clean cert-manager
This commit is contained in:
Philip Haupt
@@ -1,7 +0,0 @@
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Issuer
|
||||
metadata:
|
||||
name: ca-issuer
|
||||
spec:
|
||||
ca:
|
||||
secretName: ca-key-pair
|
||||
@@ -1,26 +0,0 @@
|
||||
annotations:
|
||||
artifacthub.io/category: security
|
||||
artifacthub.io/license: Apache-2.0
|
||||
artifacthub.io/prerelease: "false"
|
||||
artifacthub.io/signKey: |
|
||||
fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E
|
||||
url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg
|
||||
apiVersion: v2
|
||||
appVersion: v1.17.0
|
||||
description: A Helm chart for cert-manager
|
||||
home: https://cert-manager.io
|
||||
icon: https://raw.githubusercontent.com/cert-manager/community/4d35a69437d21b76322157e6284be4cd64e6d2b7/logo/logo-small.png
|
||||
keywords:
|
||||
- cert-manager
|
||||
- kube-lego
|
||||
- letsencrypt
|
||||
- tls
|
||||
kubeVersion: '>= 1.22.0-0'
|
||||
maintainers:
|
||||
- email: cert-manager-maintainers@googlegroups.com
|
||||
name: cert-manager-maintainers
|
||||
url: https://cert-manager.io
|
||||
name: cert-manager
|
||||
sources:
|
||||
- https://github.com/cert-manager/cert-manager
|
||||
version: v1.17.0
|
||||
File diff suppressed because it is too large
Load Diff
@@ -1,18 +0,0 @@
|
||||
{{- if .Values.installCRDs }}
|
||||
⚠️ WARNING: `installCRDs` is deprecated, use `crds.enabled` instead.
|
||||
{{- end }}
|
||||
cert-manager {{ .Chart.AppVersion }} has been deployed successfully!
|
||||
|
||||
In order to begin issuing certificates, you will need to set up a ClusterIssuer
|
||||
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
|
||||
|
||||
More information on the different types of issuers and how to configure them
|
||||
can be found in our documentation:
|
||||
|
||||
https://cert-manager.io/docs/configuration/
|
||||
|
||||
For information on how to configure cert-manager to automatically provision
|
||||
Certificates for Ingress resources, take a look at the `ingress-shim`
|
||||
documentation:
|
||||
|
||||
https://cert-manager.io/docs/usage/ingress/
|
||||
@@ -1,202 +0,0 @@
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "cert-manager.name" -}}
|
||||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
*/}}
|
||||
{{- define "cert-manager.fullname" -}}
|
||||
{{- if .Values.fullnameOverride -}}
|
||||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- $name := default .Chart.Name .Values.nameOverride -}}
|
||||
{{- if contains $name .Release.Name -}}
|
||||
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "cert-manager.serviceAccountName" -}}
|
||||
{{- if .Values.serviceAccount.create -}}
|
||||
{{ default (include "cert-manager.fullname" .) .Values.serviceAccount.name }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Webhook templates
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
Manually fix the 'app' and 'name' labels to 'webhook' to maintain
|
||||
compatibility with the v0.9 deployment selector.
|
||||
*/}}
|
||||
{{- define "webhook.name" -}}
|
||||
{{- printf "webhook" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "webhook.fullname" -}}
|
||||
{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 55 | trimSuffix "-" -}}
|
||||
{{- printf "%s-webhook" $trimmedName | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "webhook.caRef" -}}
|
||||
{{- template "cert-manager.namespace" }}/{{ template "webhook.fullname" . }}-ca
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "webhook.serviceAccountName" -}}
|
||||
{{- if .Values.webhook.serviceAccount.create -}}
|
||||
{{ default (include "webhook.fullname" .) .Values.webhook.serviceAccount.name }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.webhook.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
cainjector templates
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
Manually fix the 'app' and 'name' labels to 'cainjector' to maintain
|
||||
compatibility with the v0.9 deployment selector.
|
||||
*/}}
|
||||
{{- define "cainjector.name" -}}
|
||||
{{- printf "cainjector" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "cainjector.fullname" -}}
|
||||
{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 52 | trimSuffix "-" -}}
|
||||
{{- printf "%s-cainjector" $trimmedName | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "cainjector.serviceAccountName" -}}
|
||||
{{- if .Values.cainjector.serviceAccount.create -}}
|
||||
{{ default (include "cainjector.fullname" .) .Values.cainjector.serviceAccount.name }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.cainjector.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
startupapicheck templates
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
Manually fix the 'app' and 'name' labels to 'startupapicheck' to maintain
|
||||
compatibility with the v0.9 deployment selector.
|
||||
*/}}
|
||||
{{- define "startupapicheck.name" -}}
|
||||
{{- printf "startupapicheck" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "startupapicheck.fullname" -}}
|
||||
{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 52 | trimSuffix "-" -}}
|
||||
{{- printf "%s-startupapicheck" $trimmedName | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "startupapicheck.serviceAccountName" -}}
|
||||
{{- if .Values.startupapicheck.serviceAccount.create -}}
|
||||
{{ default (include "startupapicheck.fullname" .) .Values.startupapicheck.serviceAccount.name }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.startupapicheck.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create chart name and version as used by the chart label.
|
||||
*/}}
|
||||
{{- define "chartName" -}}
|
||||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Labels that should be added on each resource
|
||||
*/}}
|
||||
{{- define "labels" -}}
|
||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
||||
{{- if eq .Values.creator "helm" }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
helm.sh/chart: {{ include "chartName" . }}
|
||||
{{- end -}}
|
||||
{{- if .Values.global.commonLabels}}
|
||||
{{ toYaml .Values.global.commonLabels }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Namespace for all resources to be installed into
|
||||
If not defined in values file then the helm release namespace is used
|
||||
By default this is not set so the helm release namespace will be used
|
||||
|
||||
This gets around an problem within helm discussed here
|
||||
https://github.com/helm/helm/issues/5358
|
||||
*/}}
|
||||
{{- define "cert-manager.namespace" -}}
|
||||
{{ .Values.namespace | default .Release.Namespace }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Util function for generating the image URL based on the provided options.
|
||||
IMPORTANT: This function is standardized across all charts in the cert-manager GH organization.
|
||||
Any changes to this function should also be made in cert-manager, trust-manager, approver-policy, ...
|
||||
See https://github.com/cert-manager/cert-manager/issues/6329 for a list of linked PRs.
|
||||
*/}}
|
||||
{{- define "image" -}}
|
||||
{{- $defaultTag := index . 1 -}}
|
||||
{{- with index . 0 -}}
|
||||
{{- if .registry -}}{{ printf "%s/%s" .registry .repository }}{{- else -}}{{- .repository -}}{{- end -}}
|
||||
{{- if .digest -}}{{ printf "@%s" .digest }}{{- else -}}{{ printf ":%s" (default $defaultTag .tag) }}{{- end -}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Check that the user has not set both .installCRDs and .crds.enabled or
|
||||
set .installCRDs and disabled .crds.keep.
|
||||
.installCRDs is deprecated and users should use .crds.enabled and .crds.keep instead.
|
||||
*/}}
|
||||
{{- define "cert-manager.crd-check" -}}
|
||||
{{- if and (.Values.installCRDs) (.Values.crds.enabled) }}
|
||||
{{- fail "ERROR: the deprecated .installCRDs option cannot be enabled at the same time as its replacement .crds.enabled" }}
|
||||
{{- end }}
|
||||
{{- if and (.Values.installCRDs) (not .Values.crds.keep) }}
|
||||
{{- fail "ERROR: .crds.keep is not compatible with .installCRDs, please use .crds.enabled and .crds.keep instead" }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
@@ -1,19 +0,0 @@
|
||||
{{- if .Values.cainjector.config -}}
|
||||
{{- $config := .Values.cainjector.config -}}
|
||||
{{- $_ := set $config "apiVersion" (default "cainjector.config.cert-manager.io/v1alpha1" $config.apiVersion) -}}
|
||||
{{- $_ := set $config "kind" (default "CAInjectorConfiguration" $config.kind) -}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ include "cainjector.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
data:
|
||||
config.yaml: |
|
||||
{{- $config | toYaml | nindent 4 }}
|
||||
{{- end -}}
|
||||
@@ -1,166 +0,0 @@
|
||||
{{- if .Values.cainjector.enabled }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "cainjector.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.cainjector.deploymentAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
replicas: {{ .Values.cainjector.replicaCount }}
|
||||
{{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
|
||||
{{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }}
|
||||
revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
|
||||
{{- end }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- with .Values.cainjector.strategy }}
|
||||
strategy:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 8 }}
|
||||
{{- with .Values.cainjector.podLabels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if and .Values.prometheus.enabled (not (or .Values.prometheus.servicemonitor.enabled .Values.prometheus.podmonitor.enabled)) }}
|
||||
{{- if not .Values.cainjector.podAnnotations }}
|
||||
annotations:
|
||||
{{- end }}
|
||||
prometheus.io/path: "/metrics"
|
||||
prometheus.io/scrape: 'true'
|
||||
prometheus.io/port: '9402'
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if not .Values.cainjector.serviceAccount.create }}
|
||||
{{- with .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ template "cainjector.serviceAccountName" . }}
|
||||
{{- if hasKey .Values.cainjector "automountServiceAccountToken" }}
|
||||
automountServiceAccountToken: {{ .Values.cainjector.automountServiceAccountToken }}
|
||||
{{- end }}
|
||||
enableServiceLinks: {{ .Values.cainjector.enableServiceLinks }}
|
||||
{{- with .Values.global.priorityClassName }}
|
||||
priorityClassName: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.securityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}-cainjector
|
||||
image: "{{ template "image" (tuple .Values.cainjector.image $.Chart.AppVersion) }}"
|
||||
imagePullPolicy: {{ .Values.cainjector.image.pullPolicy }}
|
||||
args:
|
||||
{{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
|
||||
{{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }}
|
||||
- --v={{ .Values.global.logLevel }}
|
||||
{{- end }}
|
||||
{{- if .Values.cainjector.config }}
|
||||
- --config=/var/cert-manager/config/config.yaml
|
||||
{{- end }}
|
||||
{{- with .Values.global.leaderElection }}
|
||||
- --leader-election-namespace={{ .namespace }}
|
||||
{{- if .leaseDuration }}
|
||||
- --leader-election-lease-duration={{ .leaseDuration }}
|
||||
{{- end }}
|
||||
{{- if .renewDeadline }}
|
||||
- --leader-election-renew-deadline={{ .renewDeadline }}
|
||||
{{- end }}
|
||||
{{- if .retryPeriod }}
|
||||
- --leader-election-retry-period={{ .retryPeriod }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.featureGates}}
|
||||
- --feature-gates={{ . }}
|
||||
{{- end}}
|
||||
{{- with .Values.cainjector.extraArgs }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if not .Values.prometheus.enabled }}
|
||||
- --metrics-listen-address=0
|
||||
{{- end }}
|
||||
{{- if .Values.prometheus.enabled }}
|
||||
ports:
|
||||
- containerPort: 9402
|
||||
name: http-metrics
|
||||
protocol: TCP
|
||||
{{- end }}
|
||||
env:
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
{{- with .Values.cainjector.extraEnv }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.resources }}
|
||||
resources:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.cainjector.config .Values.cainjector.volumeMounts }}
|
||||
volumeMounts:
|
||||
{{- if .Values.cainjector.config }}
|
||||
- name: config
|
||||
mountPath: /var/cert-manager/config
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.volumeMounts }}
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.topologySpreadConstraints }}
|
||||
topologySpreadConstraints:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.cainjector.volumes .Values.cainjector.config }}
|
||||
volumes:
|
||||
{{- if .Values.cainjector.config }}
|
||||
- name: config
|
||||
configMap:
|
||||
name: {{ include "cainjector.fullname" . }}
|
||||
{{- end }}
|
||||
{{ with .Values.cainjector.volumes }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -1,29 +0,0 @@
|
||||
{{- if .Values.cainjector.podDisruptionBudget.enabled }}
|
||||
apiVersion: policy/v1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ include "cainjector.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
|
||||
{{- if not (or (hasKey .Values.cainjector.podDisruptionBudget "minAvailable") (hasKey .Values.cainjector.podDisruptionBudget "maxUnavailable")) }}
|
||||
minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
|
||||
{{- end }}
|
||||
{{- if hasKey .Values.cainjector.podDisruptionBudget "minAvailable" }}
|
||||
minAvailable: {{ .Values.cainjector.podDisruptionBudget.minAvailable }}
|
||||
{{- end }}
|
||||
{{- if hasKey .Values.cainjector.podDisruptionBudget "maxUnavailable" }}
|
||||
maxUnavailable: {{ .Values.cainjector.podDisruptionBudget.maxUnavailable }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -1,20 +0,0 @@
|
||||
{{- if .Values.cainjector.enabled }}
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ template "cainjector.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames:
|
||||
- {{ template "cainjector.fullname" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -1,22 +0,0 @@
|
||||
{{- if .Values.cainjector.enabled }}
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cainjector.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cainjector.fullname" . }}-psp
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "cainjector.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -1,51 +0,0 @@
|
||||
{{- if .Values.cainjector.enabled }}
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ template "cainjector.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
annotations:
|
||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
||||
{{- if .Values.global.podSecurityPolicy.useAppArmor }}
|
||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||
{{- end }}
|
||||
spec:
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
allowedCapabilities: [] # default set of capabilities are implicitly allowed
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'emptyDir'
|
||||
- 'projected'
|
||||
- 'secret'
|
||||
- 'downwardAPI'
|
||||
hostNetwork: false
|
||||
hostIPC: false
|
||||
hostPID: false
|
||||
runAsUser:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
supplementalGroups:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
fsGroup:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -1,156 +0,0 @@
|
||||
{{- if .Values.cainjector.enabled }}
|
||||
{{- if .Values.global.rbac.create }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cainjector.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["get", "create", "update", "patch"]
|
||||
- apiGroups: ["admissionregistration.k8s.io"]
|
||||
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
|
||||
verbs: ["get", "list", "watch", "update", "patch"]
|
||||
- apiGroups: ["apiregistration.k8s.io"]
|
||||
resources: ["apiservices"]
|
||||
verbs: ["get", "list", "watch", "update", "patch"]
|
||||
- apiGroups: ["apiextensions.k8s.io"]
|
||||
resources: ["customresourcedefinitions"]
|
||||
verbs: ["get", "list", "watch", "update", "patch"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cainjector.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cainjector.fullname" . }}
|
||||
subjects:
|
||||
- name: {{ template "cainjector.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
# leader election rules
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ template "cainjector.fullname" . }}:leaderelection
|
||||
namespace: {{ .Values.global.leaderElection.namespace }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
# Used for leader election by the controller
|
||||
# cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
|
||||
# see cmd/cainjector/start.go#L113
|
||||
# cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
|
||||
# see cmd/cainjector/start.go#L137
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
|
||||
verbs: ["get", "update", "patch"]
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
verbs: ["create"]
|
||||
|
||||
---
|
||||
|
||||
# grant cert-manager permission to manage the leaderelection configmap in the
|
||||
# leader election namespace
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "cainjector.fullname" . }}:leaderelection
|
||||
namespace: {{ .Values.global.leaderElection.namespace }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ template "cainjector.fullname" . }}:leaderelection
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "cainjector.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- $certmanagerNamespace := include "cert-manager.namespace" . }}
|
||||
{{- if (.Values.cainjector.config.metricsTLSConfig).dynamic }}
|
||||
{{- if $certmanagerNamespace | eq .Values.cainjector.config.metricsTLSConfig.dynamic.secretNamespace }}
|
||||
|
||||
---
|
||||
|
||||
# Metrics server dynamic TLS serving certificate rules
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ template "cainjector.fullname" . }}:dynamic-serving
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
resourceNames:
|
||||
# Allow cainjector to read and update the metrics CA Secret when dynamic TLS is
|
||||
# enabled for the metrics server and if the Secret is configured to be in the
|
||||
# same namespace as cert-manager.
|
||||
- {{ .Values.cainjector.config.metricsTLSConfig.dynamic.secretName | quote }}
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
# It's not possible to grant CREATE permission on a single resourceName.
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["create"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "cainjector.fullname" . }}:dynamic-serving
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ template "cainjector.fullname" . }}:dynamic-serving
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "cainjector.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -1,32 +0,0 @@
|
||||
{{- if .Values.cainjector.enabled }}
|
||||
{{- if and .Values.prometheus.enabled (not .Values.prometheus.podmonitor.enabled) }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ template "cainjector.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- with .Values.cainjector.serviceAnnotations }}
|
||||
annotations:
|
||||
{{ toYaml . | indent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.cainjector.serviceLabels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 9402
|
||||
name: http-metrics
|
||||
selector:
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -1,27 +0,0 @@
|
||||
{{- if .Values.cainjector.enabled }}
|
||||
{{- if .Values.cainjector.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
automountServiceAccountToken: {{ .Values.cainjector.serviceAccount.automountServiceAccountToken }}
|
||||
metadata:
|
||||
name: {{ template "cainjector.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- with .Values.cainjector.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.cainjector.serviceAccount.labels }}
|
||||
{{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -1,19 +0,0 @@
|
||||
{{- if .Values.config -}}
|
||||
{{- $config := .Values.config -}}
|
||||
{{- $_ := set $config "apiVersion" (default "controller.config.cert-manager.io/v1alpha1" $config.apiVersion) -}}
|
||||
{{- $_ := set $config "kind" (default "ControllerConfiguration" $config.kind) -}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ include "cert-manager.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
data:
|
||||
config.yaml: |
|
||||
{{- $config | toYaml | nindent 4 }}
|
||||
{{- end -}}
|
||||
File diff suppressed because it is too large
Load Diff
@@ -1,237 +0,0 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ template "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ template "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.deploymentAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
replicas: {{ .Values.replicaCount }}
|
||||
{{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
|
||||
{{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }}
|
||||
revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
|
||||
{{- end }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ template "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- with .Values.strategy }}
|
||||
strategy:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: {{ template "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ template "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 8 }}
|
||||
{{- with .Values.podLabels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if and .Values.prometheus.enabled (not (or .Values.prometheus.servicemonitor.enabled .Values.prometheus.podmonitor.enabled)) }}
|
||||
{{- if not .Values.podAnnotations }}
|
||||
annotations:
|
||||
{{- end }}
|
||||
prometheus.io/path: "/metrics"
|
||||
prometheus.io/scrape: 'true'
|
||||
prometheus.io/port: '9402'
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if not .Values.serviceAccount.create }}
|
||||
{{- with .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ template "cert-manager.serviceAccountName" . }}
|
||||
{{- if hasKey .Values "automountServiceAccountToken" }}
|
||||
automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
|
||||
{{- end }}
|
||||
enableServiceLinks: {{ .Values.enableServiceLinks }}
|
||||
{{- with .Values.global.priorityClassName }}
|
||||
priorityClassName: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- with .Values.securityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.volumes .Values.config}}
|
||||
volumes:
|
||||
{{- if .Values.config }}
|
||||
- name: config
|
||||
configMap:
|
||||
name: {{ include "cert-manager.fullname" . }}
|
||||
{{- end }}
|
||||
{{ with .Values.volumes }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}-controller
|
||||
image: "{{ template "image" (tuple .Values.image $.Chart.AppVersion) }}"
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
args:
|
||||
{{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
|
||||
{{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }}
|
||||
- --v={{ .Values.global.logLevel }}
|
||||
{{- end }}
|
||||
{{- if .Values.config }}
|
||||
- --config=/var/cert-manager/config/config.yaml
|
||||
{{- end }}
|
||||
{{- $config := default .Values.config "" }}
|
||||
{{- if .Values.clusterResourceNamespace }}
|
||||
- --cluster-resource-namespace={{ .Values.clusterResourceNamespace }}
|
||||
{{- else }}
|
||||
- --cluster-resource-namespace=$(POD_NAMESPACE)
|
||||
{{- end }}
|
||||
{{- with .Values.global.leaderElection }}
|
||||
- --leader-election-namespace={{ .namespace }}
|
||||
{{- if .leaseDuration }}
|
||||
- --leader-election-lease-duration={{ .leaseDuration }}
|
||||
{{- end }}
|
||||
{{- if .renewDeadline }}
|
||||
- --leader-election-renew-deadline={{ .renewDeadline }}
|
||||
{{- end }}
|
||||
{{- if .retryPeriod }}
|
||||
- --leader-election-retry-period={{ .retryPeriod }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.acmesolver.image }}
|
||||
- --acme-http01-solver-image={{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}
|
||||
{{- end }}
|
||||
{{- with .Values.extraArgs }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.ingressShim }}
|
||||
{{- if .defaultIssuerName }}
|
||||
- --default-issuer-name={{ .defaultIssuerName }}
|
||||
{{- end }}
|
||||
{{- if .defaultIssuerKind }}
|
||||
- --default-issuer-kind={{ .defaultIssuerKind }}
|
||||
{{- end }}
|
||||
{{- if .defaultIssuerGroup }}
|
||||
- --default-issuer-group={{ .defaultIssuerGroup }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.featureGates }}
|
||||
- --feature-gates={{ .Values.featureGates }}
|
||||
{{- end }}
|
||||
{{- if .Values.maxConcurrentChallenges }}
|
||||
- --max-concurrent-challenges={{ .Values.maxConcurrentChallenges }}
|
||||
{{- end }}
|
||||
{{- if .Values.enableCertificateOwnerRef }}
|
||||
- --enable-certificate-owner-ref=true
|
||||
{{- end }}
|
||||
{{- if .Values.dns01RecursiveNameserversOnly }}
|
||||
- --dns01-recursive-nameservers-only=true
|
||||
{{- end }}
|
||||
{{- with .Values.dns01RecursiveNameservers }}
|
||||
- --dns01-recursive-nameservers={{ . }}
|
||||
{{- end }}
|
||||
{{- if .Values.disableAutoApproval }}
|
||||
- --controllers=-certificaterequests-approver
|
||||
{{- end }}
|
||||
ports:
|
||||
- containerPort: 9402
|
||||
name: http-metrics
|
||||
protocol: TCP
|
||||
- containerPort: 9403
|
||||
name: http-healthz
|
||||
protocol: TCP
|
||||
{{- with .Values.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.config .Values.volumeMounts }}
|
||||
volumeMounts:
|
||||
{{- if .Values.config }}
|
||||
- name: config
|
||||
mountPath: /var/cert-manager/config
|
||||
{{- end }}
|
||||
{{- with .Values.volumeMounts }}
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
{{- with .Values.extraEnv }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.http_proxy }}
|
||||
- name: HTTP_PROXY
|
||||
value: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.https_proxy }}
|
||||
- name: HTTPS_PROXY
|
||||
value: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.no_proxy }}
|
||||
- name: NO_PROXY
|
||||
value: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.resources }}
|
||||
resources:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
|
||||
{{- with .Values.livenessProbe }}
|
||||
{{- if .enabled }}
|
||||
# LivenessProbe settings are based on those used for the Kubernetes
|
||||
# controller-manager. See:
|
||||
# https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
port: http-healthz
|
||||
path: /livez
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: {{ .initialDelaySeconds }}
|
||||
periodSeconds: {{ .periodSeconds }}
|
||||
timeoutSeconds: {{ .timeoutSeconds }}
|
||||
successThreshold: {{ .successThreshold }}
|
||||
failureThreshold: {{ .failureThreshold }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.topologySpreadConstraints }}
|
||||
topologySpreadConstraints:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.podDnsPolicy }}
|
||||
dnsPolicy: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.podDnsConfig }}
|
||||
dnsConfig:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.hostAliases }}
|
||||
hostAliases: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
@@ -1,4 +0,0 @@
|
||||
{{ range .Values.extraObjects }}
|
||||
---
|
||||
{{ tpl . $ }}
|
||||
{{ end }}
|
||||
@@ -1,19 +0,0 @@
|
||||
{{- if .Values.webhook.networkPolicy.enabled }}
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}-allow-egress
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
spec:
|
||||
egress:
|
||||
{{- with .Values.webhook.networkPolicy.egress }}
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
policyTypes:
|
||||
- Egress
|
||||
{{- end }}
|
||||
@@ -1,21 +0,0 @@
|
||||
{{- if .Values.webhook.networkPolicy.enabled }}
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}-allow-ingress
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
spec:
|
||||
ingress:
|
||||
{{- with .Values.webhook.networkPolicy.ingress }}
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
policyTypes:
|
||||
- Ingress
|
||||
|
||||
{{- end }}
|
||||
@@ -1,29 +0,0 @@
|
||||
{{- if .Values.podDisruptionBudget.enabled }}
|
||||
apiVersion: policy/v1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ include "cert-manager.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
|
||||
{{- if not (or (hasKey .Values.podDisruptionBudget "minAvailable") (hasKey .Values.podDisruptionBudget "maxUnavailable")) }}
|
||||
minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
|
||||
{{- end }}
|
||||
{{- if hasKey .Values.podDisruptionBudget "minAvailable" }}
|
||||
minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
|
||||
{{- end }}
|
||||
{{- if hasKey .Values.podDisruptionBudget "maxUnavailable" }}
|
||||
maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -1,63 +0,0 @@
|
||||
{{- if and .Values.prometheus.enabled (and .Values.prometheus.podmonitor.enabled .Values.prometheus.servicemonitor.enabled) }}
|
||||
{{- fail "Either .Values.prometheus.podmonitor.enabled or .Values.prometheus.servicemonitor.enabled can be enabled at a time, but not both." }}
|
||||
{{- else if and .Values.prometheus.enabled .Values.prometheus.podmonitor.enabled }}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: PodMonitor
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}
|
||||
{{- if .Values.prometheus.podmonitor.namespace }}
|
||||
namespace: {{ .Values.prometheus.podmonitor.namespace }}
|
||||
{{- else }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
prometheus: {{ .Values.prometheus.podmonitor.prometheusInstance }}
|
||||
{{- with .Values.prometheus.podmonitor.labels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.prometheus.podmonitor.annotations }}
|
||||
annotations:
|
||||
{{- with .Values.prometheus.podmonitor.annotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
spec:
|
||||
jobLabel: {{ template "cert-manager.fullname" . }}
|
||||
selector:
|
||||
matchExpressions:
|
||||
- key: app.kubernetes.io/name
|
||||
operator: In
|
||||
values:
|
||||
- {{ include "cainjector.name" . }}
|
||||
- {{ template "cert-manager.name" . }}
|
||||
- {{ include "webhook.name" . }}
|
||||
- key: app.kubernetes.io/instance
|
||||
operator: In
|
||||
values:
|
||||
- {{ .Release.Name }}
|
||||
- key: app.kubernetes.io/component
|
||||
operator: In
|
||||
values:
|
||||
- cainjector
|
||||
- controller
|
||||
- webhook
|
||||
{{- if .Values.prometheus.podmonitor.namespace }}
|
||||
namespaceSelector:
|
||||
matchNames:
|
||||
- {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
podMetricsEndpoints:
|
||||
- port: http-metrics
|
||||
path: {{ .Values.prometheus.podmonitor.path }}
|
||||
interval: {{ .Values.prometheus.podmonitor.interval }}
|
||||
scrapeTimeout: {{ .Values.prometheus.podmonitor.scrapeTimeout }}
|
||||
honorLabels: {{ .Values.prometheus.podmonitor.honorLabels }}
|
||||
{{- with .Values.prometheus.podmonitor.endpointAdditionalProperties }}
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -1,18 +0,0 @@
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames:
|
||||
- {{ template "cert-manager.fullname" . }}
|
||||
{{- end }}
|
||||
@@ -1,20 +0,0 @@
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-psp
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
@@ -1,49 +0,0 @@
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
annotations:
|
||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
||||
{{- if .Values.global.podSecurityPolicy.useAppArmor }}
|
||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||
{{- end }}
|
||||
spec:
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
allowedCapabilities: [] # default set of capabilities are implicitly allowed
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'emptyDir'
|
||||
- 'projected'
|
||||
- 'secret'
|
||||
- 'downwardAPI'
|
||||
hostNetwork: false
|
||||
hostIPC: false
|
||||
hostPID: false
|
||||
runAsUser:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
supplementalGroups:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
fsGroup:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
{{- end }}
|
||||
@@ -1,617 +0,0 @@
|
||||
{{- if .Values.global.rbac.create }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}:leaderelection
|
||||
namespace: {{ .Values.global.leaderElection.namespace }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
resourceNames: ["cert-manager-controller"]
|
||||
verbs: ["get", "update", "patch"]
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
verbs: ["create"]
|
||||
|
||||
---
|
||||
|
||||
# grant cert-manager permission to manage the leaderelection configmap in the
|
||||
# leader election namespace
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "cert-manager.fullname" . }}:leaderelection
|
||||
namespace: {{ .Values.global.leaderElection.namespace }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ template "cert-manager.fullname" . }}:leaderelection
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
|
||||
---
|
||||
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ template "cert-manager.serviceAccountName" . }}-tokenrequest
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["serviceaccounts/token"]
|
||||
resourceNames: ["{{ template "cert-manager.serviceAccountName" . }}"]
|
||||
verbs: ["create"]
|
||||
|
||||
---
|
||||
|
||||
# grant cert-manager permission to create tokens for the serviceaccount
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "cert-manager.fullname" . }}-{{ template "cert-manager.serviceAccountName" . }}-tokenrequest
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ template "cert-manager.serviceAccountName" . }}-tokenrequest
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
|
||||
---
|
||||
|
||||
# Issuer controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-issuers
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["issuers", "issuers/status"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["issuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch", "create", "update", "delete"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
---
|
||||
|
||||
# ClusterIssuer controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["clusterissuers", "clusterissuers/status"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["clusterissuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch", "create", "update", "delete"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
|
||||
---
|
||||
|
||||
# Certificates controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-certificates
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||
# admission controller enabled:
|
||||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates/finalizers", "certificaterequests/finalizers"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["orders"]
|
||||
verbs: ["create", "delete", "get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
|
||||
---
|
||||
|
||||
# Orders controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-orders
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["orders", "orders/status"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["orders", "challenges"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["clusterissuers", "issuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges"]
|
||||
verbs: ["create", "delete"]
|
||||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||
# admission controller enabled:
|
||||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["orders/finalizers"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
|
||||
---
|
||||
|
||||
# Challenges controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-challenges
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
# Use to update challenge resource status
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges", "challenges/status"]
|
||||
verbs: ["update", "patch"]
|
||||
# Used to watch challenge resources
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# Used to watch challenges, issuer and clusterissuer resources
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["issuers", "clusterissuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# Need to be able to retrieve ACME account private key to complete challenges
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# Used to create events
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
# HTTP01 rules
|
||||
- apiGroups: [""]
|
||||
resources: ["pods", "services"]
|
||||
verbs: ["get", "list", "watch", "create", "delete"]
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses"]
|
||||
verbs: ["get", "list", "watch", "create", "delete", "update"]
|
||||
- apiGroups: [ "gateway.networking.k8s.io" ]
|
||||
resources: [ "httproutes" ]
|
||||
verbs: ["get", "list", "watch", "create", "delete", "update"]
|
||||
# We require the ability to specify a custom hostname when we are creating
|
||||
# new ingress resources.
|
||||
# See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
|
||||
- apiGroups: ["route.openshift.io"]
|
||||
resources: ["routes/custom-host"]
|
||||
verbs: ["create"]
|
||||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||
# admission controller enabled:
|
||||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges/finalizers"]
|
||||
verbs: ["update"]
|
||||
# DNS01 rules (duplicated above)
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
|
||||
---
|
||||
|
||||
# ingress-shim controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests"]
|
||||
verbs: ["create", "update", "delete"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||
# admission controller enabled:
|
||||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses/finalizers"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: ["gateway.networking.k8s.io"]
|
||||
resources: ["gateways", "httproutes"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["gateway.networking.k8s.io"]
|
||||
resources: ["gateways/finalizers", "httproutes/finalizers"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-issuers
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-issuers
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-certificates
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-certificates
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-orders
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-orders
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-challenges
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-challenges
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
{{- if .Values.global.rbac.aggregateClusterRoles }}
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-cluster-view
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["clusterissuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
|
||||
{{- end }}
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-view
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- if .Values.global.rbac.aggregateClusterRoles }}
|
||||
rbac.authorization.k8s.io/aggregate-to-view: "true"
|
||||
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
||||
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
||||
rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
|
||||
{{- end }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests", "issuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges", "orders"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-edit
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- if .Values.global.rbac.aggregateClusterRoles }}
|
||||
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
||||
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
||||
{{- end }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests", "issuers"]
|
||||
verbs: ["create", "delete", "deletecollection", "patch", "update"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates/status"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges", "orders"]
|
||||
verbs: ["create", "delete", "deletecollection", "patch", "update"]
|
||||
|
||||
---
|
||||
|
||||
{{- if not .Values.disableAutoApproval -}}
|
||||
|
||||
# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cert-manager"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["signers"]
|
||||
verbs: ["approve"]
|
||||
{{- with .Values.approveSignerNames }}
|
||||
resourceNames:
|
||||
{{- range . }}
|
||||
- {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cert-manager"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
||||
{{- end -}}
|
||||
|
||||
# Permission to:
|
||||
# - Update and sign CertificateSigningRequests referencing cert-manager.io Issuers and ClusterIssuers
|
||||
# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cert-manager"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["certificates.k8s.io"]
|
||||
resources: ["certificatesigningrequests"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
- apiGroups: ["certificates.k8s.io"]
|
||||
resources: ["certificatesigningrequests/status"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: ["certificates.k8s.io"]
|
||||
resources: ["signers"]
|
||||
resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
|
||||
verbs: ["sign"]
|
||||
- apiGroups: ["authorization.k8s.io"]
|
||||
resources: ["subjectaccessreviews"]
|
||||
verbs: ["create"]
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cert-manager"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
{{- end }}
|
||||
@@ -1,37 +0,0 @@
|
||||
{{- if and .Values.prometheus.enabled (not .Values.prometheus.podmonitor.enabled) }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- with .Values.serviceAnnotations }}
|
||||
annotations:
|
||||
{{ toYaml . | indent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceLabels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: ClusterIP
|
||||
{{- if .Values.serviceIPFamilyPolicy }}
|
||||
ipFamilyPolicy: {{ .Values.serviceIPFamilyPolicy }}
|
||||
{{- end }}
|
||||
{{- if .Values.serviceIPFamilies }}
|
||||
ipFamilies: {{ .Values.serviceIPFamilies | toYaml | nindent 2 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 9402
|
||||
name: tcp-prometheus-servicemonitor
|
||||
targetPort: {{ .Values.prometheus.servicemonitor.targetPort }}
|
||||
selector:
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- end }}
|
||||
@@ -1,27 +0,0 @@
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
{{- with .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
|
||||
metadata:
|
||||
name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- with .Values.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- range $k, $v := . }}
|
||||
{{- printf "%s: %s" (tpl $k $) (tpl $v $) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceAccount.labels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -1,63 +0,0 @@
|
||||
{{- if and .Values.prometheus.enabled (and .Values.prometheus.podmonitor.enabled .Values.prometheus.servicemonitor.enabled) }}
|
||||
{{- fail "Either .Values.prometheus.podmonitor.enabled or .Values.prometheus.servicemonitor.enabled can be enabled at a time, but not both." }}
|
||||
{{- else if and .Values.prometheus.enabled .Values.prometheus.servicemonitor.enabled }}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: ServiceMonitor
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}
|
||||
{{- if .Values.prometheus.servicemonitor.namespace }}
|
||||
namespace: {{ .Values.prometheus.servicemonitor.namespace }}
|
||||
{{- else }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
prometheus: {{ .Values.prometheus.servicemonitor.prometheusInstance }}
|
||||
{{- with .Values.prometheus.servicemonitor.labels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.prometheus.servicemonitor.annotations }}
|
||||
annotations:
|
||||
{{- with .Values.prometheus.servicemonitor.annotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
spec:
|
||||
jobLabel: {{ template "cert-manager.fullname" . }}
|
||||
selector:
|
||||
matchExpressions:
|
||||
- key: app.kubernetes.io/name
|
||||
operator: In
|
||||
values:
|
||||
- {{ include "cainjector.name" . }}
|
||||
- {{ template "cert-manager.name" . }}
|
||||
- {{ include "webhook.name" . }}
|
||||
- key: app.kubernetes.io/instance
|
||||
operator: In
|
||||
values:
|
||||
- {{ .Release.Name }}
|
||||
- key: app.kubernetes.io/component
|
||||
operator: In
|
||||
values:
|
||||
- cainjector
|
||||
- controller
|
||||
- webhook
|
||||
{{- if .Values.prometheus.servicemonitor.namespace }}
|
||||
namespaceSelector:
|
||||
matchNames:
|
||||
- {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
endpoints:
|
||||
- targetPort: {{ .Values.prometheus.servicemonitor.targetPort }}
|
||||
path: {{ .Values.prometheus.servicemonitor.path }}
|
||||
interval: {{ .Values.prometheus.servicemonitor.interval }}
|
||||
scrapeTimeout: {{ .Values.prometheus.servicemonitor.scrapeTimeout }}
|
||||
honorLabels: {{ .Values.prometheus.servicemonitor.honorLabels }}
|
||||
{{- with .Values.prometheus.servicemonitor.endpointAdditionalProperties }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -1,95 +0,0 @@
|
||||
{{- if .Values.startupapicheck.enabled }}
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: {{ include "startupapicheck.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.startupapicheck.jobAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
backoffLimit: {{ .Values.startupapicheck.backoffLimit }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 8 }}
|
||||
{{- with .Values.startupapicheck.podLabels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
restartPolicy: OnFailure
|
||||
serviceAccountName: {{ template "startupapicheck.serviceAccountName" . }}
|
||||
{{- if hasKey .Values.startupapicheck "automountServiceAccountToken" }}
|
||||
automountServiceAccountToken: {{ .Values.startupapicheck.automountServiceAccountToken }}
|
||||
{{- end }}
|
||||
enableServiceLinks: {{ .Values.startupapicheck.enableServiceLinks }}
|
||||
{{- with .Values.global.priorityClassName }}
|
||||
priorityClassName: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.securityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}-startupapicheck
|
||||
image: "{{ template "image" (tuple .Values.startupapicheck.image $.Chart.AppVersion) }}"
|
||||
imagePullPolicy: {{ .Values.startupapicheck.image.pullPolicy }}
|
||||
args:
|
||||
- check
|
||||
- api
|
||||
- --wait={{ .Values.startupapicheck.timeout }}
|
||||
{{- with .Values.startupapicheck.extraArgs }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
{{- with .Values.startupapicheck.extraEnv }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.resources }}
|
||||
resources:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.volumeMounts }}
|
||||
volumeMounts:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.volumes }}
|
||||
volumes:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -1,24 +0,0 @@
|
||||
{{- if .Values.startupapicheck.enabled }}
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ template "startupapicheck.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.startupapicheck.rbac.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
rules:
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames:
|
||||
- {{ template "startupapicheck.fullname" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -1,26 +0,0 @@
|
||||
{{- if .Values.startupapicheck.enabled }}
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "startupapicheck.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.startupapicheck.rbac.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "startupapicheck.fullname" . }}-psp
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "startupapicheck.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -1,51 +0,0 @@
|
||||
{{- if .Values.startupapicheck.enabled }}
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ template "startupapicheck.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
annotations:
|
||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
||||
{{- if .Values.global.podSecurityPolicy.useAppArmor }}
|
||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.rbac.annotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
allowedCapabilities: [] # default set of capabilities are implicitly allowed
|
||||
volumes:
|
||||
- 'projected'
|
||||
- 'secret'
|
||||
hostNetwork: false
|
||||
hostIPC: false
|
||||
hostPID: false
|
||||
runAsUser:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
supplementalGroups:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
fsGroup:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -1,48 +0,0 @@
|
||||
{{- if .Values.startupapicheck.enabled }}
|
||||
{{- if .Values.global.rbac.create }}
|
||||
# create certificate role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ template "startupapicheck.fullname" . }}:create-cert
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.startupapicheck.rbac.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificaterequests"]
|
||||
verbs: ["create"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "startupapicheck.fullname" . }}:create-cert
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.startupapicheck.rbac.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ template "startupapicheck.fullname" . }}:create-cert
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "startupapicheck.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -1,27 +0,0 @@
|
||||
{{- if .Values.startupapicheck.enabled }}
|
||||
{{- if .Values.startupapicheck.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
automountServiceAccountToken: {{ .Values.startupapicheck.serviceAccount.automountServiceAccountToken }}
|
||||
metadata:
|
||||
name: {{ template "startupapicheck.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- with .Values.startupapicheck.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.startupapicheck.serviceAccount.labels }}
|
||||
{{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -1,19 +0,0 @@
|
||||
{{- if .Values.webhook.config -}}
|
||||
{{- $config := .Values.webhook.config -}}
|
||||
{{- $_ := set $config "apiVersion" (default "webhook.config.cert-manager.io/v1alpha1" $config.apiVersion) -}}
|
||||
{{- $_ := set $config "kind" (default "WebhookConfiguration" $config.kind) -}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ include "webhook.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
data:
|
||||
config.yaml: |
|
||||
{{- $config | toYaml | nindent 4 }}
|
||||
{{- end -}}
|
||||
@@ -1,217 +0,0 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "webhook.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.webhook.deploymentAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
replicas: {{ .Values.webhook.replicaCount }}
|
||||
{{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
|
||||
{{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }}
|
||||
revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
|
||||
{{- end }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- with .Values.webhook.strategy }}
|
||||
strategy:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 8 }}
|
||||
{{- with .Values.webhook.podLabels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if and .Values.prometheus.enabled (not (or .Values.prometheus.servicemonitor.enabled .Values.prometheus.podmonitor.enabled)) }}
|
||||
{{- if not .Values.webhook.podAnnotations }}
|
||||
annotations:
|
||||
{{- end }}
|
||||
prometheus.io/path: "/metrics"
|
||||
prometheus.io/scrape: 'true'
|
||||
prometheus.io/port: '9402'
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if not .Values.webhook.serviceAccount.create }}
|
||||
{{- with .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ template "webhook.serviceAccountName" . }}
|
||||
{{- if hasKey .Values.webhook "automountServiceAccountToken" }}
|
||||
automountServiceAccountToken: {{ .Values.webhook.automountServiceAccountToken }}
|
||||
{{- end }}
|
||||
enableServiceLinks: {{ .Values.webhook.enableServiceLinks }}
|
||||
{{- with .Values.global.priorityClassName }}
|
||||
priorityClassName: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.securityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.webhook.hostNetwork }}
|
||||
hostNetwork: true
|
||||
{{- end }}
|
||||
{{- if .Values.webhook.hostNetwork }}
|
||||
dnsPolicy: ClusterFirstWithHostNet
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}-webhook
|
||||
image: "{{ template "image" (tuple .Values.webhook.image $.Chart.AppVersion) }}"
|
||||
imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}
|
||||
args:
|
||||
{{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
|
||||
{{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }}
|
||||
- --v={{ .Values.global.logLevel }}
|
||||
{{- end }}
|
||||
{{- if .Values.webhook.config }}
|
||||
- --config=/var/cert-manager/config/config.yaml
|
||||
{{- end }}
|
||||
{{- $config := default .Values.webhook.config "" }}
|
||||
{{ if not $config.securePort -}}
|
||||
- --secure-port={{ .Values.webhook.securePort }}
|
||||
{{- end }}
|
||||
{{- if .Values.webhook.featureGates }}
|
||||
- --feature-gates={{ .Values.webhook.featureGates }}
|
||||
{{- end }}
|
||||
{{- $tlsConfig := default $config.tlsConfig "" }}
|
||||
{{ if or (not $config.tlsConfig) (and (not $tlsConfig.dynamic) (not $tlsConfig.filesystem) ) -}}
|
||||
- --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
|
||||
- --dynamic-serving-ca-secret-name={{ template "webhook.fullname" . }}-ca
|
||||
- --dynamic-serving-dns-names={{ template "webhook.fullname" . }}
|
||||
- --dynamic-serving-dns-names={{ template "webhook.fullname" . }}.$(POD_NAMESPACE)
|
||||
- --dynamic-serving-dns-names={{ template "webhook.fullname" . }}.$(POD_NAMESPACE).svc
|
||||
{{ if .Values.webhook.url.host }}
|
||||
- --dynamic-serving-dns-names={{ .Values.webhook.url.host }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.extraArgs }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if not .Values.prometheus.enabled }}
|
||||
- --metrics-listen-address=0
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: https
|
||||
protocol: TCP
|
||||
{{- if $config.securePort }}
|
||||
containerPort: {{ $config.securePort }}
|
||||
{{- else if .Values.webhook.securePort }}
|
||||
containerPort: {{ .Values.webhook.securePort }}
|
||||
{{- else }}
|
||||
containerPort: 6443
|
||||
{{- end }}
|
||||
- name: healthcheck
|
||||
protocol: TCP
|
||||
{{- if $config.healthzPort }}
|
||||
containerPort: {{ $config.healthzPort }}
|
||||
{{- else }}
|
||||
containerPort: 6080
|
||||
{{- end }}
|
||||
{{- if .Values.prometheus.enabled }}
|
||||
- containerPort: 9402
|
||||
name: http-metrics
|
||||
protocol: TCP
|
||||
{{- end }}
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /livez
|
||||
{{- if $config.healthzPort }}
|
||||
port: {{ $config.healthzPort }}
|
||||
{{- else }}
|
||||
port: 6080
|
||||
{{- end }}
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: {{ .Values.webhook.livenessProbe.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.webhook.livenessProbe.periodSeconds }}
|
||||
timeoutSeconds: {{ .Values.webhook.livenessProbe.timeoutSeconds }}
|
||||
successThreshold: {{ .Values.webhook.livenessProbe.successThreshold }}
|
||||
failureThreshold: {{ .Values.webhook.livenessProbe.failureThreshold }}
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /healthz
|
||||
{{- if $config.healthzPort }}
|
||||
port: {{ $config.healthzPort }}
|
||||
{{- else }}
|
||||
port: 6080
|
||||
{{- end }}
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: {{ .Values.webhook.readinessProbe.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.webhook.readinessProbe.periodSeconds }}
|
||||
timeoutSeconds: {{ .Values.webhook.readinessProbe.timeoutSeconds }}
|
||||
successThreshold: {{ .Values.webhook.readinessProbe.successThreshold }}
|
||||
failureThreshold: {{ .Values.webhook.readinessProbe.failureThreshold }}
|
||||
{{- with .Values.webhook.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
{{- with .Values.webhook.extraEnv }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.resources }}
|
||||
resources:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.webhook.config .Values.webhook.volumeMounts }}
|
||||
volumeMounts:
|
||||
{{- if .Values.webhook.config }}
|
||||
- name: config
|
||||
mountPath: /var/cert-manager/config
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.volumeMounts }}
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.topologySpreadConstraints }}
|
||||
topologySpreadConstraints:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.webhook.config .Values.webhook.volumes }}
|
||||
volumes:
|
||||
{{- if .Values.webhook.config }}
|
||||
- name: config
|
||||
configMap:
|
||||
name: {{ include "webhook.fullname" . }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.volumes }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -1,48 +0,0 @@
|
||||
apiVersion: admissionregistration.k8s.io/v1
|
||||
kind: MutatingWebhookConfiguration
|
||||
metadata:
|
||||
name: {{ include "webhook.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
annotations:
|
||||
cert-manager.io/inject-ca-from-secret: {{ printf "%s/%s-ca" (include "cert-manager.namespace" .) (include "webhook.fullname" .) | quote }}
|
||||
{{- with .Values.webhook.mutatingWebhookConfigurationAnnotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
webhooks:
|
||||
- name: webhook.cert-manager.io
|
||||
{{- with .Values.webhook.mutatingWebhookConfiguration.namespaceSelector }}
|
||||
namespaceSelector:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- "cert-manager.io"
|
||||
apiVersions:
|
||||
- "v1"
|
||||
operations:
|
||||
- CREATE
|
||||
resources:
|
||||
- "certificaterequests"
|
||||
admissionReviewVersions: ["v1"]
|
||||
# This webhook only accepts v1 cert-manager resources.
|
||||
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
|
||||
# this webhook (after the resources have been converted to v1).
|
||||
matchPolicy: Equivalent
|
||||
timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
|
||||
failurePolicy: Fail
|
||||
# Only include 'sideEffects' field in Kubernetes 1.12+
|
||||
sideEffects: None
|
||||
clientConfig:
|
||||
{{- if .Values.webhook.url.host }}
|
||||
url: https://{{ .Values.webhook.url.host }}/mutate
|
||||
{{- else }}
|
||||
service:
|
||||
name: {{ template "webhook.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
path: /mutate
|
||||
{{- end }}
|
||||
@@ -1,29 +0,0 @@
|
||||
{{- if .Values.webhook.podDisruptionBudget.enabled }}
|
||||
apiVersion: policy/v1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ include "webhook.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
|
||||
{{- if not (or (hasKey .Values.webhook.podDisruptionBudget "minAvailable") (hasKey .Values.webhook.podDisruptionBudget "maxUnavailable")) }}
|
||||
minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
|
||||
{{- end }}
|
||||
{{- if hasKey .Values.webhook.podDisruptionBudget "minAvailable" }}
|
||||
minAvailable: {{ .Values.webhook.podDisruptionBudget.minAvailable }}
|
||||
{{- end }}
|
||||
{{- if hasKey .Values.webhook.podDisruptionBudget "maxUnavailable" }}
|
||||
maxUnavailable: {{ .Values.webhook.podDisruptionBudget.maxUnavailable }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -1,18 +0,0 @@
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames:
|
||||
- {{ template "webhook.fullname" . }}
|
||||
{{- end }}
|
||||
@@ -1,20 +0,0 @@
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "webhook.fullname" . }}-psp
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "webhook.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
@@ -1,54 +0,0 @@
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
annotations:
|
||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
||||
{{- if .Values.global.podSecurityPolicy.useAppArmor }}
|
||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||
{{- end }}
|
||||
spec:
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
allowedCapabilities: [] # default set of capabilities are implicitly allowed
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'emptyDir'
|
||||
- 'projected'
|
||||
- 'secret'
|
||||
- 'downwardAPI'
|
||||
hostNetwork: {{ .Values.webhook.hostNetwork }}
|
||||
{{- if .Values.webhook.hostNetwork }}
|
||||
hostPorts:
|
||||
- max: {{ .Values.webhook.securePort }}
|
||||
min: {{ .Values.webhook.securePort }}
|
||||
{{- end }}
|
||||
hostIPC: false
|
||||
hostPID: false
|
||||
runAsUser:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
supplementalGroups:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
fsGroup:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
{{- end }}
|
||||
@@ -1,90 +0,0 @@
|
||||
{{- if .Values.global.rbac.create }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}:dynamic-serving
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
resourceNames:
|
||||
- '{{ template "webhook.fullname" . }}-ca'
|
||||
{{- $certmanagerNamespace := include "cert-manager.namespace" . }}
|
||||
{{- with (.Values.webhook.config.metricsTLSConfig).dynamic }}
|
||||
{{- if $certmanagerNamespace | eq .secretNamespace }}
|
||||
# Allow webhook to read and update the metrics CA Secret when dynamic TLS is
|
||||
# enabled for the metrics server and if the Secret is configured to be in the
|
||||
# same namespace as cert-manager.
|
||||
- {{ .secretName | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
# It's not possible to grant CREATE permission on a single resourceName.
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["create"]
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}:dynamic-serving
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ template "webhook.fullname" . }}:dynamic-serving
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "webhook.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}:subjectaccessreviews
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["authorization.k8s.io"]
|
||||
resources: ["subjectaccessreviews"]
|
||||
verbs: ["create"]
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}:subjectaccessreviews
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "webhook.fullname" . }}:subjectaccessreviews
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "webhook.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
@@ -1,44 +0,0 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- with .Values.webhook.serviceAnnotations }}
|
||||
annotations:
|
||||
{{ toYaml . | indent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.webhook.serviceLabels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: {{ .Values.webhook.serviceType }}
|
||||
{{- if .Values.webhook.serviceIPFamilyPolicy }}
|
||||
ipFamilyPolicy: {{ .Values.webhook.serviceIPFamilyPolicy }}
|
||||
{{- end }}
|
||||
{{- if .Values.webhook.serviceIPFamilies }}
|
||||
ipFamilies: {{ .Values.webhook.serviceIPFamilies | toYaml | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.loadBalancerIP }}
|
||||
loadBalancerIP: {{ . }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: https
|
||||
port: 443
|
||||
protocol: TCP
|
||||
targetPort: "https"
|
||||
{{- if and .Values.prometheus.enabled (not .Values.prometheus.podmonitor.enabled) }}
|
||||
- name: metrics
|
||||
port: 9402
|
||||
protocol: TCP
|
||||
targetPort: "http-metrics"
|
||||
{{- end }}
|
||||
selector:
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
@@ -1,25 +0,0 @@
|
||||
{{- if .Values.webhook.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
automountServiceAccountToken: {{ .Values.webhook.serviceAccount.automountServiceAccountToken }}
|
||||
metadata:
|
||||
name: {{ template "webhook.serviceAccountName" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- with .Values.webhook.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.webhook.serviceAccount.labels }}
|
||||
{{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -1,49 +0,0 @@
|
||||
apiVersion: admissionregistration.k8s.io/v1
|
||||
kind: ValidatingWebhookConfiguration
|
||||
metadata:
|
||||
name: {{ include "webhook.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
annotations:
|
||||
cert-manager.io/inject-ca-from-secret: {{ printf "%s/%s-ca" (include "cert-manager.namespace" .) (include "webhook.fullname" .) | quote}}
|
||||
{{- with .Values.webhook.validatingWebhookConfigurationAnnotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
webhooks:
|
||||
- name: webhook.cert-manager.io
|
||||
{{- with .Values.webhook.validatingWebhookConfiguration.namespaceSelector }}
|
||||
namespaceSelector:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- "cert-manager.io"
|
||||
- "acme.cert-manager.io"
|
||||
apiVersions:
|
||||
- "v1"
|
||||
operations:
|
||||
- CREATE
|
||||
- UPDATE
|
||||
resources:
|
||||
- "*/*"
|
||||
admissionReviewVersions: ["v1"]
|
||||
# This webhook only accepts v1 cert-manager resources.
|
||||
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
|
||||
# this webhook (after the resources have been converted to v1).
|
||||
matchPolicy: Equivalent
|
||||
timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
|
||||
failurePolicy: Fail
|
||||
sideEffects: None
|
||||
clientConfig:
|
||||
{{- if .Values.webhook.url.host }}
|
||||
url: https://{{ .Values.webhook.url.host }}/validate
|
||||
{{- else }}
|
||||
service:
|
||||
name: {{ template "webhook.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
path: /validate
|
||||
{{- end }}
|
||||
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@@ -1,10 +0,0 @@
|
||||
# argocd/kustomization.yaml
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
helmCharts:
|
||||
- name: cert-manager
|
||||
repo: https://charts.jetstack.io
|
||||
version: 1.17.0
|
||||
releaseName: cert-manager
|
||||
valuesFile: values.yaml
|
||||
@@ -1,9 +0,0 @@
|
||||
crds:
|
||||
enabled: true
|
||||
|
||||
extraArgs:
|
||||
- --enable-gateway-api
|
||||
|
||||
global:
|
||||
leaderElection:
|
||||
namespace: cert-manager
|
||||
Reference in New Issue
Block a user