diff --git a/chart/jetstack-secure-gcm/charts/cert-manager/Chart.yaml b/chart/jetstack-secure-gcm/charts/cert-manager/Chart.yaml index 1405cb3..0747fb7 100644 --- a/chart/jetstack-secure-gcm/charts/cert-manager/Chart.yaml +++ b/chart/jetstack-secure-gcm/charts/cert-manager/Chart.yaml @@ -1,19 +1,19 @@ annotations: artifacthub.io/prerelease: "false" apiVersion: v1 -appVersion: v1.5.3 +appVersion: v1.6.1 description: A Helm chart for cert-manager home: https://github.com/jetstack/cert-manager icon: https://raw.githubusercontent.com/jetstack/cert-manager/master/logo/logo.png keywords: -- cert-manager -- kube-lego -- letsencrypt -- tls + - cert-manager + - kube-lego + - letsencrypt + - tls maintainers: -- email: cert-manager-maintainers@googlegroups.com - name: cert-manager-maintainers + - email: cert-manager-maintainers@googlegroups.com + name: cert-manager-maintainers name: cert-manager sources: -- https://github.com/jetstack/cert-manager -version: v1.5.3 + - https://github.com/jetstack/cert-manager +version: 1.6.1 diff --git a/chart/jetstack-secure-gcm/charts/cert-manager/README.md b/chart/jetstack-secure-gcm/charts/cert-manager/README.md index c5ed139..b273de5 100644 --- a/chart/jetstack-secure-gcm/charts/cert-manager/README.md +++ b/chart/jetstack-secure-gcm/charts/cert-manager/README.md @@ -19,7 +19,7 @@ Before installing the chart, you must first install the cert-manager CustomResou This is performed in a separate step to allow you to easily uninstall and reinstall cert-manager without deleting your installed custom resources. ```bash -$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.3/cert-manager.crds.yaml +$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.6.1/cert-manager.crds.yaml ``` To install the chart with the release name `my-release`: 
@@ -29,7 +29,7 @@ To install the chart with the release name `my-release`: $ helm repo add jetstack https://charts.jetstack.io ## Install the cert-manager helm chart -$ helm install my-release --namespace cert-manager --version v1.5.3 jetstack/cert-manager +$ helm install my-release --namespace cert-manager --version v1.6.1 jetstack/cert-manager ``` In order to begin issuing certificates, you will need to set up a ClusterIssuer @@ -65,7 +65,7 @@ If you want to completely uninstall cert-manager from your cluster, you will als delete the previously installed CustomResourceDefinition resources: ```console -$ kubectl delete -f https://github.com/jetstack/cert-manager/releases/download/v1.5.3/cert-manager.crds.yaml +$ kubectl delete -f https://github.com/jetstack/cert-manager/releases/download/v1.6.1/cert-manager.crds.yaml ``` ## Configuration @@ -85,7 +85,7 @@ The following table lists the configurable parameters of the cert-manager chart | `global.leaderElection.retryPeriod` | The duration the clients should wait between attempting acquisition and renewal of a leadership | | | `installCRDs` | If true, CRD resources will be installed as part of the Helm chart. If enabled, when uninstalling CRD resources will be deleted causing all installed custom resources to be DELETED | `false` | | `image.repository` | Image repository | `quay.io/jetstack/cert-manager-controller` | -| `image.tag` | Image tag | `v1.5.3` | +| `image.tag` | Image tag | `v1.6.1` | | `image.pullPolicy` | Image pull policy | `IfNotPresent` | | `replicaCount` | Number of cert-manager replicas | `1` | | `clusterResourceNamespace` | Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources | Same namespace as cert-manager pod | 
@@ -123,6 +123,7 @@ The following table lists the configurable parameters of the cert-manager chart | `podDnsConfig` | Optional cert-manager pod [DNS configurations](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-config) | | | `podLabels` | Labels to add to the cert-manager pod | `{}` | | `serviceLabels` | Labels to add to the cert-manager controller service | `{}` | +| `serviceAnnotations` | Annotations to add to the cert-manager service | `{}` | | `http_proxy` | Value of the `HTTP_PROXY` environment variable in the cert-manager pod | | | `https_proxy` | Value of the `HTTPS_PROXY` environment variable in the cert-manager pod | | | `no_proxy` | Value of the `NO_PROXY` environment variable in the cert-manager pod | | @@ -134,6 +135,7 @@ The following table lists the configurable parameters of the cert-manager chart | `webhook.deploymentAnnotations` | Annotations to add to the webhook deployment | `{}` | | `webhook.mutatingWebhookConfigurationAnnotations` | Annotations to add to the mutating webhook configuration | `{}` | | `webhook.validatingWebhookConfigurationAnnotations` | Annotations to add to the validating webhook configuration | `{}` | +| `webhook.serviceAnnotations` | Annotations to add to the webhook service | `{}` | | `webhook.extraArgs` | Optional flags for cert-manager webhook component | `[]` | | `webhook.serviceAccount.create` | If `true`, create a new service account for the webhook component | `true` | | `webhook.serviceAccount.name` | Service account for the webhook component to be used. If not set and `webhook.serviceAccount.create` is `true`, a name is generated using the fullname template | | 
@@ -144,7 +146,7 @@ The following table lists the configurable parameters of the cert-manager chart | `webhook.affinity` | Node affinity for webhook pod assignment | `{}` | | `webhook.tolerations` | Node tolerations for webhook pod assignment | `[]` | | `webhook.image.repository` | Webhook image repository | `quay.io/jetstack/cert-manager-webhook` | -| `webhook.image.tag` | Webhook image tag | `v1.5.3` | +| `webhook.image.tag` | Webhook image tag | `v1.6.1` | | `webhook.image.pullPolicy` | Webhook image pull policy | `IfNotPresent` | | `webhook.securePort` | The port that the webhook should listen on for requests. | `10250` | | `webhook.securityContext` | Security context for webhook pod assignment | `{}` | @@ -178,7 +180,7 @@ The following table lists the configurable parameters of the cert-manager chart | `cainjector.affinity` | Node affinity for cainjector pod assignment | `{}` | | `cainjector.tolerations` | Node tolerations for cainjector pod assignment | `[]` | | `cainjector.image.repository` | cainjector image repository | `quay.io/jetstack/cert-manager-cainjector` | -| `cainjector.image.tag` | cainjector image tag | `v1.5.3` | +| `cainjector.image.tag` | cainjector image tag | `v1.6.1` | | `cainjector.image.pullPolicy` | cainjector image pull policy | `IfNotPresent` | | `cainjector.securityContext` | Security context for cainjector pod assignment | `{}` | | `cainjector.containerSecurityContext` | Security context to be set on cainjector component container | `{}` | 
@@ -195,7 +197,7 @@ The following table lists the configurable parameters of the cert-manager chart | `startupapicheck.tolerations` | Node tolerations for startupapicheck pod assignment | `[]` | | `startupapicheck.podLabels` | Optional additional labels to add to the startupapicheck Pods | `{}` | | `startupapicheck.image.repository` | startupapicheck image repository | `quay.io/jetstack/cert-manager-ctl` | -| `startupapicheck.image.tag` | startupapicheck image tag | `v1.5.3` | +| `startupapicheck.image.tag` | startupapicheck image tag | `v1.6.1` | | `startupapicheck.image.pullPolicy` | startupapicheck image pull policy | `IfNotPresent` | | `startupapicheck.serviceAccount.create` | If `true`, create a new service account for the startupapicheck component | `true` | | `startupapicheck.serviceAccount.name` | Service account for the startupapicheck component to be used. If not set and `startupapicheck.serviceAccount.create` is `true`, a name is generated using the fullname template | | diff --git a/chart/jetstack-secure-gcm/charts/cert-manager/templates/_helpers.tpl b/chart/jetstack-secure-gcm/charts/cert-manager/templates/_helpers.tpl index e61fc27..dfebe53 100644 --- a/chart/jetstack-secure-gcm/charts/cert-manager/templates/_helpers.tpl +++ b/chart/jetstack-secure-gcm/charts/cert-manager/templates/_helpers.tpl @@ -38,6 +38,15 @@ Create the name of the service account to use Webhook templates */}} +{{/* +Expand the name of the chart. +Manually fix the 'app' and 'name' labels to 'webhook' to maintain +compatibility with the v0.9 deployment selector. +*/}} +{{- define "webhook.name" -}} +{{- printf "webhook" -}} +{{- end -}} + {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 
@@ -67,6 +76,15 @@ Create the name of the service account to use cainjector templates */}} +{{/* +Expand the name of the chart. +Manually fix the 'app' and 'name' labels to 'cainjector' to maintain +compatibility with the v0.9 deployment selector. +*/}} +{{- define "cainjector.name" -}} +{{- printf "cainjector" -}} +{{- end -}} + {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). diff --git a/chart/jetstack-secure-gcm/charts/cert-manager/templates/crds.yaml b/chart/jetstack-secure-gcm/charts/cert-manager/templates/crds.yaml index 0ce5723..b33121f 100644 --- a/chart/jetstack-secure-gcm/charts/cert-manager/templates/crds.yaml +++ b/chart/jetstack-secure-gcm/charts/cert-manager/templates/crds.yaml @@ -6,7 +6,6 @@ metadata: annotations: cert-manager.io/inject-ca-from-secret: '{{ template "webhook.caRef" . }}' labels: - app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' app.kubernetes.io/instance: '{{ .Release.Name }}' # Generated labels {{- include "labels" . | nindent 4 }} @@ -213,7 +212,7 @@ spec: description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off. type: string format: date-time - served: true + served: false storage: false - name: v1alpha3 subresources: @@ -382,7 +381,7 @@ spec: description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off. type: string format: date-time - served: true + served: false storage: false - name: v1beta1 subresources: @@ -553,7 +552,7 @@ spec: description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off. type: string format: date-time - served: true + served: false storage: false - name: v1 subresources: 
@@ -734,7 +733,6 @@ metadata: annotations: cert-manager.io/inject-ca-from-secret: '{{ template "webhook.caRef" . }}' labels: - app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' app.kubernetes.io/instance: '{{ .Release.Name }}' # Generated labels {{- include "labels" . | nindent 4 }} @@ -1089,7 +1087,7 @@ spec: revision: description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field." type: integer - served: true + served: false storage: false - name: v1alpha3 subresources: @@ -1406,7 +1404,7 @@ spec: revision: description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field." type: integer - served: true + served: false storage: false - name: v1beta1 subresources: 
@@ -1725,7 +1723,7 @@ spec: revision: description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field." type: integer - served: true + served: false storage: false - name: v1 subresources: @@ -2055,7 +2053,6 @@ metadata: annotations: cert-manager.io/inject-ca-from-secret: '{{ template "webhook.caRef" . }}' labels: - app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' app.kubernetes.io/instance: '{{ .Release.Name }}' # Generated labels {{- include "labels" . | nindent 4 }} @@ -2259,6 +2256,7 @@ spec: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string environment: + description: name of the Azure environment (default AzurePublicCloud) type: string enum: - AzurePublicCloud 
@@ -2266,10 +2264,23 @@ spec: - AzureGermanCloud - AzureUSGovernmentCloud hostedZoneName: + description: name of the DNS zone that should be used type: string + managedIdentity: + description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID + type: object + properties: + clientID: + description: client ID of the managed identity, can not be used at the same time as resourceID + type: string + resourceID: + description: resource ID of the managed identity, can not be used at the same time as clientID + type: string resourceGroupName: + description: resource group the DNS zone is located in type: string subscriptionID: + description: ID of the Azure subscription type: string tenantID: description: when specifying ClientID and ClientSecret then this field is also needed @@ -2665,7 +2676,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: 
@@ -2746,7 +2757,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: @@ -2834,7 +2845,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: 
@@ -2915,7 +2926,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: @@ -3046,7 +3057,7 @@ spec: - invalid - expired - errored - served: true + served: false storage: false subresources: status: {} @@ -3216,6 +3227,7 @@ spec: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string environment: + description: name of the Azure environment (default AzurePublicCloud) type: string enum: - AzurePublicCloud 
@@ -3223,10 +3235,23 @@ spec: - AzureGermanCloud - AzureUSGovernmentCloud hostedZoneName: + description: name of the DNS zone that should be used type: string + managedIdentity: + description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID + type: object + properties: + clientID: + description: client ID of the managed identity, can not be used at the same time as resourceID + type: string + resourceID: + description: resource ID of the managed identity, can not be used at the same time as clientID + type: string resourceGroupName: + description: resource group the DNS zone is located in type: string subscriptionID: + description: ID of the Azure subscription type: string tenantID: description: when specifying ClientID and ClientSecret then this field is also needed @@ -3622,7 +3647,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: 
@@ -3703,7 +3728,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: @@ -3791,7 +3816,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: 
@@ -3872,7 +3897,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: @@ -4003,7 +4028,7 @@ spec: - invalid - expired - errored - served: true + served: false storage: false subresources: status: {} @@ -4174,6 +4199,7 @@ spec: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string environment: + description: name of the Azure environment (default AzurePublicCloud) type: string enum: - AzurePublicCloud 
@@ -4181,10 +4207,23 @@ spec: - AzureGermanCloud - AzureUSGovernmentCloud hostedZoneName: + description: name of the DNS zone that should be used type: string + managedIdentity: + description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID + type: object + properties: + clientID: + description: client ID of the managed identity, can not be used at the same time as resourceID + type: string + resourceID: + description: resource ID of the managed identity, can not be used at the same time as clientID + type: string resourceGroupName: + description: resource group the DNS zone is located in type: string subscriptionID: + description: ID of the Azure subscription type: string tenantID: description: when specifying ClientID and ClientSecret then this field is also needed @@ -4580,7 +4619,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: 
@@ -4661,7 +4700,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: @@ -4749,7 +4788,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: 
@@ -4830,7 +4869,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: @@ -4961,7 +5000,7 @@ spec: - invalid - expired - errored - served: true + served: false storage: false subresources: status: {} @@ -5132,6 +5171,7 @@ spec: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string environment: + description: name of the Azure environment (default AzurePublicCloud) type: string enum: - AzurePublicCloud 
@@ -5139,10 +5179,23 @@ spec: - AzureGermanCloud - AzureUSGovernmentCloud hostedZoneName: + description: name of the DNS zone that should be used type: string + managedIdentity: + description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID + type: object + properties: + clientID: + description: client ID of the managed identity, can not be used at the same time as resourceID + type: string + resourceID: + description: resource ID of the managed identity, can not be used at the same time as clientID + type: string resourceGroupName: + description: resource group the DNS zone is located in type: string subscriptionID: + description: ID of the Azure subscription type: string tenantID: description: when specifying ClientID and ClientSecret then this field is also needed @@ -5538,7 +5591,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: 
@@ -5619,7 +5672,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: @@ -5707,7 +5760,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: 
@@ -5788,7 +5841,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: @@ -5931,7 +5984,6 @@ metadata: annotations: cert-manager.io/inject-ca-from-secret: '{{ template "webhook.caRef" . }}' labels: - app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' app.kubernetes.io/instance: '{{ .Release.Name }}' # Generated labels {{- include "labels" . | nindent 4 }} @@ -6169,6 +6221,7 @@ spec: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string environment: + description: name of the Azure environment (default AzurePublicCloud) type: string enum: - AzurePublicCloud 
@@ -6176,10 +6229,23 @@ spec: - AzureGermanCloud - AzureUSGovernmentCloud hostedZoneName: + description: name of the DNS zone that should be used type: string + managedIdentity: + description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID + type: object + properties: + clientID: + description: client ID of the managed identity, can not be used at the same time as resourceID + type: string + resourceID: + description: resource ID of the managed identity, can not be used at the same time as clientID + type: string resourceGroupName: + description: resource group the DNS zone is located in type: string subscriptionID: + description: ID of the Azure subscription type: string tenantID: description: when specifying ClientID and ClientSecret then this field is also needed @@ -6575,7 +6641,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: 
@@ -6656,7 +6722,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: @@ -6744,7 +6810,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: 
@@ -6825,7 +6891,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: @@ -7135,7 +7201,7 @@ spec: type: description: Type of the condition, known values are (`Ready`). type: string - served: true + served: false storage: false - name: v1alpha3 subresources: @@ -7338,6 +7404,7 @@ spec: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string environment: + description: name of the Azure environment (default AzurePublicCloud) type: string enum: - AzurePublicCloud 
@@ -7345,10 +7412,23 @@ spec: - AzureGermanCloud - AzureUSGovernmentCloud hostedZoneName: + description: name of the DNS zone that should be used type: string + managedIdentity: + description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID + type: object + properties: + clientID: + description: client ID of the managed identity, can not be used at the same time as resourceID + type: string + resourceID: + description: resource ID of the managed identity, can not be used at the same time as clientID + type: string resourceGroupName: + description: resource group the DNS zone is located in type: string subscriptionID: + description: ID of the Azure subscription type: string tenantID: description: when specifying ClientID and ClientSecret then this field is also needed @@ -7744,7 +7824,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: 
@@ -7825,7 +7905,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: @@ -7913,7 +7993,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: 
@@ -7994,7 +8074,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: @@ -8304,7 +8384,7 @@ spec: type: description: Type of the condition, known values are (`Ready`). type: string - served: true + served: false storage: false - name: v1beta1 subresources: @@ -8509,6 +8589,7 @@ spec: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string environment: + description: name of the Azure environment (default AzurePublicCloud) type: string enum: - AzurePublicCloud 
@@ -8516,10 +8597,23 @@ spec: - AzureGermanCloud - AzureUSGovernmentCloud hostedZoneName: + description: name of the DNS zone that should be used type: string + managedIdentity: + description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID + type: object + properties: + clientID: + description: client ID of the managed identity, can not be used at the same time as resourceID + type: string + resourceID: + description: resource ID of the managed identity, can not be used at the same time as clientID + type: string resourceGroupName: + description: resource group the DNS zone is located in type: string subscriptionID: + description: ID of the Azure subscription type: string tenantID: description: when specifying ClientID and ClientSecret then this field is also needed @@ -8915,7 +9009,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: 
@@ -8996,7 +9090,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: @@ -9084,7 +9178,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: 
@@ -9165,7 +9259,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: @@ -9475,7 +9569,7 @@ spec: type: description: Type of the condition, known values are (`Ready`). type: string - served: true + served: false storage: false - name: v1 subresources: @@ -9680,6 +9774,7 @@ spec: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string environment: + description: name of the Azure environment (default AzurePublicCloud) type: string enum: - AzurePublicCloud 
@@ -9687,10 +9782,23 @@ spec: - AzureGermanCloud - AzureUSGovernmentCloud hostedZoneName: + description: name of the DNS zone that should be used type: string + managedIdentity: + description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID + type: object + properties: + clientID: + description: client ID of the managed identity, can not be used at the same time as resourceID + type: string + resourceID: + description: resource ID of the managed identity, can not be used at the same time as clientID + type: string resourceGroupName: + description: resource group the DNS zone is located in type: string subscriptionID: + description: ID of the Azure subscription type: string tenantID: description: when specifying ClientID and ClientSecret then this field is also needed @@ -10086,7 +10194,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: 
@@ -10167,7 +10275,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: @@ -10255,7 +10363,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: 
@@ -10336,7 +10444,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: @@ -10656,7 +10764,6 @@ metadata: annotations: cert-manager.io/inject-ca-from-secret: '{{ template "webhook.caRef" . }}' labels: - app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' app.kubernetes.io/instance: '{{ .Release.Name }}' # Generated labels {{- include "labels" . | nindent 4 }} @@ -10894,6 +11001,7 @@ spec: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string environment: + description: name of the Azure environment (default AzurePublicCloud) type: string enum: - AzurePublicCloud 
@@ -10901,10 +11009,23 @@ spec: - AzureGermanCloud - AzureUSGovernmentCloud hostedZoneName: + description: name of the DNS zone that should be used type: string + managedIdentity: + description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID + type: object + properties: + clientID: + description: client ID of the managed identity, can not be used at the same time as resourceID + type: string + resourceID: + description: resource ID of the managed identity, can not be used at the same time as clientID + type: string resourceGroupName: + description: resource group the DNS zone is located in type: string subscriptionID: + description: ID of the Azure subscription type: string tenantID: description: when specifying ClientID and ClientSecret then this field is also needed @@ -11300,7 +11421,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: 
@@ -11381,7 +11502,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: @@ -11469,7 +11590,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: 
@@ -11550,7 +11671,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: @@ -11860,7 +11981,7 @@ spec: type: description: Type of the condition, known values are (`Ready`). type: string - served: true + served: false storage: false - name: v1alpha3 subresources: @@ -12063,6 +12184,7 @@ spec: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string environment: + description: name of the Azure environment (default AzurePublicCloud) type: string enum: - AzurePublicCloud 
@@ -12070,10 +12192,23 @@ spec: - AzureGermanCloud - AzureUSGovernmentCloud hostedZoneName: + description: name of the DNS zone that should be used type: string + managedIdentity: + description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID + type: object + properties: + clientID: + description: client ID of the managed identity, can not be used at the same time as resourceID + type: string + resourceID: + description: resource ID of the managed identity, can not be used at the same time as clientID + type: string resourceGroupName: + description: resource group the DNS zone is located in type: string subscriptionID: + description: ID of the Azure subscription type: string tenantID: description: when specifying ClientID and ClientSecret then this field is also needed @@ -12469,7 +12604,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: 
@@ -12550,7 +12685,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: @@ -12638,7 +12773,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: 
@@ -12719,7 +12854,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: @@ -13029,7 +13164,7 @@ spec: type: description: Type of the condition, known values are (`Ready`). type: string - served: true + served: false storage: false - name: v1beta1 subresources: @@ -13234,6 +13369,7 @@ spec: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string environment: + description: name of the Azure environment (default AzurePublicCloud) type: string enum: - AzurePublicCloud 
@@ -13241,10 +13377,23 @@ spec: - AzureGermanCloud - AzureUSGovernmentCloud hostedZoneName: + description: name of the DNS zone that should be used type: string + managedIdentity: + description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID + type: object + properties: + clientID: + description: client ID of the managed identity, can not be used at the same time as resourceID + type: string + resourceID: + description: resource ID of the managed identity, can not be used at the same time as clientID + type: string resourceGroupName: + description: resource group the DNS zone is located in type: string subscriptionID: + description: ID of the Azure subscription type: string tenantID: description: when specifying ClientID and ClientSecret then this field is also needed @@ -13640,7 +13789,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: 
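Review bot: the mutual exclusion stated in the `managedIdentity` description ("can not be used at the same time as clientID, clientSecretSecretRef or tenantID", and `clientID` vs `resourceID` inside it) exists only as prose in the schema; nothing in the hunk adds a `oneOf` or other structural constraint, so the API server will persist an issuer that sets both a client secret reference and a managed identity. Confirm the controller or validating webhook rejects that combination with a clear error rather than silently preferring one credential path, because which identity wins decides which Azure DNS zone permissions are used for the ACME challenge. The same schema block is repeated below for the second issuer CRD and needs the same check.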
@@ -13721,7 +13870,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: @@ -13809,7 +13958,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: 
@@ -13890,7 +14039,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: @@ -14200,7 +14349,7 @@ spec: type: description: Type of the condition, known values are (`Ready`). type: string - served: true + served: false storage: false - name: v1 subresources: @@ -14405,6 +14554,7 @@ spec: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string environment: + description: name of the Azure environment (default AzurePublicCloud) type: string enum: - AzurePublicCloud 
@@ -14412,10 +14562,23 @@ spec: - AzureGermanCloud - AzureUSGovernmentCloud hostedZoneName: + description: name of the DNS zone that should be used type: string + managedIdentity: + description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID + type: object + properties: + clientID: + description: client ID of the managed identity, can not be used at the same time as resourceID + type: string + resourceID: + description: resource ID of the managed identity, can not be used at the same time as clientID + type: string resourceGroupName: + description: resource group the DNS zone is located in type: string subscriptionID: + description: ID of the Azure subscription type: string tenantID: description: when specifying ClientID and ClientSecret then this field is also needed @@ -14811,7 +14974,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: 
@@ -14892,7 +15055,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: @@ -14980,7 +15143,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: 
@@ -15061,7 +15224,7 @@ spec: additionalProperties: type: string namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. type: object properties: matchExpressions: @@ -15381,7 +15544,6 @@ metadata: annotations: cert-manager.io/inject-ca-from-secret: '{{ template "webhook.caRef" . }}' labels: - app: '{{ template "cert-manager.name" . }}' app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' app.kubernetes.io/instance: '{{ .Release.Name }}' # Generated labels {{- include "labels" . | nindent 4 }} @@ -15574,7 +15736,7 @@ spec: url: description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set. type: string - served: true + served: false storage: false - name: v1alpha3 subresources: 
@@ -15731,7 +15893,7 @@ spec: url: description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set. type: string - served: true + served: false storage: false - name: v1beta1 subresources: @@ -15889,7 +16051,7 @@ spec: url: description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set. type: string - served: true + served: false storage: false - name: v1 subresources: diff --git a/chart/jetstack-secure-gcm/charts/cert-manager/templates/deployment.yaml b/chart/jetstack-secure-gcm/charts/cert-manager/templates/deployment.yaml index 5f342d7..eb0cf2a 100644 --- a/chart/jetstack-secure-gcm/charts/cert-manager/templates/deployment.yaml +++ b/chart/jetstack-secure-gcm/charts/cert-manager/templates/deployment.yaml @@ -174,6 +174,9 @@ spec: requests: cpu: 10m memory: 20Mi + securityContext: + runAsUser: 1001 + runAsNonRoot: true {{- with .Values.nodeSelector }} nodeSelector: {{ toYaml . | indent 8 }} diff --git a/chart/jetstack-secure-gcm/charts/cert-manager/templates/psp-clusterrole.yaml b/chart/jetstack-secure-gcm/charts/cert-manager/templates/psp-clusterrole.yaml index 1d40a02..6f289a2 100644 --- a/chart/jetstack-secure-gcm/charts/cert-manager/templates/psp-clusterrole.yaml +++ b/chart/jetstack-secure-gcm/charts/cert-manager/templates/psp-clusterrole.yaml @@ -4,7 +4,6 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ template "cert-manager.fullname" . }}-psp labels: - app: {{ include "cert-manager.name" . }} app.kubernetes.io/name: {{ include "cert-manager.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: "controller" 
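Review bot: the `securityContext` with `runAsUser: 1001` / `runAsNonRoot: true` is hardcoded into the template right after `resources`, while values.yaml in this same change still exposes `securityContext` and `containerSecurityContext` (the latter documented with `runAsNonRoot: true` as a commented-out option). Render with `helm template` and a non-empty `containerSecurityContext` to confirm this does not emit a duplicate `securityContext` key at the same indentation, and either wire the hardcoded values through the existing values or drop the values knob so there is one source of truth. While here, the container context would be stronger with `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}` and `readOnlyRootFilesystem: true`, and UID 1001 must fall inside the `runAsUser` range of the controller PodSecurityPolicy (not in this diff) or admission rejects the pod when `global.podSecurityPolicy.enabled` is true.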
diff --git a/chart/jetstack-secure-gcm/charts/cert-manager/templates/psp-clusterrolebinding.yaml b/chart/jetstack-secure-gcm/charts/cert-manager/templates/psp-clusterrolebinding.yaml index 1da89c8..842e589 100644 --- a/chart/jetstack-secure-gcm/charts/cert-manager/templates/psp-clusterrolebinding.yaml +++ b/chart/jetstack-secure-gcm/charts/cert-manager/templates/psp-clusterrolebinding.yaml @@ -4,7 +4,6 @@ kind: ClusterRoleBinding metadata: name: {{ template "cert-manager.fullname" . }}-psp labels: - app: {{ include "cert-manager.name" . }} app.kubernetes.io/name: {{ include "cert-manager.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: "controller" diff --git a/chart/jetstack-secure-gcm/charts/cert-manager/templates/psp.yaml b/chart/jetstack-secure-gcm/charts/cert-manager/templates/psp.yaml index 9e99f5c..1ba3493 100644 --- a/chart/jetstack-secure-gcm/charts/cert-manager/templates/psp.yaml +++ b/chart/jetstack-secure-gcm/charts/cert-manager/templates/psp.yaml @@ -4,7 +4,6 @@ kind: PodSecurityPolicy metadata: name: {{ template "cert-manager.fullname" . }} labels: - app: {{ include "cert-manager.name" . }} app.kubernetes.io/name: {{ include "cert-manager.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: "controller" diff --git a/chart/jetstack-secure-gcm/charts/cert-manager/templates/rbac.yaml b/chart/jetstack-secure-gcm/charts/cert-manager/templates/rbac.yaml index 0b02648..d3f9e9b 100644 --- a/chart/jetstack-secure-gcm/charts/cert-manager/templates/rbac.yaml +++ b/chart/jetstack-secure-gcm/charts/cert-manager/templates/rbac.yaml @@ -5,7 +5,6 @@ metadata: name: {{ template "cert-manager.fullname" . }}:leaderelection namespace: {{ .Values.global.leaderElection.namespace }} labels: - app: {{ include "cert-manager.name" . }} app.kubernetes.io/name: {{ include "cert-manager.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: "controller" 
@@ -38,7 +37,6 @@ metadata: name: {{ include "cert-manager.fullname" . }}:leaderelection namespace: {{ .Values.global.leaderElection.namespace }} labels: - app: {{ include "cert-manager.name" . }} app.kubernetes.io/name: {{ include "cert-manager.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: "controller" @@ -61,7 +59,6 @@ kind: ClusterRole metadata: name: {{ template "cert-manager.fullname" . }}-controller-issuers labels: - app: {{ include "cert-manager.name" . }} app.kubernetes.io/name: {{ include "cert-manager.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: "controller" @@ -88,7 +85,6 @@ kind: ClusterRole metadata: name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers labels: - app: {{ include "cert-manager.name" . }} app.kubernetes.io/name: {{ include "cert-manager.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: "controller" @@ -115,7 +111,6 @@ kind: ClusterRole metadata: name: {{ template "cert-manager.fullname" . }}-controller-certificates labels: - app: {{ include "cert-manager.name" . }} app.kubernetes.io/name: {{ include "cert-manager.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: "controller" @@ -151,7 +146,6 @@ kind: ClusterRole metadata: name: {{ template "cert-manager.fullname" . }}-controller-orders labels: - app: {{ include "cert-manager.name" . }} app.kubernetes.io/name: {{ include "cert-manager.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: "controller" @@ -190,7 +184,6 @@ kind: ClusterRole metadata: name: {{ template "cert-manager.fullname" . }}-controller-challenges labels: - app: {{ include "cert-manager.name" . }} app.kubernetes.io/name: {{ include "cert-manager.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: "controller" 
@@ -251,7 +244,6 @@ kind: ClusterRole metadata: name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim labels: - app: {{ include "cert-manager.name" . }} app.kubernetes.io/name: {{ include "cert-manager.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: "controller" @@ -289,7 +281,6 @@ kind: ClusterRoleBinding metadata: name: {{ template "cert-manager.fullname" . }}-controller-issuers labels: - app: {{ include "cert-manager.name" . }} app.kubernetes.io/name: {{ include "cert-manager.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: "controller" @@ -310,7 +301,6 @@ kind: ClusterRoleBinding metadata: name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers labels: - app: {{ include "cert-manager.name" . }} app.kubernetes.io/name: {{ include "cert-manager.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: "controller" @@ -331,7 +321,6 @@ kind: ClusterRoleBinding metadata: name: {{ template "cert-manager.fullname" . }}-controller-certificates labels: - app: {{ include "cert-manager.name" . }} app.kubernetes.io/name: {{ include "cert-manager.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: "controller" @@ -352,7 +341,6 @@ kind: ClusterRoleBinding metadata: name: {{ template "cert-manager.fullname" . }}-controller-orders labels: - app: {{ include "cert-manager.name" . }} app.kubernetes.io/name: {{ include "cert-manager.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: "controller" @@ -373,7 +361,6 @@ kind: ClusterRoleBinding metadata: name: {{ template "cert-manager.fullname" . }}-controller-challenges labels: - app: {{ include "cert-manager.name" . }} app.kubernetes.io/name: {{ include "cert-manager.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: "controller" 
@@ -394,7 +381,6 @@ kind: ClusterRoleBinding metadata: name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim labels: - app: {{ include "cert-manager.name" . }} app.kubernetes.io/name: {{ include "cert-manager.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: "controller" @@ -415,7 +401,6 @@ kind: ClusterRole metadata: name: {{ template "cert-manager.fullname" . }}-view labels: - app: {{ include "cert-manager.name" . }} app.kubernetes.io/name: {{ include "cert-manager.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: "controller" @@ -439,7 +424,6 @@ kind: ClusterRole metadata: name: {{ template "cert-manager.fullname" . }}-edit labels: - app: {{ include "cert-manager.name" . }} app.kubernetes.io/name: {{ include "cert-manager.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: "controller" @@ -462,7 +446,6 @@ kind: ClusterRole metadata: name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io labels: - app: {{ include "cert-manager.name" . }} app.kubernetes.io/name: {{ include "cert-manager.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: "cert-manager" @@ -480,7 +463,6 @@ kind: ClusterRoleBinding metadata: name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io labels: - app: {{ include "cert-manager.name" . }} app.kubernetes.io/name: {{ include "cert-manager.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: "cert-manager" @@ -504,7 +486,6 @@ kind: ClusterRole metadata: name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests labels: - app: {{ include "cert-manager.name" . }} app.kubernetes.io/name: {{ include "cert-manager.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: "cert-manager" 
@@ -531,7 +512,6 @@ kind: ClusterRoleBinding metadata: name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests labels: - app: {{ include "cert-manager.name" . }} app.kubernetes.io/name: {{ include "cert-manager.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: "cert-manager" diff --git a/chart/jetstack-secure-gcm/charts/cert-manager/templates/service.yaml b/chart/jetstack-secure-gcm/charts/cert-manager/templates/service.yaml index dd20679..29e0eaa 100644 --- a/chart/jetstack-secure-gcm/charts/cert-manager/templates/service.yaml +++ b/chart/jetstack-secure-gcm/charts/cert-manager/templates/service.yaml @@ -5,7 +5,6 @@ metadata: name: {{ template "cert-manager.fullname" . }} namespace: {{ .Release.Namespace | quote }} labels: - app: {{ include "cert-manager.name" . }} app.kubernetes.io/name: {{ include "cert-manager.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: "controller" @@ -13,6 +12,10 @@ metadata: {{- if .Values.serviceLabels }} {{ toYaml .Values.serviceLabels | indent 4 }} {{- end }} +{{- if .Values.serviceAnnotations }} + annotations: + {{ toYaml .Values.serviceAnnotations | indent 4 }} +{{- end }} spec: type: ClusterIP ports: diff --git a/chart/jetstack-secure-gcm/charts/cert-manager/templates/serviceaccount.yaml b/chart/jetstack-secure-gcm/charts/cert-manager/templates/serviceaccount.yaml index bacff5a..04bb188 100644 --- a/chart/jetstack-secure-gcm/charts/cert-manager/templates/serviceaccount.yaml +++ b/chart/jetstack-secure-gcm/charts/cert-manager/templates/serviceaccount.yaml @@ -13,7 +13,6 @@ metadata: {{ toYaml .Values.serviceAccount.annotations | indent 4 }} {{- end }} labels: - app: {{ include "cert-manager.name" . }} app.kubernetes.io/name: {{ include "cert-manager.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: "controller" 
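Review bot: dropping the `app` label from every ClusterRole, ClusterRoleBinding, Service, ServiceAccount, PSP and ServiceMonitor is safe for the chart's own selectors only if none of them still matches on `app`; the Service and webhook Service selectors in this diff use `app.kubernetes.io/name` / `app.kubernetes.io/instance`, but the Deployment `spec.selector` (immutable after creation) is not in the diff and must be checked, since a selector change makes `helm upgrade` fail. Also grep for out-of-chart consumers written against `app=cert-manager`: NetworkPolicies that allow the controller to reach the API server or ACME endpoints, Prometheus `ServiceMonitor`/`PodMonitor` selectors, and admission policies all break silently when the label disappears.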
diff --git a/chart/jetstack-secure-gcm/charts/cert-manager/templates/servicemonitor.yaml b/chart/jetstack-secure-gcm/charts/cert-manager/templates/servicemonitor.yaml index 36584f3..ae194db 100644 --- a/chart/jetstack-secure-gcm/charts/cert-manager/templates/servicemonitor.yaml +++ b/chart/jetstack-secure-gcm/charts/cert-manager/templates/servicemonitor.yaml @@ -9,7 +9,6 @@ metadata: namespace: {{ .Release.Namespace | quote }} {{- end }} labels: - app: {{ include "cert-manager.name" . }} app.kubernetes.io/name: {{ include "cert-manager.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: "controller" diff --git a/chart/jetstack-secure-gcm/charts/cert-manager/templates/startupapicheck-psp-clusterrole.yaml b/chart/jetstack-secure-gcm/charts/cert-manager/templates/startupapicheck-psp-clusterrole.yaml index d22786f..3bbba17 100644 --- a/chart/jetstack-secure-gcm/charts/cert-manager/templates/startupapicheck-psp-clusterrole.yaml +++ b/chart/jetstack-secure-gcm/charts/cert-manager/templates/startupapicheck-psp-clusterrole.yaml @@ -5,8 +5,7 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ template "startupapicheck.fullname" . }}-psp labels: - app: {{ include "startupapicheck.name" . }} - app.kubernetes.io/name: {{ include "startupapicheck.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: "startupapicheck" {{- include "labels" . | nindent 4 }} diff --git a/chart/jetstack-secure-gcm/charts/cert-manager/templates/startupapicheck-psp-clusterrolebinding.yaml b/chart/jetstack-secure-gcm/charts/cert-manager/templates/startupapicheck-psp-clusterrolebinding.yaml index 119a260..1edc905 100644 --- a/chart/jetstack-secure-gcm/charts/cert-manager/templates/startupapicheck-psp-clusterrolebinding.yaml +++ b/chart/jetstack-secure-gcm/charts/cert-manager/templates/startupapicheck-psp-clusterrolebinding.yaml 
@@ -5,8 +5,7 @@ kind: ClusterRoleBinding metadata: name: {{ template "startupapicheck.fullname" . }}-psp labels: - app: {{ include "startupapicheck.name" . }} - app.kubernetes.io/name: {{ include "startupapicheck.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: "startupapicheck" {{- include "labels" . | nindent 4 }} diff --git a/chart/jetstack-secure-gcm/charts/cert-manager/templates/startupapicheck-psp.yaml b/chart/jetstack-secure-gcm/charts/cert-manager/templates/startupapicheck-psp.yaml new file mode 100644 index 0000000..0e852b1 --- /dev/null +++ b/chart/jetstack-secure-gcm/charts/cert-manager/templates/startupapicheck-psp.yaml 
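Review bot: with a new `PodSecurityPolicy` named `{{ template "startupapicheck.fullname" . }}` added in the following file, confirm the `rules` of the matching `-psp` ClusterRole (outside these hunks) grant `use` on exactly that `resourceNames` entry and not on the controller's PSP; otherwise the startupapicheck Job either fails admission or silently runs under the controller's broader policy. Switching `app.kubernetes.io/name` to `cert-manager.name` while keeping `app.kubernetes.io/component: "startupapicheck"` is consistent with the rest of this change.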
@@ -0,0 +1,50 @@ +{{- if .Values.startupapicheck.enabled -}} +{{- if .Values.global.podSecurityPolicy.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "startupapicheck.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "startupapicheck" + {{- include "labels" . | nindent 4 }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + {{- if .Values.global.podSecurityPolicy.useAppArmor }} + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + {{- end }} + {{- if .Values.startupapicheck.rbac.annotations }} + {{ toYaml .Values.startupapicheck.rbac.annotations | nindent 4 }} + {{- end }} +spec: + privileged: false + allowPrivilegeEscalation: false + allowedCapabilities: [] # default set of capabilities are implicitly allowed + volumes: + - 'projected' + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 +{{- end -}} +{{- end -}} diff --git a/chart/jetstack-secure-gcm/charts/cert-manager/templates/startupapicheck-rbac.yaml b/chart/jetstack-secure-gcm/charts/cert-manager/templates/startupapicheck-rbac.yaml index 89fa0ac..9e245de 100644 --- a/chart/jetstack-secure-gcm/charts/cert-manager/templates/startupapicheck-rbac.yaml +++ b/chart/jetstack-secure-gcm/charts/cert-manager/templates/startupapicheck-rbac.yaml 
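Review bot: `allowedCapabilities: []` leaves the runtime's default capability set in place (the inline comment says as much), which is more than a Job that only talks to the API server needs; add `requiredDropCapabilities: ['ALL']` and `readOnlyRootFilesystem: true` so the policy actually constrains the pod rather than just documenting it. The `runAsUser`, `supplementalGroups` and `fsGroup` ranges pin the Job to UID/GID 1000, so the startupapicheck pod's `securityContext` (not in this diff) must set exactly 1000 or PSP admission rejects it; the controller Deployment in this same change is pinned to 1001, so the two values being intentionally different deserves a comment. `policy/v1beta1` PodSecurityPolicy is deprecated upstream, so gating this template on `global.podSecurityPolicy.enabled` and leaving it off by default is the right call.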
@@ -19,6 +19,7 @@ rules: - apiGroups: ["cert-manager.io"] resources: ["certificates"] verbs: ["create"] + --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/chart/jetstack-secure-gcm/charts/cert-manager/templates/webhook-service.yaml b/chart/jetstack-secure-gcm/charts/cert-manager/templates/webhook-service.yaml index 1626d57..488a1cc 100644 --- a/chart/jetstack-secure-gcm/charts/cert-manager/templates/webhook-service.yaml +++ b/chart/jetstack-secure-gcm/charts/cert-manager/templates/webhook-service.yaml @@ -11,16 +11,20 @@ metadata: {{- if .Values.webhook.serviceLabels }} {{ toYaml .Values.webhook.serviceLabels | indent 4 }} {{- end }} +{{- if .Values.webhook.serviceAnnotations }} + annotations: + {{ toYaml .Values.webhook.serviceAnnotations | indent 4 }} +{{- end }} spec: type: {{ .Values.webhook.serviceType }} {{- if .Values.webhook.loadBalancerIP }} loadBalancerIP: {{ .Values.webhook.loadBalancerIP }} {{- end }} ports: - - name: https - port: 443 - protocol: TCP - targetPort: {{ .Values.webhook.securePort }} + - name: https + port: 443 + protocol: TCP + targetPort: {{ .Values.webhook.securePort }} selector: app.kubernetes.io/name: {{ include "cert-manager.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/chart/jetstack-secure-gcm/charts/cert-manager/values.yaml b/chart/jetstack-secure-gcm/charts/cert-manager/values.yaml index e140ecc..cbc0257 100644 --- a/chart/jetstack-secure-gcm/charts/cert-manager/values.yaml +++ b/chart/jetstack-secure-gcm/charts/cert-manager/values.yaml @@ -53,8 +53,7 @@ installCRDs: false replicaCount: 1 -strategy: - {} +strategy: {} # type: RollingUpdate # rollingUpdate: # maxSurge: 0 
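Review bot: the new `serviceAnnotations` blocks in `service.yaml` and `webhook-service.yaml` copy the `serviceLabels` pattern with `{{ toYaml ... | indent 4 }}`. `indent` does not prepend a newline, so the first rendered line inherits whatever whitespace precedes the action in the template while the remaining lines get exactly four spaces; render with a two-key map and check the output is valid YAML, or use `{{- toYaml ... | nindent 4 }}` as the startupapicheck PSP in this same change does. For the webhook Service in particular, annotations are where load-balancer and mesh settings get attached, so a rendering bug would surface only on the installs that most depend on them.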
@@ -95,8 +94,7 @@ serviceAccount: automountServiceAccountToken: true # Optional additional arguments -extraArgs: - [] +extraArgs: [] # Use this flag to set a namespace that cert-manager will use to store # supporting resources required for each ClusterIssuer (default is kube-system) # - --cluster-resource-namespace=kube-system @@ -109,8 +107,7 @@ extraEnv: [] # - name: SOME_VAR # value: 'some value' -resources: - {} +resources: {} # requests: # cpu: 10m # memory: 32Mi @@ -133,14 +130,14 @@ securityContext: # Container Security Context to be set on the controller component container # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -containerSecurityContext: - {} +containerSecurityContext: {} # capabilities: # drop: # - ALL # readOnlyRootFilesystem: true # runAsNonRoot: true + volumes: [] volumeMounts: [] @@ -156,6 +153,9 @@ podLabels: {} # Optional additional labels to add to the controller Service # serviceLabels: {} +# Optional additional annotations to add to the controller service +# serviceAnnotations: {} + # Optional DNS settings, useful if you have a public and private DNS zone for # the same domain on Route 53. What follows is an example of ensuring # cert-manager can access an ingress or DNS TXT records at all times. @@ -169,8 +169,7 @@ podLabels: {} nodeSelector: {} -ingressShim: - {} +ingressShim: {} # defaultIssuerName: "" # defaultIssuerKind: "" # defaultIssuerGroup: "" @@ -217,8 +216,7 @@ webhook: replicaCount: 1 timeoutSeconds: 10 - strategy: - {} + strategy: {} # type: RollingUpdate # rollingUpdate: # maxSurge: 0 @@ -231,8 +229,7 @@ webhook: # Container Security Context to be set on the webhook component container # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - containerSecurityContext: - {} + containerSecurityContext: {} # capabilities: # drop: # - ALL 
@@ -251,11 +248,13 @@ webhook: # Optional additional annotations to add to the webhook ValidatingWebhookConfiguration # validatingWebhookConfigurationAnnotations: {} + # Optional additional annotations to add to the webhook service + # serviceAnnotations: {} + # Optional additional arguments for webhook extraArgs: [] - resources: - {} + resources: {} # requests: # cpu: 10m # memory: 32Mi @@ -347,8 +346,7 @@ cainjector: enabled: true replicaCount: 1 - strategy: - {} + strategy: {} # type: RollingUpdate # rollingUpdate: # maxSurge: 0 @@ -361,14 +359,14 @@ cainjector: # Container Security Context to be set on the cainjector component container # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - containerSecurityContext: - {} + containerSecurityContext: {} # capabilities: # drop: # - ALL # readOnlyRootFilesystem: true # runAsNonRoot: true + # Optional additional annotations to add to the cainjector Deployment # deploymentAnnotations: {} @@ -378,8 +376,7 @@ cainjector: # Optional additional arguments for cainjector extraArgs: [] - resources: - {} + resources: {} # requests: # cpu: 10m # memory: 32Mi @@ -421,6 +418,11 @@ cainjector: # This startupapicheck is a Helm post-install hook that waits for the webhook # endpoints to become available. +# The check is implemented using a Kubernetes Job- if you are injecting mesh +# sidecar proxies into cert-manager pods, you probably want to ensure that they +# are not injected into this Job's pod. Otherwise the installation may time out +# due to the Job never being completed because the sidecar proxy does not exit. +# See https://github.com/jetstack/cert-manager/pull/4414 for context. startupapicheck: enabled: true 
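Review bot: the sidecar comment explains the failure mode but not the fix. Since `startupapicheck.podAnnotations` already exists in values.yaml, a one-line pointer such as "set your injector's opt-out annotation here, e.g. `sidecar.istio.io/inject: "false"`" would make the warning actionable instead of leaving the reader to work out which knob to turn.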
@@ -439,7 +441,7 @@ startupapicheck: jobAnnotations: helm.sh/hook: post-install helm.sh/hook-weight: "1" - helm.sh/hook-delete-policy: hook-succeeded + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded # Optional additional annotations to add to the startupapicheck Pods # podAnnotations: {} @@ -477,10 +479,11 @@ startupapicheck: pullPolicy: IfNotPresent rbac: + # annotations for the startup API Check job RBAC and PSP resources annotations: helm.sh/hook: post-install helm.sh/hook-weight: "-5" - helm.sh/hook-delete-policy: hook-succeeded + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded serviceAccount: # Specifies whether a service account should be created @@ -494,7 +497,7 @@ startupapicheck: annotations: helm.sh/hook: post-install helm.sh/hook-weight: "-5" - helm.sh/hook-delete-policy: hook-succeeded + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded # Automount API credentials for a Service Account. automountServiceAccountToken: true diff --git a/chart/jetstack-secure-gcm/values.yaml b/chart/jetstack-secure-gcm/values.yaml index 9018ade..93ede4e 100644 --- a/chart/jetstack-secure-gcm/values.yaml +++ b/chart/jetstack-secure-gcm/values.yaml 
@@ -15,26 +15,26 @@ cert-manager: create: false # see note (1) image: repository: marketplace.gcr.io/jetstack-public/jetstack-secure-for-cert-manager - tag: 1.1.0-gcm.1 + tag: 1.6.1-gcm.0 acmesolver: image: repository: marketplace.gcr.io/jetstack-public/jetstack-secure-for-cert-manager/cert-manager-acmesolver - tag: 1.1.0-gcm.1 + tag: 1.6.1-gcm.0 webhook: serviceAccount: create: false # see note (1) image: repository: marketplace.gcr.io/jetstack-public/jetstack-secure-for-cert-manager/cert-manager-webhook - tag: 1.1.0-gcm.1 + tag: 1.6.1-gcm.0 cainjector: serviceAccount: create: false # see note (1) image: repository: marketplace.gcr.io/jetstack-public/jetstack-secure-for-cert-manager/cert-manager-cainjector - tag: 1.1.0-gcm.1 + tag: 1.6.1-gcm.0 # In the context of click-to-deploy, the RBAC rules and service accounts # must be defined statically in the schema.yaml. @@ -51,7 +51,7 @@ cert-manager: # reportingSecretName: chartname-license image: repository: marketplace.gcr.io/jetstack-public/jetstack-secure-for-cert-manager/ubbagent - tag: 1.1.0-gcm.1 + tag: 1.6.1-gcm.0 google-cas-issuer: nameOverride: jetstack-secure-gcm @@ -61,7 +61,7 @@ google-cas-issuer: create: false # see note (1) image: repository: marketplace.gcr.io/jetstack-public/jetstack-secure-for-cert-manager/cert-manager-google-cas-issuer - tag: 1.1.0-gcm.1 + tag: 1.6.1-gcm.0 preflight: # By default, the preflight deployment is "disabled" by setting replicas=0. @@ -76,4 +76,4 @@ preflight: create: false # see note (1) image: repository: marketplace.gcr.io/jetstack-public/jetstack-secure-for-cert-manager/preflight - tag: 1.1.0-gcm.1 + tag: 1.6.1-gcm.0 diff --git a/schema.yaml b/schema.yaml index e887e32..8b48a02 100644 --- a/schema.yaml +++ b/schema.yaml 
@@ -11,7 +11,7 @@ x-google-marketplace: # We are not "truely" following semver.org since we use a "-" for a final # release ("-" is meant for pre-releases). This is due to a Docker # limitation: https://github.com/distribution/distribution/issues/1201 - publishedVersion: 1.5.4-gcm.0 + publishedVersion: 1.6.1-gcm.0 publishedVersionMetadata: releaseNote: >- Initial release. diff --git a/smoke-test.Dockerfile b/smoke-test.Dockerfile index e37f47e..18e0200 100644 --- a/smoke-test.Dockerfile +++ b/smoke-test.Dockerfile @@ -9,11 +9,9 @@ # Dockerfile: https://github.com/GoogleCloudPlatform/marketplace-testrunner/blob/master/Dockerfile FROM python:alpine -RUN apk add curl patch +RUN apk add curl patch bash RUN pip3 install cram -RUN curl -L https://github.com/stern/stern/releases/download/v1.19.0/stern_1.19.0_linux_amd64.tar.gz | tar xz -C /tmp \ - && mv /tmp/stern_1.19.0_linux_amd64/stern /usr/local/bin \ - && curl -L https://storage.googleapis.com/kubernetes-release/release/v1.19.6/bin/linux/amd64/kubectl --output-dir /usr/local/bin -O \ +RUN curl -L https://storage.googleapis.com/kubernetes-release/release/v1.19.6/bin/linux/amd64/kubectl --output-dir /usr/local/bin -O \ && chmod 755 /usr/local/bin/kubectl WORKDIR /opt @@ -24,4 +22,4 @@ ENV NAMESPACE=test # We don't use "kubectl logs" because we need to know to which container each # logs comes from. Also, stern follows logs and never returns, so we do the # pause trick. -CMD ["sh", "-c", "cram smoke-test.t || (stern -A -l app.kubernetes.io/name=jetstack-secure-gcm & (sleep 5; exit 1))"] +CMD ["sh", "-c", "cram smoke-test.t"] diff --git a/smoke-test.t b/smoke-test.t index 723313f..09baa04 100644 --- a/smoke-test.t +++ b/smoke-test.t 
@@ -7,7 +7,22 @@ test suite. This image is used in a Job in data-test. mpdev verify detects the presence of this Job thanks to the annotation "marketplace.cloud.google.com/verification: test" -First, let us create a self-signed Issuer and a Certificate. This is a good way +Let's make sure the cert-manager API is actually ready. We do 2>/dev/null due to +the fact that this command outputs an unknown number of lines, which is +something I don't know how to express in cram syntax. + + $ timeout 5m bash -c "until kubectl apply --dry-run=server -f- <<<$'kind: Issuer\napiVersion: cert-manager.io/v1\nmetadata:\n name: a\nspec:\n selfSigned: {}' 2>/dev/null >&2; do sleep 10s; done" + $ kubectl apply --dry-run=server -f- < kind: Issuer + > apiVersion: cert-manager.io/v1 + > metadata: + > name: a + > spec: + > selfSigned: {} + > EOF + issuer.cert-manager.io/a created (server dry run) + +Let us create a self-signed Issuer and a Certificate. This is a good way to spot webhook misconfigurations. $ kubectl apply -n ${NAMESPACE} -f - <
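Review bot: the new comment block above `startupapicheck:` (hunk `@@ -421,6 +418,11 @@ cainjector:`) has a punctuation slip, "Kubernetes Job- if you are injecting", which should read "Kubernetes Job. If you are injecting", and it warns about sidecar injection without telling the reader where to act on it. The chart already exposes a per-Pod annotation hook for this Job (`# podAnnotations: {}` in the `@@ -439,7 +441,7 @@ startupapicheck:` hunk), so suggest closing the comment with a pointer to `startupapicheck.podAnnotations` as the place to set the mesh's sidecar-exclusion annotation.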
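Review bot: the change to `helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded` in the `jobAnnotations` hunk (`@@ -439,7 +441,7 @@ startupapicheck:`) alters failure-mode behaviour and deserves a line in the release note. With `hook-succeeded` alone, a startupapicheck Job that failed was left in the namespace and could collide with the Job the next `helm install` or `helm upgrade` tries to create; with `before-hook-creation` added, Helm deletes the stale Job before creating the new one. The failed Job and its logs stay available between runs for diagnosis, which is the right trade-off, but operators should be told that manual cleanup after a failed hook is no longer needed. The same comment applies to the two identical changes in the `rbac.annotations` and `serviceAccount.annotations` hunks below it.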
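Review bot: in `schema.yaml`, `publishedVersion` moves from `1.5.4-gcm.0` to `1.6.1-gcm.0` but the unchanged context two lines below still carries `releaseNote: >- Initial release.`; since that note is what Marketplace shows for this published version, update it in the same change to describe the rebase onto cert-manager 1.6.1 and the image tag change to `1.6.1-gcm.0`.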
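Review bot: in the first `smoke-test.Dockerfile` hunk (`@@ -9,11 +9,9 @@`), the surviving `RUN curl -L https://storage.googleapis.com/kubernetes-release/release/v1.19.6/bin/linux/amd64/kubectl --output-dir /usr/local/bin -O` still places a binary in the image with no integrity check. Pin the download with its published checksum and fail the build on mismatch, for example `echo "<sha256-of-kubectl>  /usr/local/bin/kubectl" | sha256sum -c -` right after the `curl`, where the hash value is taken from the release's checksum file rather than typed from memory. While touching the line above it, `RUN apk add curl patch bash` should become `RUN apk add --no-cache curl patch bash` so the package index is not baked into the layer.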
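Review bot: the three comment lines kept as context above the new `CMD` in the second `smoke-test.Dockerfile` hunk (`@@ -24,4 +22,4 @@`) explain why `kubectl logs` is not used, that stern follows logs and never returns, and the `sleep 5` "pause trick", but this hunk removes stern and the pause entirely (`CMD ["sh", "-c", "cram smoke-test.t"]`), so the comment is now stale. Delete or rewrite it, and state in the PR description how pod logs are obtained when the smoke test fails, since the failure path no longer dumps them.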
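Review bot: the readiness loop added in the `smoke-test.t` hunk (`@@ -7,7 +7,22 @@`) redirects `2>/dev/null >&2`, which sends stderr to `/dev/null` and then points stdout at that same `/dev/null`, so every failed `kubectl apply --dry-run=server` attempt is silent; when `timeout 5m` expires, cram reports only the exit status with no indication of whether the API server, the CRDs or the webhook was the blocker. Suggest keeping the last attempt's stderr in a file inside the loop (for example `2>/tmp/ready.err >/dev/null`) and appending `|| { cat /tmp/ready.err; exit 1; }` after the `timeout` command, so a timed-out run shows the reason. Using a server-side dry run as the probe is a good choice here, because it exercises the validating webhook rather than just the CRD being registered; the second `kubectl apply --dry-run=server` with its asserted `issuer.cert-manager.io/a created (server dry run)` output then confirms the same thing in a form cram can check.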