.cert-manager.io"],
|
||||
apiVersions: ["v1"],
|
||||
operations: ["CREATE", "UPDATE"],
|
||||
resources: ["*/*"],
|
||||
}
|
||||
],
|
||||
admissionReviewVersions: ["v1", "v1beta1"],
|
||||
matchPolicy: "Equivalent",
|
||||
timeoutSeconds: 10,
|
||||
failurePolicy: "Fail",
|
||||
sideEffects: "None",
|
||||
clientConfig: {
|
||||
service: {
|
||||
name: "cert-manager-webhook",
|
||||
namespace: cfg.namespace,
|
||||
path: "/mutate",
|
||||
},
|
||||
},
|
||||
}
|
||||
],
|
||||
},
|
||||
validating: kube._Object("admissionregistration.k8s.io/v1", "ValidatingWebhookConfiguration", "cert-manager-webhook") {
|
||||
metadata+: {
|
||||
annotations: {
|
||||
"cert-manager.io/inject-ca-from-secret": "%s/cert-manager-webhook-ca" % [cfg.namespace],
|
||||
},
|
||||
},
|
||||
// Copied from official yaml
|
||||
webhooks: [
|
||||
{
|
||||
"name": "certificates.admission.certmanager.k8s.io",
|
||||
"namespaceSelector": {
|
||||
"matchExpressions": [
|
||||
name: "webhook.cert-manager.io",
|
||||
namespaceSelector: {
|
||||
matchExpressions: [
|
||||
{
|
||||
"key": "certmanager.k8s.io/disable-validation",
|
||||
"operator": "NotIn",
|
||||
"values": [
|
||||
"true"
|
||||
]
|
||||
key: "cert-manager.io/disable-validation",
|
||||
operator: "NotIn",
|
||||
values: ["true"],
|
||||
},
|
||||
{
|
||||
"key": "name",
|
||||
"operator": "NotIn",
|
||||
"values": [
|
||||
"cert-manager"
|
||||
]
|
||||
}
|
||||
]
|
||||
key: "name",
|
||||
operator: "NotIn",
|
||||
values: ["cert-manager"],
|
||||
},
|
||||
"rules": [
|
||||
],
|
||||
},
|
||||
rules: [
|
||||
{
|
||||
"apiGroups": [
|
||||
"certmanager.k8s.io"
|
||||
],
|
||||
"apiVersions": [
|
||||
"v1alpha1"
|
||||
],
|
||||
"operations": [
|
||||
"CREATE",
|
||||
"UPDATE"
|
||||
],
|
||||
"resources": [
|
||||
"certificates"
|
||||
]
|
||||
apiGroups: ["cert-manager.io", "acme.cert-manager.io"],
|
||||
apiVersions: ["v1"],
|
||||
operations: ["CREATE", "UPDATE"],
|
||||
resources: ["*/*"],
|
||||
}
|
||||
],
|
||||
"failurePolicy": "Fail",
|
||||
"clientConfig": {
|
||||
"service": {
|
||||
"name": "kubernetes",
|
||||
"namespace": "default",
|
||||
"path": "/apis/admission.certmanager.k8s.io/v1beta1/certificates"
|
||||
admissionReviewVersions: ["v1", "v1beta1"],
|
||||
matchPolicy: "Equivalent",
|
||||
timeoutSeconds: 10,
|
||||
failurePolicy: "Fail",
|
||||
sideEffects: "None",
|
||||
clientConfig: {
|
||||
service: {
|
||||
name: "cert-manager-webhook",
|
||||
namespace: cfg.namespace,
|
||||
path: "/validate",
|
||||
},
|
||||
"caBundle": "",
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "issuers.admission.certmanager.k8s.io",
|
||||
"namespaceSelector": {
|
||||
"matchExpressions": [
|
||||
{
|
||||
"key": "certmanager.k8s.io/disable-validation",
|
||||
"operator": "NotIn",
|
||||
"values": [
|
||||
"true"
|
||||
]
|
||||
},
|
||||
{
|
||||
"key": "name",
|
||||
"operator": "NotIn",
|
||||
"values": [
|
||||
"cert-manager"
|
||||
]
|
||||
}
|
||||
]
|
||||
],
|
||||
},
|
||||
"rules": [
|
||||
{
|
||||
"apiGroups": [
|
||||
"certmanager.k8s.io"
|
||||
],
|
||||
"apiVersions": [
|
||||
"v1alpha1"
|
||||
],
|
||||
"operations": [
|
||||
"CREATE",
|
||||
"UPDATE"
|
||||
],
|
||||
"resources": [
|
||||
"issuers"
|
||||
]
|
||||
}
|
||||
],
|
||||
"failurePolicy": "Fail",
|
||||
"clientConfig": {
|
||||
"service": {
|
||||
"name": "kubernetes",
|
||||
"namespace": "default",
|
||||
"path": "/apis/admission.certmanager.k8s.io/v1beta1/issuers"
|
||||
},
|
||||
"caBundle": "",
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "clusterissuers.admission.certmanager.k8s.io",
|
||||
"namespaceSelector": {
|
||||
"matchExpressions": [
|
||||
{
|
||||
"key": "certmanager.k8s.io/disable-validation",
|
||||
"operator": "NotIn",
|
||||
"values": [
|
||||
"true"
|
||||
]
|
||||
},
|
||||
{
|
||||
"key": "name",
|
||||
"operator": "NotIn",
|
||||
"values": [
|
||||
"cert-manager"
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"rules": [
|
||||
{
|
||||
"apiGroups": [
|
||||
"certmanager.k8s.io"
|
||||
],
|
||||
"apiVersions": [
|
||||
"v1alpha1"
|
||||
],
|
||||
"operations": [
|
||||
"CREATE",
|
||||
"UPDATE"
|
||||
],
|
||||
"resources": [
|
||||
"clusterissuers"
|
||||
]
|
||||
}
|
||||
],
|
||||
"failurePolicy": "Fail",
|
||||
"clientConfig": {
|
||||
"service": {
|
||||
"name": "kubernetes",
|
||||
"namespace": "default",
|
||||
"path": "/apis/admission.certmanager.k8s.io/v1beta1/clusterissuers"
|
||||
},
|
||||
"caBundle": "",
|
||||
}
|
||||
}
|
||||
],
|
||||
},
|
||||
},
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue