diff --git a/class/defaults.yml b/class/defaults.yml index 448e5c0a..f2f3cdb5 100644 --- a/class/defaults.yml +++ b/class/defaults.yml @@ -3,7 +3,7 @@ parameters: namespace: syn-cert-manager dns01-recursive-nameservers: "1.1.1.1:53" charts: - cert-manager: v1.8.2 + cert-manager: v1.12.0 http_proxy: "" https_proxy: "" no_proxy: "" diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/cainjector-deployment.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/cainjector-deployment.yaml index c4fd2836..228513b0 100644 --- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/cainjector-deployment.yaml +++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/cainjector-deployment.yaml @@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cainjector - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-cainjector namespace: syn-cert-manager spec: @@ -26,8 +26,8 @@ spec: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cainjector - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 spec: containers: - args: 
@@ -38,17 +38,22 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: quay.io/jetstack/cert-manager-cainjector:v1.8.2 + image: quay.io/jetstack/cert-manager-cainjector:v1.12.0 imagePullPolicy: IfNotPresent - name: cert-manager + name: cert-manager-cainjector resources: requests: cpu: 50m memory: 512Mi securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL nodeSelector: kubernetes.io/os: linux securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: cert-manager-cainjector diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/cainjector-rbac.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/cainjector-rbac.yaml index 0b53e5e5..2390b37b 100644 --- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/cainjector-rbac.yaml +++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/cainjector-rbac.yaml @@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cainjector - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-cainjector namespace: syn-cert-manager rules: @@ -47,6 +47,7 @@ rules: - list - watch - update + - patch - apiGroups: - apiregistration.k8s.io resources: @@ -56,6 +57,7 @@ rules: - list - watch - update + - patch - apiGroups: - apiextensions.k8s.io resources: @@ -65,6 +67,7 @@ rules: - list - watch - update + - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -75,8 +78,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cainjector - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-cainjector namespace: syn-cert-manager roleRef: @@ -97,8 +100,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cainjector - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-cainjector:leaderelection namespace: syn-cert-manager rules: @@ -129,8 +132,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cainjector - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-cainjector:leaderelection namespace: syn-cert-manager roleRef: diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/cainjector-serviceaccount.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/cainjector-serviceaccount.yaml index 1d8d4ad4..0bfe4c2e 100644 --- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/cainjector-serviceaccount.yaml +++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/cainjector-serviceaccount.yaml @@ -8,7 +8,7 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cainjector - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-cainjector namespace: syn-cert-manager 
diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/crds.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/crds.yaml index 5d61d4b2..5a2782d5 100644 --- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/crds.yaml +++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/crds.yaml @@ -6,8 +6,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: certificaterequests.cert-manager.io namespace: syn-cert-manager spec: 
@@ -140,15 +140,16 @@ spec: inside the CSR spec Defaults to `digital signature` and `key encipherment` if not specified. items: - description: 'KeyUsage specifies valid usage contexts for keys. - See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 - Valid KeyUsage values are as follows: "signing", "digital signature", - "content commitment", "key encipherment", "key agreement", "data - encipherment", "cert sign", "crl sign", "encipher only", "decipher - only", "any", "server auth", "client auth", "code signing", - "email protection", "s/mime", "ipsec end system", "ipsec tunnel", - "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", - "netscape sgc"' + description: "KeyUsage specifies valid usage contexts for keys.\ + \ See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12\ + \ \n Valid KeyUsage values are as follows: \"signing\", \"digital\ + \ signature\", \"content commitment\", \"key encipherment\"\ + , \"key agreement\", \"data encipherment\", \"cert sign\", \"\ + crl sign\", \"encipher only\", \"decipher only\", \"any\", \"\ + server auth\", \"client auth\", \"code signing\", \"email protection\"\ + , \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec\ + \ user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\"\ + , \"netscape sgc\"" enum: - signing - digital signature @@ -264,8 +265,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: certificates.cert-manager.io namespace: syn-cert-manager spec: 
@@ -426,10 +427,11 @@ spec: Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore - file will only be updated upon re-issuance. A file named - `truststore.jks` will also be created in the target Secret - resource, encrypted using the password stored in `passwordSecretRef` - containing the issuing Certificate Authority + file will be updated immediately. If the issuer provided + a CA certificate, a file named `truststore.jks` will also + be created in the target Secret resource, encrypted using + the password stored in `passwordSecretRef` containing + the issuing Certificate Authority type: boolean passwordSecretRef: description: PasswordSecretRef is a reference to a key in @@ -461,11 +463,11 @@ spec: the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The - keystore file will only be updated upon re-issuance. A - file named `truststore.p12` will also be created in the - target Secret resource, encrypted using the password stored - in `passwordSecretRef` containing the issuing Certificate - Authority + keystore file will be updated immediately. If the issuer + provided a CA certificate, a file named `truststore.p12` + will also be created in the target Secret resource, encrypted + using the password stored in `passwordSecretRef` containing + the issuing Certificate Authority type: boolean passwordSecretRef: description: PasswordSecretRef is a reference to a key in 
@@ -489,6 +491,17 @@ spec: - passwordSecretRef type: object type: object + literalSubject: + description: LiteralSubject is an LDAP formatted string that represents + the [X.509 Subject field](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6). + Use this *instead* of the Subject field if you need to ensure + the correct ordering of the RDN sequence, such as when issuing + certs for LDAP authentication. See https://github.com/cert-manager/cert-manager/issues/3203, + https://github.com/cert-manager/cert-manager/issues/4424. This + field is alpha level and is only supported by cert-manager installations + where LiteralCertificateSubject feature gate is enabled on both + cert-manager controller and webhook. + type: string privateKey: description: Options to control private keys used for the Certificate. properties: 
@@ -636,15 +649,16 @@ spec: for the certificate. Defaults to `digital signature` and `key encipherment` if not specified. items: - description: 'KeyUsage specifies valid usage contexts for keys. - See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 - Valid KeyUsage values are as follows: "signing", "digital signature", - "content commitment", "key encipherment", "key agreement", "data - encipherment", "cert sign", "crl sign", "encipher only", "decipher - only", "any", "server auth", "client auth", "code signing", - "email protection", "s/mime", "ipsec end system", "ipsec tunnel", - "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", - "netscape sgc"' + description: "KeyUsage specifies valid usage contexts for keys.\ + \ See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12\ + \ \n Valid KeyUsage values are as follows: \"signing\", \"digital\ + \ signature\", \"content commitment\", \"key encipherment\"\ + , \"key agreement\", \"data encipherment\", \"cert sign\", \"\ + crl sign\", \"encipher only\", \"decipher only\", \"any\", \"\ + server auth\", \"client auth\", \"code signing\", \"email protection\"\ + , \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec\ + \ user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\"\ + , \"netscape sgc\"" enum: - signing - digital signature 
@@ -734,10 +748,12 @@ spec: using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). type: integer lastFailureTime: - description: LastFailureTime is the time as recorded by the Certificate - controller of the most recent failure to complete a CertificateRequest - for this Certificate resource. If set, cert-manager will not re-request - another Certificate until 1 hour has elapsed from this time. + description: LastFailureTime is set only if the lastest issuance + for this Certificate failed and contains the time of the failure. + If an issuance has failed, the delay till the next issuance will + be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts + - 1). If the latest issuance has succeeded this field will be + unset. format: date-time type: string nextPrivateKeySecretName: @@ -791,8 +807,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: challenges.acme.cert-manager.io namespace: syn-cert-manager spec: 
@@ -1212,9 +1228,32 @@ spec: properties: accessKeyID: description: 'The AccessKeyID is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + Cannot be set when SecretAccessKeyID is set. If neither + the Access Key nor Key ID are set, we fall-back to + using env vars, shared credentials file or AWS Instance + metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' type: string + accessKeyIDSecretRef: + description: 'The SecretAccessKey is used for authentication. + If set, pull the AWS access key ID from a key within + a Kubernetes Secret. Cannot be set when AccessKeyID + is set. If neither the Access Key nor Key ID are set, + we fall-back to using env vars, shared credentials + file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others it may + be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object hostedZoneID: description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the 
@@ -1232,9 +1271,10 @@ spec: or AWS Instance metadata type: string secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + description: 'The SecretAccessKey is used for authentication. + If neither the Access Key nor Key ID are set, we fall-back + to using env vars, shared credentials file or AWS + Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' properties: key: description: The key of the entry in the Secret 
@@ -1308,25 +1348,25 @@ spec: creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: - https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways' + https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways' items: - description: "ParentRef identifies an API object (usually\ - \ a Gateway) that can be considered a parent of\ - \ this resource (usually a route). The only kind\ + description: "ParentReference identifies an API object\ + \ (usually a Gateway) that can be considered a parent\ + \ of this resource (usually a route). The only kind\ \ of parent resource with \"Core\" support is Gateway.\ \ This API may be extended in the future to support\ \ additional kinds of parent resources, such as\ \ HTTPRoute. \n The API object must be valid in\ \ the cluster; the Group and Kind must be registered\ - \ in the cluster for this reference to be valid.\ - \ \n References to objects with invalid Group and\ - \ Kind are not valid, and must be rejected by the\ - \ implementation, with appropriate Conditions set\ - \ on the containing object." + \ in the cluster for this reference to be valid." properties: group: default: gateway.networking.k8s.io description: "Group is the group of the referent.\ + \ When unspecified, \"gateway.networking.k8s.io\"\ + \ is inferred. To set the core API group (such\ + \ as for a \"Service\" kind referent), Group\ + \ must be explicitly set to \"\" (empty string).\ \ \n Support: Core" maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 
@@ -1334,8 +1374,8 @@ spec: kind: default: Gateway description: "Kind is kind of the referent. \n\ - \ Support: Core (Gateway) Support: Custom (Other\ - \ Resources)" + \ Support: Core (Gateway) \n Support: Implementation-specific\ + \ (Other Resources)" maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 
@@ -1348,19 +1388,64 @@ spec: type: string namespace: description: "Namespace is the namespace of the\ - \ referent. When unspecified (or empty string),\ - \ this refers to the local namespace of the\ - \ Route. \n Support: Core" + \ referent. When unspecified, this refers to\ + \ the local namespace of the Route. \n Note\ + \ that there are specific rules for ParentRefs\ + \ which cross namespace boundaries. Cross-namespace\ + \ references are only valid if they are explicitly\ + \ allowed by something in the namespace they\ + \ are referring to. For example: Gateway has\ + \ the AllowedRoutes field, and ReferenceGrant\ + \ provides a generic way to enable any other\ + \ kind of cross-namespace reference. \n Support:\ + \ Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string + port: + description: "Port is the network port this Route\ + \ targets. It can be interpreted differently\ + \ based on the type of parent resource. \n When\ + \ the parent resource is a Gateway, this targets\ + \ all listeners listening on the specified port\ + \ that also support this kind of Route(and select\ + \ this Route). It's not recommended to set `Port`\ + \ unless the networking behaviors specified\ + \ in a Route must apply to a specific port as\ + \ opposed to a listener(s) whose port(s) may\ + \ be changed. When both Port and SectionName\ + \ are specified, the name and port of the selected\ + \ listener must match both specified values.\ + \ \n Implementations MAY choose to support other\ + \ parent resources. Implementations supporting\ + \ other types of parent resources MUST clearly\ + \ document how/if Port is interpreted. \n For\ + \ the purpose of status, an attachment is considered\ + \ successful as long as the parent resource\ + \ accepts it partially. 
For example, Gateway\ + \ listeners can restrict which Routes can attach\ + \ to them by Route kind, namespace, or hostname.\ + \ If 1 of 2 Gateway listeners accept attachment\ + \ from the referencing Route, the Route MUST\ + \ be considered successfully attached. If no\ + \ Gateway listeners accept attachment from this\ + \ Route, the Route MUST be considered detached\ + \ from the Gateway. \n Support: Extended \n\ + \ " + format: int32 + maximum: 65535 + minimum: 1 + type: integer sectionName: description: "SectionName is the name of a section\ \ within the target resource. In the following\ \ resources, SectionName is interpreted as the\ - \ following: \n * Gateway: Listener Name \n\ - \ Implementations MAY choose to support attaching\ + \ following: \n * Gateway: Listener Name. When\ + \ both Port (experimental) and SectionName are\ + \ specified, the name and port of the selected\ + \ listener must match both specified values.\ + \ \n Implementations MAY choose to support attaching\ \ Routes to other resources. If that is the\ \ case, they MUST clearly document how SectionName\ \ is interpreted. \n When unspecified (empty\ 
@@ -1398,9 +1483,17 @@ spec: for each Challenge to be completed. properties: class: - description: The ingress class to use when creating - Ingress resources to solve ACME challenges that use - this challenge solver. Only one of 'class' or 'name' + description: This field configures the annotation `kubernetes.io/ingress.class` + when creating Ingress resources to solve ACME challenges + that use this challenge solver. Only one of `class`, + `name` or `ingressClassName` may be specified. + type: string + ingressClassName: + description: This field configures the field `ingressClassName` + on the created Ingress resources used to solve ACME + challenges that use this challenge solver. This is + the recommended way of configuring the ingress class. + Only one of `class`, `name` or `ingressClassName` may be specified. type: string ingressTemplate: @@ -1435,7 +1528,8 @@ spec: in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between - external IPs and ingress resources. + external IPs and ingress resources. Only one of `class`, + `name` or `ingressClassName` may be specified. type: string podTemplate: description: Optional pod template used to configure @@ -1463,10 +1557,9 @@ spec: type: object spec: description: PodSpec defines overrides for the HTTP01 - challenge solver pod. Only the 'priorityClassName', - 'nodeSelector', 'affinity', 'serviceAccountName' - and 'tolerations' fields are supported currently. - All other fields will be ignored. + challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec + to find out currently supported fields. All other + fields will be ignored. properties: affinity: description: If specified, the pod's scheduling @@ -1611,6 +1704,7 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic weight: description: Weight associated with matching the corresponding 
@@ -1752,10 +1846,12 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic type: array required: - nodeSelectorTerms type: object + x-kubernetes-map-type: atomic type: object podAffinity: description: Describes pod affinity scheduling @@ -1866,6 +1962,7 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces @@ -1878,10 +1975,7 @@ spec: null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches - all namespaces. This field - is beta-level and is only - honored when PodAffinityNamespaceSelector - feature is enabled. + all namespaces. properties: matchExpressions: description: matchExpressions @@ -1953,6 +2047,7 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace @@ -1963,7 +2058,7 @@ spec: the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -2094,6 +2189,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the @@ -2105,10 +2201,7 @@ spec: and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches - all namespaces. This field is - beta-level and is only honored - when PodAffinityNamespaceSelector - feature is enabled. + all namespaces. properties: matchExpressions: description: matchExpressions @@ -2175,6 +2268,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names 
@@ -2185,7 +2279,7 @@ spec: by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this - pod's namespace" + pod's namespace". items: type: string type: array @@ -2318,6 +2412,7 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces @@ -2330,10 +2425,7 @@ spec: null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches - all namespaces. This field - is beta-level and is only - honored when PodAffinityNamespaceSelector - feature is enabled. + all namespaces. properties: matchExpressions: description: matchExpressions @@ -2405,6 +2497,7 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace @@ -2415,7 +2508,7 @@ spec: the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -2546,6 +2639,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the @@ -2557,10 +2651,7 @@ spec: and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches - all namespaces. This field is - beta-level and is only honored - when PodAffinityNamespaceSelector - feature is enabled. + all namespaces. properties: matchExpressions: description: matchExpressions @@ -2627,6 +2718,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names @@ -2637,7 +2729,7 @@ spec: by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this - pod's namespace" + pod's namespace". items: type: string type: array 
@@ -2661,6 +2753,22 @@ spec: type: array type: object type: object + imagePullSecrets: + description: If specified, the pod's imagePullSecrets + items: + description: LocalObjectReference contains + enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: array nodeSelector: additionalProperties: type: string @@ -2858,8 +2966,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: clusterissuers.cert-manager.io namespace: syn-cert-manager spec: @@ -2917,6 +3025,15 @@ spec: description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates. properties: + caBundle: + description: Base64-encoded bundle of PEM CAs which can be used + to validate the certificate chain presented by the ACME server. + Mutually exclusive with SkipTLSVerify; prefer using CABundle + to prevent various kinds of security vulnerabilities. If CABundle + and SkipTLSVerify are unset, the system certificate bundle + inside the container is used to validate the TLS connection. + format: byte + type: string disableAccountKeyGeneration: description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new 
@@ -3023,13 +3140,14 @@ spec: Only ACME v2 endpoints (i.e. RFC 8555) are supported.' type: string skipTLSVerify: - description: Enables or disables validation of the ACME server - TLS certificate. If true, requests to the ACME server will - not have their TLS certificate validated (i.e. insecure connections - will be allowed). Only enable this option in development environments. - The cert-manager system installed roots will be used to verify - connections to the ACME server if this is false. Defaults - to false. + description: 'INSECURE: Enables or disables validation of the + ACME server TLS certificate. If true, requests to the ACME + server will not have the TLS certificate chain validated. + Mutually exclusive with CABundle; prefer using CABundle to + prevent various kinds of security vulnerabilities. Only enable + this option in development environments. If CABundle and SkipTLSVerify + are unset, the system certificate bundle inside the container + is used to validate the TLS connection. Defaults to false.' type: boolean solvers: description: 'Solvers is a list of challenge solvers that will 
@@ -3373,10 +3491,33 @@ spec: properties: accessKeyID: description: 'The AccessKeyID is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata see: - https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + Cannot be set when SecretAccessKeyID is set. + If neither the Access Key nor Key ID are set, + we fall-back to using env vars, shared credentials + file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' type: string + accessKeyIDSecretRef: + description: 'The SecretAccessKey is used for + authentication. If set, pull the AWS access + key ID from a key within a Kubernetes Secret. + Cannot be set when AccessKeyID is set. If neither + the Access Key nor Key ID are set, we fall-back + to using env vars, shared credentials file or + AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some + instances of this field may be defaulted, + in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object hostedZoneID: description: If set, the provider will manage only this zone in Route53 and will not do an 
@@ -3395,9 +3536,11 @@ spec: shared credentials file or AWS Instance metadata type: string secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + description: 'The SecretAccessKey is used for + authentication. If neither the Access Key nor + Key ID are set, we fall-back to using env vars, + shared credentials file or AWS Instance metadata, + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' properties: key: description: The key of the entry in the Secret 
@@ -3477,35 +3620,36 @@ spec: cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef - references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways' + references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways' items: - description: "ParentRef identifies an API object\ - \ (usually a Gateway) that can be considered\ - \ a parent of this resource (usually a route).\ - \ The only kind of parent resource with \"\ - Core\" support is Gateway. This API may be\ - \ extended in the future to support additional\ - \ kinds of parent resources, such as HTTPRoute.\ - \ \n The API object must be valid in the cluster;\ - \ the Group and Kind must be registered in\ - \ the cluster for this reference to be valid.\ - \ \n References to objects with invalid Group\ - \ and Kind are not valid, and must be rejected\ - \ by the implementation, with appropriate\ - \ Conditions set on the containing object." + description: "ParentReference identifies an\ + \ API object (usually a Gateway) that can\ + \ be considered a parent of this resource\ + \ (usually a route). The only kind of parent\ + \ resource with \"Core\" support is Gateway.\ + \ This API may be extended in the future to\ + \ support additional kinds of parent resources,\ + \ such as HTTPRoute. \n The API object must\ + \ be valid in the cluster; the Group and Kind\ + \ must be registered in the cluster for this\ + \ reference to be valid." properties: group: default: gateway.networking.k8s.io description: "Group is the group of the\ - \ referent. \n Support: Core" + \ referent. When unspecified, \"gateway.networking.k8s.io\"\ + \ is inferred. To set the core API group\ + \ (such as for a \"Service\" kind referent),\ + \ Group must be explicitly set to \"\"\ + \ (empty string). 
\n Support: Core" maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: default: Gateway description: "Kind is kind of the referent.\ - \ \n Support: Core (Gateway) Support:\ - \ Custom (Other Resources)" + \ \n Support: Core (Gateway) \n Support:\ + \ Implementation-specific (Other Resources)" maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 
@@ -3518,20 +3662,70 @@ spec: type: string namespace: description: "Namespace is the namespace\ - \ of the referent. When unspecified (or\ - \ empty string), this refers to the local\ - \ namespace of the Route. \n Support:\ - \ Core" + \ of the referent. When unspecified, this\ + \ refers to the local namespace of the\ + \ Route. \n Note that there are specific\ + \ rules for ParentRefs which cross namespace\ + \ boundaries. Cross-namespace references\ + \ are only valid if they are explicitly\ + \ allowed by something in the namespace\ + \ they are referring to. For example:\ + \ Gateway has the AllowedRoutes field,\ + \ and ReferenceGrant provides a generic\ + \ way to enable any other kind of cross-namespace\ + \ reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string + port: + description: "Port is the network port this\ + \ Route targets. It can be interpreted\ + \ differently based on the type of parent\ + \ resource. \n When the parent resource\ + \ is a Gateway, this targets all listeners\ + \ listening on the specified port that\ + \ also support this kind of Route(and\ + \ select this Route). It's not recommended\ + \ to set `Port` unless the networking\ + \ behaviors specified in a Route must\ + \ apply to a specific port as opposed\ + \ to a listener(s) whose port(s) may be\ + \ changed. When both Port and SectionName\ + \ are specified, the name and port of\ + \ the selected listener must match both\ + \ specified values. \n Implementations\ + \ MAY choose to support other parent resources.\ + \ Implementations supporting other types\ + \ of parent resources MUST clearly document\ + \ how/if Port is interpreted. \n For the\ + \ purpose of status, an attachment is\ + \ considered successful as long as the\ + \ parent resource accepts it partially.\ + \ For example, Gateway listeners can restrict\ + \ which Routes can attach to them by Route\ + \ kind, namespace, or hostname. 
If 1 of\ + \ 2 Gateway listeners accept attachment\ + \ from the referencing Route, the Route\ + \ MUST be considered successfully attached.\ + \ If no Gateway listeners accept attachment\ + \ from this Route, the Route MUST be considered\ + \ detached from the Gateway. \n Support:\ + \ Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer sectionName: description: "SectionName is the name of\ \ a section within the target resource.\ \ In the following resources, SectionName\ \ is interpreted as the following: \n\ - \ * Gateway: Listener Name \n Implementations\ + \ * Gateway: Listener Name. When both\ + \ Port (experimental) and SectionName\ + \ are specified, the name and port of\ + \ the selected listener must match both\ + \ specified values. \n Implementations\ \ MAY choose to support attaching Routes\ \ to other resources. If that is the case,\ \ they MUST clearly document how SectionName\ @@ -3573,10 +3767,19 @@ spec: by cert-manager for each Challenge to be completed. properties: class: - description: The ingress class to use when creating + description: This field configures the annotation + `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that - use this challenge solver. Only one of 'class' - or 'name' may be specified. + use this challenge solver. Only one of `class`, + `name` or `ingressClassName` may be specified. + type: string + ingressClassName: + description: This field configures the field `ingressClassName` + on the created Ingress resources used to solve + ACME challenges that use this challenge solver. + This is the recommended way of configuring the + ingress class. Only one of `class`, `name` or + `ingressClassName` may be specified. type: string ingressTemplate: description: Optional ingress template used to 
@@ -3613,7 +3816,8 @@ spec: This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress - resources. + resources. Only one of `class`, `name` or `ingressClassName` + may be specified. type: string podTemplate: description: Optional pod template used to configure @@ -3644,11 +3848,9 @@ spec: type: object spec: description: PodSpec defines overrides for - the HTTP01 challenge solver pod. Only the - 'priorityClassName', 'nodeSelector', 'affinity', - 'serviceAccountName' and 'tolerations' fields - are supported currently. All other fields - will be ignored. + the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec + to find out currently supported fields. + All other fields will be ignored. properties: affinity: description: If specified, the pod's scheduling @@ -3817,6 +4019,7 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic weight: description: Weight associated with matching the corresponding @@ -3980,10 +4183,12 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic type: array required: - nodeSelectorTerms type: object + x-kubernetes-map-type: atomic type: object podAffinity: description: Describes pod affinity @@ -4120,6 +4325,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set @@ -4136,11 +4342,7 @@ spec: list means "this pod's namespace". An empty selector ({}) matches - all namespaces. This - field is beta-level - and is only honored - when PodAffinityNamespaceSelector - feature is enabled. + all namespaces. properties: matchExpressions: description: matchExpressions @@ -4231,6 +4433,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static 
@@ -4245,7 +4448,7 @@ spec: null or empty namespaces list and null namespaceSelector means "this pod's - namespace" + namespace". items: type: string type: array @@ -4394,6 +4597,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces @@ -4408,10 +4612,6 @@ spec: means "this pod's namespace". An empty selector ({}) matches all namespaces. - This field is beta-level - and is only honored when - PodAffinityNamespaceSelector - feature is enabled. properties: matchExpressions: description: matchExpressions @@ -4487,6 +4687,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list @@ -4498,7 +4699,7 @@ spec: the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -4658,6 +4859,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set @@ -4674,11 +4876,7 @@ spec: list means "this pod's namespace". An empty selector ({}) matches - all namespaces. This - field is beta-level - and is only honored - when PodAffinityNamespaceSelector - feature is enabled. + all namespaces. properties: matchExpressions: description: matchExpressions @@ -4769,6 +4967,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static @@ -4783,7 +4982,7 @@ spec: null or empty namespaces list and null namespaceSelector means "this pod's - namespace" + namespace". items: type: string type: array @@ -4932,6 +5131,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces 
@@ -4946,10 +5146,6 @@ spec: means "this pod's namespace". An empty selector ({}) matches all namespaces. - This field is beta-level - and is only honored when - PodAffinityNamespaceSelector - feature is enabled. properties: matchExpressions: description: matchExpressions @@ -5025,6 +5221,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list @@ -5036,7 +5233,7 @@ spec: the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -5062,6 +5259,23 @@ spec: type: array type: object type: object + imagePullSecrets: + description: If specified, the pod's imagePullSecrets + items: + description: LocalObjectReference contains + enough information to let you locate + the referenced object inside the same + namespace. + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: array nodeSelector: additionalProperties: type: string @@ -5317,9 +5531,23 @@ spec: required: - name type: object + serviceAccountRef: + description: A reference to a service account that will + be used to request a bound token (also known as "projected + token"). Compared to using "secretRef", using this + field means that you don't rely on statically bound + tokens. To use this field, you must configure an RBAC + rule to let cert-manager request a token. + properties: + name: + description: Name of the ServiceAccount used to + request a token. + type: string + required: + - name + type: object required: - role - - secretRef type: object tokenSecretRef: description: TokenSecretRef authenticates with Vault by 
@@ -5339,13 +5567,36 @@ spec: type: object type: object caBundle: - description: PEM-encoded CA bundle (base64-encoded) used to - validate Vault server certificate. Only used if the Server - URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root - certificates are used to validate the TLS connection. + description: Base64-encoded bundle of PEM CAs which will be + used to validate the certificate chain presented by Vault. + Only used if using HTTPS to connect to Vault and ignored for + HTTP connections. Mutually exclusive with CABundleSecretRef. + If neither CABundle nor CABundleSecretRef are defined, the + certificate bundle in the cert-manager controller container + is used to validate the TLS connection. format: byte type: string + caBundleSecretRef: + description: Reference to a Secret containing a bundle of PEM-encoded + CAs to use when verifying the certificate chain presented + by Vault when using HTTPS. Mutually exclusive with CABundle. + If neither CABundle nor CABundleSecretRef are defined, the + certificate bundle in the cert-manager controller container + is used to validate the TLS connection. If no key for the + Secret is specified, cert-manager will default to 'ca.crt'. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object namespace: description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments 
@@ -5401,12 +5652,11 @@ spec: settings. Only one of TPP or Cloud may be specified. properties: caBundle: - description: CABundle is a PEM encoded TLS certificate to - use to verify connections to the TPP instance. If specified, - system roots will not be used and the issuing CA for the - TPP instance must be verifiable using the provided root. - If not specified, the connection will be verified using - the cert-manager system root certificates. + description: Base64-encoded bundle of PEM CAs which will + be used to validate the certificate chain presented by + the TPP server. Only used if using HTTPS; ignored for + HTTP. If undefined, the certificate bundle in the cert-manager + controller container is used to validate the chain. format: byte type: string credentialsRef: @@ -5446,6 +5696,12 @@ spec: be set if the Issuer is configured to use an ACME server to issue certificates. properties: + lastPrivateKeyHash: + description: LastPrivateKeyHash is a hash of the private key + associated with the latest registered ACME account, in order + to track changes made to registered account associated with + the Issuer + type: string lastRegisteredEmail: description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes @@ -5515,15 +5771,13 @@ spec: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - cert-manager.io/inject-ca-from-secret: syn-cert-manager/cert-manager-webhook-ca labels: app: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: issuers.cert-manager.io namespace: syn-cert-manager spec: 
@@ -5580,6 +5834,15 @@ spec: description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates. properties: + caBundle: + description: Base64-encoded bundle of PEM CAs which can be used + to validate the certificate chain presented by the ACME server. + Mutually exclusive with SkipTLSVerify; prefer using CABundle + to prevent various kinds of security vulnerabilities. If CABundle + and SkipTLSVerify are unset, the system certificate bundle + inside the container is used to validate the TLS connection. + format: byte + type: string disableAccountKeyGeneration: description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new @@ -5686,13 +5949,14 @@ spec: Only ACME v2 endpoints (i.e. RFC 8555) are supported.' type: string skipTLSVerify: - description: Enables or disables validation of the ACME server - TLS certificate. If true, requests to the ACME server will - not have their TLS certificate validated (i.e. insecure connections - will be allowed). Only enable this option in development environments. - The cert-manager system installed roots will be used to verify - connections to the ACME server if this is false. Defaults - to false. + description: 'INSECURE: Enables or disables validation of the + ACME server TLS certificate. If true, requests to the ACME + server will not have the TLS certificate chain validated. + Mutually exclusive with CABundle; prefer using CABundle to + prevent various kinds of security vulnerabilities. Only enable + this option in development environments. If CABundle and SkipTLSVerify + are unset, the system certificate bundle inside the container + is used to validate the TLS connection. Defaults to false.' type: boolean solvers: description: 'Solvers is a list of challenge solvers that will 
@@ -6036,10 +6300,33 @@ spec: properties: accessKeyID: description: 'The AccessKeyID is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata see: - https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + Cannot be set when SecretAccessKeyID is set. + If neither the Access Key nor Key ID are set, + we fall-back to using env vars, shared credentials + file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' type: string + accessKeyIDSecretRef: + description: 'The SecretAccessKey is used for + authentication. If set, pull the AWS access + key ID from a key within a Kubernetes Secret. + Cannot be set when AccessKeyID is set. If neither + the Access Key nor Key ID are set, we fall-back + to using env vars, shared credentials file or + AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some + instances of this field may be defaulted, + in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object hostedZoneID: description: If set, the provider will manage only this zone in Route53 and will not do an 
@@ -6058,9 +6345,11 @@ spec: shared credentials file or AWS Instance metadata type: string secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + description: 'The SecretAccessKey is used for + authentication. If neither the Access Key nor + Key ID are set, we fall-back to using env vars, + shared credentials file or AWS Instance metadata, + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' properties: key: description: The key of the entry in the Secret 
@@ -6140,35 +6429,36 @@ spec: cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef - references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways' + references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways' items: - description: "ParentRef identifies an API object\ - \ (usually a Gateway) that can be considered\ - \ a parent of this resource (usually a route).\ - \ The only kind of parent resource with \"\ - Core\" support is Gateway. This API may be\ - \ extended in the future to support additional\ - \ kinds of parent resources, such as HTTPRoute.\ - \ \n The API object must be valid in the cluster;\ - \ the Group and Kind must be registered in\ - \ the cluster for this reference to be valid.\ - \ \n References to objects with invalid Group\ - \ and Kind are not valid, and must be rejected\ - \ by the implementation, with appropriate\ - \ Conditions set on the containing object." + description: "ParentReference identifies an\ + \ API object (usually a Gateway) that can\ + \ be considered a parent of this resource\ + \ (usually a route). The only kind of parent\ + \ resource with \"Core\" support is Gateway.\ + \ This API may be extended in the future to\ + \ support additional kinds of parent resources,\ + \ such as HTTPRoute. \n The API object must\ + \ be valid in the cluster; the Group and Kind\ + \ must be registered in the cluster for this\ + \ reference to be valid." properties: group: default: gateway.networking.k8s.io description: "Group is the group of the\ - \ referent. \n Support: Core" + \ referent. When unspecified, \"gateway.networking.k8s.io\"\ + \ is inferred. To set the core API group\ + \ (such as for a \"Service\" kind referent),\ + \ Group must be explicitly set to \"\"\ + \ (empty string). 
\n Support: Core" maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: default: Gateway description: "Kind is kind of the referent.\ - \ \n Support: Core (Gateway) Support:\ - \ Custom (Other Resources)" + \ \n Support: Core (Gateway) \n Support:\ + \ Implementation-specific (Other Resources)" maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 
@@ -6181,20 +6471,70 @@ spec: type: string namespace: description: "Namespace is the namespace\ - \ of the referent. When unspecified (or\ - \ empty string), this refers to the local\ - \ namespace of the Route. \n Support:\ - \ Core" + \ of the referent. When unspecified, this\ + \ refers to the local namespace of the\ + \ Route. \n Note that there are specific\ + \ rules for ParentRefs which cross namespace\ + \ boundaries. Cross-namespace references\ + \ are only valid if they are explicitly\ + \ allowed by something in the namespace\ + \ they are referring to. For example:\ + \ Gateway has the AllowedRoutes field,\ + \ and ReferenceGrant provides a generic\ + \ way to enable any other kind of cross-namespace\ + \ reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string + port: + description: "Port is the network port this\ + \ Route targets. It can be interpreted\ + \ differently based on the type of parent\ + \ resource. \n When the parent resource\ + \ is a Gateway, this targets all listeners\ + \ listening on the specified port that\ + \ also support this kind of Route(and\ + \ select this Route). It's not recommended\ + \ to set `Port` unless the networking\ + \ behaviors specified in a Route must\ + \ apply to a specific port as opposed\ + \ to a listener(s) whose port(s) may be\ + \ changed. When both Port and SectionName\ + \ are specified, the name and port of\ + \ the selected listener must match both\ + \ specified values. \n Implementations\ + \ MAY choose to support other parent resources.\ + \ Implementations supporting other types\ + \ of parent resources MUST clearly document\ + \ how/if Port is interpreted. \n For the\ + \ purpose of status, an attachment is\ + \ considered successful as long as the\ + \ parent resource accepts it partially.\ + \ For example, Gateway listeners can restrict\ + \ which Routes can attach to them by Route\ + \ kind, namespace, or hostname. 
If 1 of\ + \ 2 Gateway listeners accept attachment\ + \ from the referencing Route, the Route\ + \ MUST be considered successfully attached.\ + \ If no Gateway listeners accept attachment\ + \ from this Route, the Route MUST be considered\ + \ detached from the Gateway. \n Support:\ + \ Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer sectionName: description: "SectionName is the name of\ \ a section within the target resource.\ \ In the following resources, SectionName\ \ is interpreted as the following: \n\ - \ * Gateway: Listener Name \n Implementations\ + \ * Gateway: Listener Name. When both\ + \ Port (experimental) and SectionName\ + \ are specified, the name and port of\ + \ the selected listener must match both\ + \ specified values. \n Implementations\ \ MAY choose to support attaching Routes\ \ to other resources. If that is the case,\ \ they MUST clearly document how SectionName\ @@ -6236,10 +6576,19 @@ spec: by cert-manager for each Challenge to be completed. properties: class: - description: The ingress class to use when creating + description: This field configures the annotation + `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that - use this challenge solver. Only one of 'class' - or 'name' may be specified. + use this challenge solver. Only one of `class`, + `name` or `ingressClassName` may be specified. + type: string + ingressClassName: + description: This field configures the field `ingressClassName` + on the created Ingress resources used to solve + ACME challenges that use this challenge solver. + This is the recommended way of configuring the + ingress class. Only one of `class`, `name` or + `ingressClassName` may be specified. type: string ingressTemplate: description: Optional ingress template used to 
@@ -6276,7 +6625,8 @@ spec: This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress - resources. + resources. Only one of `class`, `name` or `ingressClassName` + may be specified. type: string podTemplate: description: Optional pod template used to configure @@ -6307,11 +6657,9 @@ spec: type: object spec: description: PodSpec defines overrides for - the HTTP01 challenge solver pod. Only the - 'priorityClassName', 'nodeSelector', 'affinity', - 'serviceAccountName' and 'tolerations' fields - are supported currently. All other fields - will be ignored. + the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec + to find out currently supported fields. + All other fields will be ignored. properties: affinity: description: If specified, the pod's scheduling @@ -6480,6 +6828,7 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic weight: description: Weight associated with matching the corresponding @@ -6643,10 +6992,12 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic type: array required: - nodeSelectorTerms type: object + x-kubernetes-map-type: atomic type: object podAffinity: description: Describes pod affinity @@ -6783,6 +7134,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set @@ -6799,11 +7151,7 @@ spec: list means "this pod's namespace". An empty selector ({}) matches - all namespaces. This - field is beta-level - and is only honored - when PodAffinityNamespaceSelector - feature is enabled. + all namespaces. properties: matchExpressions: description: matchExpressions @@ -6894,6 +7242,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static 
@@ -6908,7 +7257,7 @@ spec: null or empty namespaces list and null namespaceSelector means "this pod's - namespace" + namespace". items: type: string type: array @@ -7057,6 +7406,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces @@ -7071,10 +7421,6 @@ spec: means "this pod's namespace". An empty selector ({}) matches all namespaces. - This field is beta-level - and is only honored when - PodAffinityNamespaceSelector - feature is enabled. properties: matchExpressions: description: matchExpressions @@ -7150,6 +7496,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list @@ -7161,7 +7508,7 @@ spec: the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -7321,6 +7668,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set @@ -7337,11 +7685,7 @@ spec: list means "this pod's namespace". An empty selector ({}) matches - all namespaces. This - field is beta-level - and is only honored - when PodAffinityNamespaceSelector - feature is enabled. + all namespaces. properties: matchExpressions: description: matchExpressions @@ -7432,6 +7776,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static @@ -7446,7 +7791,7 @@ spec: null or empty namespaces list and null namespaceSelector means "this pod's - namespace" + namespace". items: type: string type: array @@ -7595,6 +7940,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces 
@@ -7609,10 +7955,6 @@ spec: means "this pod's namespace". An empty selector ({}) matches all namespaces. - This field is beta-level - and is only honored when - PodAffinityNamespaceSelector - feature is enabled. properties: matchExpressions: description: matchExpressions @@ -7688,6 +8030,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list @@ -7699,7 +8042,7 @@ spec: the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -7725,6 +8068,23 @@ spec: type: array type: object type: object + imagePullSecrets: + description: If specified, the pod's imagePullSecrets + items: + description: LocalObjectReference contains + enough information to let you locate + the referenced object inside the same + namespace. + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: array nodeSelector: additionalProperties: type: string @@ -7980,9 +8340,23 @@ spec: required: - name type: object + serviceAccountRef: + description: A reference to a service account that will + be used to request a bound token (also known as "projected + token"). Compared to using "secretRef", using this + field means that you don't rely on statically bound + tokens. To use this field, you must configure an RBAC + rule to let cert-manager request a token. + properties: + name: + description: Name of the ServiceAccount used to + request a token. + type: string + required: + - name + type: object required: - role - - secretRef type: object tokenSecretRef: description: TokenSecretRef authenticates with Vault by 
@@ -8002,13 +8376,36 @@ spec: type: object type: object caBundle: - description: PEM-encoded CA bundle (base64-encoded) used to - validate Vault server certificate. Only used if the Server - URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root - certificates are used to validate the TLS connection. + description: Base64-encoded bundle of PEM CAs which will be + used to validate the certificate chain presented by Vault. + Only used if using HTTPS to connect to Vault and ignored for + HTTP connections. Mutually exclusive with CABundleSecretRef. + If neither CABundle nor CABundleSecretRef are defined, the + certificate bundle in the cert-manager controller container + is used to validate the TLS connection. format: byte type: string + caBundleSecretRef: + description: Reference to a Secret containing a bundle of PEM-encoded + CAs to use when verifying the certificate chain presented + by Vault when using HTTPS. Mutually exclusive with CABundle. + If neither CABundle nor CABundleSecretRef are defined, the + certificate bundle in the cert-manager controller container + is used to validate the TLS connection. If no key for the + Secret is specified, cert-manager will default to 'ca.crt'. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object namespace: description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments 
@@ -8064,12 +8461,11 @@ spec: settings. Only one of TPP or Cloud may be specified. properties: caBundle: - description: CABundle is a PEM encoded TLS certificate to - use to verify connections to the TPP instance. If specified, - system roots will not be used and the issuing CA for the - TPP instance must be verifiable using the provided root. - If not specified, the connection will be verified using - the cert-manager system root certificates. + description: Base64-encoded bundle of PEM CAs which will + be used to validate the certificate chain presented by + the TPP server. Only used if using HTTPS; ignored for + HTTP. If undefined, the certificate bundle in the cert-manager + controller container is used to validate the chain. format: byte type: string credentialsRef: @@ -8109,6 +8505,12 @@ spec: be set if the Issuer is configured to use an ACME server to issue certificates. properties: + lastPrivateKeyHash: + description: LastPrivateKeyHash is a hash of the private key + associated with the latest registered ACME account, in order + to track changes made to registered account associated with + the Issuer + type: string lastRegisteredEmail: description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes @@ -8178,15 +8580,13 @@ spec: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - cert-manager.io/inject-ca-from-secret: syn-cert-manager/cert-manager-webhook-ca labels: app: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: orders.acme.cert-manager.io namespace: syn-cert-manager spec: 
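Review bot: The `cert-manager.io/inject-ca-from-secret: syn-cert-manager/cert-manager-webhook-ca` annotation is dropped from the orders CRD here, so cainjector will no longer maintain a CA bundle on it after the upgrade. That is consistent with the v1.12.0 chart no longer needing a conversion webhook on its CRDs, but nothing on this page shows the rest of the CRD, so it is worth confirming the rendered CRDs carry no `spec.conversion.webhook` stanza still pointing at the webhook Service; a leftover one would start failing once the bundle is no longer injected. The enclosing CRD document continues outside the hunk.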
diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/deployment.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/deployment.yaml index 99d8e6b1..7e5e45bc 100644 --- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/deployment.yaml +++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/deployment.yaml @@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager namespace: syn-cert-manager spec: @@ -26,16 +26,18 @@ spec: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 spec: containers: - args: - --v=2 - --cluster-resource-namespace=$(POD_NAMESPACE) - --leader-election-namespace=syn-cert-manager + - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.12.0 - --dns01-recursive-nameservers="1.1.1.1:53" - --dns01-recursive-nameservers-only + - --max-concurrent-challenges=60 env: - name: POD_NAMESPACE valueFrom: 
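Review bot: The rendered controller args now pin the ACME solver image by full reference, `- --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.12.0`, which is the only image in these golden files that is carried in a flag rather than in a container `image:` field. If the component offers a registry or repository override for the other cert-manager images, that override presumably has to reach this flag as well, otherwise mirrored or air-gapped clusters would still pull solver pods from quay.io; worth confirming in the component's rendering. The new `- --max-concurrent-challenges=60` is a chart default the commit takes over silently; a changelog line naming both new flags would help operators who diff their deployments after the bump.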
@@ -47,21 +49,29 @@ spec: value: '' - name: NO_PROXY value: '' - image: quay.io/jetstack/cert-manager-controller:v1.8.2 + image: quay.io/jetstack/cert-manager-controller:v1.12.0 imagePullPolicy: IfNotPresent - name: cert-manager + name: cert-manager-controller ports: - containerPort: 9402 name: http-metrics protocol: TCP + - containerPort: 9403 + name: http-healthz + protocol: TCP resources: requests: cpu: 50m memory: 512Mi securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL nodeSelector: kubernetes.io/os: linux securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: cert-manager diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/rbac.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/rbac.yaml index f81fee5f..f9f4582a 100644 --- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/rbac.yaml +++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/rbac.yaml @@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-controller-issuers namespace: syn-cert-manager rules: @@ -56,8 +56,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-controller-clusterissuers namespace: syn-cert-manager rules: 
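Review bot: The controller container is renamed from `cert-manager` to `cert-manager-controller`, and the same rename appears for the startupapicheck container in startupapicheck-job.yaml and the webhook container in webhook-deployment.yaml; anything that addresses these containers by name (container-keyed resource patches in the component, `kubectl logs -c` runbooks, alert or log-pipeline selectors) breaks on upgrade, so the rename deserves an explicit upgrade note. The new `containerPort: 9403` / `http-healthz` is exposed but no probe in this hunk references it, so the health endpoint is unused as rendered; if the chart exposes a toggle for the controller liveness probe, consider enabling it. With `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `drop: - ALL` and `seccompProfile: type: RuntimeDefault` now all present, the rendered pod spec satisfies the Restricted pod security standard, so the `syn-cert-manager` namespace could be labelled to enforce it if the component manages that namespace.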
@@ -105,8 +105,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-controller-certificates namespace: syn-cert-manager rules: @@ -177,8 +177,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-controller-orders namespace: syn-cert-manager rules: @@ -246,8 +246,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-controller-challenges namespace: syn-cert-manager rules: @@ -354,8 +354,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-controller-ingress-shim namespace: syn-cert-manager rules: @@ -426,8 +426,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 rbac.authorization.k8s.io/aggregate-to-admin: 'true' rbac.authorization.k8s.io/aggregate-to-edit: 'true' rbac.authorization.k8s.io/aggregate-to-view: 'true' 
@@ -463,8 +463,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 rbac.authorization.k8s.io/aggregate-to-admin: 'true' rbac.authorization.k8s.io/aggregate-to-edit: 'true' name: cert-manager-edit @@ -509,8 +509,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-controller-approve:cert-manager-io namespace: syn-cert-manager rules: @@ -533,8 +533,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-controller-certificatesigningrequests namespace: syn-cert-manager rules: @@ -579,8 +579,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-controller-issuers namespace: syn-cert-manager roleRef: @@ -601,8 +601,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-controller-clusterissuers namespace: syn-cert-manager roleRef: 
@@ -623,8 +623,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-controller-certificates namespace: syn-cert-manager roleRef: @@ -645,8 +645,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-controller-orders namespace: syn-cert-manager roleRef: @@ -667,8 +667,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-controller-challenges namespace: syn-cert-manager roleRef: @@ -689,8 +689,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-controller-ingress-shim namespace: syn-cert-manager roleRef: @@ -711,8 +711,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-controller-approve:cert-manager-io namespace: syn-cert-manager roleRef: 
@@ -733,8 +733,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-controller-certificatesigningrequests namespace: syn-cert-manager roleRef: @@ -755,8 +755,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager:leaderelection namespace: syn-cert-manager rules: @@ -786,8 +786,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager:leaderelection namespace: syn-cert-manager roleRef: diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/service.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/service.yaml index 0a3d9452..6a415a61 100644 --- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/service.yaml +++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/service.yaml @@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager namespace: syn-cert-manager spec: 
diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/serviceaccount.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/serviceaccount.yaml index 963db503..d5328420 100644 --- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/serviceaccount.yaml +++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/serviceaccount.yaml @@ -8,7 +8,7 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager namespace: syn-cert-manager diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/servicemonitor.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/servicemonitor.yaml index ba58d1a9..fa701a18 100644 --- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/servicemonitor.yaml +++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/servicemonitor.yaml @@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 prometheus: default name: cert-manager namespace: syn-cert-manager diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/startupapicheck-job.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/startupapicheck-job.yaml index af6221e4..9787cd1d 100644 
--- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/startupapicheck-job.yaml +++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/startupapicheck-job.yaml @@ -11,8 +11,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: startupapicheck - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-startupapicheck namespace: syn-cert-manager spec: @@ -25,20 +25,27 @@ spec: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: startupapicheck - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 spec: containers: - args: - check - api - --wait=1m - image: quay.io/jetstack/cert-manager-ctl:v1.8.2 + image: quay.io/jetstack/cert-manager-ctl:v1.12.0 imagePullPolicy: IfNotPresent - name: cert-manager + name: cert-manager-startupapicheck securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + nodeSelector: + kubernetes.io/os: linux restartPolicy: OnFailure securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: cert-manager-startupapicheck diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/startupapicheck-rbac.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/startupapicheck-rbac.yaml index 3445d1f0..572aae6b 100644 --- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/startupapicheck-rbac.yaml +++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/startupapicheck-rbac.yaml 
@@ -11,8 +11,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: startupapicheck - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-startupapicheck:create-cert namespace: syn-cert-manager rules: @@ -36,8 +36,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: startupapicheck - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-startupapicheck:create-cert namespace: syn-cert-manager roleRef: diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/startupapicheck-serviceaccount.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/startupapicheck-serviceaccount.yaml index 877a000c..9fa2fb58 100644 --- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/startupapicheck-serviceaccount.yaml +++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/startupapicheck-serviceaccount.yaml @@ -12,7 +12,7 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: startupapicheck - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-startupapicheck namespace: syn-cert-manager diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-config.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-config.yaml index 277c5ac7..0c0aaedc 100644 
--- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-config.yaml +++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-config.yaml @@ -6,6 +6,9 @@ metadata: app: webhook app.kubernetes.io/component: webhook app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: webhook + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-webhook namespace: syn-cert-manager diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-deployment.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-deployment.yaml index 6edf5f76..c4167e6d 100644 --- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-deployment.yaml +++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-deployment.yaml @@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: webhook - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-webhook namespace: syn-cert-manager spec: @@ -26,8 +26,8 @@ spec: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: webhook - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 spec: containers: - args: 
@@ -35,13 +35,15 @@ spec: - --secure-port=10250 - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE) - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca - - --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.syn-cert-manager,cert-manager-webhook.syn-cert-manager.svc + - --dynamic-serving-dns-names=cert-manager-webhook + - --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE) + - --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE).svc env: - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - image: quay.io/jetstack/cert-manager-webhook:v1.8.2 + image: quay.io/jetstack/cert-manager-webhook:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 @@ -53,11 +55,14 @@ spec: periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 - name: cert-manager + name: cert-manager-webhook ports: - containerPort: 10250 name: https protocol: TCP + - containerPort: 6080 + name: healthcheck + protocol: TCP readinessProbe: failureThreshold: 3 httpGet: @@ -74,8 +79,13 @@ spec: memory: 64Mi securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL nodeSelector: kubernetes.io/os: linux securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: cert-manager-webhook diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-mutating-webhook.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-mutating-webhook.yaml index 2c1e3a1b..40ea3114 100644 --- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-mutating-webhook.yaml +++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-mutating-webhook.yaml 
@@ -9,8 +9,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: webhook - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-webhook namespace: syn-cert-manager webhooks: diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-rbac.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-rbac.yaml index 5a0d901c..846bbda4 100644 --- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-rbac.yaml +++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-rbac.yaml @@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: webhook - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-webhook:subjectaccessreviews namespace: syn-cert-manager rules: @@ -28,8 +28,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: webhook - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-webhook:subjectaccessreviews namespace: syn-cert-manager roleRef: @@ -51,8 +51,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: webhook - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-webhook:dynamic-serving namespace: syn-cert-manager rules: 
@@ -83,8 +83,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: webhook - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-webhook:dynamic-serving namespace: syn-cert-manager roleRef: diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-service.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-service.yaml index 5fc4f8eb..4c49adb3 100644 --- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-service.yaml +++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-service.yaml @@ -7,8 +7,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: webhook - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-webhook namespace: syn-cert-manager spec: diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-serviceaccount.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-serviceaccount.yaml index 1faab3cd..2d92655d 100644 --- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-serviceaccount.yaml +++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-serviceaccount.yaml 
@@ -8,7 +8,7 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: webhook - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-webhook namespace: syn-cert-manager diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-validating-webhook.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-validating-webhook.yaml index 1198cd4e..7351c9bc 100644 --- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-validating-webhook.yaml +++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-validating-webhook.yaml @@ -9,8 +9,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: webhook - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.0 + helm.sh/chart: cert-manager-v1.12.0 name: cert-manager-webhook namespace: syn-cert-manager webhooks: