helm: Add cert-manager as optional dependency
In lieu of relying on zuul-operator to install cert-manager on demand, we can install it using the Helm chart if desired. This will help to reduce the access that zuul-operator requires to function. This change injects the Helm chart equivalent for cert-manager taken from https://charts.jetstack.io/charts/cert-manager-v1.8.2.tgz. The default values that are added to our root values.yaml are intended to produce a congruent result to what our operator-managed template is providing today. Additionally, we specify this as a conditional dependency in the chart specification so as to allow the user to determine if they'd like to install cert-manager (or not). NOTE: This dependency is disabled by default as it might be surprising to the user. Change-Id: Ic2d3e7a1804203cb1673beb7132d2ec3a48b3495
This commit is contained in:
parent
fe6b3777d5
commit
44f7b2f1b8
|
@ -7,3 +7,8 @@ appVersion: "8.0.0"
|
|||
maintainers:
|
||||
- name: michael_kelly
|
||||
email: mkelly@arista.com
|
||||
dependencies:
|
||||
- name: cert-manager
|
||||
version: "1.8.2"
|
||||
repository: "https://charts.jetstack.io/charts"
|
||||
condition: cert-manager.enabled
|
|
@ -0,0 +1,22 @@
|
|||
annotations:
|
||||
artifacthub.io/prerelease: "false"
|
||||
artifacthub.io/signKey: |
|
||||
fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E
|
||||
url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg
|
||||
apiVersion: v1
|
||||
appVersion: v1.8.2
|
||||
description: A Helm chart for cert-manager
|
||||
home: https://github.com/cert-manager/cert-manager
|
||||
icon: https://raw.githubusercontent.com/cert-manager/cert-manager/master/logo/logo.png
|
||||
keywords:
|
||||
- cert-manager
|
||||
- kube-lego
|
||||
- letsencrypt
|
||||
- tls
|
||||
maintainers:
|
||||
- email: cert-manager-maintainers@googlegroups.com
|
||||
name: cert-manager-maintainers
|
||||
name: cert-manager
|
||||
sources:
|
||||
- https://github.com/cert-manager/cert-manager
|
||||
version: v1.8.2
|
|
@ -0,0 +1,220 @@
|
|||
# cert-manager
|
||||
|
||||
cert-manager is a Kubernetes addon to automate the management and issuance of
|
||||
TLS certificates from various issuing sources.
|
||||
|
||||
It will ensure certificates are valid and up to date periodically, and attempt
|
||||
to renew certificates at an appropriate time before expiry.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Kubernetes 1.18+
|
||||
|
||||
## Installing the Chart
|
||||
|
||||
Full installation instructions, including details on how to configure extra
|
||||
functionality in cert-manager can be found in the [installation docs](https://cert-manager.io/docs/installation/kubernetes/).
|
||||
|
||||
Before installing the chart, you must first install the cert-manager CustomResourceDefinition resources.
|
||||
This is performed in a separate step to allow you to easily uninstall and reinstall cert-manager without deleting your installed custom resources.
|
||||
|
||||
```bash
|
||||
$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.2/cert-manager.crds.yaml
|
||||
```
|
||||
|
||||
To install the chart with the release name `my-release`:
|
||||
|
||||
```console
|
||||
## Add the Jetstack Helm repository
|
||||
$ helm repo add jetstack https://charts.jetstack.io
|
||||
|
||||
## Install the cert-manager helm chart
|
||||
$ helm install my-release --namespace cert-manager --version v1.8.2 jetstack/cert-manager
|
||||
```
|
||||
|
||||
In order to begin issuing certificates, you will need to set up a ClusterIssuer
|
||||
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
|
||||
|
||||
More information on the different types of issuers and how to configure them
|
||||
can be found in [our documentation](https://cert-manager.io/docs/configuration/).
|
||||
|
||||
For information on how to configure cert-manager to automatically provision
|
||||
Certificates for Ingress resources, take a look at the
|
||||
[Securing Ingresses documentation](https://cert-manager.io/docs/usage/ingress/).
|
||||
|
||||
> **Tip**: List all releases using `helm list`
|
||||
|
||||
## Upgrading the Chart
|
||||
|
||||
Special considerations may be required when upgrading the Helm chart, and these
|
||||
are documented in our full [upgrading guide](https://cert-manager.io/docs/installation/upgrading/).
|
||||
|
||||
**Please check here before performing upgrades!**
|
||||
|
||||
## Uninstalling the Chart
|
||||
|
||||
To uninstall/delete the `my-release` deployment:
|
||||
|
||||
```console
|
||||
$ helm delete my-release
|
||||
```
|
||||
|
||||
The command removes all the Kubernetes components associated with the chart and deletes the release.
|
||||
|
||||
If you want to completely uninstall cert-manager from your cluster, you will also need to
|
||||
delete the previously installed CustomResourceDefinition resources:
|
||||
|
||||
```console
|
||||
$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.2/cert-manager.crds.yaml
|
||||
```
|
||||
|
||||
## Configuration
|
||||
|
||||
The following table lists the configurable parameters of the cert-manager chart and their default values.
|
||||
|
||||
| Parameter | Description | Default |
|
||||
| --------- | ----------- | ------- |
|
||||
| `global.imagePullSecrets` | Reference to one or more secrets to be used when pulling images | `[]` |
|
||||
| `global.rbac.create` | If `true`, create and use RBAC resources (includes sub-charts) | `true` |
|
||||
| `global.priorityClassName`| Priority class name for cert-manager and webhook pods | `""` |
|
||||
| `global.podSecurityPolicy.enabled` | If `true`, create and use PodSecurityPolicy (includes sub-charts) | `false` |
|
||||
| `global.podSecurityPolicy.useAppArmor` | If `true`, use Apparmor seccomp profile in PSP | `true` |
|
||||
| `global.leaderElection.namespace` | Override the namespace used to store the ConfigMap for leader election | `kube-system` |
|
||||
| `global.leaderElection.leaseDuration` | The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate | |
|
||||
| `global.leaderElection.renewDeadline` | The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration | |
|
||||
| `global.leaderElection.retryPeriod` | The duration the clients should wait between attempting acquisition and renewal of a leadership | |
|
||||
| `installCRDs` | If true, CRD resources will be installed as part of the Helm chart. If enabled, when uninstalling CRD resources will be deleted causing all installed custom resources to be DELETED | `false` |
|
||||
| `image.repository` | Image repository | `quay.io/jetstack/cert-manager-controller` |
|
||||
| `image.tag` | Image tag | `v1.8.2` |
|
||||
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
|
||||
| `replicaCount` | Number of cert-manager replicas | `1` |
|
||||
| `clusterResourceNamespace` | Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources | Same namespace as cert-manager pod |
|
||||
| `featureGates` | Set of comma-separated key=value pairs that describe feature gates on the controller. Some feature gates may also have to be enabled on other components, and can be set supplying the `feature-gate` flag to `<component>.extraArgs` | `` |
|
||||
| `extraArgs` | Optional flags for cert-manager | `[]` |
|
||||
| `extraEnv` | Optional environment variables for cert-manager | `[]` |
|
||||
| `serviceAccount.create` | If `true`, create a new service account | `true` |
|
||||
| `serviceAccount.name` | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the fullname template | |
|
||||
| `serviceAccount.annotations` | Annotations to add to the service account | |
|
||||
| `serviceAccount.automountServiceAccountToken` | Automount API credentials for the Service Account | `true` |
|
||||
| `volumes` | Optional volumes for cert-manager | `[]` |
|
||||
| `volumeMounts` | Optional volume mounts for cert-manager | `[]` |
|
||||
| `resources` | CPU/memory resource requests/limits | `{}` |
|
||||
| `securityContext` | Optional security context. The yaml block should adhere to the [SecurityContext spec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#securitycontext-v1-core) | `{}` |
|
||||
| `securityContext.enabled` | Deprecated (use `securityContext`) - Enable security context | `false` |
|
||||
| `containerSecurityContext` | Security context to be set on the controller component container | `{}` |
|
||||
| `nodeSelector` | Node labels for pod assignment | `{}` |
|
||||
| `affinity` | Node affinity for pod assignment | `{}` |
|
||||
| `tolerations` | Node tolerations for pod assignment | `[]` |
|
||||
| `ingressShim.defaultIssuerName` | Optional default issuer to use for ingress resources | |
|
||||
| `ingressShim.defaultIssuerKind` | Optional default issuer kind to use for ingress resources | |
|
||||
| `ingressShim.defaultIssuerGroup` | Optional default issuer group to use for ingress resources | |
|
||||
| `prometheus.enabled` | Enable Prometheus monitoring | `true` |
|
||||
| `prometheus.servicemonitor.enabled` | Enable Prometheus Operator ServiceMonitor monitoring | `false` |
|
||||
| `prometheus.servicemonitor.namespace` | Define namespace where to deploy the ServiceMonitor resource | (namespace where you are deploying) |
|
||||
| `prometheus.servicemonitor.prometheusInstance` | Prometheus Instance definition | `default` |
|
||||
| `prometheus.servicemonitor.targetPort` | Prometheus scrape port | `9402` |
|
||||
| `prometheus.servicemonitor.path` | Prometheus scrape path | `/metrics` |
|
||||
| `prometheus.servicemonitor.interval` | Prometheus scrape interval | `60s` |
|
||||
| `prometheus.servicemonitor.labels` | Add custom labels to ServiceMonitor | |
|
||||
| `prometheus.servicemonitor.scrapeTimeout` | Prometheus scrape timeout | `30s` |
|
||||
| `prometheus.servicemonitor.honorLabels` | Enable label honoring for metrics scraped by Prometheus (see [Prometheus scrape config docs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config) for details). By setting `honorLabels` to `true`, Prometheus will prefer label contents given by cert-manager on conflicts. Can be used to remove the "exported_namespace" label for example. | `false` |
|
||||
| `podAnnotations` | Annotations to add to the cert-manager pod | `{}` |
|
||||
| `deploymentAnnotations` | Annotations to add to the cert-manager deployment | `{}` |
|
||||
| `podDnsPolicy` | Optional cert-manager pod [DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-policy) | |
|
||||
| `podDnsConfig` | Optional cert-manager pod [DNS configurations](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-config) | |
|
||||
| `podLabels` | Labels to add to the cert-manager pod | `{}` |
|
||||
| `serviceLabels` | Labels to add to the cert-manager controller service | `{}` |
|
||||
| `serviceAnnotations` | Annotations to add to the cert-manager service | `{}` |
|
||||
| `http_proxy` | Value of the `HTTP_PROXY` environment variable in the cert-manager pod | |
|
||||
| `https_proxy` | Value of the `HTTPS_PROXY` environment variable in the cert-manager pod | |
|
||||
| `no_proxy` | Value of the `NO_PROXY` environment variable in the cert-manager pod | |
|
||||
| `webhook.replicaCount` | Number of cert-manager webhook replicas | `1` |
|
||||
| `webhook.timeoutSeconds` | Seconds the API server should wait the webhook to respond before treating the call as a failure. | `10` |
|
||||
| `webhook.podAnnotations` | Annotations to add to the webhook pods | `{}` |
|
||||
| `webhook.podLabels` | Labels to add to the cert-manager webhook pod | `{}` |
|
||||
| `webhook.serviceLabels` | Labels to add to the cert-manager webhook service | `{}` |
|
||||
| `webhook.deploymentAnnotations` | Annotations to add to the webhook deployment | `{}` |
|
||||
| `webhook.mutatingWebhookConfigurationAnnotations` | Annotations to add to the mutating webhook configuration | `{}` |
|
||||
| `webhook.validatingWebhookConfigurationAnnotations` | Annotations to add to the validating webhook configuration | `{}` |
|
||||
| `webhook.serviceAnnotations` | Annotations to add to the webhook service | `{}` |
|
||||
| `webhook.config` | WebhookConfiguration YAML used to configure flags for the webhook. Generates a ConfigMap containing contents of the field. See `values.yaml` for example. | `{}` |
|
||||
| `webhook.extraArgs` | Optional flags for cert-manager webhook component | `[]` |
|
||||
| `webhook.serviceAccount.create` | If `true`, create a new service account for the webhook component | `true` |
|
||||
| `webhook.serviceAccount.name` | Service account for the webhook component to be used. If not set and `webhook.serviceAccount.create` is `true`, a name is generated using the fullname template | |
|
||||
| `webhook.serviceAccount.annotations` | Annotations to add to the service account for the webhook component | |
|
||||
| `webhook.serviceAccount.automountServiceAccountToken` | Automount API credentials for the webhook Service Account | |
|
||||
| `webhook.resources` | CPU/memory resource requests/limits for the webhook pods | `{}` |
|
||||
| `webhook.nodeSelector` | Node labels for webhook pod assignment | `{}` |
|
||||
| `webhook.affinity` | Node affinity for webhook pod assignment | `{}` |
|
||||
| `webhook.tolerations` | Node tolerations for webhook pod assignment | `[]` |
|
||||
| `webhook.image.repository` | Webhook image repository | `quay.io/jetstack/cert-manager-webhook` |
|
||||
| `webhook.image.tag` | Webhook image tag | `v1.8.2` |
|
||||
| `webhook.image.pullPolicy` | Webhook image pull policy | `IfNotPresent` |
|
||||
| `webhook.securePort` | The port that the webhook should listen on for requests. | `10250` |
|
||||
| `webhook.securityContext` | Security context for webhook pod assignment | `{}` |
|
||||
| `webhook.containerSecurityContext` | Security context to be set on the webhook component container | `{}` |
|
||||
| `webhook.hostNetwork` | If `true`, run the Webhook on the host network. | `false` |
|
||||
| `webhook.serviceType` | The type of the `Service`. | `ClusterIP` |
|
||||
| `webhook.loadBalancerIP` | The specific load balancer IP to use (when `serviceType` is `LoadBalancer`). | |
|
||||
| `webhook.url.host` | The host to use to reach the webhook, instead of using internal cluster DNS for the service. | |
|
||||
| `webhook.livenessProbe.failureThreshold` | The liveness probe failure threshold | `3` |
|
||||
| `webhook.livenessProbe.initialDelaySeconds` | The liveness probe initial delay (in seconds) | `60` |
|
||||
| `webhook.livenessProbe.periodSeconds` | The liveness probe period (in seconds) | `10` |
|
||||
| `webhook.livenessProbe.successThreshold` | The liveness probe success threshold | `1` |
|
||||
| `webhook.livenessProbe.timeoutSeconds` | The liveness probe timeout (in seconds) | `1` |
|
||||
| `webhook.readinessProbe.failureThreshold` | The readiness probe failure threshold | `3` |
|
||||
| `webhook.readinessProbe.initialDelaySeconds` | The readiness probe initial delay (in seconds) | `5` |
|
||||
| `webhook.readinessProbe.periodSeconds` | The readiness probe period (in seconds) | `5` |
|
||||
| `webhook.readinessProbe.successThreshold` | The readiness probe success threshold | `1` |
|
||||
| `webhook.readinessProbe.timeoutSeconds` | The readiness probe timeout (in seconds) | `1` |
|
||||
| `cainjector.enabled` | Toggles whether the cainjector component should be installed (required for the webhook component to work) | `true` |
|
||||
| `cainjector.replicaCount` | Number of cert-manager cainjector replicas | `1` |
|
||||
| `cainjector.podAnnotations` | Annotations to add to the cainjector pods | `{}` |
|
||||
| `cainjector.podLabels` | Labels to add to the cert-manager cainjector pod | `{}` |
|
||||
| `cainjector.deploymentAnnotations` | Annotations to add to the cainjector deployment | `{}` |
|
||||
| `cainjector.extraArgs` | Optional flags for cert-manager cainjector component | `[]` |
|
||||
| `cainjector.serviceAccount.create` | If `true`, create a new service account for the cainjector component | `true` |
|
||||
| `cainjector.serviceAccount.name` | Service account for the cainjector component to be used. If not set and `cainjector.serviceAccount.create` is `true`, a name is generated using the fullname template | |
|
||||
| `cainjector.serviceAccount.annotations` | Annotations to add to the service account for the cainjector component | |
|
||||
| `cainjector.serviceAccount.automountServiceAccountToken` | Automount API credentials for the cainjector Service Account | `true` |
|
||||
| `cainjector.resources` | CPU/memory resource requests/limits for the cainjector pods | `{}` |
|
||||
| `cainjector.nodeSelector` | Node labels for cainjector pod assignment | `{}` |
|
||||
| `cainjector.affinity` | Node affinity for cainjector pod assignment | `{}` |
|
||||
| `cainjector.tolerations` | Node tolerations for cainjector pod assignment | `[]` |
|
||||
| `cainjector.image.repository` | cainjector image repository | `quay.io/jetstack/cert-manager-cainjector` |
|
||||
| `cainjector.image.tag` | cainjector image tag | `v1.8.2` |
|
||||
| `cainjector.image.pullPolicy` | cainjector image pull policy | `IfNotPresent` |
|
||||
| `cainjector.securityContext` | Security context for cainjector pod assignment | `{}` |
|
||||
| `cainjector.containerSecurityContext` | Security context to be set on cainjector component container | `{}` |
|
||||
| `startupapicheck.enabled` | Toggles whether the startupapicheck Job should be installed | `true` |
|
||||
| `startupapicheck.securityContext` | Pod Security Context to be set on the startupapicheck component Pod | `{}` |
|
||||
| `startupapicheck.timeout` | Timeout for 'kubectl check api' command | `1m` |
|
||||
| `startupapicheck.backoffLimit` | Job backoffLimit | `4` |
|
||||
| `startupapicheck.jobAnnotations` | Optional additional annotations to add to the startupapicheck Job | `{}` |
|
||||
| `startupapicheck.podAnnotations` | Optional additional annotations to add to the startupapicheck Pods | `{}` |
|
||||
| `startupapicheck.extraArgs` | Optional additional arguments for startupapicheck | `[]` |
|
||||
| `startupapicheck.resources` | CPU/memory resource requests/limits for the startupapicheck pod | `{}` |
|
||||
| `startupapicheck.nodeSelector` | Node labels for startupapicheck pod assignment | `{}` |
|
||||
| `startupapicheck.affinity` | Node affinity for startupapicheck pod assignment | `{}` |
|
||||
| `startupapicheck.tolerations` | Node tolerations for startupapicheck pod assignment | `[]` |
|
||||
| `startupapicheck.podLabels` | Optional additional labels to add to the startupapicheck Pods | `{}` |
|
||||
| `startupapicheck.image.repository` | startupapicheck image repository | `quay.io/jetstack/cert-manager-ctl` |
|
||||
| `startupapicheck.image.tag` | startupapicheck image tag | `v1.8.2` |
|
||||
| `startupapicheck.image.pullPolicy` | startupapicheck image pull policy | `IfNotPresent` |
|
||||
| `startupapicheck.serviceAccount.create` | If `true`, create a new service account for the startupapicheck component | `true` |
|
||||
| `startupapicheck.serviceAccount.name` | Service account for the startupapicheck component to be used. If not set and `startupapicheck.serviceAccount.create` is `true`, a name is generated using the fullname template | |
|
||||
| `startupapicheck.serviceAccount.annotations` | Annotations to add to the service account for the startupapicheck component | |
|
||||
| `startupapicheck.serviceAccount.automountServiceAccountToken` | Automount API credentials for the startupapicheck Service Account | `true` |
|
||||
|
||||
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
|
||||
|
||||
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
|
||||
|
||||
```console
|
||||
$ helm install my-release -f values.yaml .
|
||||
```
|
||||
> **Tip**: You can use the default [values.yaml](https://github.com/cert-manager/cert-manager/blob/master/deploy/charts/cert-manager/values.yaml)
|
||||
|
||||
## Contributing
|
||||
|
||||
This chart is maintained at [github.com/cert-manager/cert-manager](https://github.com/cert-manager/cert-manager/tree/master/deploy/charts/cert-manager).
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,15 @@
|
|||
cert-manager {{ .Chart.AppVersion }} has been deployed successfully!
|
||||
|
||||
In order to begin issuing certificates, you will need to set up a ClusterIssuer
|
||||
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
|
||||
|
||||
More information on the different types of issuers and how to configure them
|
||||
can be found in our documentation:
|
||||
|
||||
https://cert-manager.io/docs/configuration/
|
||||
|
||||
For information on how to configure cert-manager to automatically provision
|
||||
Certificates for Ingress resources, take a look at the `ingress-shim`
|
||||
documentation:
|
||||
|
||||
https://cert-manager.io/docs/usage/ingress/
|
|
@ -0,0 +1,159 @@
|
|||
{{/* vim: set filetype=mustache: */}}
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "cert-manager.name" -}}
|
||||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
*/}}
|
||||
{{- define "cert-manager.fullname" -}}
|
||||
{{- if .Values.fullnameOverride -}}
|
||||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- $name := default .Chart.Name .Values.nameOverride -}}
|
||||
{{- if contains $name .Release.Name -}}
|
||||
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "cert-manager.serviceAccountName" -}}
|
||||
{{- if .Values.serviceAccount.create -}}
|
||||
{{ default (include "cert-manager.fullname" .) .Values.serviceAccount.name }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Webhook templates
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
Manually fix the 'app' and 'name' labels to 'webhook' to maintain
|
||||
compatibility with the v0.9 deployment selector.
|
||||
*/}}
|
||||
{{- define "webhook.name" -}}
|
||||
{{- printf "webhook" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "webhook.fullname" -}}
|
||||
{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 55 | trimSuffix "-" -}}
|
||||
{{- printf "%s-webhook" $trimmedName | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "webhook.caRef" -}}
|
||||
{{ .Release.Namespace }}/{{ template "webhook.fullname" . }}-ca
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "webhook.serviceAccountName" -}}
|
||||
{{- if .Values.webhook.serviceAccount.create -}}
|
||||
{{ default (include "webhook.fullname" .) .Values.webhook.serviceAccount.name }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.webhook.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
cainjector templates
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
Manually fix the 'app' and 'name' labels to 'cainjector' to maintain
|
||||
compatibility with the v0.9 deployment selector.
|
||||
*/}}
|
||||
{{- define "cainjector.name" -}}
|
||||
{{- printf "cainjector" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "cainjector.fullname" -}}
|
||||
{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 52 | trimSuffix "-" -}}
|
||||
{{- printf "%s-cainjector" $trimmedName | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "cainjector.serviceAccountName" -}}
|
||||
{{- if .Values.cainjector.serviceAccount.create -}}
|
||||
{{ default (include "cainjector.fullname" .) .Values.cainjector.serviceAccount.name }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.cainjector.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
startupapicheck templates
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
Manually fix the 'app' and 'name' labels to 'startupapicheck' to maintain
|
||||
compatibility with the v0.9 deployment selector.
|
||||
*/}}
|
||||
{{- define "startupapicheck.name" -}}
|
||||
{{- printf "startupapicheck" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "startupapicheck.fullname" -}}
|
||||
{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 52 | trimSuffix "-" -}}
|
||||
{{- printf "%s-startupapicheck" $trimmedName | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "startupapicheck.serviceAccountName" -}}
|
||||
{{- if .Values.startupapicheck.serviceAccount.create -}}
|
||||
{{ default (include "startupapicheck.fullname" .) .Values.startupapicheck.serviceAccount.name }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.startupapicheck.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create chart name and version as used by the chart label.
|
||||
*/}}
|
||||
{{- define "chartName" -}}
|
||||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Labels that should be added on each resource
|
||||
*/}}
|
||||
{{- define "labels" -}}
|
||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
||||
{{- if eq (default "helm" .Values.creator) "helm" }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
helm.sh/chart: {{ include "chartName" . }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
|
@ -0,0 +1,102 @@
|
|||
{{- if .Values.cainjector.enabled }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "cainjector.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.cainjector.deploymentAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
replicas: {{ .Values.cainjector.replicaCount }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- with .Values.cainjector.strategy }}
|
||||
strategy:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 8 }}
|
||||
{{- with .Values.cainjector.podLabels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
serviceAccountName: {{ template "cainjector.serviceAccountName" . }}
|
||||
{{- with .Values.global.priorityClassName }}
|
||||
priorityClassName: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.securityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
{{- with .Values.cainjector.image }}
|
||||
image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
|
||||
{{- end }}
|
||||
imagePullPolicy: {{ .Values.cainjector.image.pullPolicy }}
|
||||
args:
|
||||
{{- if .Values.global.logLevel }}
|
||||
- --v={{ .Values.global.logLevel }}
|
||||
{{- end }}
|
||||
{{- with .Values.global.leaderElection }}
|
||||
- --leader-election-namespace={{ .namespace }}
|
||||
{{- if .leaseDuration }}
|
||||
- --leader-election-lease-duration={{ .leaseDuration }}
|
||||
{{- end }}
|
||||
{{- if .renewDeadline }}
|
||||
- --leader-election-renew-deadline={{ .renewDeadline }}
|
||||
{{- end }}
|
||||
{{- if .retryPeriod }}
|
||||
- --leader-election-retry-period={{ .retryPeriod }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.extraArgs }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
{{- with .Values.cainjector.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.resources }}
|
||||
resources:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,20 @@
|
|||
{{- if .Values.cainjector.enabled }}
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ template "cainjector.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames:
|
||||
- {{ template "cainjector.fullname" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,22 @@
|
|||
{{- if .Values.cainjector.enabled }}
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cainjector.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cainjector.fullname" . }}-psp
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "cainjector.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,51 @@
|
|||
{{- if .Values.cainjector.enabled }}
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ template "cainjector.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
annotations:
|
||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
||||
{{- if .Values.global.podSecurityPolicy.useAppArmor }}
|
||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||
{{- end }}
|
||||
spec:
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
allowedCapabilities: [] # default set of capabilities are implicitly allowed
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'emptyDir'
|
||||
- 'projected'
|
||||
- 'secret'
|
||||
- 'downwardAPI'
|
||||
hostNetwork: false
|
||||
hostIPC: false
|
||||
hostPID: false
|
||||
runAsUser:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
supplementalGroups:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
fsGroup:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,103 @@
|
|||
{{- if .Values.cainjector.enabled }}
|
||||
{{- if .Values.global.rbac.create }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cainjector.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["get", "create", "update", "patch"]
|
||||
- apiGroups: ["admissionregistration.k8s.io"]
|
||||
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
- apiGroups: ["apiregistration.k8s.io"]
|
||||
resources: ["apiservices"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
- apiGroups: ["apiextensions.k8s.io"]
|
||||
resources: ["customresourcedefinitions"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cainjector.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cainjector.fullname" . }}
|
||||
subjects:
|
||||
- name: {{ template "cainjector.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
# leader election rules
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ template "cainjector.fullname" . }}:leaderelection
|
||||
namespace: {{ .Values.global.leaderElection.namespace }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
# Used for leader election by the controller
|
||||
# cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
|
||||
# see cmd/cainjector/start.go#L113
|
||||
# cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
|
||||
# see cmd/cainjector/start.go#L137
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
|
||||
verbs: ["get", "update", "patch"]
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
verbs: ["create"]
|
||||
|
||||
---
|
||||
|
||||
# grant cert-manager permission to manage the leaderelection configmap in the
|
||||
# leader election namespace
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "cainjector.fullname" . }}:leaderelection
|
||||
namespace: {{ .Values.global.leaderElection.namespace }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ template "cainjector.fullname" . }}:leaderelection
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "cainjector.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,27 @@
|
|||
{{- if .Values.cainjector.enabled }}
|
||||
{{- if .Values.cainjector.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
automountServiceAccountToken: {{ .Values.cainjector.serviceAccount.automountServiceAccountToken }}
|
||||
metadata:
|
||||
name: {{ template "cainjector.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
{{- with .Values.cainjector.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.cainjector.serviceAccount.labels }}
|
||||
{{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,170 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels:
|
||||
app: {{ template "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ template "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.deploymentAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
replicas: {{ .Values.replicaCount }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ template "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- with .Values.strategy }}
|
||||
strategy:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: {{ template "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ template "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 8 }}
|
||||
{{- with .Values.podLabels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if and .Values.prometheus.enabled (not .Values.prometheus.servicemonitor.enabled) }}
|
||||
{{- if not .Values.podAnnotations }}
|
||||
annotations:
|
||||
{{- end }}
|
||||
prometheus.io/path: "/metrics"
|
||||
prometheus.io/scrape: 'true'
|
||||
prometheus.io/port: '9402'
|
||||
{{- end }}
|
||||
spec:
|
||||
serviceAccountName: {{ template "cert-manager.serviceAccountName" . }}
|
||||
{{- with .Values.global.priorityClassName }}
|
||||
priorityClassName: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- $enabledDefined := gt (len (keys (pick .Values.securityContext "enabled"))) 0 }}
|
||||
{{- $legacyEnabledExplicitlyOff := and $enabledDefined (not .Values.securityContext.enabled) }}
|
||||
{{- if and .Values.securityContext (not $legacyEnabledExplicitlyOff) }}
|
||||
securityContext:
|
||||
{{- if .Values.securityContext.enabled }}
|
||||
{{/* support legacy securityContext.enabled and its two parameters */}}
|
||||
fsGroup: {{ default 1001 .Values.securityContext.fsGroup }}
|
||||
runAsUser: {{ default 1001 .Values.securityContext.runAsUser }}
|
||||
{{- else }}
|
||||
{{/* this is the way forward: support an arbitrary yaml block */}}
|
||||
{{- toYaml .Values.securityContext | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.volumes }}
|
||||
volumes:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
{{- with .Values.image }}
|
||||
image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
|
||||
{{- end }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
args:
|
||||
{{- if .Values.global.logLevel }}
|
||||
- --v={{ .Values.global.logLevel }}
|
||||
{{- end }}
|
||||
{{- if .Values.clusterResourceNamespace }}
|
||||
- --cluster-resource-namespace={{ .Values.clusterResourceNamespace }}
|
||||
{{- else }}
|
||||
- --cluster-resource-namespace=$(POD_NAMESPACE)
|
||||
{{- end }}
|
||||
{{- with .Values.global.leaderElection }}
|
||||
- --leader-election-namespace={{ .namespace }}
|
||||
{{- if .leaseDuration }}
|
||||
- --leader-election-lease-duration={{ .leaseDuration }}
|
||||
{{- end }}
|
||||
{{- if .renewDeadline }}
|
||||
- --leader-election-renew-deadline={{ .renewDeadline }}
|
||||
{{- end }}
|
||||
{{- if .retryPeriod }}
|
||||
- --leader-election-retry-period={{ .retryPeriod }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.extraArgs }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.ingressShim }}
|
||||
{{- if .defaultIssuerName }}
|
||||
- --default-issuer-name={{ .defaultIssuerName }}
|
||||
{{- end }}
|
||||
{{- if .defaultIssuerKind }}
|
||||
- --default-issuer-kind={{ .defaultIssuerKind }}
|
||||
{{- end }}
|
||||
{{- if .defaultIssuerGroup }}
|
||||
- --default-issuer-group={{ .defaultIssuerGroup }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.featureGates }}
|
||||
- --feature-gates={{ .Values.featureGates }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- containerPort: 9402
|
||||
name: http-metrics
|
||||
protocol: TCP
|
||||
{{- with .Values.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.volumeMounts }}
|
||||
volumeMounts:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
{{- with .Values.extraEnv }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.http_proxy }}
|
||||
- name: HTTP_PROXY
|
||||
value: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.https_proxy }}
|
||||
- name: HTTPS_PROXY
|
||||
value: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.no_proxy }}
|
||||
- name: NO_PROXY
|
||||
value: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.resources }}
|
||||
resources:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.podDnsPolicy }}
|
||||
dnsPolicy: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.podDnsConfig }}
|
||||
dnsConfig:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
|
@ -0,0 +1,18 @@
|
|||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames:
|
||||
- {{ template "cert-manager.fullname" . }}
|
||||
{{- end }}
|
|
@ -0,0 +1,20 @@
|
|||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-psp
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end }}
|
|
@ -0,0 +1,49 @@
|
|||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
annotations:
|
||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
||||
{{- if .Values.global.podSecurityPolicy.useAppArmor }}
|
||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||
{{- end }}
|
||||
spec:
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
allowedCapabilities: [] # default set of capabilities are implicitly allowed
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'emptyDir'
|
||||
- 'projected'
|
||||
- 'secret'
|
||||
- 'downwardAPI'
|
||||
hostNetwork: false
|
||||
hostIPC: false
|
||||
hostPID: false
|
||||
runAsUser:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
supplementalGroups:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
fsGroup:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
{{- end }}
|
|
@ -0,0 +1,545 @@
|
|||
{{- if .Values.global.rbac.create }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}:leaderelection
|
||||
namespace: {{ .Values.global.leaderElection.namespace }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
resourceNames: ["cert-manager-controller"]
|
||||
verbs: ["get", "update", "patch"]
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
verbs: ["create"]
|
||||
|
||||
---
|
||||
|
||||
# grant cert-manager permission to manage the leaderelection configmap in the
|
||||
# leader election namespace
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "cert-manager.fullname" . }}:leaderelection
|
||||
namespace: {{ .Values.global.leaderElection.namespace }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ template "cert-manager.fullname" . }}:leaderelection
|
||||
subjects:
|
||||
- apiGroup: ""
|
||||
kind: ServiceAccount
|
||||
name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
|
||||
---
|
||||
|
||||
# Issuer controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-issuers
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["issuers", "issuers/status"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["issuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch", "create", "update", "delete"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
|
||||
---
|
||||
|
||||
# ClusterIssuer controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["clusterissuers", "clusterissuers/status"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["clusterissuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch", "create", "update", "delete"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
|
||||
---
|
||||
|
||||
# Certificates controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-certificates
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||
# admission controller enabled:
|
||||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates/finalizers", "certificaterequests/finalizers"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["orders"]
|
||||
verbs: ["create", "delete", "get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
|
||||
---
|
||||
|
||||
# Orders controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-orders
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["orders", "orders/status"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["orders", "challenges"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["clusterissuers", "issuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges"]
|
||||
verbs: ["create", "delete"]
|
||||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||
# admission controller enabled:
|
||||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["orders/finalizers"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
|
||||
---
|
||||
|
||||
# Challenges controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-challenges
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
# Use to update challenge resource status
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges", "challenges/status"]
|
||||
verbs: ["update", "patch"]
|
||||
# Used to watch challenge resources
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# Used to watch challenges, issuer and clusterissuer resources
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["issuers", "clusterissuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# Need to be able to retrieve ACME account private key to complete challenges
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# Used to create events
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
# HTTP01 rules
|
||||
- apiGroups: [""]
|
||||
resources: ["pods", "services"]
|
||||
verbs: ["get", "list", "watch", "create", "delete"]
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses"]
|
||||
verbs: ["get", "list", "watch", "create", "delete", "update"]
|
||||
- apiGroups: [ "gateway.networking.k8s.io" ]
|
||||
resources: [ "httproutes" ]
|
||||
verbs: ["get", "list", "watch", "create", "delete", "update"]
|
||||
# We require the ability to specify a custom hostname when we are creating
|
||||
# new ingress resources.
|
||||
# See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
|
||||
- apiGroups: ["route.openshift.io"]
|
||||
resources: ["routes/custom-host"]
|
||||
verbs: ["create"]
|
||||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||
# admission controller enabled:
|
||||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges/finalizers"]
|
||||
verbs: ["update"]
|
||||
# DNS01 rules (duplicated above)
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
|
||||
---
|
||||
|
||||
# ingress-shim controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests"]
|
||||
verbs: ["create", "update", "delete"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||
# admission controller enabled:
|
||||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses/finalizers"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: ["gateway.networking.k8s.io"]
|
||||
resources: ["gateways", "httproutes"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["gateway.networking.k8s.io"]
|
||||
resources: ["gateways/finalizers", "httproutes/finalizers"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-issuers
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-issuers
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-certificates
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-certificates
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-orders
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-orders
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-challenges
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-challenges
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-view
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- if .Values.global.rbac.aggregateClusterRoles }}
|
||||
rbac.authorization.k8s.io/aggregate-to-view: "true"
|
||||
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
||||
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
||||
{{- end }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests", "issuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges", "orders"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-edit
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- if .Values.global.rbac.aggregateClusterRoles }}
|
||||
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
||||
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
||||
{{- end }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests", "issuers"]
|
||||
verbs: ["create", "delete", "deletecollection", "patch", "update"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates/status"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges", "orders"]
|
||||
verbs: ["create", "delete", "deletecollection", "patch", "update"]
|
||||
|
||||
---
|
||||
|
||||
# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cert-manager"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["signers"]
|
||||
verbs: ["approve"]
|
||||
resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cert-manager"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
||||
# Permission to:
|
||||
# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers
|
||||
# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cert-manager"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["certificates.k8s.io"]
|
||||
resources: ["certificatesigningrequests"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
- apiGroups: ["certificates.k8s.io"]
|
||||
resources: ["certificatesigningrequests/status"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: ["certificates.k8s.io"]
|
||||
resources: ["signers"]
|
||||
resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
|
||||
verbs: ["sign"]
|
||||
- apiGroups: ["authorization.k8s.io"]
|
||||
resources: ["subjectaccessreviews"]
|
||||
verbs: ["create"]
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cert-manager"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
kind: ServiceAccount
|
||||
{{- end }}
|
|
@ -0,0 +1,31 @@
|
|||
{{- if .Values.prometheus.enabled }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
{{- with .Values.serviceAnnotations }}
|
||||
annotations:
|
||||
{{ toYaml . | indent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceLabels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 9402
|
||||
name: tcp-prometheus-servicemonitor
|
||||
targetPort: {{ .Values.prometheus.servicemonitor.targetPort }}
|
||||
selector:
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- end }}
|
|
@ -0,0 +1,25 @@
|
|||
{{- if .Values.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
{{- with .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
|
||||
metadata:
|
||||
name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
{{- with .Values.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceAccount.labels }}
|
||||
{{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,39 @@
|
|||
{{- if and .Values.prometheus.enabled .Values.prometheus.servicemonitor.enabled }}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: ServiceMonitor
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}
|
||||
{{- if .Values.prometheus.servicemonitor.namespace }}
|
||||
namespace: {{ .Values.prometheus.servicemonitor.namespace }}
|
||||
{{- else }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
prometheus: {{ .Values.prometheus.servicemonitor.prometheusInstance }}
|
||||
{{- with .Values.prometheus.servicemonitor.labels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
jobLabel: {{ template "cert-manager.fullname" . }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ template "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- if .Values.prometheus.servicemonitor.namespace }}
|
||||
namespaceSelector:
|
||||
matchNames:
|
||||
- {{ .Release.Namespace }}
|
||||
{{- end }}
|
||||
endpoints:
|
||||
- targetPort: {{ .Values.prometheus.servicemonitor.targetPort }}
|
||||
path: {{ .Values.prometheus.servicemonitor.path }}
|
||||
interval: {{ .Values.prometheus.servicemonitor.interval }}
|
||||
scrapeTimeout: {{ .Values.prometheus.servicemonitor.scrapeTimeout }}
|
||||
honorLabels: {{ .Values.prometheus.servicemonitor.honorLabels }}
|
||||
{{- end }}
|
|
@ -0,0 +1,77 @@
|
|||
{{- if .Values.startupapicheck.enabled }}
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: {{ include "startupapicheck.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.startupapicheck.jobAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
backoffLimit: {{ .Values.startupapicheck.backoffLimit }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 8 }}
|
||||
{{- with .Values.startupapicheck.podLabels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
restartPolicy: OnFailure
|
||||
serviceAccountName: {{ template "startupapicheck.serviceAccountName" . }}
|
||||
{{- with .Values.global.priorityClassName }}
|
||||
priorityClassName: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.securityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
{{- with .Values.startupapicheck.image }}
|
||||
image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
|
||||
{{- end }}
|
||||
imagePullPolicy: {{ .Values.startupapicheck.image.pullPolicy }}
|
||||
args:
|
||||
- check
|
||||
- api
|
||||
- --wait={{ .Values.startupapicheck.timeout }}
|
||||
{{- with .Values.startupapicheck.extraArgs }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.resources }}
|
||||
resources:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,24 @@
|
|||
{{- if .Values.startupapicheck.enabled }}
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ template "startupapicheck.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.startupapicheck.rbac.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
rules:
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames:
|
||||
- {{ template "startupapicheck.fullname" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,26 @@
|
|||
{{- if .Values.startupapicheck.enabled }}
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "startupapicheck.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.startupapicheck.rbac.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "startupapicheck.fullname" . }}-psp
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "startupapicheck.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,51 @@
|
|||
{{- if .Values.startupapicheck.enabled }}
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ template "startupapicheck.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
annotations:
|
||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
||||
{{- if .Values.global.podSecurityPolicy.useAppArmor }}
|
||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.rbac.annotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
allowedCapabilities: [] # default set of capabilities are implicitly allowed
|
||||
volumes:
|
||||
- 'projected'
|
||||
- 'secret'
|
||||
hostNetwork: false
|
||||
hostIPC: false
|
||||
hostPID: false
|
||||
runAsUser:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
supplementalGroups:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
fsGroup:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,48 @@
|
|||
{{- if .Values.startupapicheck.enabled }}
|
||||
{{- if .Values.global.rbac.create }}
|
||||
# create certificate role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ template "startupapicheck.fullname" . }}:create-cert
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.startupapicheck.rbac.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates"]
|
||||
verbs: ["create"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "startupapicheck.fullname" . }}:create-cert
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.startupapicheck.rbac.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ template "startupapicheck.fullname" . }}:create-cert
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "startupapicheck.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,27 @@
|
|||
{{- if .Values.startupapicheck.enabled }}
|
||||
{{- if .Values.startupapicheck.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
automountServiceAccountToken: {{ .Values.startupapicheck.serviceAccount.automountServiceAccountToken }}
|
||||
metadata:
|
||||
name: {{ template "startupapicheck.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
{{- with .Values.startupapicheck.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.startupapicheck.serviceAccount.labels }}
|
||||
{{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,24 @@
|
|||
{{- if .Values.webhook.config -}}
|
||||
{{- if not .Values.webhook.config.apiVersion -}}
|
||||
{{- fail "webhook.config.apiVersion must be set" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if not .Values.webhook.config.kind -}}
|
||||
{{- fail "webhook.config.kind must be set" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ include "webhook.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
data:
|
||||
{{- if .Values.webhook.config }}
|
||||
config.yaml: |
|
||||
{{ .Values.webhook.config | toYaml | nindent 4 }}
|
||||
{{- end }}
|
|
@ -0,0 +1,153 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "webhook.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.webhook.deploymentAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
replicas: {{ .Values.webhook.replicaCount }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- with .Values.webhook.strategy }}
|
||||
strategy:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 8 }}
|
||||
{{- with .Values.webhook.podLabels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
serviceAccountName: {{ template "webhook.serviceAccountName" . }}
|
||||
{{- with .Values.global.priorityClassName }}
|
||||
priorityClassName: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.securityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.webhook.hostNetwork }}
|
||||
hostNetwork: true
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
{{- with .Values.webhook.image }}
|
||||
image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
|
||||
{{- end }}
|
||||
imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}
|
||||
args:
|
||||
{{- if .Values.global.logLevel }}
|
||||
- --v={{ .Values.global.logLevel }}
|
||||
{{- end }}
|
||||
{{- if .Values.webhook.config }}
|
||||
- --config=/var/cert-manager/config/config.yaml
|
||||
{{- end }}
|
||||
{{- $config := default .Values.webhook.config "" }}
|
||||
{{ if not $config.securePort -}}
|
||||
- --secure-port={{ .Values.webhook.securePort }}
|
||||
{{- end }}
|
||||
{{- $tlsConfig := default $config.tlsConfig "" }}
|
||||
{{ if or (not $config.tlsConfig) (and (not $tlsConfig.dynamic) (not $tlsConfig.filesystem) ) -}}
|
||||
- --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
|
||||
- --dynamic-serving-ca-secret-name={{ template "webhook.fullname" . }}-ca
|
||||
- --dynamic-serving-dns-names={{ template "webhook.fullname" . }},{{ template "webhook.fullname" . }}.{{ .Release.Namespace }},{{ template "webhook.fullname" . }}.{{ .Release.Namespace }}.svc{{ if .Values.webhook.url.host }},{{ .Values.webhook.url.host }}{{ end }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.extraArgs }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: https
|
||||
protocol: TCP
|
||||
{{- if $config.securePort }}
|
||||
containerPort: {{ $config.securePort }}
|
||||
{{- else if .Values.webhook.securePort }}
|
||||
containerPort: {{ .Values.webhook.securePort }}
|
||||
{{- else }}
|
||||
containerPort: 6443
|
||||
{{- end }}
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /livez
|
||||
{{- if $config.healthzPort }}
|
||||
port: {{ $config.healthzPort }}
|
||||
{{- else }}
|
||||
port: 6080
|
||||
{{- end }}
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: {{ .Values.webhook.livenessProbe.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.webhook.livenessProbe.periodSeconds }}
|
||||
timeoutSeconds: {{ .Values.webhook.livenessProbe.timeoutSeconds }}
|
||||
successThreshold: {{ .Values.webhook.livenessProbe.successThreshold }}
|
||||
failureThreshold: {{ .Values.webhook.livenessProbe.failureThreshold }}
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /healthz
|
||||
{{- if $config.healthzPort }}
|
||||
port: {{ $config.healthzPort }}
|
||||
{{- else }}
|
||||
port: 6080
|
||||
{{- end }}
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: {{ .Values.webhook.readinessProbe.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.webhook.readinessProbe.periodSeconds }}
|
||||
timeoutSeconds: {{ .Values.webhook.readinessProbe.timeoutSeconds }}
|
||||
successThreshold: {{ .Values.webhook.readinessProbe.successThreshold }}
|
||||
failureThreshold: {{ .Values.webhook.readinessProbe.failureThreshold }}
|
||||
{{- with .Values.webhook.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
{{- with .Values.webhook.resources }}
|
||||
resources:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.webhook.config }}
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /var/cert-manager/config
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.webhook.config }}
|
||||
volumes:
|
||||
- name: config
|
||||
configMap:
|
||||
name: {{ include "webhook.fullname" . }}
|
||||
{{- end }}
|
|
@ -0,0 +1,46 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1
|
||||
kind: MutatingWebhookConfiguration
|
||||
metadata:
|
||||
name: {{ include "webhook.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
annotations:
|
||||
cert-manager.io/inject-ca-from-secret: "{{ .Release.Namespace }}/{{ template "webhook.fullname" . }}-ca"
|
||||
{{- with .Values.webhook.mutatingWebhookConfigurationAnnotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
webhooks:
|
||||
- name: webhook.cert-manager.io
|
||||
rules:
|
||||
- apiGroups:
|
||||
- "cert-manager.io"
|
||||
- "acme.cert-manager.io"
|
||||
apiVersions:
|
||||
- "v1"
|
||||
operations:
|
||||
- CREATE
|
||||
- UPDATE
|
||||
resources:
|
||||
- "*/*"
|
||||
admissionReviewVersions: ["v1"]
|
||||
# This webhook only accepts v1 cert-manager resources.
|
||||
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
|
||||
# this webhook (after the resources have been converted to v1).
|
||||
matchPolicy: Equivalent
|
||||
timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
|
||||
failurePolicy: Fail
|
||||
# Only include 'sideEffects' field in Kubernetes 1.12+
|
||||
sideEffects: None
|
||||
clientConfig:
|
||||
{{- if .Values.webhook.url.host }}
|
||||
url: https://{{ .Values.webhook.url.host }}/mutate
|
||||
{{- else }}
|
||||
service:
|
||||
name: {{ template "webhook.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
path: /mutate
|
||||
{{- end }}
|
|
@ -0,0 +1,18 @@
|
|||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames:
|
||||
- {{ template "webhook.fullname" . }}
|
||||
{{- end }}
|
|
@ -0,0 +1,20 @@
|
|||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}-psp
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "webhook.fullname" . }}-psp
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "webhook.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end }}
|
|
@ -0,0 +1,54 @@
|
|||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
annotations:
|
||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
||||
{{- if .Values.global.podSecurityPolicy.useAppArmor }}
|
||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||
{{- end }}
|
||||
spec:
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
allowedCapabilities: [] # default set of capabilities are implicitly allowed
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'emptyDir'
|
||||
- 'projected'
|
||||
- 'secret'
|
||||
- 'downwardAPI'
|
||||
hostNetwork: {{ .Values.webhook.hostNetwork }}
|
||||
{{- if .Values.webhook.hostNetwork }}
|
||||
hostPorts:
|
||||
- max: {{ .Values.webhook.securePort }}
|
||||
min: {{ .Values.webhook.securePort }}
|
||||
{{- end }}
|
||||
hostIPC: false
|
||||
hostPID: false
|
||||
runAsUser:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
supplementalGroups:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
fsGroup:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
{{- end }}
|
|
@ -0,0 +1,83 @@
|
|||
{{- if .Values.global.rbac.create }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}:dynamic-serving
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
resourceNames:
|
||||
- '{{ template "webhook.fullname" . }}-ca'
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
# It's not possible to grant CREATE permission on a single resourceName.
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["create"]
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}:dynamic-serving
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ template "webhook.fullname" . }}:dynamic-serving
|
||||
subjects:
|
||||
- apiGroup: ""
|
||||
kind: ServiceAccount
|
||||
name: {{ template "webhook.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}:subjectaccessreviews
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["authorization.k8s.io"]
|
||||
resources: ["subjectaccessreviews"]
|
||||
verbs: ["create"]
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}:subjectaccessreviews
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "webhook.fullname" . }}:subjectaccessreviews
|
||||
subjects:
|
||||
- apiGroup: ""
|
||||
kind: ServiceAccount
|
||||
name: {{ template "webhook.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end }}
|
|
@ -0,0 +1,32 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
{{- with .Values.webhook.serviceAnnotations }}
|
||||
annotations:
|
||||
{{ toYaml . | indent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.webhook.serviceLabels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: {{ .Values.webhook.serviceType }}
|
||||
{{- with .Values.webhook.loadBalancerIP }}
|
||||
loadBalancerIP: {{ . }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: https
|
||||
port: 443
|
||||
protocol: TCP
|
||||
targetPort: "https"
|
||||
selector:
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
|
@ -0,0 +1,25 @@
|
|||
{{- if .Values.webhook.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
automountServiceAccountToken: {{ .Values.webhook.serviceAccount.automountServiceAccountToken }}
|
||||
metadata:
|
||||
name: {{ template "webhook.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
{{- with .Values.webhook.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.webhook.serviceAccount.labels }}
|
||||
{{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,55 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1
|
||||
kind: ValidatingWebhookConfiguration
|
||||
metadata:
|
||||
name: {{ include "webhook.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
annotations:
|
||||
cert-manager.io/inject-ca-from-secret: "{{ .Release.Namespace }}/{{ template "webhook.fullname" . }}-ca"
|
||||
{{- with .Values.webhook.validatingWebhookConfigurationAnnotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
webhooks:
|
||||
- name: webhook.cert-manager.io
|
||||
namespaceSelector:
|
||||
matchExpressions:
|
||||
- key: "cert-manager.io/disable-validation"
|
||||
operator: "NotIn"
|
||||
values:
|
||||
- "true"
|
||||
- key: "name"
|
||||
operator: "NotIn"
|
||||
values:
|
||||
- {{ .Release.Namespace }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- "cert-manager.io"
|
||||
- "acme.cert-manager.io"
|
||||
apiVersions:
|
||||
- "v1"
|
||||
operations:
|
||||
- CREATE
|
||||
- UPDATE
|
||||
resources:
|
||||
- "*/*"
|
||||
admissionReviewVersions: ["v1"]
|
||||
# This webhook only accepts v1 cert-manager resources.
|
||||
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
|
||||
# this webhook (after the resources have been converted to v1).
|
||||
matchPolicy: Equivalent
|
||||
timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
|
||||
failurePolicy: Fail
|
||||
sideEffects: None
|
||||
clientConfig:
|
||||
{{- if .Values.webhook.url.host }}
|
||||
url: https://{{ .Values.webhook.url.host }}/validate
|
||||
{{- else }}
|
||||
service:
|
||||
name: {{ template "webhook.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
path: /validate
|
||||
{{- end }}
|
|
@ -0,0 +1,543 @@
|
|||
# Default values for cert-manager.
|
||||
# This is a YAML-formatted file.
|
||||
# Declare variables to be passed into your templates.
|
||||
global:
|
||||
## Reference to one or more secrets to be used when pulling images
|
||||
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
|
||||
##
|
||||
imagePullSecrets: []
|
||||
# - name: "image-pull-secret"
|
||||
|
||||
# Optional priority class to be used for the cert-manager pods
|
||||
priorityClassName: ""
|
||||
rbac:
|
||||
create: true
|
||||
# Aggregate ClusterRoles to Kubernetes default user-facing roles. Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
|
||||
aggregateClusterRoles: true
|
||||
|
||||
podSecurityPolicy:
|
||||
enabled: false
|
||||
useAppArmor: true
|
||||
|
||||
# Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose.
|
||||
logLevel: 2
|
||||
|
||||
leaderElection:
|
||||
# Override the namespace used to store the ConfigMap for leader election
|
||||
namespace: "kube-system"
|
||||
|
||||
# The duration that non-leader candidates will wait after observing a
|
||||
# leadership renewal until attempting to acquire leadership of a led but
|
||||
# unrenewed leader slot. This is effectively the maximum duration that a
|
||||
# leader can be stopped before it is replaced by another candidate.
|
||||
# leaseDuration: 60s
|
||||
|
||||
# The interval between attempts by the acting master to renew a leadership
|
||||
# slot before it stops leading. This must be less than or equal to the
|
||||
# lease duration.
|
||||
# renewDeadline: 40s
|
||||
|
||||
# The duration the clients should wait between attempting acquisition and
|
||||
# renewal of a leadership.
|
||||
# retryPeriod: 15s
|
||||
|
||||
installCRDs: false
|
||||
|
||||
replicaCount: 1
|
||||
|
||||
strategy: {}
|
||||
# type: RollingUpdate
|
||||
# rollingUpdate:
|
||||
# maxSurge: 0
|
||||
# maxUnavailable: 1
|
||||
|
||||
# Comma separated list of feature gates that should be enabled on the
|
||||
# controller pod.
|
||||
featureGates: ""
|
||||
|
||||
image:
|
||||
repository: quay.io/jetstack/cert-manager-controller
|
||||
# You can manage a registry with
|
||||
# registry: quay.io
|
||||
# repository: jetstack/cert-manager-controller
|
||||
|
||||
# Override the image tag to deploy by setting this variable.
|
||||
# If no value is set, the chart's appVersion will be used.
|
||||
# tag: canary
|
||||
|
||||
# Setting a digest will override any tag
|
||||
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
# Override the namespace used to store DNS provider credentials etc. for ClusterIssuer
|
||||
# resources. By default, the same namespace as cert-manager is deployed within is
|
||||
# used. This namespace will not be automatically created by the Helm chart.
|
||||
clusterResourceNamespace: ""
|
||||
|
||||
serviceAccount:
|
||||
# Specifies whether a service account should be created
|
||||
create: true
|
||||
# The name of the service account to use.
|
||||
# If not set and create is true, a name is generated using the fullname template
|
||||
# name: ""
|
||||
# Optional additional annotations to add to the controller's ServiceAccount
|
||||
# annotations: {}
|
||||
# Automount API credentials for a Service Account.
|
||||
# Optional additional labels to add to the controller's ServiceAccount
|
||||
# labels: {}
|
||||
automountServiceAccountToken: true
|
||||
|
||||
# Additional command line flags to pass to cert-manager controller binary.
|
||||
# To see all available flags run docker run quay.io/jetstack/cert-manager-controller:<version> --help
|
||||
extraArgs: []
|
||||
# When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted
|
||||
# - --enable-certificate-owner-ref=true
|
||||
# Use this flag to enabled or disable arbitrary controllers, for example, disable the CertificiateRequests approver
|
||||
# - --controllers=*,-certificaterequests-approver
|
||||
|
||||
extraEnv: []
|
||||
# - name: SOME_VAR
|
||||
# value: 'some value'
|
||||
|
||||
resources: {}
|
||||
# requests:
|
||||
# cpu: 10m
|
||||
# memory: 32Mi
|
||||
|
||||
# Pod Security Context
|
||||
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
# legacy securityContext parameter format: if enabled is set to true, only fsGroup and runAsUser are supported
|
||||
# securityContext:
|
||||
# enabled: false
|
||||
# fsGroup: 1001
|
||||
# runAsUser: 1001
|
||||
# to support additional securityContext parameters, omit the `enabled` parameter and simply specify the parameters
|
||||
# you want to set, e.g.
|
||||
# securityContext:
|
||||
# fsGroup: 1000
|
||||
# runAsUser: 1000
|
||||
# runAsNonRoot: true
|
||||
|
||||
# Container Security Context to be set on the controller component container
|
||||
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
# capabilities:
|
||||
# drop:
|
||||
# - ALL
|
||||
# readOnlyRootFilesystem: true
|
||||
# runAsNonRoot: true
|
||||
|
||||
|
||||
volumes: []
|
||||
|
||||
volumeMounts: []
|
||||
|
||||
# Optional additional annotations to add to the controller Deployment
|
||||
# deploymentAnnotations: {}
|
||||
|
||||
# Optional additional annotations to add to the controller Pods
|
||||
# podAnnotations: {}
|
||||
|
||||
podLabels: {}
|
||||
|
||||
# Optional annotations to add to the controller Service
|
||||
# serviceAnnotations: {}
|
||||
|
||||
# Optional additional labels to add to the controller Service
|
||||
# serviceLabels: {}
|
||||
|
||||
# Optional DNS settings, useful if you have a public and private DNS zone for
|
||||
# the same domain on Route 53. What follows is an example of ensuring
|
||||
# cert-manager can access an ingress or DNS TXT records at all times.
|
||||
# NOTE: This requires Kubernetes 1.10 or `CustomPodDNS` feature gate enabled for
|
||||
# the cluster to work.
|
||||
# podDnsPolicy: "None"
|
||||
# podDnsConfig:
|
||||
# nameservers:
|
||||
# - "1.1.1.1"
|
||||
# - "8.8.8.8"
|
||||
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
|
||||
ingressShim: {}
|
||||
# defaultIssuerName: ""
|
||||
# defaultIssuerKind: ""
|
||||
# defaultIssuerGroup: ""
|
||||
|
||||
prometheus:
|
||||
enabled: true
|
||||
servicemonitor:
|
||||
enabled: false
|
||||
prometheusInstance: default
|
||||
targetPort: 9402
|
||||
path: /metrics
|
||||
interval: 60s
|
||||
scrapeTimeout: 30s
|
||||
labels: {}
|
||||
honorLabels: false
|
||||
|
||||
# Use these variables to configure the HTTP_PROXY environment variables
|
||||
# http_proxy: "http://proxy:8080"
|
||||
# https_proxy: "https://proxy:8080"
|
||||
# no_proxy: 127.0.0.1,localhost
|
||||
|
||||
# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#affinity-v1-core
|
||||
# for example:
|
||||
# affinity:
|
||||
# nodeAffinity:
|
||||
# requiredDuringSchedulingIgnoredDuringExecution:
|
||||
# nodeSelectorTerms:
|
||||
# - matchExpressions:
|
||||
# - key: foo.bar.com/role
|
||||
# operator: In
|
||||
# values:
|
||||
# - master
|
||||
affinity: {}
|
||||
|
||||
# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#toleration-v1-core
|
||||
# for example:
|
||||
# tolerations:
|
||||
# - key: foo.bar.com/role
|
||||
# operator: Equal
|
||||
# value: master
|
||||
# effect: NoSchedule
|
||||
tolerations: []
|
||||
|
||||
webhook:
|
||||
replicaCount: 1
|
||||
timeoutSeconds: 10
|
||||
|
||||
# Used to configure options for the webhook pod.
|
||||
# This allows setting options that'd usually be provided via flags.
|
||||
# An APIVersion and Kind must be specified in your values.yaml file.
|
||||
# Flags will override options that are set here.
|
||||
config:
|
||||
# apiVersion: webhook.config.cert-manager.io/v1alpha1
|
||||
# kind: WebhookConfiguration
|
||||
|
||||
# The port that the webhook should listen on for requests.
|
||||
# In GKE private clusters, by default kubernetes apiservers are allowed to
|
||||
# talk to the cluster nodes only on 443 and 10250. so configuring
|
||||
# securePort: 10250, will work out of the box without needing to add firewall
|
||||
# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000.
|
||||
# This should be uncommented and set as a default by the chart once we graduate
|
||||
# the apiVersion of WebhookConfiguration past v1alpha1.
|
||||
# securePort: 10250
|
||||
|
||||
strategy: {}
|
||||
# type: RollingUpdate
|
||||
# rollingUpdate:
|
||||
# maxSurge: 0
|
||||
# maxUnavailable: 1
|
||||
|
||||
# Pod Security Context to be set on the webhook component Pod
|
||||
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
|
||||
# Container Security Context to be set on the webhook component container
|
||||
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
# capabilities:
|
||||
# drop:
|
||||
# - ALL
|
||||
# readOnlyRootFilesystem: true
|
||||
# runAsNonRoot: true
|
||||
|
||||
# Optional additional annotations to add to the webhook Deployment
|
||||
# deploymentAnnotations: {}
|
||||
|
||||
# Optional additional annotations to add to the webhook Pods
|
||||
# podAnnotations: {}
|
||||
|
||||
# Optional additional annotations to add to the webhook Service
|
||||
# serviceAnnotations: {}
|
||||
|
||||
# Optional additional annotations to add to the webhook MutatingWebhookConfiguration
|
||||
# mutatingWebhookConfigurationAnnotations: {}
|
||||
|
||||
# Optional additional annotations to add to the webhook ValidatingWebhookConfiguration
|
||||
# validatingWebhookConfigurationAnnotations: {}
|
||||
|
||||
# Additional command line flags to pass to cert-manager webhook binary.
|
||||
# To see all available flags run docker run quay.io/jetstack/cert-manager-webhook:<version> --help
|
||||
extraArgs: []
|
||||
# Path to a file containing a WebhookConfiguration object used to configure the webhook
|
||||
# - --config=<path-to-config-file>
|
||||
|
||||
resources: {}
|
||||
# requests:
|
||||
# cpu: 10m
|
||||
# memory: 32Mi
|
||||
|
||||
## Liveness and readiness probe values
|
||||
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
|
||||
##
|
||||
livenessProbe:
|
||||
failureThreshold: 3
|
||||
initialDelaySeconds: 60
|
||||
periodSeconds: 10
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 1
|
||||
readinessProbe:
|
||||
failureThreshold: 3
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 5
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 1
|
||||
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
|
||||
affinity: {}
|
||||
|
||||
tolerations: []
|
||||
|
||||
# Optional additional labels to add to the Webhook Pods
|
||||
podLabels: {}
|
||||
|
||||
# Optional additional labels to add to the Webhook Service
|
||||
serviceLabels: {}
|
||||
|
||||
image:
|
||||
repository: quay.io/jetstack/cert-manager-webhook
|
||||
# You can manage a registry with
|
||||
# registry: quay.io
|
||||
# repository: jetstack/cert-manager-webhook
|
||||
|
||||
# Override the image tag to deploy by setting this variable.
|
||||
# If no value is set, the chart's appVersion will be used.
|
||||
# tag: canary
|
||||
|
||||
# Setting a digest will override any tag
|
||||
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
|
||||
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
serviceAccount:
|
||||
# Specifies whether a service account should be created
|
||||
create: true
|
||||
# The name of the service account to use.
|
||||
# If not set and create is true, a name is generated using the fullname template
|
||||
# name: ""
|
||||
# Optional additional annotations to add to the controller's ServiceAccount
|
||||
# annotations: {}
|
||||
# Optional additional labels to add to the webhook's ServiceAccount
|
||||
# labels: {}
|
||||
# Automount API credentials for a Service Account.
|
||||
automountServiceAccountToken: true
|
||||
|
||||
# The port that the webhook should listen on for requests.
|
||||
# In GKE private clusters, by default kubernetes apiservers are allowed to
|
||||
# talk to the cluster nodes only on 443 and 10250. so configuring
|
||||
# securePort: 10250, will work out of the box without needing to add firewall
|
||||
# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000
|
||||
securePort: 10250
|
||||
|
||||
# Specifies if the webhook should be started in hostNetwork mode.
|
||||
#
|
||||
# Required for use in some managed kubernetes clusters (such as AWS EKS) with custom
|
||||
# CNI (such as calico), because control-plane managed by AWS cannot communicate
|
||||
# with pods' IP CIDR and admission webhooks are not working
|
||||
#
|
||||
# Since the default port for the webhook conflicts with kubelet on the host
|
||||
# network, `webhook.securePort` should be changed to an available port if
|
||||
# running in hostNetwork mode.
|
||||
hostNetwork: false
|
||||
|
||||
# Specifies how the service should be handled. Useful if you want to expose the
|
||||
# webhook to outside of the cluster. In some cases, the control plane cannot
|
||||
# reach internal services.
|
||||
serviceType: ClusterIP
|
||||
# loadBalancerIP:
|
||||
|
||||
# Overrides the mutating webhook and validating webhook so they reach the webhook
|
||||
# service using the `url` field instead of a service.
|
||||
url: {}
|
||||
# host:
|
||||
|
||||
cainjector:
|
||||
enabled: true
|
||||
replicaCount: 1
|
||||
|
||||
strategy: {}
|
||||
# type: RollingUpdate
|
||||
# rollingUpdate:
|
||||
# maxSurge: 0
|
||||
# maxUnavailable: 1
|
||||
|
||||
# Pod Security Context to be set on the cainjector component Pod
|
||||
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
|
||||
# Container Security Context to be set on the cainjector component container
|
||||
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
# capabilities:
|
||||
# drop:
|
||||
# - ALL
|
||||
# readOnlyRootFilesystem: true
|
||||
# runAsNonRoot: true
|
||||
|
||||
|
||||
# Optional additional annotations to add to the cainjector Deployment
|
||||
# deploymentAnnotations: {}
|
||||
|
||||
# Optional additional annotations to add to the cainjector Pods
|
||||
# podAnnotations: {}
|
||||
|
||||
# Additional command line flags to pass to cert-manager cainjector binary.
|
||||
# To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector:<version> --help
|
||||
extraArgs: []
|
||||
# Enable profiling for cainjector
|
||||
# - --enable-profiling=true
|
||||
|
||||
resources: {}
|
||||
# requests:
|
||||
# cpu: 10m
|
||||
# memory: 32Mi
|
||||
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
|
||||
affinity: {}
|
||||
|
||||
tolerations: []
|
||||
|
||||
# Optional additional labels to add to the CA Injector Pods
|
||||
podLabels: {}
|
||||
|
||||
image:
|
||||
repository: quay.io/jetstack/cert-manager-cainjector
|
||||
# You can manage a registry with
|
||||
# registry: quay.io
|
||||
# repository: jetstack/cert-manager-cainjector
|
||||
|
||||
# Override the image tag to deploy by setting this variable.
|
||||
# If no value is set, the chart's appVersion will be used.
|
||||
# tag: canary
|
||||
|
||||
# Setting a digest will override any tag
|
||||
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
|
||||
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
serviceAccount:
|
||||
# Specifies whether a service account should be created
|
||||
create: true
|
||||
# The name of the service account to use.
|
||||
# If not set and create is true, a name is generated using the fullname template
|
||||
# name: ""
|
||||
# Optional additional annotations to add to the controller's ServiceAccount
|
||||
# annotations: {}
|
||||
# Automount API credentials for a Service Account.
|
||||
# Optional additional labels to add to the cainjector's ServiceAccount
|
||||
# labels: {}
|
||||
automountServiceAccountToken: true
|
||||
|
||||
# This startupapicheck is a Helm post-install hook that waits for the webhook
|
||||
# endpoints to become available.
|
||||
# The check is implemented using a Kubernetes Job- if you are injecting mesh
|
||||
# sidecar proxies into cert-manager pods, you probably want to ensure that they
|
||||
# are not injected into this Job's pod. Otherwise the installation may time out
|
||||
# due to the Job never being completed because the sidecar proxy does not exit.
|
||||
# See https://github.com/cert-manager/cert-manager/pull/4414 for context.
|
||||
startupapicheck:
|
||||
enabled: true
|
||||
|
||||
# Pod Security Context to be set on the startupapicheck component Pod
|
||||
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
|
||||
# Container Security Context to be set on the controller component container
|
||||
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
# capabilities:
|
||||
# drop:
|
||||
# - ALL
|
||||
# readOnlyRootFilesystem: true
|
||||
# runAsNonRoot: true
|
||||
|
||||
# Timeout for 'kubectl check api' command
|
||||
timeout: 1m
|
||||
|
||||
# Job backoffLimit
|
||||
backoffLimit: 4
|
||||
|
||||
# Optional additional annotations to add to the startupapicheck Job
|
||||
jobAnnotations:
|
||||
helm.sh/hook: post-install
|
||||
helm.sh/hook-weight: "1"
|
||||
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
|
||||
|
||||
# Optional additional annotations to add to the startupapicheck Pods
|
||||
# podAnnotations: {}
|
||||
|
||||
# Additional command line flags to pass to startupapicheck binary.
|
||||
# To see all available flags run docker run quay.io/jetstack/cert-manager-ctl:<version> --help
|
||||
extraArgs: []
|
||||
|
||||
resources: {}
|
||||
# requests:
|
||||
# cpu: 10m
|
||||
# memory: 32Mi
|
||||
|
||||
nodeSelector: {}
|
||||
|
||||
affinity: {}
|
||||
|
||||
tolerations: []
|
||||
|
||||
# Optional additional labels to add to the startupapicheck Pods
|
||||
podLabels: {}
|
||||
|
||||
image:
|
||||
repository: quay.io/jetstack/cert-manager-ctl
|
||||
# You can manage a registry with
|
||||
# registry: quay.io
|
||||
# repository: jetstack/cert-manager-ctl
|
||||
|
||||
# Override the image tag to deploy by setting this variable.
|
||||
# If no value is set, the chart's appVersion will be used.
|
||||
# tag: canary
|
||||
|
||||
# Setting a digest will override any tag
|
||||
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
|
||||
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
rbac:
|
||||
# annotations for the startup API Check job RBAC and PSP resources
|
||||
annotations:
|
||||
helm.sh/hook: post-install
|
||||
helm.sh/hook-weight: "-5"
|
||||
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
|
||||
|
||||
serviceAccount:
|
||||
# Specifies whether a service account should be created
|
||||
create: true
|
||||
|
||||
# The name of the service account to use.
|
||||
# If not set and create is true, a name is generated using the fullname template
|
||||
# name: ""
|
||||
|
||||
# Optional additional annotations to add to the Job's ServiceAccount
|
||||
annotations:
|
||||
helm.sh/hook: post-install
|
||||
helm.sh/hook-weight: "-5"
|
||||
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
|
||||
|
||||
# Automount API credentials for a Service Account.
|
||||
automountServiceAccountToken: true
|
||||
|
||||
# Optional additional labels to add to the startupapicheck's ServiceAccount
|
||||
# labels: {}
|
|
@ -49,3 +49,20 @@ nodeSelector: {}
|
|||
tolerations: []
|
||||
|
||||
affinity: {}
|
||||
|
||||
cert-manager:
|
||||
enabled: false
|
||||
|
||||
serviceAccount:
|
||||
name: "cert-manager"
|
||||
|
||||
cainjector:
|
||||
serviceAccount:
|
||||
name: "cert-manager-cainjector"
|
||||
|
||||
webhook:
|
||||
serviceAccount:
|
||||
name: "cert-manager-webhook"
|
||||
|
||||
startupapicheck:
|
||||
enabled: false
|
||||
|
|
Loading…
Reference in New Issue