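# cert-manager v0.7.2 install manifest: the five CustomResourceDefinitions, the
# cert-manager Namespace, and the Helm-rendered (Tiller-era, see `heritage: Tiller`)
# ServiceAccounts, RBAC, webhook Service and Deployments.
# NOTE(review): apiextensions.k8s.io/v1beta1, rbac.authorization.k8s.io/v1beta1 and
# apps/v1beta1 are deprecated API versions that current clusters no longer serve.
# They are left as rendered here; moving the CRDs to v1 needs a schema restructure
# rather than a version bump.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  creationTimestamp: null
  labels:
    controller-tools.k8s.io: "1.0"
  name: certificates.certmanager.k8s.io
spec:
  additionalPrinterColumns:
  - JSONPath: .status.conditions[?(@.type=="Ready")].status
    name: Ready
    type: string
  - JSONPath: .spec.secretName
    name: Secret
    type: string
  - JSONPath: .spec.issuerRef.name
    name: Issuer
    priority: 1
    type: string
  - JSONPath: .status.conditions[?(@.type=="Ready")].message
    name: Status
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC.
    name: Age
    type: date
  group: certmanager.k8s.io
  names:
    kind: Certificate
    plural: certificates
    shortNames:
    - cert
    - certs
  scope: Namespaced
  validation:
    openAPIV3Schema:
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          properties:
            acme:
              description: ACME contains configuration specific to ACME Certificates.
                Notably, this contains details on how the domain names listed on this
                Certificate resource should be 'solved', i.e. mapping HTTP01 and DNS01
                providers to DNS names.
              properties:
                config:
                  items:
                    properties:
                      domains:
                        description: Domains is the list of domains that this SolverConfig
                          applies to.
                        items:
                          type: string
                        type: array
                    required:
                    - domains
                    type: object
                  type: array
              required:
              - config
              type: object
            commonName:
              description: CommonName is a common name to be used on the Certificate
              type: string
            dnsNames:
              description: DNSNames is a list of subject alt names to be used on the
                Certificate
              items:
                type: string
              type: array
            duration:
              description: Certificate default Duration
              type: string
            ipAddresses:
              description: IPAddresses is a list of IP addresses to be used on the
                Certificate
              items:
                type: string
              type: array
            isCA:
              description: IsCA will mark this Certificate as valid for signing. This
                implies that the 'signing' usage is set
              type: boolean
            issuerRef:
              description: IssuerRef is a reference to the issuer for this certificate.
                If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
                with the given name in the same namespace as the Certificate will be
                used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
                with the provided name will be used. The 'name' field in this stanza
                is required at all times.
              properties:
                kind:
                  type: string
                name:
                  type: string
              required:
              - name
              type: object
            keyAlgorithm:
              description: KeyAlgorithm is the private key algorithm of the corresponding
                private key for this certificate. If provided, allowed values are either
                "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize is not provided,
                key size of 256 will be used for "ecdsa" key algorithm and key size of
                2048 will be used for "rsa" key algorithm.
              enum:
              - rsa
              - ecdsa
              type: string
            keySize:
              description: KeySize is the key bit size of the corresponding private key
                for this certificate. If provided, value must be between 2048 and 8192
                inclusive when KeyAlgorithm is empty or is set to "rsa", and value must
                be one of (256, 384, 521) when KeyAlgorithm is set to "ecdsa".
              format: int64
              type: integer
            organization:
              description: Organization is the organization to be used on the Certificate
              items:
                type: string
              type: array
            renewBefore:
              description: Certificate renew before expiration duration
              type: string
            secretName:
              description: SecretName is the name of the secret resource to store this
                secret in
              type: string
          required:
          - secretName
          - issuerRef
          type: object
        status:
          properties:
            conditions:
              items:
                properties:
                  lastTransitionTime:
                    description: LastTransitionTime is the timestamp corresponding to
                      the last status change of this condition.
                    format: date-time
                    type: string
                  message:
                    description: Message is a human readable description of the details
                      of the last transition, complementing reason.
                    type: string
                  reason:
                    description: Reason is a brief machine readable explanation for the
                      condition's last transition.
                    type: string
                  status:
                    description: Status of the condition, one of ('True', 'False', 'Unknown').
                    enum:
                    - "True"
                    - "False"
                    - Unknown
                    type: string
                  type:
                    description: Type of the condition, currently ('Ready').
                    type: string
                required:
                - type
                - status
                type: object
              type: array
            lastFailureTime:
              format: date-time
              type: string
            notAfter:
              description: The expiration time of the certificate stored in the secret
                named by this resource in spec.secretName.
              format: date-time
              type: string
          type: object
  version: v1alpha1
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  creationTimestamp: null
  labels:
    controller-tools.k8s.io: "1.0"
  name: challenges.certmanager.k8s.io
spec:
  additionalPrinterColumns:
  - JSONPath: .status.state
    name: State
    type: string
  - JSONPath: .spec.dnsName
    name: Domain
    type: string
  - JSONPath: .status.reason
    name: Reason
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC.
    name: Age
    type: date
  group: certmanager.k8s.io
  names:
    kind: Challenge
    plural: challenges
  scope: Namespaced
  validation:
    openAPIV3Schema:
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          properties:
            authzURL:
              description: AuthzURL is the URL to the ACME Authorization resource that
                this challenge is a part of.
              type: string
            config:
              description: Config specifies the solver configuration for this challenge.
              type: object
            dnsName:
              description: DNSName is the identifier that this challenge is for, e.g.
                example.com.
              type: string
            issuerRef:
              description: IssuerRef references a properly configured ACME-type Issuer
                which should be used to create this Challenge. If the Issuer does not
                exist, processing will be retried. If the Issuer is not an 'ACME' Issuer,
                an error will be returned and the Challenge will be marked as failed.
              properties:
                kind:
                  type: string
                name:
                  type: string
              required:
              - name
              type: object
            key:
              description: Key is the ACME challenge key for this challenge
              type: string
            token:
              description: Token is the ACME challenge token for this challenge.
              type: string
            type:
              description: Type is the type of ACME challenge this resource represents,
                e.g. "dns01" or "http01"
              type: string
            url:
              description: URL is the URL of the ACME Challenge resource for this challenge.
                This can be used to lookup details about the status of this challenge.
              type: string
            wildcard:
              description: Wildcard will be true if this challenge is for a wildcard
                identifier, for example '*.example.com'
              type: boolean
          required:
          - authzURL
          - type
          - url
          - dnsName
          - token
          - key
          - wildcard
          - config
          - issuerRef
          type: object
        status:
          properties:
            presented:
              description: Presented will be set to true if the challenge values for
                this challenge are currently 'presented'. This *does not* imply the
                self check is passing. Only that the values have been 'submitted' for
                the appropriate challenge mechanism (i.e. the DNS01 TXT record has been
                presented, or the HTTP01 configuration has been configured).
              type: boolean
            processing:
              description: Processing is used to denote whether this challenge should
                be processed or not. This field will only be set to true by the 'scheduling'
                component. It will only be set to false by the 'challenges' controller,
                after the challenge has reached a final state or timed out. If this field
                is set to false, the challenge controller will not take any more action.
              type: boolean
            reason:
              description: Reason contains human readable information on why the Challenge
                is in the current state.
              type: string
            state:
              description: State contains the current 'state' of the challenge. If not
                set, the state of the challenge is unknown.
              enum:
              - ""
              - valid
              - ready
              - pending
              - processing
              - invalid
              - expired
              - errored
              type: string
          required:
          - processing
          - presented
          - reason
          type: object
      required:
      - metadata
      - spec
      - status
  version: v1alpha1
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  creationTimestamp: null
  labels:
    controller-tools.k8s.io: "1.0"
  name: clusterissuers.certmanager.k8s.io
spec:
  group: certmanager.k8s.io
  names:
    kind: ClusterIssuer
    plural: clusterissuers
  scope: Cluster
  validation:
    openAPIV3Schema:
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          properties:
            acme:
              properties:
                email:
                  description: Email is the email for this account
                  type: string
                privateKeySecretRef:
                  description: PrivateKey is the name of a secret containing the private
                    key for this user account.
                  properties:
                    key:
                      description: The key of the secret to select from. Must be a valid
                        secret key.
                      type: string
                    name:
                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                        TODO: Add other useful fields. apiVersion, kind, uid?'
                      type: string
                  required:
                  - name
                  type: object
                server:
                  description: Server is the ACME server URL
                  type: string
                # skipTLSVerify disables server certificate validation for the ACME
                # endpoint; the schema allows it, policy on whether to permit it is
                # the operator's call.
                skipTLSVerify:
                  description: If true, skip verifying the ACME server TLS certificate
                  type: boolean
              required:
              - email
              - server
              - privateKeySecretRef
              type: object
            ca:
              properties:
                secretName:
                  description: SecretName is the name of the secret used to sign Certificates
                    issued by this Issuer.
                  type: string
              required:
              - secretName
              type: object
            selfSigned:
              type: object
            vault:
              properties:
                auth:
                  description: Vault authentication
                  properties:
                    appRole:
                      description: This Secret contains a AppRole and Secret
                      properties:
                        path:
                          description: Where the authentication path is mounted in Vault.
                          type: string
                        roleId:
                          type: string
                        secretRef:
                          properties:
                            key:
                              description: The key of the secret to select from. Must be
                                a valid secret key.
                              type: string
                            name:
                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                TODO: Add other useful fields. apiVersion, kind, uid?'
                              type: string
                          required:
                          - name
                          type: object
                      required:
                      - path
                      - roleId
                      - secretRef
                      type: object
                    tokenSecretRef:
                      description: This Secret contains the Vault token key
                      properties:
                        key:
                          description: The key of the secret to select from. Must be a
                            valid secret key.
                          type: string
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                      required:
                      - name
                      type: object
                  type: object
                caBundle:
                  description: Base64 encoded CA bundle to validate Vault server certificate.
                    Only used if the Server URL is using HTTPS protocol. This parameter
                    is ignored for plain HTTP protocol connection. If not set the system
                    root certificates are used to validate the TLS connection.
                  format: byte
                  type: string
                path:
                  description: Vault URL path to the certificate role
                  type: string
                server:
                  description: Server is the vault connection address
                  type: string
              required:
              - auth
              - server
              - path
              type: object
            venafi:
              properties:
                cloud:
                  description: Cloud specifies the Venafi cloud configuration settings.
                    Only one of TPP or Cloud may be specified.
                  properties:
                    apiTokenSecretRef:
                      description: APITokenSecretRef is a secret key selector for the
                        Venafi Cloud API token.
                      properties:
                        key:
                          description: The key of the secret to select from. Must be a
                            valid secret key.
                          type: string
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                      required:
                      - name
                      type: object
                    url:
                      description: URL is the base URL for Venafi Cloud
                      type: string
                  required:
                  - url
                  - apiTokenSecretRef
                  type: object
                tpp:
                  description: TPP specifies Trust Protection Platform configuration
                    settings. Only one of TPP or Cloud may be specified.
                  properties:
                    caBundle:
                      description: CABundle is a PEM encoded TLS certifiate to use to
                        verify connections to the TPP instance. If specified, system roots
                        will not be used and the issuing CA for the TPP instance must be
                        verifiable using the provided root. If not specified, the connection
                        will be verified using the cert-manager system root certificates.
                      format: byte
                      type: string
                    credentialsRef:
                      description: CredentialsRef is a reference to a Secret containing
                        the username and password for the TPP server. The secret must
                        contain two keys, 'username' and 'password'.
                      properties:
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                      required:
                      - name
                      type: object
                    url:
                      description: URL is the base URL for the Venafi TPP instance
                      type: string
                  required:
                  - url
                  - credentialsRef
                  type: object
                zone:
                  description: Zone is the Venafi Policy Zone to use for this issuer.
                    All requests made to the Venafi platform will be restricted by the
                    named zone policy. This field is required.
                  type: string
              required:
              - zone
              type: object
          type: object
        status:
          properties:
            acme:
              properties:
                uri:
                  description: URI is the unique account identifier, which can also be
                    used to retrieve account details from the CA
                  type: string
              type: object
            conditions:
              items:
                properties:
                  lastTransitionTime:
                    description: LastTransitionTime is the timestamp corresponding to
                      the last status change of this condition.
                    format: date-time
                    type: string
                  message:
                    description: Message is a human readable description of the details
                      of the last transition, complementing reason.
                    type: string
                  reason:
                    description: Reason is a brief machine readable explanation for the
                      condition's last transition.
                    type: string
                  status:
                    description: Status of the condition, one of ('True', 'False', 'Unknown').
                    enum:
                    - "True"
                    - "False"
                    - Unknown
                    type: string
                  type:
                    description: Type of the condition, currently ('Ready').
                    type: string
                required:
                - type
                - status
                type: object
              type: array
          type: object
  version: v1alpha1
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  creationTimestamp: null
  labels:
    controller-tools.k8s.io: "1.0"
  name: issuers.certmanager.k8s.io
spec:
  group: certmanager.k8s.io
  names:
    kind: Issuer
    plural: issuers
  scope: Namespaced
  validation:
    openAPIV3Schema:
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          properties:
            acme:
              properties:
                email:
                  description: Email is the email for this account
                  type: string
                privateKeySecretRef:
                  description: PrivateKey is the name of a secret containing the private
                    key for this user account.
                  properties:
                    key:
                      description: The key of the secret to select from. Must be a valid
                        secret key.
                      type: string
                    name:
                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                        TODO: Add other useful fields. apiVersion, kind, uid?'
                      type: string
                  required:
                  - name
                  type: object
                server:
                  description: Server is the ACME server URL
                  type: string
                # skipTLSVerify disables server certificate validation for the ACME
                # endpoint; the schema allows it, policy on whether to permit it is
                # the operator's call.
                skipTLSVerify:
                  description: If true, skip verifying the ACME server TLS certificate
                  type: boolean
              required:
              - email
              - server
              - privateKeySecretRef
              type: object
            ca:
              properties:
                secretName:
                  description: SecretName is the name of the secret used to sign Certificates
                    issued by this Issuer.
                  type: string
              required:
              - secretName
              type: object
            selfSigned:
              type: object
            vault:
              properties:
                auth:
                  description: Vault authentication
                  properties:
                    appRole:
                      description: This Secret contains a AppRole and Secret
                      properties:
                        path:
                          description: Where the authentication path is mounted in Vault.
                          type: string
                        roleId:
                          type: string
                        secretRef:
                          properties:
                            key:
                              description: The key of the secret to select from. Must be
                                a valid secret key.
                              type: string
                            name:
                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                TODO: Add other useful fields. apiVersion, kind, uid?'
                              type: string
                          required:
                          - name
                          type: object
                      required:
                      - path
                      - roleId
                      - secretRef
                      type: object
                    tokenSecretRef:
                      description: This Secret contains the Vault token key
                      properties:
                        key:
                          description: The key of the secret to select from. Must be a
                            valid secret key.
                          type: string
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                      required:
                      - name
                      type: object
                  type: object
                caBundle:
                  description: Base64 encoded CA bundle to validate Vault server certificate.
                    Only used if the Server URL is using HTTPS protocol. This parameter
                    is ignored for plain HTTP protocol connection. If not set the system
                    root certificates are used to validate the TLS connection.
                  format: byte
                  type: string
                path:
                  description: Vault URL path to the certificate role
                  type: string
                server:
                  description: Server is the vault connection address
                  type: string
              required:
              - auth
              - server
              - path
              type: object
            venafi:
              properties:
                cloud:
                  description: Cloud specifies the Venafi cloud configuration settings.
                    Only one of TPP or Cloud may be specified.
                  properties:
                    apiTokenSecretRef:
                      description: APITokenSecretRef is a secret key selector for the
                        Venafi Cloud API token.
                      properties:
                        key:
                          description: The key of the secret to select from. Must be a
                            valid secret key.
                          type: string
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                      required:
                      - name
                      type: object
                    url:
                      description: URL is the base URL for Venafi Cloud
                      type: string
                  required:
                  - url
                  - apiTokenSecretRef
                  type: object
                tpp:
                  description: TPP specifies Trust Protection Platform configuration
                    settings. Only one of TPP or Cloud may be specified.
                  properties:
                    caBundle:
                      description: CABundle is a PEM encoded TLS certifiate to use to
                        verify connections to the TPP instance. If specified, system roots
                        will not be used and the issuing CA for the TPP instance must be
                        verifiable using the provided root. If not specified, the connection
                        will be verified using the cert-manager system root certificates.
                      format: byte
                      type: string
                    credentialsRef:
                      description: CredentialsRef is a reference to a Secret containing
                        the username and password for the TPP server. The secret must
                        contain two keys, 'username' and 'password'.
                      properties:
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                      required:
                      - name
                      type: object
                    url:
                      description: URL is the base URL for the Venafi TPP instance
                      type: string
                  required:
                  - url
                  - credentialsRef
                  type: object
                zone:
                  description: Zone is the Venafi Policy Zone to use for this issuer.
                    All requests made to the Venafi platform will be restricted by the
                    named zone policy. This field is required.
                  type: string
              required:
              - zone
              type: object
          type: object
        status:
          properties:
            acme:
              properties:
                uri:
                  description: URI is the unique account identifier, which can also be
                    used to retrieve account details from the CA
                  type: string
              type: object
            conditions:
              items:
                properties:
                  lastTransitionTime:
                    description: LastTransitionTime is the timestamp corresponding to
                      the last status change of this condition.
                    format: date-time
                    type: string
                  message:
                    description: Message is a human readable description of the details
                      of the last transition, complementing reason.
                    type: string
                  reason:
                    description: Reason is a brief machine readable explanation for the
                      condition's last transition.
                    type: string
                  status:
                    description: Status of the condition, one of ('True', 'False', 'Unknown').
                    enum:
                    - "True"
                    - "False"
                    - Unknown
                    type: string
                  type:
                    description: Type of the condition, currently ('Ready').
                    type: string
                required:
                - type
                - status
                type: object
              type: array
          type: object
  version: v1alpha1
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  creationTimestamp: null
  labels:
    controller-tools.k8s.io: "1.0"
  name: orders.certmanager.k8s.io
spec:
  additionalPrinterColumns:
  - JSONPath: .status.state
    name: State
    type: string
  - JSONPath: .spec.issuerRef.name
    name: Issuer
    priority: 1
    type: string
  - JSONPath: .status.reason
    name: Reason
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC.
    name: Age
    type: date
  group: certmanager.k8s.io
  names:
    kind: Order
    plural: orders
  scope: Namespaced
  validation:
    openAPIV3Schema:
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          properties:
            commonName:
              description: CommonName is the common name as specified on the DER encoded
                CSR. If CommonName is not specified, the first DNSName specified will
                be used as the CommonName. At least one of CommonName or a DNSNames must
                be set. This field must match the corresponding field on the DER encoded
                CSR.
              type: string
            config:
              description: Config specifies a mapping from DNS identifiers to how those
                identifiers should be solved when performing ACME challenges. A config
                entry must exist for each domain listed in DNSNames and CommonName.
              items:
                properties:
                  domains:
                    description: Domains is the list of domains that this SolverConfig
                      applies to.
                    items:
                      type: string
                    type: array
                required:
                - domains
                type: object
              type: array
            csr:
              description: Certificate signing request bytes in DER encoding. This will
                be used when finalizing the order. This field must be set on the order.
              format: byte
              type: string
            dnsNames:
              description: DNSNames is a list of DNS names that should be included as
                part of the Order validation process. If CommonName is not specified,
                the first DNSName specified will be used as the CommonName. At least one
                of CommonName or a DNSNames must be set. This field must match the corresponding
                field on the DER encoded CSR.
              items:
                type: string
              type: array
            issuerRef:
              description: IssuerRef references a properly configured ACME-type Issuer
                which should be used to create this Order. If the Issuer does not exist,
                processing will be retried. If the Issuer is not an 'ACME' Issuer, an
                error will be returned and the Order will be marked as failed.
              properties:
                kind:
                  type: string
                name:
                  type: string
              required:
              - name
              type: object
          required:
          - csr
          - issuerRef
          - config
          type: object
        status:
          properties:
            certificate:
              description: Certificate is a copy of the PEM encoded certificate for this
                Order. This field will be populated after the order has been successfully
                finalized with the ACME server, and the order has transitioned to the
                'valid' state.
              format: byte
              type: string
            challenges:
              description: Challenges is a list of ChallengeSpecs for Challenges that
                must be created in order to complete this Order.
              items:
                properties:
                  authzURL:
                    description: AuthzURL is the URL to the ACME Authorization resource
                      that this challenge is a part of.
                    type: string
                  config:
                    description: Config specifies the solver configuration for this challenge.
                    type: object
                  dnsName:
                    description: DNSName is the identifier that this challenge is for,
                      e.g. example.com.
                    type: string
                  issuerRef:
                    description: IssuerRef references a properly configured ACME-type
                      Issuer which should be used to create this Challenge. If the Issuer
                      does not exist, processing will be retried. If the Issuer is not
                      an 'ACME' Issuer, an error will be returned and the Challenge will
                      be marked as failed.
                    properties:
                      kind:
                        type: string
                      name:
                        type: string
                    required:
                    - name
                    type: object
                  key:
                    description: Key is the ACME challenge key for this challenge
                    type: string
                  token:
                    description: Token is the ACME challenge token for this challenge.
                    type: string
                  type:
                    description: Type is the type of ACME challenge this resource represents,
                      e.g. "dns01" or "http01"
                    type: string
                  url:
                    description: URL is the URL of the ACME Challenge resource for this
                      challenge. This can be used to lookup details about the status of
                      this challenge.
                    type: string
                  wildcard:
                    description: Wildcard will be true if this challenge is for a wildcard
                      identifier, for example '*.example.com'
                    type: boolean
                required:
                - authzURL
                - type
                - url
                - dnsName
                - token
                - key
                - wildcard
                - config
                - issuerRef
                type: object
              type: array
            failureTime:
              description: FailureTime stores the time that this order failed. This is
                used to influence garbage collection and back-off.
              format: date-time
              type: string
            finalizeURL:
              description: FinalizeURL of the Order. This is used to obtain certificates
                for this order once it has been completed.
              type: string
            reason:
              description: Reason optionally provides more information about a why the
                order is in the current state.
              type: string
            state:
              description: State contains the current state of this Order resource.
                States 'success' and 'expired' are 'final'
              enum:
              - ""
              - valid
              - ready
              - pending
              - processing
              - invalid
              - expired
              - errored
              type: string
            url:
              description: URL of the Order. This will initially be empty when the resource
                is first created. The Order controller will populate this field when
                the Order is first processed. This field will be immutable after it is
                initially set.
              type: string
          type: object
      required:
      - metadata
      - spec
      - status
  version: v1alpha1
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager
  labels:
    # Presumably opts this namespace out of cert-manager's own validating webhook so
    # the install can bootstrap before the webhook serves; the webhook configuration
    # that reads this label is not part of this span — verify against it.
    certmanager.k8s.io/disable-validation: "true"
---
---
# Source: cert-manager/charts/cainjector/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager-cainjector
  namespace: "cert-manager"
  labels:
    app: cainjector
    chart: cainjector-v0.7.2
    release: cert-manager
    heritage: Tiller
---
# Source: cert-manager/charts/webhook/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager-webhook
  namespace: "cert-manager"
  labels:
    app: webhook
    chart: webhook-v0.7.2
    release: cert-manager
    heritage: Tiller
---
# Source: cert-manager/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager
  namespace: "cert-manager"
  labels:
    app: cert-manager
    chart: cert-manager-v0.7.2
    release: cert-manager
    heritage: Tiller
---
# Source: cert-manager/charts/cainjector/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: cert-manager-cainjector
  labels:
    app: cainjector
    chart: cainjector-v0.7.2
    release: cert-manager
    heritage: Tiller
rules:
- apiGroups: ["certmanager.k8s.io"]
  resources: ["certificates"]
  verbs: ["get", "list", "watch"]
# Cluster-wide read of every Secret: needed to copy CA data into webhook/APIService
# objects, but it is a sensitive grant — scope it if the deployment allows.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["configmaps", "events"]
  verbs: ["*"]
# Full control over admission webhook and API-aggregation registrations is a
# cluster-control-plane-level privilege; a compromise of this ServiceAccount could
# redirect admission or aggregated-API traffic. Keep the rule as narrow as the
# injector's behaviour permits and audit changes to these objects.
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
  verbs: ["*"]
- apiGroups: ["apiregistration.k8s.io"]
  resources: ["apiservices"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-cainjector
  labels:
    app: cainjector
    chart: cainjector-v0.7.2
    release: cert-manager
    heritage: Tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-cainjector
subjects:
- name: cert-manager-cainjector
  namespace: "cert-manager"
  kind: ServiceAccount
---
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: cert-manager
  labels:
    app: cert-manager
    chart: cert-manager-v0.7.2
    release: cert-manager
    heritage: Tiller
rules:
- apiGroups: ["certmanager.k8s.io"]
  resources: ["certificates", "certificates/finalizers", "issuers", "clusterissuers",
    "orders", "orders/finalizers", "challenges"]
  verbs: ["*"]
# Wildcard verbs on Secrets, Services and Pods in every namespace: the controller
# writes issued keys/certs and creates HTTP01 solver pods, but "*" is broader than
# the verbs that requires. Worth tightening; wildcard also hides new verbs added
# by future API versions.
- apiGroups: [""]
  resources: ["configmaps", "secrets", "events", "services", "pods"]
  verbs: ["*"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: cert-manager
  labels:
    app: cert-manager
    chart: cert-manager-v0.7.2
    release: cert-manager
    heritage: Tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager
subjects:
- name: cert-manager
  namespace: "cert-manager"
  kind: ServiceAccount
---
# Aggregated into the built-in view/edit/admin roles, so every user holding those
# roles gains read access to Certificates and Issuers.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-view
  labels:
    app: cert-manager
    chart: cert-manager-v0.7.2
    release: cert-manager
    heritage: Tiller
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups: ["certmanager.k8s.io"]
  resources: ["certificates", "issuers"]
  verbs: ["get", "list", "watch"]
---
# Aggregated into edit/admin: holders of those roles can create Issuers, and thereby
# point cert-manager at an ACME/CA/Vault endpoint of their choosing within their
# namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-edit
  labels:
    app: cert-manager
    chart: cert-manager-v0.7.2
    release: cert-manager
    heritage: Tiller
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups: ["certmanager.k8s.io"]
  resources: ["certificates", "issuers"]
  verbs: ["create", "delete", "deletecollection", "patch", "update"]
---
# Source: cert-manager/charts/webhook/templates/rbac.yaml
### Webhook ###
---
# apiserver gets the auth-delegator role to delegate auth decisions to
# the core apiserver
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-webhook:auth-delegator
  labels:
    app: webhook
    chart: webhook-v0.7.2
    release: cert-manager
    heritage: Tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- apiGroup: ""
  kind: ServiceAccount
  name: cert-manager-webhook
  namespace: cert-manager
---
# apiserver gets the ability to read authentication. This allows it to
# read the specific configmap that has the requestheader-* entries to
# api agg
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: cert-manager-webhook:webhook-authentication-reader
  namespace: kube-system
  labels:
    app: webhook
    chart: webhook-v0.7.2
    release: cert-manager
    heritage: Tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
- apiGroup: ""
  kind: ServiceAccount
  name: cert-manager-webhook
  namespace: cert-manager
---
# Defined but not bound in this span; presumably bound to the kube-apiserver
# identity elsewhere so it may call the admission.certmanager.k8s.io endpoints.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-webhook:webhook-requester
  labels:
    app: webhook
    chart: webhook-v0.7.2
    release: cert-manager
    heritage: Tiller
rules:
- apiGroups:
  - admission.certmanager.k8s.io
  resources:
  - certificates
  - issuers
  - clusterissuers
  verbs:
  - create
---
# Source: cert-manager/charts/webhook/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: cert-manager-webhook
  namespace: "cert-manager"
  labels:
    app: webhook
    chart: webhook-v0.7.2
    release: cert-manager
    heritage: Tiller
spec:
  type: ClusterIP
  ports:
  - name: https
    port: 443
    targetPort: 6443
  selector:
    app: webhook
    release: cert-manager
---
# Source: cert-manager/charts/cainjector/templates/deployment.yaml
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: cert-manager-cainjector
  namespace: "cert-manager"
  labels:
    app: cainjector
    chart: cainjector-v0.7.2
    release: cert-manager
    heritage: Tiller
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cainjector
      release: cert-manager
  template:
    metadata:
      labels:
        app: cainjector
        release: cert-manager
      # Empty map written explicitly; a bare `annotations:` parses as null.
      annotations: {}
    spec:
      serviceAccountName: cert-manager-cainjector
      containers:
      - name: cainjector
        # Pinned by tag only; pin by digest to make the supply chain reproducible.
        image: "quay.io/jetstack/cert-manager-cainjector:v0.7.2"
        imagePullPolicy: IfNotPresent
        args:
        - --leader-election-namespace=$(POD_NAMESPACE)
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        # No requests/limits set; unbounded pods weaken node-level isolation.
        resources: {}
---
# Source: cert-manager/charts/webhook/templates/deployment.yaml
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: cert-manager-webhook
  namespace: "cert-manager"
  labels:
    app: webhook
    chart: webhook-v0.7.2
    release: cert-manager
    heritage: Tiller
spec:
  replicas: 1
  selector:
    matchLabels:
      app: webhook
      release: cert-manager
  template:
    metadata:
      labels:
        app: webhook
        release: cert-manager
      # Empty map written explicitly; a bare `annotations:` parses as null.
      annotations: {}
    spec:
      serviceAccountName: cert-manager-webhook
      containers:
      - name: webhook
        # Pinned by tag only; pin by digest to make the supply chain reproducible.
        image: "quay.io/jetstack/cert-manager-webhook:v0.7.2"
        imagePullPolicy: IfNotPresent
        args:
        # Log level 12 is trace-level verbosity for a component that receives
        # admission review bodies; lower it for production so request contents
        # do not land in logs.
        - --v=12
        - --secure-port=6443
        # Serving cert/key are read from the Secret mounted at /certs below.
        - --tls-cert-file=/certs/tls.crt
        - --tls-private-key-file=/certs/tls.key
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        # No requests/limits set; unbounded pods weaken node-level isolation.
        resources: {}
        volumeMounts:
        - name: certs
          mountPath: /certs
      volumes:
      - name: certs
        secret:
          # This Secret is not defined in this span; presumably issued by
          # cert-manager itself (self-signed bootstrap) — confirm.
          secretName: cert-manager-webhook-webhook-tls
---
# Source: cert-manager/templates/deployment.yaml
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: cert-manager
  namespace: "cert-manager"
  labels:
    app: cert-manager
    chart: cert-manager-v0.7.2
    release: cert-manager
    heritage: Tiller
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cert-manager
      release: cert-manager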
template: metadata: labels: app: cert-manager release: cert-manager annotations: prometheus.io/path: "/metrics" prometheus.io/scrape: 'true' prometheus.io/port: '9402' spec: serviceAccountName: cert-manager containers: - name: cert-manager image: "quay.io/jetstack/cert-manager-controller:v0.7.2" imagePullPolicy: IfNotPresent args: - --cluster-resource-namespace=$(POD_NAMESPACE) - --leader-election-namespace=$(POD_NAMESPACE) ports: - containerPort: 9402 env: - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace resources: requests: cpu: 10m memory: 32Mi --- # Source: cert-manager/charts/webhook/templates/apiservice.yaml apiVersion: apiregistration.k8s.io/v1beta1 kind: APIService metadata: name: v1beta1.admission.certmanager.k8s.io labels: app: webhook chart: webhook-v0.7.2 release: cert-manager heritage: Tiller annotations: certmanager.k8s.io/inject-ca-from: "cert-manager/cert-manager-webhook-webhook-tls" spec: group: admission.certmanager.k8s.io groupPriorityMinimum: 1000 versionPriority: 15 service: name: cert-manager-webhook namespace: "cert-manager" version: v1beta1 --- # Source: cert-manager/charts/webhook/templates/pki.yaml --- # Create a selfsigned Issuer, in order to create a root CA certificate for # signing webhook serving certificates apiVersion: certmanager.k8s.io/v1alpha1 kind: Issuer metadata: name: cert-manager-webhook-selfsign namespace: "cert-manager" labels: app: webhook chart: webhook-v0.7.2 release: cert-manager heritage: Tiller spec: selfSigned: {} --- # Generate a CA Certificate used to sign certificates for the webhook apiVersion: certmanager.k8s.io/v1alpha1 kind: Certificate metadata: name: cert-manager-webhook-ca namespace: "cert-manager" labels: app: webhook chart: webhook-v0.7.2 release: cert-manager heritage: Tiller spec: secretName: cert-manager-webhook-ca duration: 43800h # 5y issuerRef: name: cert-manager-webhook-selfsign commonName: "ca.webhook.cert-manager" isCA: true --- # Create an Issuer that uses the above 
generated CA certificate to issue certs apiVersion: certmanager.k8s.io/v1alpha1 kind: Issuer metadata: name: cert-manager-webhook-ca namespace: "cert-manager" labels: app: webhook chart: webhook-v0.7.2 release: cert-manager heritage: Tiller spec: ca: secretName: cert-manager-webhook-ca --- # Finally, generate a serving certificate for the webhook to use apiVersion: certmanager.k8s.io/v1alpha1 kind: Certificate metadata: name: cert-manager-webhook-webhook-tls namespace: "cert-manager" labels: app: webhook chart: webhook-v0.7.2 release: cert-manager heritage: Tiller spec: secretName: cert-manager-webhook-webhook-tls duration: 8760h # 1y issuerRef: name: cert-manager-webhook-ca dnsNames: - cert-manager-webhook - cert-manager-webhook.cert-manager - cert-manager-webhook.cert-manager.svc --- # Source: cert-manager/charts/webhook/templates/validating-webhook.yaml apiVersion: admissionregistration.k8s.io/v1beta1 kind: ValidatingWebhookConfiguration metadata: name: cert-manager-webhook labels: app: webhook chart: webhook-v0.7.2 release: cert-manager heritage: Tiller annotations: certmanager.k8s.io/inject-apiserver-ca: "true" webhooks: - name: certificates.admission.certmanager.k8s.io namespaceSelector: matchExpressions: - key: "certmanager.k8s.io/disable-validation" operator: "NotIn" values: - "true" - key: "name" operator: "NotIn" values: - cert-manager rules: - apiGroups: - "certmanager.k8s.io" apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - certificates failurePolicy: Fail clientConfig: service: name: kubernetes namespace: default path: /apis/admission.certmanager.k8s.io/v1beta1/certificates - name: issuers.admission.certmanager.k8s.io namespaceSelector: matchExpressions: - key: "certmanager.k8s.io/disable-validation" operator: "NotIn" values: - "true" - key: "name" operator: "NotIn" values: - cert-manager rules: - apiGroups: - "certmanager.k8s.io" apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - issuers failurePolicy: Fail 
clientConfig: service: name: kubernetes namespace: default path: /apis/admission.certmanager.k8s.io/v1beta1/issuers - name: clusterissuers.admission.certmanager.k8s.io namespaceSelector: matchExpressions: - key: "certmanager.k8s.io/disable-validation" operator: "NotIn" values: - "true" - key: "name" operator: "NotIn" values: - cert-manager rules: - apiGroups: - "certmanager.k8s.io" apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - clusterissuers failurePolicy: Fail clientConfig: service: name: kubernetes namespace: default path: /apis/admission.certmanager.k8s.io/v1beta1/clusterissuers