Bitnami/charts
2
0
Fork 0
mirror of https://github.com/bitnami/charts.git synced 2026-03-06 06:58:50 +08:00
Code Issues Packages Projects Releases Wiki Activity

[bitnami/cert-manager] Include Cert Manager (#6271)

Browse Source 
* [bitnami/cert-manager] Include Cert Manager

* Fix Chart.yaml

* Include CRDs

* Modify cert manager chart to include the changes requested

- Modify certManager name to certmanager inside _helpers.tpl
- Modify category from Infrastructure to CertificateAuthority
- Change apiVersion to V2
- Include new keywords suggestion
- Complete values.yaml with values forgotten (modified controller, webhook and cainjector values.yaml sections)
- Modify values.yaml Readmenator correct structure
- Move logLevel and leaderElection namespace to common section
- Change prometheus section to metric
- Include quotes in all the namespaces
- Include Custom https port key for the webhook service
- Allow custom service name in our serviceaccount yamls.
- Move all controller files from template to template/controller

* Modify cert manager chart to include the new round of changes requested

- Remove extra space inside Chart.yaml
- Remove unneeded comments inside values.yaml
- Include replicaCount in each component inside the cert manager (controller, webhook and cainjector).
- Moved RBAC parameters to "Other parameters" section
- Added generic comment to reference Bitnami image
- Remove customStartupProbe, customLivenessProbe and customReadinessProbe in controller and cainjector.
- Set up prometheus port dinamically inside the ServiceMonitor and values.yaml
- Remove yamllint unneeded comments
- Include validateValues function
- Modify the README TIPOs and include new values.yaml changes.

* Commit unneeded global section

* Missing starting space in global comment

* Restore global values

* Modify cert manager chart to include the changes requested

 - Include NOTES.txt
 - Delete '---' lines inside service files
 - Modify service names
 - Include targetPort in ServiceMonitor
 - Set up port number instead of controller label in service monitor to make it works

* [bitnami/cert-manager] Update components versions

Signed-off-by: Bitnami Containers <containers@bitnami.com>

Co-authored-by: Bitnami Containers <containers@bitnami.com>
This commit is contained in:
alvneiayu
2021-05-18 16:48:28 +02:00
committed by GitHub
parent c0544b4be0
commit 35d81616db
26 changed files with 16939 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
bitnami/cert-manager/.helmignore Normal file
View File

@@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

6
bitnami/cert-manager/Chart.lock Normal file
View File

@@ -0,0 +1,6 @@
dependencies:
- name: common
repository: https://charts.bitnami.com/bitnami
version: 1.5.1
digest: sha256:d3e338772e7d4eca307e5eb080525d244a57e2eb26fd6787cb72b2bf5dbe848e
generated: "2021-05-18T12:40:50.795097501Z"

29
bitnami/cert-manager/Chart.yaml Normal file
View File

@@ -0,0 +1,29 @@
annotations:
category: CertificateAuthority
apiVersion: v2
appVersion: 1.3.1
dependencies:
- name: common
repository: https://charts.bitnami.com/bitnami
tags:
- bitnami-common
version: 1.x.x
description: Cert Manager is a Kubernetes add-on to automate the management and issuance of TLS certificates from various issuing sources.
engine: gotpl
home: https://github.com/jetstack/cert-manager
icon: https://bitnami.com/assets/stacks/cert-manager/img/cert-manager-stack-220x234.png
keywords:
- go
- security
- tls
- certificate
maintainers:
- email: containers@bitnami.com
name: Bitnami
name: cert-manager
sources:
- https://github.com/bitnami/bitnami-docker-cert-manager
- https://github.com/bitnami/bitnami-docker-cert-manager-webhook
- https://github.com/bitnami/bitnami-docker-cainjector
- https://github.com/jetstack/cert-manager
version: 0.1.0

337
bitnami/cert-manager/README.md Normal file
View File

@@ -0,0 +1,337 @@
# Cert Manager
[cert-manager](https://cert-manager.io/) is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Lets Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self signed.
## TL;DR
```console
$ helm repo add bitnami https://charts.bitnami.com/bitnami
$ helm install my-release bitnami/cert-manager
```
## Introduction
Bitnami charts for Helm are carefully engineered, actively maintained and are the quickest and easiest way to deploy containers on a Kubernetes cluster that are ready to handle production workloads.
This chart bootstraps a [cert-manager](https://cert-manager.io/) Deployment in a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of [Bitnami Kubernetes Production Runtime](https://kubeprod.io/) (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications.
## Prerequisites
- Kubernetes 1.12+
- Helm 3.1.0
- PV provisioner support in the underlying infrastructure
## Installing the Chart
To install the chart with the release name `my-release`:
```console
$ helm repo add bitnami https://charts.bitnami.com/bitnami
$ helm install my-release bitnami/cert-manager
```
> **Tip**: List all releases using `helm list`
## Uninstalling the Chart
To uninstall/delete the `my-release` helm release:
```console
$ helm uninstall my-release
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
## Parameters
### Global parameters
| Name | Description | Value |
| ------------------------- | ----------------------------------------------- | ----------- |
| `global.imageRegistry` | Global Docker image registry | `nil` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `undefined` |
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `nil` |
### Common parameters
| Name | Description | Value |
| -------------------------- | -------------------------------------------------- | ------------- |
| `kubeVersion` | Override Kubernetes version | `nil` |
| `nameOverride` | String to partially override common.names.fullname | `nil` |
| `fullnameOverride` | String to fully override common.names.fullname | `nil` |
| `commonLabels` | Labels to add to all deployed objects | `undefined` |
| `commonAnnotations` | Annotations to add to all deployed objects | `undefined` |
| `extraDeploy` | Array of extra objects to deploy with the release | `undefined` |
| `logLevel` | Set up cert manager log level | `2` |
| `leaderElection.namespace` | Namespace which leaderElection works. | `kube-system` |
| `installCRDs` | Flag to install Cert Manager CRDs | `false` |
| `replicaCount` | Number of Cert Manager replicas | `1` |
### Controller deployment parameters
| Name | Description | Value |
| -------------------------------------------------- | ---------------------------------------------------------------------------------------------------- | ---------------------- |
| `controller.replicaCount` | Number of Controller replicas | `1` |
| `controller.image.registry` | Controller image registry | `docker.io` |
| `controller.image.repository` | Controller image repository | `bitnami/cert-manager` |
| `controller.image.tag` | Controller image tag (immutabe tags are recommended) | `1.3.1-debian-10-r10` |
| `controller.image.pullPolicy` | Controller image pull policy | `IfNotPresent` |
| `controller.image.pullSecrets` | Controller image pull secrets | `undefined` |
| `controller.image.debug` | Controller image debug mode | `false` |
| `controller.acmesolver.image.registry` | Controller image registry | `docker.io` |
| `controller.acmesolver.image.repository` | Controller image repository | `bitnami/acme-solver` |
| `controller.acmesolver.image.tag` | Controller image tag (immutabe tags are recommended) | `1.3.1-debian-10-r10` |
| `controller.acmesolver.image.pullPolicy` | Controller image pull policy | `IfNotPresent` |
| `controller.acmesolver.image.pullSecrets` | Controller image pull secrets | `undefined` |
| `controller.acmesolver.image.debug` | Controller image debug mode | `false` |
| `controller.resources.limits` | The resources limits for the Controller container | `undefined` |
| `controller.resources.requests` | The requested resources for the Controller container | `undefined` |
| `controller.podSecurityContext.enabled` | Enabled Controller pods' Security Context | `true` |
| `controller.podSecurityContext.fsGroup` | Set Controller pod's Security Context fsGroup | `1001` |
| `controller.containerSecurityContext.enabled` | Enabled Controller containers' Security Context | `true` |
| `controller.containerSecurityContext.runAsUser` | Set Controller container's Security Context runAsUser | `1001` |
| `controller.containerSecurityContext.runAsNonRoot` | Set Controller container's Security Context runAsNonRoot | `true` |
| `controller.podAffinityPreset` | Pod affinity preset. Ignored if `controller.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `controller.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `controller.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `controller.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `controller.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `controller.nodeAffinityPreset.key` | Node label key to match. Ignored if `controller.affinity` is set | `""` |
| `controller.nodeAffinityPreset.values` | Node label values to match. Ignored if `controller.affinity` is set | `undefined` |
| `controller.affinity` | Affinity for Cert Manager Controller | `undefined` |
| `controller.nodeSelector` | Node labels for pod assignment | `undefined` |
| `controller.containerPort` | Controller container port | `9402` |
| `controller.command` | Override Controller default command | `undefined` |
| `controller.args` | Override Controller default args | `undefined` |
| `controller.priorityClassName` | Controller pod priority class name | `nil` |
| `controller.hostAliases` | Custom host aliases for Controller pods | `undefined` |
| `controller.tolerations` | Tolerations for pod assignment | `undefined` |
| `controller.podLabels` | Extra labels for Controller pods | `undefined` |
| `controller.podAnnotations` | Annotations for Controller pods | `undefined` |
| `controller.lifecycleHooks` | Add lifecycle hooks to the Controller deployment | `undefined` |
| `controller.updateStrategy.type` | Controller deployment update strategy | `RollingUpdate` |
| `controller.updateStrategy.rollingUpdate` | Controller deployment rolling update configuration parameters | `undefined` |
| `controller.extraEnvVars` | Add extra environment variables to the Controller container | `undefined` |
| `controller.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `nil` |
| `controller.extraEnvVarsSecret` | Name of existing Secret containing extra env vars | `nil` |
| `controller.extraVolumes` | Optionally specify extra list of additional volumes for Controller pods | `undefined` |
| `controller.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for Controller container(s) | `undefined` |
| `controller.initContainers` | Add additional init containers to the Controller pods | `undefined` |
| `controller.sidecars` | Add additional sidecar containers to the Controller pod | `undefined` |
| `controller.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
| `controller.serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
| `controller.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `undefined` |
### Webhook deployment parameters
| Name | Description | Value |
| ----------------------------------------------- | ------------------------------------------------------------------------------------------------- | ------------------------------ |
| `webhook.replicaCount` | Number of Webhook replicas | `1` |
| `webhook.image.registry` | Webhook image registry | `docker.io` |
| `webhook.image.repository` | Webhook image repository | `bitnami/cert-manager-webhook` |
| `webhook.image.tag` | Webhook image tag (immutabe tags are recommended) | `1.3.1-debian-10-r2` |
| `webhook.image.pullPolicy` | Webhook image pull policy | `IfNotPresent` |
| `webhook.image.pullSecrets` | Webhook image pull secrets | `undefined` |
| `webhook.image.debug` | Webhook image debug mode | `false` |
| `webhook.resources.limits` | The resources limits for the Webhook container | `undefined` |
| `webhook.resources.requests` | The requested resources for the Webhook container | `undefined` |
| `webhook.podSecurityContext.enabled` | Enabled Webhook pods' Security Context | `true` |
| `webhook.podSecurityContext.fsGroup` | Set Webhook pod's Security Context fsGroup | `1001` |
| `webhook.containerSecurityContext.enabled` | Enabled Webhook containers' Security Context | `true` |
| `webhook.containerSecurityContext.runAsUser` | Set Webhook container's Security Context runAsUser | `1001` |
| `webhook.containerSecurityContext.runAsNonRoot` | Set Webhook container's Security Context runAsNonRoot | `true` |
| `webhook.podAffinityPreset` | Pod affinity preset. Ignored if `webhook.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `webhook.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `webhook.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `webhook.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `webhook.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `webhook.nodeAffinityPreset.key` | Node label key to match. Ignored if `webhook.affinity` is set | `""` |
| `webhook.nodeAffinityPreset.values` | Node label values to match. Ignored if `webhook.affinity` is set | `undefined` |
| `webhook.affinity` | Affinity for Cert Manager Webhook | `undefined` |
| `webhook.nodeSelector` | Node labels for pod assignment | `undefined` |
| `webhook.containerPort` | Webhook container port | `10250` |
| `webhook.httpsPort` | Webhook container port | `443` |
| `webhook.command` | Override Webhook default command | `undefined` |
| `webhook.args` | Override Webhook default args | `undefined` |
| `webhook.livenessProbe.enabled` | Enable livenessProbe | `true` |
| `webhook.livenessProbe.path` | Path for livenessProbe | `/livez` |
| `webhook.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` |
| `webhook.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `webhook.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` |
| `webhook.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` |
| `webhook.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `webhook.readinessProbe.enabled` | Enable readinessProbe | `true` |
| `webhook.readinessProbe.path` | Path for readinessProbe | `/healthz` |
| `webhook.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
| `webhook.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
| `webhook.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
| `webhook.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
| `webhook.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `webhook.customStartupProbe` | Override default startup probe | `undefined` |
| `webhook.customLivenessProbe` | Override default liveness probe | `undefined` |
| `webhook.customReadinessProbe` | Override default readiness probe | `undefined` |
| `webhook.priorityClassName` | Webhook pod priority class name | `nil` |
| `webhook.hostAliases` | Custom host aliases for Webhook pods | `undefined` |
| `webhook.tolerations` | Tolerations for pod assignment | `undefined` |
| `webhook.podLabels` | Extra labels for Webhook pods | `undefined` |
| `webhook.podAnnotations` | Annotations for Webhook pods | `undefined` |
| `webhook.lifecycleHooks` | Add lifecycle hooks to the Webhook deployment | `undefined` |
| `webhook.updateStrategy.type` | Webhook deployment update strategy | `RollingUpdate` |
| `webhook.updateStrategy.rollingUpdate` | Controller deployment rolling update configuration parameters | `undefined` |
| `webhook.extraEnvVars` | Add extra environment variables to the Webhook container | `undefined` |
| `webhook.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `nil` |
| `webhook.extraEnvVarsSecret` | Name of existing Secret containing extra env vars | `nil` |
| `webhook.extraVolumes` | Optionally specify extra list of additional volumes for Webhook pods | `undefined` |
| `webhook.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for Webhook container(s) | `undefined` |
| `webhook.initContainers` | Add additional init containers to the Webhook pods | `undefined` |
| `webhook.sidecars` | Add additional sidecar containers to the Webhook pod | `undefined` |
| `webhook.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
| `webhook.serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
| `webhook.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `undefined` |
### CAInjector deployment parameters
| Name | Description | Value |
| -------------------------------------------------- | ---------------------------------------------------------------------------------------------------- | -------------------- |
| `cainjector.replicaCount` | Number of CAInjector replicas | `1` |
| `cainjector.image.registry` | CAInjector image registry | `docker.io` |
| `cainjector.image.repository` | CAInjector image repository | `bitnami/cainjector` |
| `cainjector.image.tag` | CAInjector image tag (immutabe tags are recommended) | `1.3.1-debian-10-r2` |
| `cainjector.image.pullPolicy` | CAInjector image pull policy | `IfNotPresent` |
| `cainjector.image.pullSecrets` | CAInjector image pull secrets | `undefined` |
| `cainjector.image.debug` | CAInjector image debug mode | `false` |
| `cainjector.resources.limits` | The resources limits for the CAInjector container | `undefined` |
| `cainjector.resources.requests` | The requested resources for the CAInjector container | `undefined` |
| `cainjector.podSecurityContext.enabled` | Enabled CAInjector pods' Security Context | `true` |
| `cainjector.podSecurityContext.fsGroup` | Set CAInjector pod's Security Context fsGroup | `1001` |
| `cainjector.containerSecurityContext.enabled` | Enabled CAInjector containers' Security Context | `true` |
| `cainjector.containerSecurityContext.runAsUser` | Set CAInjector container's Security Context runAsUser | `1001` |
| `cainjector.containerSecurityContext.runAsNonRoot` | Set CAInjector container's Security Context runAsNonRoot | `true` |
| `cainjector.podAffinityPreset` | Pod affinity preset. Ignored if `cainjector.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `cainjector.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `cainjector.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `cainjector.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `cainjector.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `cainjector.nodeAffinityPreset.key` | Node label key to match. Ignored if `cainjector.affinity` is set | `""` |
| `cainjector.nodeAffinityPreset.values` | Node label values to match. Ignored if `cainjector.affinity` is set | `undefined` |
| `cainjector.affinity` | Affinity for Cert Manager CAInjector | `undefined` |
| `cainjector.nodeSelector` | Node labels for pod assignment | `undefined` |
| `cainjector.command` | Override CAInjector default command | `undefined` |
| `cainjector.args` | Override CAInjector default args | `undefined` |
| `cainjector.priorityClassName` | CAInjector pod priority class name | `nil` |
| `cainjector.hostAliases` | Custom host aliases for CAInjector pods | `undefined` |
| `cainjector.tolerations` | Tolerations for pod assignment | `undefined` |
| `cainjector.podLabels` | Extra labels for CAInjector pods | `undefined` |
| `cainjector.podAnnotations` | Annotations for CAInjector pods | `undefined` |
| `cainjector.lifecycleHooks` | Add lifecycle hooks to the CAInjector deployment | `undefined` |
| `cainjector.updateStrategy.type` | Controller deployment update strategy | `RollingUpdate` |
| `cainjector.updateStrategy.rollingUpdate` | Controller deployment rolling update configuration parameters | `undefined` |
| `cainjector.extraEnvVars` | Add extra environment variables to the CAInjector container | `undefined` |
| `cainjector.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `nil` |
| `cainjector.extraEnvVarsSecret` | Name of existing Secret containing extra env vars | `nil` |
| `cainjector.extraVolumes` | Optionally specify extra list of additional volumes for CAInjector pods | `undefined` |
| `cainjector.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for CAInjector container(s) | `undefined` |
| `cainjector.initContainers` | Add additional init containers to the CAInjector pods | `undefined` |
| `cainjector.sidecars` | Add additional sidecar containers to the CAInjector pod | `undefined` |
| `cainjector.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
| `cainjector.serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
| `cainjector.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `undefined` |
### Metrics Parameters
| Name | Description | Value |
| ----------------------------------------- | ------------------------------------------------------------------------------------------------ | ----------- |
| `metrics.enabled` | Start metrics | `true` |
| `metrics.podAnnotations` | Annotations for Cert Manager exporter pods | `{}` |
| `metrics.serviceMonitor.enabled` | Create ServiceMonitor resource(s) for scraping metrics using PrometheusOperator | `false` |
| `metrics.serviceMonitor.namespace` | The namespace in which the ServiceMonitor will be created | `nil` |
| `metrics.serviceMonitor.interval` | The interval at which metrics should be scraped | `60s` |
| `metrics.serviceMonitor.path` | The path which the ServiceMonitor will monitor | `/metrics` |
| `metrics.serviceMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `30s` |
| `metrics.serviceMonitor.targetPort` | The port in which the ServiceMonitor will monitor | `9402` |
| `metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor resource(s) can be discovered by Prometheus | `undefined` |
### Other Parameters
| Name | Description | Value |
| ------------- | -------------------------------------------------- | ------ |
| `rbac.create` | Specifies whether RBAC resources should be created | `true` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```console
$ helm install my-release bitnami/cert-manager \
--set installCRDs=true
```
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
```console
$ helm install my-release -f values.yaml bitnami/cert-manager
```
> **Tip**: You can use the default [values.yaml](values.yaml)
## Configuration and installation details
### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/)
It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
### Adding extra environment variables
In case you want to add extra environment variables (useful for advanced operations like custom init scripts), you can use the `extraEnvVars` property.
```yaml
extraEnvVars:
- name: LOG_LEVEL
value: DEBUG
```
Alternatively, you can use a ConfigMap or a Secret with the environment variables. To do so, use the `extraEnvVarsCM` or the `extraEnvVarsSecret` values.
### Sidecars and Init Containers
If you have a need for additional containers to run within the same pod as the Cert Manager app (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec.
```yaml
sidecars:
- name: your-image-name
image: your-image
imagePullPolicy: Always
ports:
- name: portname
containerPort: 1234
```
Similarly, you can add extra init containers using the `initContainers` parameter.
```yaml
initContainers:
- name: your-image-name
image: your-image
imagePullPolicy: Always
ports:
- name: portname
containerPort: 1234
```
### Deploying extra resources
There are cases where you may want to deploy extra objects, such a ConfigMap containing your app's configuration or some extra deployment with a micro service used by your app. For covering this case, the chart allows adding the full specification of other objects using the `extraDeploy` parameter.
### Setting Pod's affinity
This chart allows you to set your custom affinity using the `controller.affinity`, `cainjector.affinity` or `webhook.affinity` parameters. Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity).
As an alternative, you can make use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/master/bitnami/common#affinities) chart. To do so, set the `controller.podAffinityPreset`, `cainjector.podAffinityPreset`, `webhook.podAffinityPreset`, `controller.podAntiAffinityPreset`, `cainjector.podAntiAffinityPreset`, `webhook.podAntiAffinityPreset`, `controller.nodeAffinityPreset`, `cainjector.nodeAffinityPreset` or `webhook.nodeAffinityPreset` parameters.
## Troubleshooting
Find more information about how to deal with common errors related to Bitnamis Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues).

9
bitnami/cert-manager/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,9 @@
** Please be patient while the chart is being deployed **
In other to begin using certificates, you will need to set up Issuer or ClustersIssuer resources.
https://cert-manager.io/docs/configuration/
To configure a new ingress to automatically provision certificates, you will find some information in the following link:
https://cert-manager.io/docs/usage/ingress/

161
bitnami/cert-manager/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,161 @@
{{/*
Return the proper certmanager.image name
*/}}
{{- define "certmanager.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.controller.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper certmanager.image name
*/}}
{{- define "certmanager.acmesolver.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.controller.acmesolver.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper image name (for the init container volume-permissions image)
*/}}
{{- define "certmanager.volumePermissions.image" -}}
{{- include "common.images.image" ( dict "imageRoot" .Values.volumePermissions.image "global" .Values.global ) -}}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
*/}}
{{- define "certmanager.imagePullSecrets" -}}
{{ include "common.images.pullSecrets" (dict "images" (list .Values.controller.image) "global" .Values.global) }}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "certmanager.controller.fullname" -}}
{{- printf "%s-controller" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Returns the proper service account name depending if an explicit service account name is set
in the values file. If the name is not set it will default to either common.names.fullname if controller.serviceAccount.create
is true or default otherwise.
*/}}
{{- define "certmanager.controller.serviceAccountName" -}}
{{- if .Values.controller.serviceAccount.create -}}
{{- if (empty .Values.controller.serviceAccount.name) -}}
{{- printf "%s-controller" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{ default "default" .Values.controller.serviceAccount.name }}
{{- end -}}
{{- else -}}
{{ default "default" .Values.controller.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Return the proper certmanager.webhook image name
*/}}
{{- define "certmanager.webhook.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.webhook.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
*/}}
{{- define "certmanager.webhook.imagePullSecrets" -}}
{{ include "common.images.pullSecrets" (dict "images" (list .Values.webhook.image) "global" .Values.global) }}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "certmanager.webhook.fullname" -}}
{{- printf "%s-webhook" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Returns the proper service account name depending if an explicit service account name is set
in the values file. If the name is not set it will default to either common.names.fullname if webhook.serviceAccount.create
is true or default otherwise.
*/}}
{{- define "certmanager.webhook.serviceAccountName" -}}
{{- if .Values.webhook.serviceAccount.create -}}
{{- if (empty .Values.webhook.serviceAccount.name) -}}
{{- printf "%s-webhook" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{ default "default" .Values.webhook.serviceAccount.name }}
{{- end -}}
{{- else -}}
{{ default "default" .Values.webhook.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Return the proper cainjector image name
*/}}
{{- define "certmanager.cainjector.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.cainjector.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
*/}}
{{- define "certmanager.cainjector.imagePullSecrets" -}}
{{ include "common.images.pullSecrets" (dict "images" (list .Values.cainjector.image) "global" .Values.global) }}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "certmanager.cainjector.fullname" -}}
{{- printf "%s-cainjector" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Returns the proper service account name depending if an explicit service account name is set
in the values file. If the name is not set it will default to either common.names.fullname if webhook.serviceAccount.create
is true or default otherwise.
*/}}
{{- define "certmanager.cainjector.serviceAccountName" -}}
{{- if .Values.cainjector.serviceAccount.create -}}
{{- if (empty .Values.cainjector.serviceAccount.name) -}}
{{- printf "%s-cainjector" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{ default "default" .Values.cainjector.serviceAccount.name }}
{{- end -}}
{{- else -}}
{{ default "default" .Values.cainjector.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{- define "certmanager.webhook.caRef" -}}
{{ .Release.Namespace }}/{{ template "certmanager.webhook.fullname" . }}-ca
{{- end -}}
{{/*
Compile all warnings into a single message.
*/}}
{{- define "certmanager.validateValues" -}}
{{- $messages := list -}}
{{- $messages := append $messages (include "certmanager.validateValues.setCRD" .) -}}
{{- $messages := without $messages "" -}}
{{- $message := join "\n" $messages -}}
{{- if $message -}}
{{- printf "\nVALUES VALIDATION:\n%s" $message -}}
{{- end -}}
{{- end -}}
{{/* Validate values of Cert Manager - CRD */}}
{{- define "certmanager.validateValues.setCRD" -}}
{{- if not .Values.installCRDs -}}
cert-manager: CRDs
You will use cert manager without installing CRDs.
If you want to include our CRD resources, please install the cert manager using the crd flags (--set .Values.installCRDs=true).
{{- end -}}
{{- end -}}

118
bitnami/cert-manager/templates/cainjector/deployment.yaml Normal file
View File

@@ -0,0 +1,118 @@
apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
kind: Deployment
metadata:
name: {{ include "certmanager.cainjector.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: cainjector
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: cainjector
{{- if .Values.cainjector.updateStrategy }}
strategy: {{- toYaml .Values.cainjector.updateStrategy | nindent 4 }}
{{- end }}
replicas: {{ .Values.cainjector.replicaCount }}
template:
metadata:
labels: {{- include "common.labels.standard" . | nindent 8 }}
app.kubernetes.io/component: cainjector
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }}
{{- end }}
{{- if .Values.cainjector.podLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.cainjector.podLabels "context" $) | nindent 8 }}
{{- end }}
annotations:
{{- if .Values.cainjector.podAnnotations }}
{{- include "common.tplvalues.render" (dict "value" .Values.cainjector.podAnnotations "context" $) | nindent 8 }}
{{- end }}
spec:
{{- include "certmanager.cainjector.imagePullSecrets" . | nindent 6 }}
{{- if .Values.cainjector.podSecurityContext.enabled }}
securityContext: {{- omit .Values.cainjector.podSecurityContext "enabled" | toYaml | nindent 8 }}
{{- end }}
{{- if .Values.cainjector.priorityClassName }}
priorityClassName: {{ .Values.cainjector.priorityClassName | quote }}
{{- end }}
{{- if .Values.cainjector.affinity }}
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.cainjector.affinity "context" $) | nindent 8 }}
{{- else }}
affinity:
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.cainjector.podAffinityPreset "context" $) | nindent 10 }}
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.cainjector.podAntiAffinityPreset "context" $) | nindent 10 }}
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.cainjector.nodeAffinityPreset.type "key" .Values.cainjector.nodeAffinityPreset.key "values" .Values.cainjector.nodeAffinityPreset.values) | nindent 10 }}
{{- end }}
{{- if .Values.cainjector.nodeSelector }}
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.cainjector.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.cainjector.tolerations }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.cainjector.tolerations "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.cainjector.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.cainjector.hostAliases "context" $) | nindent 8 }}
{{- end }}
initContainers:
{{- if .Values.cainjector.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.cainjector.initContainers "context" $) | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "certmanager.cainjector.serviceAccountName" . }}
containers:
- name: {{ include "certmanager.cainjector.fullname" . }}
image: {{ template "certmanager.cainjector.image" . }}
imagePullPolicy: {{ .Values.cainjector.image.pullPolicy | quote }}
{{- if .Values.cainjector.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.cainjector.command "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.cainjector.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.cainjector.args "context" $) | nindent 12 }}
{{- else }}
args:
- --v={{ .Values.logLevel }}
- --leader-election-namespace={{ .Values.leaderElection.namespace }}
{{- end }}
{{- if .Values.cainjector.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.cainjector.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" .Values.cainjector.image.debug | quote }}
{{- if .Values.cainjector.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.cainjector.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
envFrom:
{{- if .Values.cainjector.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.cainjector.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.cainjector.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.cainjector.extraEnvVarsSecret "context" $) }}
{{- end }}
{{- if .Values.cainjector.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.cainjector.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.cainjector.resources }}
resources: {{- toYaml .Values.cainjector.resources | nindent 12 }}
{{- end }}
volumeMounts:
{{- if .Values.cainjector.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.cainjector.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.cainjector.sidecars }}
{{- include "common.tplvalues.render" (dict "value" .Values.cainjector.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
{{- if .Values.cainjector.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.cainjector.extraVolumes "context" $) | nindent 8 }}
{{- end }}

102
bitnami/cert-manager/templates/cainjector/rbac.yaml Normal file
View File

@@ -0,0 +1,102 @@
{{- if .Values.rbac.create }}
---
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: Role
metadata:
name: {{ printf "%s-leader-election" (include "certmanager.cainjector.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ .Values.leaderElection.namespace }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: cainjector
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
verbs: ["get", "update", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]
---
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: RoleBinding
metadata:
name: {{ printf "%s-leader-election" (include "certmanager.cainjector.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ .Values.leaderElection.namespace }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: cainjector
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ printf "%s-leader-election" (include "certmanager.cainjector.fullname" .) | trunc 63 | trimSuffix "-" }}
subjects:
- kind: ServiceAccount
name: {{ template "certmanager.cainjector.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
---
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: ClusterRole
metadata:
name: {{ include "certmanager.cainjector.fullname" . }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: cainjector
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["get", "create", "update", "patch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["auditregistration.k8s.io"]
resources: ["auditsinks"]
verbs: ["get", "list", "watch", "update"]
---
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: ClusterRoleBinding
metadata:
name: {{ include "certmanager.cainjector.fullname" . }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: cainjector
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "certmanager.cainjector.fullname" . }}
subjects:
- name: {{ template "certmanager.cainjector.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
kind: ServiceAccount
{{- end -}}

14
bitnami/cert-manager/templates/cainjector/serviceaccount.yaml Normal file
View File

@@ -0,0 +1,14 @@
{{- if .Values.cainjector.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: true
metadata:
labels:
app.kubernetes.io/component: cainjector
{{- include "common.labels.standard" . | nindent 4 }}
name: {{ template "certmanager.cainjector.serviceAccountName" . }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}

126
bitnami/cert-manager/templates/controller/deployment.yaml Normal file
View File

@@ -0,0 +1,126 @@
apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
kind: Deployment
metadata:
name: {{ include "certmanager.controller.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: controller
{{- if .Values.controller.updateStrategy }}
strategy: {{- toYaml .Values.controller.updateStrategy | nindent 4 }}
{{- end }}
replicas: {{ .Values.controller.replicaCount }}
template:
metadata:
labels: {{- include "common.labels.standard" . | nindent 8 }}
app.kubernetes.io/component: controller
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }}
{{- end }}
{{- if .Values.controller.podLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.controller.podLabels "context" $) | nindent 8 }}
{{- end }}
annotations:
{{- if .Values.controller.podAnnotations }}
{{- include "common.tplvalues.render" (dict "value" .Values.controller.podAnnotations "context" $) | nindent 8 }}
{{- end }}
{{- if and .Values.metrics.enabled (not .Values.metrics.serviceMonitor.enabled) }}
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.podAnnotations "context" $) | nindent 8 }}
{{- end }}
spec:
{{- include "certmanager.imagePullSecrets" . | nindent 6 }}
{{- if .Values.controller.podSecurityContext.enabled }}
securityContext: {{- omit .Values.controller.podSecurityContext "enabled" | toYaml | nindent 8 }}
{{- end }}
{{- if .Values.controller.priorityClassName }}
priorityClassName: {{ .Values.controller.priorityClassName | quote }}
{{- end }}
{{- if .Values.controller.affinity }}
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.controller.affinity "context" $) | nindent 8 }}
{{- else }}
affinity:
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.controller.podAffinityPreset "context" $) | nindent 10 }}
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.controller.podAntiAffinityPreset "context" $) | nindent 10 }}
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.controller.nodeAffinityPreset.type "key" .Values.controller.nodeAffinityPreset.key "values" .Values.controller.nodeAffinityPreset.values) | nindent 10 }}
{{- end }}
{{- if .Values.controller.nodeSelector }}
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.controller.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.controller.tolerations }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.controller.tolerations "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.controller.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.controller.hostAliases "context" $) | nindent 8 }}
{{- end }}
initContainers:
{{- if .Values.controller.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.controller.initContainers "context" $) | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "certmanager.controller.serviceAccountName" . }}
containers:
- name: {{ include "certmanager.controller.fullname" . }}
image: {{ template "certmanager.image" . }}
imagePullPolicy: {{ .Values.controller.image.pullPolicy | quote }}
{{- if .Values.controller.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.controller.command "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.controller.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.controller.args "context" $) | nindent 12 }}
{{- else }}
args:
- --v={{ .Values.logLevel }}
- --cluster-resource-namespace=$(POD_NAMESPACE)
- --leader-election-namespace={{ .Values.leaderElection.namespace }}
- --acme-http01-solver-image={{ template "certmanager.acmesolver.image" . }}
{{- end }}
{{- if .Values.controller.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.controller.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" .Values.controller.image.debug | quote }}
{{- if .Values.controller.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.controller.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
envFrom:
{{- if .Values.controller.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.controller.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.controller.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.controller.extraEnvVarsSecret "context" $) }}
{{- end }}
{{- if .Values.controller.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.controller.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
ports:
- protocol: TCP
containerPort: {{ .Values.controller.containerPort }}
{{- if .Values.controller.resources }}
resources: {{- toYaml .Values.controller.resources | nindent 12 }}
{{- end }}
volumeMounts:
{{- if .Values.controller.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.controller.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.controller.sidecars }}
{{- include "common.tplvalues.render" (dict "value" .Values.controller.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
{{- if .Values.controller.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.controller.extraVolumes "context" $) | nindent 8 }}
{{- end }}

451
bitnami/cert-manager/templates/controller/rbac.yaml Normal file
View File

@@ -0,0 +1,451 @@
{{- if .Values.rbac.create }}
---
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: Role
metadata:
name: {{ printf "%s-leader-election" (include "certmanager.controller.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ .Values.leaderElection.namespace }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["cert-manager-controller"]
verbs: ["get", "update", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]
---
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: RoleBinding
metadata:
name: {{ printf "%s-leader-election" (include "certmanager.controller.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ .Values.leaderElection.namespace }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ printf "%s-leader-election" (include "certmanager.controller.fullname" .) | trunc 63 | trimSuffix "-" }}
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ template "certmanager.controller.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
---
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: ClusterRole
metadata:
name: {{ printf "%s-controller-issuers" (include "certmanager.controller.fullname" .) | trunc 63 | trimSuffix "-" }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["issuers", "issuers/status"]
verbs: ["update"]
- apiGroups: ["cert-manager.io"]
resources: ["issuers"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
---
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: ClusterRole
metadata:
name: {{ printf "%s-controller-clusterissuers" (include "certmanager.controller.fullname" .) | trunc 63 | trimSuffix "-" }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers", "clusterissuers/status"]
verbs: ["update"]
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
---
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: ClusterRole
metadata:
name: {{ printf "%s-controller-certificates" (include "certmanager.controller.fullname" .) | trunc 63 | trimSuffix "-" }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
verbs: ["update"]
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["cert-manager.io"]
resources: ["certificates/finalizers", "certificaterequests/finalizers"]
verbs: ["update"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders"]
verbs: ["create", "delete", "get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
---
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: ClusterRole
metadata:
name: {{ printf "%s-controller-orders" (include "certmanager.controller.fullname" .) | trunc 63 | trimSuffix "-" }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders", "orders/status"]
verbs: ["update"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders", "challenges"]
verbs: ["get", "list", "watch"]
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers", "issuers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges"]
verbs: ["create", "delete"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders/finalizers"]
verbs: ["update"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
---
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: ClusterRole
metadata:
name: {{ printf "%s-controller-challenges" (include "certmanager.controller.fullname" .) | trunc 63 | trimSuffix "-" }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
# Use to update challenge resource status
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges", "challenges/status"]
verbs: ["update"]
# Used to watch challenge resources
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges"]
verbs: ["get", "list", "watch"]
# Used to watch challenges, issuer and clusterissuer resources
- apiGroups: ["cert-manager.io"]
resources: ["issuers", "clusterissuers"]
verbs: ["get", "list", "watch"]
# Need to be able to retrieve ACME account private key to complete challenges
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
# Used to create events
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
# HTTP01 rules
- apiGroups: [""]
resources: ["pods", "services"]
verbs: ["get", "list", "watch", "create", "delete"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch", "create", "delete", "update"]
- apiGroups: ["route.openshift.io"]
resources: ["routes/custom-host"]
verbs: ["create"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges/finalizers"]
verbs: ["update"]
# DNS01 rules (duplicated above)
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
---
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: ClusterRole
metadata:
name: {{ printf "%s-controller-ingress-shim" (include "certmanager.controller.fullname" .) | trunc 63 | trimSuffix "-" }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests"]
verbs: ["create", "update", "delete"]
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses/finalizers"]
verbs: ["update"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
---
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: ClusterRoleBinding
metadata:
name: {{ printf "%s-controller-issuers" (include "certmanager.controller.fullname" .) | trunc 63 | trimSuffix "-" }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ printf "%s-controller-issuers" (include "certmanager.controller.fullname" .) | trunc 63 | trimSuffix "-" }}
subjects:
- kind: ServiceAccount
name: {{ template "certmanager.controller.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
---
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: ClusterRoleBinding
metadata:
name: {{ printf "%s-controller-clusterissuers" (include "certmanager.controller.fullname" .) | trunc 63 | trimSuffix "-" }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ printf "%s-controller-clusterissuers" (include "certmanager.controller.fullname" .) | trunc 63 | trimSuffix "-" }}
subjects:
- kind: ServiceAccount
name: {{ template "certmanager.controller.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
---
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: ClusterRoleBinding
metadata:
name: {{ printf "%s-controller-certificates" (include "certmanager.controller.fullname" .) | trunc 63 | trimSuffix "-" }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ printf "%s-controller-certificates" (include "certmanager.controller.fullname" .) | trunc 63 | trimSuffix "-" }}
subjects:
- kind: ServiceAccount
name: {{ template "certmanager.controller.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
---
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: ClusterRoleBinding
metadata:
name: {{ printf "%s-controller-orders" (include "certmanager.controller.fullname" .) | trunc 63 | trimSuffix "-" }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ printf "%s-controller-orders" (include "certmanager.controller.fullname" .) | trunc 63 | trimSuffix "-" }}
subjects:
- kind: ServiceAccount
name: {{ template "certmanager.controller.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
---
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: ClusterRoleBinding
metadata:
name: {{ printf "%s-controller-challenges" (include "certmanager.controller.fullname" .) | trunc 63 | trimSuffix "-" }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ printf "%s-controller-challenges" (include "certmanager.controller.fullname" .) | trunc 63 | trimSuffix "-" }}
subjects:
- kind: ServiceAccount
name: {{ template "certmanager.controller.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
---
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: ClusterRoleBinding
metadata:
name: {{ printf "%s-controller-ingress-shim" (include "certmanager.controller.fullname" .) | trunc 63 | trimSuffix "-" }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ printf "%s-controller-ingress-shim" (include "certmanager.controller.fullname" .) | trunc 63 | trimSuffix "-" }}
subjects:
- kind: ServiceAccount
name: {{ template "certmanager.controller.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
---
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: ClusterRole
metadata:
name: {{ printf "%s-view" (include "certmanager.controller.fullname" .) | trunc 63 | trimSuffix "-" }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "issuers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges", "orders"]
verbs: ["get", "list", "watch"]
---
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: ClusterRole
metadata:
name: {{ printf "%s-edit" (include "certmanager.controller.fullname" .) | trunc 63 | trimSuffix "-" }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "issuers"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges", "orders"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
---
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: ClusterRole
metadata:
name: {{ printf "%s-controller-approve" (include "certmanager.controller.fullname" .) | trunc 63 | trimSuffix "-" }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: cert-manager
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["signers"]
verbs: ["approve"]
resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
---
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: ClusterRoleBinding
metadata:
name: {{ printf "%s-controller-approve" (include "certmanager.controller.fullname" .) | trunc 63 | trimSuffix "-" }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: cert-manager
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ printf "%s-controller-approve" (include "certmanager.controller.fullname" .) | trunc 63 | trimSuffix "-" }}
subjects:
- kind: ServiceAccount
namespace: {{ .Release.Namespace | quote }}
name: {{ template "certmanager.controller.serviceAccountName" . }}
{{- end -}}

18
bitnami/cert-manager/templates/controller/service.yaml Normal file
View File

@@ -0,0 +1,18 @@
{{- if .Values.metrics.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ printf "%s-metrics" (include "certmanager.controller.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: controller
spec:
type: ClusterIP
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: controller
ports:
- name: controller
port: {{ .Values.controller.containerPort }}
protocol: TCP
targetPort: {{ .Values.metrics.serviceMonitor.targetPort }}
{{- end }}

14
bitnami/cert-manager/templates/controller/serviceaccount.yaml Normal file
View File

@@ -0,0 +1,14 @@
{{- if .Values.controller.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: true
metadata:
labels:
app.kubernetes.io/component: controller
{{- include "common.labels.standard" . | nindent 4 }}
name: {{ template "certmanager.controller.serviceAccountName" . }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}

40
bitnami/cert-manager/templates/controller/servicemonitor.yaml Normal file
View File

@@ -0,0 +1,40 @@
{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "certmanager.controller.fullname" . }}
{{- if .Values.metrics.serviceMonitor.namespace }}
namespace: {{ .Values.metrics.serviceMonitor.namespace | quote }}
{{- else }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.metrics.serviceMonitor.additionalLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.additionalLabels "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
jobLabel: {{ template "certmanager.controller.fullname" . }}
selector:
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: controller
namespaceSelector:
matchNames:
- {{ .Release.Namespace | quote }}
endpoints:
- targetPort: {{ .Values.metrics.serviceMonitor.targetPort }}
{{- if .Values.metrics.serviceMonitor.path }}
path: {{ .Values.metrics.serviceMonitor.path }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.interval }}
interval: {{ .Values.metrics.serviceMonitor.interval }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
{{- end }}
{{- end }}

720
bitnami/cert-manager/templates/crds/crd-certificaterequests.yaml Normal file
View File

@@ -0,0 +1,720 @@
{{- if .Values.installCRDs }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: certificaterequests.cert-manager.io
annotations:
cert-manager.io/inject-ca-from-secret: '{{ template "certmanager.webhook.caRef" . }}'
labels: {{- include "common.labels.standard" . | nindent 4 }}
spec:
group: cert-manager.io
names:
kind: CertificateRequest
listKind: CertificateRequestList
plural: certificaterequests
shortNames:
- cr
- crs
singular: certificaterequest
categories:
- cert-manager
scope: Namespaced
conversion:
# a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
strategy: Webhook
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
webhook:
conversionReviewVersions: ["v1", "v1beta1"]
clientConfig:
service:
namespace: '{{ .Release.Namespace }}'
name: '{{ template "certmanager.webhook.fullname" . }}'
path: /convert
versions:
- name: v1alpha2
subresources:
status: {}
additionalPrinterColumns:
- jsonPath: .status.conditions[?(@.type=="Approved")].status
name: Approved
type: string
- jsonPath: .status.conditions[?(@.type=="Denied")].status
name: Denied
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
- jsonPath: .spec.issuerRef.name
name: Issuer
type: string
- jsonPath: .spec.username
name: Requestor
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].message
name: Status
priority: 1
type: string
- jsonPath: .metadata.creationTimestamp
description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
name: Age
type: date
schema:
openAPIV3Schema:
description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
type: object
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Desired state of the CertificateRequest resource.
type: object
required:
- csr
- issuerRef
properties:
csr:
description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
type: string
format: byte
duration:
description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
type: string
extra:
description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: object
additionalProperties:
type: array
items:
type: string
groups:
description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: array
items:
type: string
x-kubernetes-list-type: atomic
isCA:
description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
type: boolean
issuerRef:
description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
type: object
required:
- name
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
uid:
description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: string
usages:
description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
type: array
items:
description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
type: string
enum:
- signing
- digital signature
- content commitment
- key encipherment
- key agreement
- data encipherment
- cert sign
- crl sign
- encipher only
- decipher only
- any
- server auth
- client auth
- code signing
- email protection
- s/mime
- ipsec end system
- ipsec tunnel
- ipsec user
- timestamping
- ocsp signing
- microsoft sgc
- netscape sgc
username:
description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: string
status:
description: Status of the CertificateRequest. This is set and managed automatically.
type: object
properties:
ca:
description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
type: string
format: byte
certificate:
description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
type: string
format: byte
conditions:
description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
type: array
items:
description: CertificateRequestCondition contains condition information for a CertificateRequest.
type: object
required:
- status
- type
properties:
lastTransitionTime:
description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
type: string
format: date-time
message:
description: Message is a human readable description of the details of the last transition, complementing reason.
type: string
reason:
description: Reason is a brief machine readable explanation for the condition's last transition.
type: string
status:
description: Status of the condition, one of (`True`, `False`, `Unknown`).
type: string
enum:
- "True"
- "False"
- Unknown
type:
description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
type: string
failureTime:
description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
type: string
format: date-time
served: true
storage: false
- name: v1alpha3
subresources:
status: {}
additionalPrinterColumns:
- jsonPath: .status.conditions[?(@.type=="Approved")].status
name: Approved
type: string
- jsonPath: .status.conditions[?(@.type=="Denied")].status
name: Denied
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
- jsonPath: .spec.issuerRef.name
name: Issuer
type: string
- jsonPath: .spec.username
name: Requestor
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].message
name: Status
priority: 1
type: string
- jsonPath: .metadata.creationTimestamp
description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
name: Age
type: date
schema:
openAPIV3Schema:
description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
type: object
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Desired state of the CertificateRequest resource.
type: object
required:
- csr
- issuerRef
properties:
csr:
description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
type: string
format: byte
duration:
description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
type: string
extra:
description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: object
additionalProperties:
type: array
items:
type: string
groups:
description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: array
items:
type: string
x-kubernetes-list-type: atomic
isCA:
description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
type: boolean
issuerRef:
description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
type: object
required:
- name
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
uid:
description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: string
usages:
description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
type: array
items:
description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
type: string
enum:
- signing
- digital signature
- content commitment
- key encipherment
- key agreement
- data encipherment
- cert sign
- crl sign
- encipher only
- decipher only
- any
- server auth
- client auth
- code signing
- email protection
- s/mime
- ipsec end system
- ipsec tunnel
- ipsec user
- timestamping
- ocsp signing
- microsoft sgc
- netscape sgc
username:
description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: string
status:
description: Status of the CertificateRequest. This is set and managed automatically.
type: object
properties:
ca:
description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
type: string
format: byte
certificate:
description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
type: string
format: byte
conditions:
description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
type: array
items:
description: CertificateRequestCondition contains condition information for a CertificateRequest.
type: object
required:
- status
- type
properties:
lastTransitionTime:
description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
type: string
format: date-time
message:
description: Message is a human readable description of the details of the last transition, complementing reason.
type: string
reason:
description: Reason is a brief machine readable explanation for the condition's last transition.
type: string
status:
description: Status of the condition, one of (`True`, `False`, `Unknown`).
type: string
enum:
- "True"
- "False"
- Unknown
type:
description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
type: string
failureTime:
description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
type: string
format: date-time
served: true
storage: false
- name: v1beta1
subresources:
status: {}
additionalPrinterColumns:
- jsonPath: .status.conditions[?(@.type=="Approved")].status
name: Approved
type: string
- jsonPath: .status.conditions[?(@.type=="Denied")].status
name: Denied
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
- jsonPath: .spec.issuerRef.name
name: Issuer
type: string
- jsonPath: .spec.username
name: Requestor
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].message
name: Status
priority: 1
type: string
- jsonPath: .metadata.creationTimestamp
description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
name: Age
type: date
schema:
openAPIV3Schema:
description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
type: object
required:
- spec
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Desired state of the CertificateRequest resource.
type: object
required:
- issuerRef
- request
properties:
duration:
description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
type: string
extra:
description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: object
additionalProperties:
type: array
items:
type: string
groups:
description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: array
items:
type: string
x-kubernetes-list-type: atomic
isCA:
description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
type: boolean
issuerRef:
description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
type: object
required:
- name
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
request:
description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
type: string
format: byte
uid:
description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: string
usages:
description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
type: array
items:
description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
type: string
enum:
- signing
- digital signature
- content commitment
- key encipherment
- key agreement
- data encipherment
- cert sign
- crl sign
- encipher only
- decipher only
- any
- server auth
- client auth
- code signing
- email protection
- s/mime
- ipsec end system
- ipsec tunnel
- ipsec user
- timestamping
- ocsp signing
- microsoft sgc
- netscape sgc
username:
description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: string
status:
description: Status of the CertificateRequest. This is set and managed automatically.
type: object
properties:
ca:
description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
type: string
format: byte
certificate:
description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
type: string
format: byte
conditions:
description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
type: array
items:
description: CertificateRequestCondition contains condition information for a CertificateRequest.
type: object
required:
- status
- type
properties:
lastTransitionTime:
description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
type: string
format: date-time
message:
description: Message is a human readable description of the details of the last transition, complementing reason.
type: string
reason:
description: Reason is a brief machine readable explanation for the condition's last transition.
type: string
status:
description: Status of the condition, one of (`True`, `False`, `Unknown`).
type: string
enum:
- "True"
- "False"
- Unknown
type:
description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
type: string
failureTime:
description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
type: string
format: date-time
served: true
storage: false
- name: v1
subresources:
status: {}
additionalPrinterColumns:
- jsonPath: .status.conditions[?(@.type=="Approved")].status
name: Approved
type: string
- jsonPath: .status.conditions[?(@.type=="Denied")].status
name: Denied
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
- jsonPath: .spec.issuerRef.name
name: Issuer
type: string
- jsonPath: .spec.username
name: Requestor
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].message
name: Status
priority: 1
type: string
- jsonPath: .metadata.creationTimestamp
description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
name: Age
type: date
schema:
openAPIV3Schema:
description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
type: object
required:
- spec
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Desired state of the CertificateRequest resource.
type: object
required:
- issuerRef
- request
properties:
duration:
description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
type: string
extra:
description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: object
additionalProperties:
type: array
items:
type: string
groups:
description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: array
items:
type: string
x-kubernetes-list-type: atomic
isCA:
description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
type: boolean
issuerRef:
description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
type: object
required:
- name
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
request:
description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
type: string
format: byte
uid:
description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: string
usages:
description: Usages is the set of x509 usages that are requested for the certificate. If usages are set they SHOULD be encoded inside the CSR spec Defaults to `digital signature` and `key encipherment` if not specified.
type: array
items:
description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
type: string
enum:
- signing
- digital signature
- content commitment
- key encipherment
- key agreement
- data encipherment
- cert sign
- crl sign
- encipher only
- decipher only
- any
- server auth
- client auth
- code signing
- email protection
- s/mime
- ipsec end system
- ipsec tunnel
- ipsec user
- timestamping
- ocsp signing
- microsoft sgc
- netscape sgc
username:
description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
type: string
status:
description: Status of the CertificateRequest. This is set and managed automatically.
type: object
properties:
ca:
description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
type: string
format: byte
certificate:
description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
type: string
format: byte
conditions:
description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
type: array
items:
description: CertificateRequestCondition contains condition information for a CertificateRequest.
type: object
required:
- status
- type
properties:
lastTransitionTime:
description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
type: string
format: date-time
message:
description: Message is a human readable description of the details of the last transition, complementing reason.
type: string
reason:
description: Reason is a brief machine readable explanation for the condition's last transition.
type: string
status:
description: Status of the condition, one of (`True`, `False`, `Unknown`).
type: string
enum:
- "True"
- "False"
- Unknown
type:
description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
type: string
failureTime:
description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
type: string
format: date-time
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
{{- end -}}

1256
bitnami/cert-manager/templates/crds/crd-certificates.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

3340
bitnami/cert-manager/templates/crds/crd-challenges.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

4193
bitnami/cert-manager/templates/crds/crd-clusterissuers.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

4193
bitnami/cert-manager/templates/crds/crd-issuers.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

668
bitnami/cert-manager/templates/crds/crd-orders.yaml Normal file
View File

@@ -0,0 +1,668 @@
{{- if .Values.installCRDs }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: orders.acme.cert-manager.io
annotations:
cert-manager.io/inject-ca-from-secret: '{{ template "certmanager.webhook.caRef" . }}'
labels: {{- include "common.labels.standard" . | nindent 4 }}
spec:
group: acme.cert-manager.io
names:
kind: Order
listKind: OrderList
plural: orders
singular: order
categories:
- cert-manager
- cert-manager-acme
scope: Namespaced
conversion:
# a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
strategy: Webhook
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
webhook:
conversionReviewVersions: ["v1", "v1beta1"]
clientConfig:
service:
namespace: '{{ .Release.Namespace }}'
name: '{{ template "certmanager.webhook.fullname" . }}'
path: /convert
versions:
- name: v1alpha2
subresources:
status: {}
additionalPrinterColumns:
- jsonPath: .status.state
name: State
type: string
- jsonPath: .spec.issuerRef.name
name: Issuer
priority: 1
type: string
- jsonPath: .status.reason
name: Reason
priority: 1
type: string
- jsonPath: .metadata.creationTimestamp
description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
name: Age
type: date
schema:
openAPIV3Schema:
description: Order is a type to represent an Order with an ACME server
type: object
required:
- metadata
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
type: object
required:
- csr
- issuerRef
properties:
commonName:
description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
type: string
csr:
description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
type: string
format: byte
dnsNames:
description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
type: array
items:
type: string
duration:
description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec.
type: string
ipAddresses:
description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
type: array
items:
type: string
issuerRef:
description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
type: object
required:
- name
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
status:
type: object
properties:
authorizations:
description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
type: array
items:
description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource.
type: object
required:
- url
properties:
challenges:
description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
type: array
items:
description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
type: object
required:
- token
- type
- url
properties:
token:
description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
type: string
type:
description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
type: string
url:
description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
type: string
identifier:
description: Identifier is the DNS name to be validated as part of this authorization
type: string
initialState:
description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
url:
description: URL is the URL of the Authorization that must be completed
type: string
wildcard:
description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
type: boolean
certificate:
description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
type: string
format: byte
failureTime:
description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
type: string
format: date-time
finalizeURL:
description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
type: string
reason:
description: Reason optionally provides more information about a why the order is in the current state.
type: string
state:
description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
url:
description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
type: string
served: true
storage: false
- name: v1alpha3
subresources:
status: {}
additionalPrinterColumns:
- jsonPath: .status.state
name: State
type: string
- jsonPath: .spec.issuerRef.name
name: Issuer
priority: 1
type: string
- jsonPath: .status.reason
name: Reason
priority: 1
type: string
- jsonPath: .metadata.creationTimestamp
description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
name: Age
type: date
schema:
openAPIV3Schema:
description: Order is a type to represent an Order with an ACME server
type: object
required:
- metadata
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
type: object
required:
- csr
- issuerRef
properties:
commonName:
description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
type: string
csr:
description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
type: string
format: byte
dnsNames:
description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
type: array
items:
type: string
duration:
description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec.
type: string
ipAddresses:
description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
type: array
items:
type: string
issuerRef:
description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
type: object
required:
- name
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
status:
type: object
properties:
authorizations:
description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
type: array
items:
description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource.
type: object
required:
- url
properties:
challenges:
description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
type: array
items:
description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
type: object
required:
- token
- type
- url
properties:
token:
description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
type: string
type:
description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
type: string
url:
description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
type: string
identifier:
description: Identifier is the DNS name to be validated as part of this authorization
type: string
initialState:
description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
url:
description: URL is the URL of the Authorization that must be completed
type: string
wildcard:
description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
type: boolean
certificate:
description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
type: string
format: byte
failureTime:
description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
type: string
format: date-time
finalizeURL:
description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
type: string
reason:
description: Reason optionally provides more information about a why the order is in the current state.
type: string
state:
description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
url:
description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
type: string
served: true
storage: false
- name: v1beta1
subresources:
status: {}
additionalPrinterColumns:
- jsonPath: .status.state
name: State
type: string
- jsonPath: .spec.issuerRef.name
name: Issuer
priority: 1
type: string
- jsonPath: .status.reason
name: Reason
priority: 1
type: string
- jsonPath: .metadata.creationTimestamp
description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
name: Age
type: date
schema:
openAPIV3Schema:
description: Order is a type to represent an Order with an ACME server
type: object
required:
- metadata
- spec
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
type: object
required:
- issuerRef
- request
properties:
commonName:
description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
type: string
dnsNames:
description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
type: array
items:
type: string
duration:
description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec.
type: string
ipAddresses:
description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
type: array
items:
type: string
issuerRef:
description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
type: object
required:
- name
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
request:
description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
type: string
format: byte
status:
type: object
properties:
authorizations:
description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
type: array
items:
description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource.
type: object
required:
- url
properties:
challenges:
description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
type: array
items:
description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
type: object
required:
- token
- type
- url
properties:
token:
description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
type: string
type:
description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
type: string
url:
description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
type: string
identifier:
description: Identifier is the DNS name to be validated as part of this authorization
type: string
initialState:
description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
url:
description: URL is the URL of the Authorization that must be completed
type: string
wildcard:
description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
type: boolean
certificate:
description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
type: string
format: byte
failureTime:
description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
type: string
format: date-time
finalizeURL:
description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
type: string
reason:
description: Reason optionally provides more information about a why the order is in the current state.
type: string
state:
description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
url:
description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
type: string
served: true
storage: false
- name: v1
subresources:
status: {}
additionalPrinterColumns:
- jsonPath: .status.state
name: State
type: string
- jsonPath: .spec.issuerRef.name
name: Issuer
priority: 1
type: string
- jsonPath: .status.reason
name: Reason
priority: 1
type: string
- jsonPath: .metadata.creationTimestamp
description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
name: Age
type: date
schema:
openAPIV3Schema:
description: Order is a type to represent an Order with an ACME server
type: object
required:
- metadata
- spec
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
type: object
required:
- issuerRef
- request
properties:
commonName:
description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
type: string
dnsNames:
description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
type: array
items:
type: string
duration:
description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec.
type: string
ipAddresses:
description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
type: array
items:
type: string
issuerRef:
description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
type: object
required:
- name
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
request:
description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
type: string
format: byte
status:
type: object
properties:
authorizations:
description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
type: array
items:
description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource.
type: object
required:
- url
properties:
challenges:
description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
type: array
items:
description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
type: object
required:
- token
- type
- url
properties:
token:
description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
type: string
type:
description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
type: string
url:
description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
type: string
identifier:
description: Identifier is the DNS name to be validated as part of this authorization
type: string
initialState:
description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
url:
description: URL is the URL of the Authorization that must be completed
type: string
wildcard:
description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
type: boolean
certificate:
description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
type: string
format: byte
failureTime:
description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
type: string
format: date-time
finalizeURL:
description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
type: string
reason:
description: Reason optionally provides more information about a why the order is in the current state.
type: string
state:
description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
url:
description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
type: string
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
{{- end -}}

4
bitnami/cert-manager/templates/extra-list.yaml Normal file
View File

@@ -0,0 +1,4 @@
{{- range .Values.extraDeploy }}
---
{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
{{- end }}

155
bitnami/cert-manager/templates/webhook/deployment.yaml Normal file
View File

@@ -0,0 +1,155 @@
apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
kind: Deployment
metadata:
name: {{ include "certmanager.webhook.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: webhook
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: webhook
{{- if .Values.webhook.updateStrategy }}
strategy: {{- toYaml .Values.webhook.updateStrategy | nindent 4 }}
{{- end }}
replicas: {{ .Values.webhook.replicaCount }}
template:
metadata:
labels: {{- include "common.labels.standard" . | nindent 8 }}
app.kubernetes.io/component: webhook
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }}
{{- end }}
{{- if .Values.webhook.podLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.webhook.podLabels "context" $) | nindent 8 }}
{{- end }}
annotations:
{{- if .Values.webhook.podAnnotations }}
{{- include "common.tplvalues.render" (dict "value" .Values.webhook.podAnnotations "context" $) | nindent 8 }}
{{- end }}
spec:
{{- include "certmanager.webhook.imagePullSecrets" . | nindent 6 }}
{{- if .Values.webhook.podSecurityContext.enabled }}
securityContext: {{- omit .Values.webhook.podSecurityContext "enabled" | toYaml | nindent 8 }}
{{- end }}
{{- if .Values.webhook.priorityClassName }}
priorityClassName: {{ .Values.webhook.priorityClassName | quote }}
{{- end }}
{{- if .Values.webhook.affinity }}
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.webhook.affinity "context" $) | nindent 8 }}
{{- else }}
affinity:
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.webhook.podAffinityPreset "context" $) | nindent 10 }}
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.webhook.podAntiAffinityPreset "context" $) | nindent 10 }}
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.webhook.nodeAffinityPreset.type "key" .Values.webhook.nodeAffinityPreset.key "values" .Values.webhook.nodeAffinityPreset.values) | nindent 10 }}
{{- end }}
{{- if .Values.webhook.nodeSelector }}
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.webhook.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.webhook.tolerations }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.webhook.tolerations "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.webhook.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.webhook.hostAliases "context" $) | nindent 8 }}
{{- end }}
initContainers:
{{- if .Values.webhook.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.webhook.initContainers "context" $) | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "certmanager.webhook.serviceAccountName" . }}
containers:
- name: {{ include "certmanager.webhook.fullname" . }}
image: {{ template "certmanager.webhook.image" . }}
imagePullPolicy: {{ .Values.webhook.image.pullPolicy | quote }}
{{- if .Values.webhook.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.webhook.command "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.webhook.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.webhook.args "context" $) | nindent 12 }}
{{- else }}
args:
- --v={{ .Values.logLevel }}
- --secure-port={{ .Values.webhook.containerPort }}
- --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
- --dynamic-serving-ca-secret-name={{ template "certmanager.webhook.fullname" . }}-ca
- --dynamic-serving-dns-names={{ template "certmanager.webhook.fullname" . }},{{ template "certmanager.webhook.fullname" . }}.{{ .Release.Namespace }},{{ template "certmanager.webhook.fullname" . }}.{{ .Release.Namespace }}.svc
{{- end }}
{{- if .Values.webhook.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.webhook.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" .Values.webhook.image.debug | quote }}
{{- if .Values.webhook.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.webhook.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
envFrom:
{{- if .Values.webhook.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.webhook.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.webhook.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.webhook.extraEnvVarsSecret "context" $) }}
{{- end }}
{{- if .Values.webhook.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.webhook.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
ports:
- name: https
containerPort: {{ .Values.webhook.containerPort }}
{{- if .Values.webhook.customStartupProbe }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.webhook.customStartupProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.webhook.livenessProbe.enabled }}
livenessProbe:
httpGet:
path: {{ .Values.webhook.livenessProbe.path }}
scheme: HTTP
port: 6080
initialDelaySeconds: {{ .Values.webhook.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.webhook.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.webhook.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.webhook.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.webhook.livenessProbe.failureThreshold }}
{{- else if .Values.webhook.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.webhook.customLivenessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.webhook.readinessProbe.enabled }}
readinessProbe:
httpGet:
path: {{ .Values.webhook.readinessProbe.path }}
port: 6080
scheme: HTTP
initialDelaySeconds: {{ .Values.webhook.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.webhook.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.webhook.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.webhook.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.webhook.readinessProbe.failureThreshold }}
{{- else if .Values.webhook.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.webhook.customReadinessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.webhook.resources }}
resources: {{- toYaml .Values.webhook.resources | nindent 12 }}
{{- end }}
volumeMounts:
{{- if .Values.webhook.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.webhook.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.webhook.sidecars }}
{{- include "common.tplvalues.render" (dict "value" .Values.webhook.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
{{- if .Values.webhook.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.webhook.extraVolumes "context" $) | nindent 8 }}
{{- end }}

87
bitnami/cert-manager/templates/webhook/rbac.yaml Normal file
View File

@@ -0,0 +1,87 @@
{{- if .Values.rbac.create }}
---
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: Role
metadata:
name: {{ printf "%s-dynamic-serving" (include "certmanager.webhook.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: webhook
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
- apiGroups: [""]
resources: ["secrets"]
resourceNames:
- '{{ template "certmanager.webhook.fullname" . }}-ca'
verbs: ["get", "list", "watch", "update"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
---
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: RoleBinding
metadata:
name: {{ printf "%s-dynamic-serving" (include "certmanager.webhook.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: webhook
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ printf "%s-dynamic-serving" (include "certmanager.webhook.fullname" .) | trunc 63 | trimSuffix "-" }}
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ template "certmanager.webhook.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
---
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: ClusterRole
metadata:
name: {{ printf "%s-subjectaccessreviews" (include "certmanager.webhook.fullname" .) | trunc 63 | trimSuffix "-" }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: webhook
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
---
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: ClusterRoleBinding
metadata:
name: {{ printf "%s-subjectaccessreviews" (include "certmanager.webhook.fullname" .) | trunc 63 | trimSuffix "-" }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: webhook
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ printf "%s-subjectaccessreviews" (include "certmanager.webhook.fullname" .) | trunc 63 | trimSuffix "-" }}
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ template "certmanager.webhook.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
{{- end -}}

17
bitnami/cert-manager/templates/webhook/service.yaml Normal file
View File

@@ -0,0 +1,17 @@
{{- if .Values.metrics.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "certmanager.webhook.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: webhook
spec:
type: ClusterIP
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: webhook
ports:
- name: https
port: {{ .Values.webhook.httpsPort }}
targetPort: {{ .Values.webhook.containerPort }}
{{- end }}

14
bitnami/cert-manager/templates/webhook/serviceaccount.yaml Normal file
View File

@@ -0,0 +1,14 @@
{{- if .Values.webhook.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: true
metadata:
labels:
app.kubernetes.io/component: webhook
{{- include "common.labels.standard" . | nindent 4 }}
name: {{ template "certmanager.webhook.serviceAccountName" . }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}

846
bitnami/cert-manager/values.yaml Normal file
View File

@@ -0,0 +1,846 @@
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry and imagePullSecrets
## @section Global parameters
## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.storageClass Global StorageClass for Persistent Volume(s)
##
global:
imageRegistry:
imagePullSecrets: []
storageClass:
## @section Common parameters
## @param kubeVersion Override Kubernetes version
##
kubeVersion:
## @param nameOverride String to partially override common.names.fullname
##
nameOverride:
## @param fullnameOverride String to fully override common.names.fullname
##
fullnameOverride:
## @param commonLabels Labels to add to all deployed objects
##
commonLabels: {}
## @param commonAnnotations Annotations to add to all deployed objects
##
commonAnnotations: {}
## @param extraDeploy Array of extra objects to deploy with the release
##
extraDeploy: []
## @param logLevel Set up cert manager log level
##
logLevel: 2
## Cert Manager leader Election
leaderElection:
## @param leaderElection.namespace Namespace which leaderElection works.
##
namespace: "kube-system"
## @param installCRDs Flag to install Cert Manager CRDs
##
installCRDs: false
## @param replicaCount Number of Cert Manager replicas
##
replicaCount: 1
## @section Controller deployment parameters
## Controller deployment parameters
##
controller:
## @param controller.replicaCount Number of Controller replicas
##
replicaCount: 1
## Bitnami Cert Manager image
## ref: https://hub.docker.com/r/bitnami/cert-manager/tags/
##
image:
## @param controller.image.registry Controller image registry
##
registry: docker.io
## @param controller.image.repository Controller image repository
##
repository: bitnami/cert-manager
## @param controller.image.tag Controller image tag (immutabe tags are recommended)
##
tag: 1.3.1-debian-10-r31
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
## @param controller.image.pullPolicy Controller image pull policy
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## E.g:
## pullSecrets:
## - myRegistryKeySecretName
## @param controller.image.pullSecrets Controller image pull secrets
##
pullSecrets: []
## Set to true if you would like to see extra information on logs
##
## @param controller.image.debug Controller image debug mode
debug: false
acmesolver:
image:
## @param controller.acmesolver.image.registry Controller image registry
##
registry: docker.io
## @param controller.acmesolver.image.repository Controller image repository
##
repository: bitnami/acmesolver
## @param controller.acmesolver.image.tag Controller image tag (immutabe tags are recommended)
##
tag: 1.3.1-debian-10-r30
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
## @param controller.acmesolver.image.pullPolicy Controller image pull policy
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## E.g:
## pullSecrets:
## - myRegistryKeySecretName
## @param controller.acmesolver.image.pullSecrets Controller image pull secrets
##
pullSecrets: []
## Set to true if you would like to see extra information on logs
##
## @param controller.acmesolver.image.debug Controller image debug mode
debug: false
## Controller containers' resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources:
## @param controller.resources.limits The resources limits for the Controller container
##
limits: {}
## @param controller.resources.requests The requested resources for the Controller container
##
requests: {}
## controller pods' Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param controller.podSecurityContext.enabled Enabled Controller pods' Security Context
## @param controller.podSecurityContext.fsGroup Set Controller pod's Security Context fsGroup
##
podSecurityContext:
enabled: true
fsGroup: 1001
## controller containers' Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param controller.containerSecurityContext.enabled Enabled Controller containers' Security Context
## @param controller.containerSecurityContext.runAsUser Set Controller container's Security Context runAsUser
## @param controller.containerSecurityContext.runAsNonRoot Set Controller container's Security Context runAsNonRoot
##
containerSecurityContext:
enabled: true
runAsUser: 1001
runAsNonRoot: true
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
## @param controller.podAffinityPreset Pod affinity preset. Ignored if `controller.affinity` is set. Allowed values: `soft` or `hard`
##
podAffinityPreset: ""
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
## @param controller.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `controller.affinity` is set. Allowed values: `soft` or `hard`
##
podAntiAffinityPreset: soft
## Node affinity preset
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
##
nodeAffinityPreset:
## @param controller.nodeAffinityPreset.type Node affinity preset type. Ignored if `controller.affinity` is set. Allowed values: `soft` or `hard`
##
type: ""
## @param controller.nodeAffinityPreset.key Node label key to match. Ignored if `controller.affinity` is set
##
key: ""
## @param controller.nodeAffinityPreset.values Node label values to match. Ignored if `controller.affinity` is set
## E.g.
## values:
## - e2e-az1
## - e2e-az2
##
values: []
## @param controller.affinity Affinity for Cert Manager Controller
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
## NOTE: `controller.podAffinityPreset`, `controller.podAntiAffinityPreset`, and `controller.nodeAffinityPreset` will be ignored when it's set
##
affinity: {}
## ref: https://kubernetes.io/docs/user-guide/node-selection/
## @param controller.nodeSelector Node labels for pod assignment
##
nodeSelector: {}
## Controller Container port
## @param controller.containerPort Controller container port
##
containerPort: 9402
## @param controller.command Override Controller default command
##
command: []
## @param controller.args Override Controller default args
##
args: []
## @param controller.priorityClassName Controller pod priority class name
##
priorityClassName:
## @param controller.hostAliases Custom host aliases for Controller pods
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
##
hostAliases: []
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
## @param controller.tolerations Tolerations for pod assignment
##
tolerations: []
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
## @param controller.podLabels Extra labels for Controller pods
##
podLabels: {}
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
## @param controller.podAnnotations Annotations for Controller pods
##
podAnnotations: {}
## @param controller.lifecycleHooks Add lifecycle hooks to the Controller deployment
##
lifecycleHooks: {}
updateStrategy:
## @param controller.updateStrategy.type Controller deployment update strategy
type: RollingUpdate
## @param controller.updateStrategy.rollingUpdate Controller deployment rolling update configuration parameters
rollingUpdate: {}
## @param controller.extraEnvVars Add extra environment variables to the Controller container
## E.g:
## extraEnvVars:
## - name: FOO
## value: "bar"
##
extraEnvVars: []
## @param controller.extraEnvVarsCM Name of existing ConfigMap containing extra env vars
##
extraEnvVarsCM:
## @param controller.extraEnvVarsSecret Name of existing Secret containing extra env vars
##
extraEnvVarsSecret:
## @param controller.extraVolumes Optionally specify extra list of additional volumes for Controller pods
##
extraVolumes: []
## @param controller.extraVolumeMounts Optionally specify extra list of additional volumeMounts for Controller container(s)
##
extraVolumeMounts: []
## @param controller.initContainers Add additional init containers to the Controller pods
## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
## E.g:
## initContainers:
## - name: your-image-name
## image: your-image
## imagePullPolicy: Always
## ports:
## - name: portname
## containerPort: 1234
##
initContainers: {}
## @param controller.sidecars Add additional sidecar containers to the Controller pod
## E.g:
## sidecars:
## - name: your-image-name
## image: your-image
## imagePullPolicy: Always
## ports:
## - name: portname
## containerPort: 1234
##
sidecars: {}
## ServiceAccount configuration
##
serviceAccount:
## @param controller.serviceAccount.create Specifies whether a ServiceAccount should be created
##
create: true
## @param controller.serviceAccount.name The name of the ServiceAccount to use.
## If not set and create is true, a name is generated using the common.names.fullname template
##
name: ""
## @param controller.serviceAccount.annotations Additional custom annotations for the ServiceAccount
##
annotations: {}
## @section Webhook deployment parameters
## Webhook deployment parameters
##
webhook:
## @param webhook.replicaCount Number of Webhook replicas
##
replicaCount: 1
## Bitnami Cert Manager Webhook image
## ref: https://hub.docker.com/r/bitnami/cert-manager-webhook/tags/
##
image:
## @param webhook.image.registry Webhook image registry
##
registry: docker.io
## @param webhook.image.repository Webhook image repository
##
repository: bitnami/cert-manager-webhook
## @param webhook.image.tag Webhook image tag (immutabe tags are recommended)
##
tag: 1.3.1-debian-10-r23
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
## @param webhook.image.pullPolicy Webhook image pull policy
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## E.g:
## pullSecrets:
## - myRegistryKeySecretName
## @param webhook.image.pullSecrets Webhook image pull secrets
##
pullSecrets: []
## Set to true if you would like to see extra information on logs
##
## @param webhook.image.debug Webhook image debug mode
debug: false
## Webhook containers' resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources:
## @param webhook.resources.limits The resources limits for the Webhook container
##
limits: {}
## @param webhook.resources.requests The requested resources for the Webhook container
##
requests: {}
## webhook pods' Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param webhook.podSecurityContext.enabled Enabled Webhook pods' Security Context
## @param webhook.podSecurityContext.fsGroup Set Webhook pod's Security Context fsGroup
##
podSecurityContext:
enabled: true
fsGroup: 1001
## webhook containers' Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param webhook.containerSecurityContext.enabled Enabled Webhook containers' Security Context
## @param webhook.containerSecurityContext.runAsUser Set Webhook container's Security Context runAsUser
## @param webhook.containerSecurityContext.runAsNonRoot Set Webhook container's Security Context runAsNonRoot
##
containerSecurityContext:
enabled: true
runAsUser: 1001
runAsNonRoot: true
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
## @param webhook.podAffinityPreset Pod affinity preset. Ignored if `webhook.affinity` is set. Allowed values: `soft` or `hard`
##
podAffinityPreset: ""
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
## @param webhook.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `webhook.affinity` is set. Allowed values: `soft` or `hard`
##
podAntiAffinityPreset: soft
## Node affinity preset
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
##
nodeAffinityPreset:
## @param webhook.nodeAffinityPreset.type Node affinity preset type. Ignored if `webhook.affinity` is set. Allowed values: `soft` or `hard`
##
type: ""
## @param webhook.nodeAffinityPreset.key Node label key to match. Ignored if `webhook.affinity` is set
##
key: ""
## @param webhook.nodeAffinityPreset.values Node label values to match. Ignored if `webhook.affinity` is set
## E.g.
## values:
## - e2e-az1
## - e2e-az2
##
values: []
## @param webhook.affinity Affinity for Cert Manager Webhook
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
## NOTE: `webhook.podAffinityPreset`, `webhook.podAntiAffinityPreset`, and `webhook.nodeAffinityPreset` will be ignored when it's set
##
affinity: {}
## ref: https://kubernetes.io/docs/user-guide/node-selection/
## @param webhook.nodeSelector Node labels for pod assignment
##
nodeSelector: {}
## Webhook Container port
## @param webhook.containerPort Webhook container port
##
containerPort: 10250
## Webhook https port
## @param webhook.httpsPort Webhook container port
##
httpsPort: 443
## @param webhook.command Override Webhook default command
##
command: []
## @param webhook.args Override Webhook default args
##
args: []
## @param webhook.livenessProbe.enabled Enable livenessProbe
## @param webhook.livenessProbe.path Path for livenessProbe
## @param webhook.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
## @param webhook.livenessProbe.periodSeconds Period seconds for livenessProbe
## @param webhook.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
## @param webhook.livenessProbe.failureThreshold Failure threshold for livenessProbe
## @param webhook.livenessProbe.successThreshold Success threshold for livenessProbe
##
livenessProbe:
enabled: true
path: /livez
initialDelaySeconds: 60
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
## @param webhook.readinessProbe.enabled Enable readinessProbe
## @param webhook.readinessProbe.path Path for readinessProbe
## @param webhook.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
## @param webhook.readinessProbe.periodSeconds Period seconds for readinessProbe
## @param webhook.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
## @param webhook.readinessProbe.failureThreshold Failure threshold for readinessProbe
## @param webhook.readinessProbe.successThreshold Success threshold for readinessProbe
##
readinessProbe:
enabled: true
path: /healthz
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
## Custom Startup probes for webhook
## @param webhook.customStartupProbe Override default startup probe
##
customStartupProbe: {}
## Custom Liveness probes for webhook
## @param webhook.customLivenessProbe Override default liveness probe
##
customLivenessProbe: {}
## Custom Rediness probes webhook
## @param webhook.customReadinessProbe Override default readiness probe
##
customReadinessProbe: {}
## @param webhook.priorityClassName Webhook pod priority class name
##
priorityClassName:
## @param webhook.hostAliases Custom host aliases for Webhook pods
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
##
hostAliases: []
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
## @param webhook.tolerations Tolerations for pod assignment
##
tolerations: []
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
## @param webhook.podLabels Extra labels for Webhook pods
##
podLabels: {}
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
## @param webhook.podAnnotations Annotations for Webhook pods
##
podAnnotations: {}
## @param webhook.lifecycleHooks Add lifecycle hooks to the Webhook deployment
##
lifecycleHooks: {}
updateStrategy:
## @param webhook.updateStrategy.type Webhook deployment update strategy
type: RollingUpdate
## @param webhook.updateStrategy.rollingUpdate Controller deployment rolling update configuration parameters
rollingUpdate: {}
## @param webhook.extraEnvVars Add extra environment variables to the Webhook container
## E.g:
## extraEnvVars:
## - name: FOO
## value: "bar"
##
extraEnvVars: []
## @param webhook.extraEnvVarsCM Name of existing ConfigMap containing extra env vars
##
extraEnvVarsCM:
## @param webhook.extraEnvVarsSecret Name of existing Secret containing extra env vars
##
extraEnvVarsSecret:
## @param webhook.extraVolumes Optionally specify extra list of additional volumes for Webhook pods
##
extraVolumes: []
## @param webhook.extraVolumeMounts Optionally specify extra list of additional volumeMounts for Webhook container(s)
##
extraVolumeMounts: []
## @param webhook.initContainers Add additional init containers to the Webhook pods
## E.g:
## initContainers:
## - name: your-image-name
## image: your-image
## imagePullPolicy: Always
## ports:
## - name: portname
## containerPort: 1234
##
initContainers: {}
## @param webhook.sidecars Add additional sidecar containers to the Webhook pod
## E.g:
## sidecars:
## - name: your-image-name
## image: your-image
## imagePullPolicy: Always
## ports:
## - name: portname
## containerPort: 1234
##
sidecars: {}
## ServiceAccount configuration
##
serviceAccount:
## @param webhook.serviceAccount.create Specifies whether a ServiceAccount should be created
##
create: true
## @param webhook.serviceAccount.name The name of the ServiceAccount to use.
## If not set and create is true, a name is generated using the common.names.fullname template
##
name: ""
## @param webhook.serviceAccount.annotations Additional custom annotations for the ServiceAccount
##
annotations: {}
## @section CAInjector deployment parameters
## CAInjector deployment parameters
##
cainjector:
## @param cainjector.replicaCount Number of CAInjector replicas
##
replicaCount: 1
## Bitnami CAInjector image
## ref: https://hub.docker.com/r/bitnami/cainjector/tags/
##
image:
## @param cainjector.image.registry CAInjector image registry
##
registry: docker.io
## @param cainjector.image.repository CAInjector image repository
##
repository: bitnami/cainjector
## @param cainjector.image.tag CAInjector image tag (immutabe tags are recommended)
##
tag: 1.3.1-debian-10-r24
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
## @param cainjector.image.pullPolicy CAInjector image pull policy
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## E.g:
## pullSecrets:
## - myRegistryKeySecretName
## @param cainjector.image.pullSecrets CAInjector image pull secrets
##
pullSecrets: []
## Set to true if you would like to see extra information on logs
##
## @param cainjector.image.debug CAInjector image debug mode
debug: false
## CAInjector containers' resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources:
## @param cainjector.resources.limits The resources limits for the CAInjector container
##
limits: {}
## @param cainjector.resources.requests The requested resources for the CAInjector container
##
requests: {}
## cainjector pods' Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param cainjector.podSecurityContext.enabled Enabled CAInjector pods' Security Context
## @param cainjector.podSecurityContext.fsGroup Set CAInjector pod's Security Context fsGroup
##
podSecurityContext:
enabled: true
fsGroup: 1001
## cainjector containers' Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param cainjector.containerSecurityContext.enabled Enabled CAInjector containers' Security Context
## @param cainjector.containerSecurityContext.runAsUser Set CAInjector container's Security Context runAsUser
## @param cainjector.containerSecurityContext.runAsNonRoot Set CAInjector container's Security Context runAsNonRoot
##
containerSecurityContext:
enabled: true
runAsUser: 1001
runAsNonRoot: true
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
## @param cainjector.podAffinityPreset Pod affinity preset. Ignored if `cainjector.affinity` is set. Allowed values: `soft` or `hard`
##
podAffinityPreset: ""
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
## @param cainjector.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `cainjector.affinity` is set. Allowed values: `soft` or `hard`
##
podAntiAffinityPreset: soft
## Node affinity preset
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
##
nodeAffinityPreset:
## @param cainjector.nodeAffinityPreset.type Node affinity preset type. Ignored if `cainjector.affinity` is set. Allowed values: `soft` or `hard`
##
type: ""
## @param cainjector.nodeAffinityPreset.key Node label key to match. Ignored if `cainjector.affinity` is set
##
key: ""
## @param cainjector.nodeAffinityPreset.values Node label values to match. Ignored if `cainjector.affinity` is set
## E.g.
## values:
## - e2e-az1
## - e2e-az2
##
values: []
## @param cainjector.affinity Affinity for Cert Manager CAInjector
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
## NOTE: `cainjector.podAffinityPreset`, `cainjector.podAntiAffinityPreset`, and `cainjector.nodeAffinityPreset` will be ignored when it's set
##
affinity: {}
## ref: https://kubernetes.io/docs/user-guide/node-selection/
## @param cainjector.nodeSelector Node labels for pod assignment
##
nodeSelector: {}
## @param cainjector.command Override CAInjector default command
##
command: []
## @param cainjector.args Override CAInjector default args
##
args: []
## @param cainjector.priorityClassName CAInjector pod priority class name
##
priorityClassName:
## @param cainjector.hostAliases Custom host aliases for CAInjector pods
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
##
hostAliases: []
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
## @param cainjector.tolerations Tolerations for pod assignment
##
tolerations: []
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
## @param cainjector.podLabels Extra labels for CAInjector pods
##
podLabels: {}
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
## @param cainjector.podAnnotations Annotations for CAInjector pods
##
podAnnotations: {}
## @param cainjector.lifecycleHooks Add lifecycle hooks to the CAInjector deployment
##
lifecycleHooks: {}
updateStrategy:
## @param cainjector.updateStrategy.type Controller deployment update strategy
type: RollingUpdate
## @param cainjector.updateStrategy.rollingUpdate Controller deployment rolling update configuration parameters
rollingUpdate: {}
## @param cainjector.extraEnvVars Add extra environment variables to the CAInjector container
## E.g:
## extraEnvVars:
## - name: FOO
## value: "bar"
##
extraEnvVars: []
## @param cainjector.extraEnvVarsCM Name of existing ConfigMap containing extra env vars
##
extraEnvVarsCM:
## @param cainjector.extraEnvVarsSecret Name of existing Secret containing extra env vars
##
extraEnvVarsSecret:
## @param cainjector.extraVolumes Optionally specify extra list of additional volumes for CAInjector pods
##
extraVolumes: []
## @param cainjector.extraVolumeMounts Optionally specify extra list of additional volumeMounts for CAInjector container(s)
##
extraVolumeMounts: []
## @param cainjector.initContainers Add additional init containers to the CAInjector pods
## E.g:
## initContainers:
## - name: your-image-name
## image: your-image
## imagePullPolicy: Always
## ports:
## - name: portname
## containerPort: 1234
##
initContainers: {}
## @param cainjector.sidecars Add additional sidecar containers to the CAInjector pod
## E.g:
## sidecars:
## - name: your-image-name
## image: your-image
## imagePullPolicy: Always
## ports:
## - name: portname
## containerPort: 1234
##
sidecars: {}
## ServiceAccount configuration
##
serviceAccount:
## @param cainjector.serviceAccount.create Specifies whether a ServiceAccount should be created
##
create: true
## @param cainjector.serviceAccount.name The name of the ServiceAccount to use.
## If not set and create is true, a name is generated using the common.names.fullname template
##
name: ""
## @param cainjector.serviceAccount.annotations Additional custom annotations for the ServiceAccount
##
annotations: {}
## @section Metrics Parameters
metrics:
## @param metrics.enabled Start metrics
##
enabled: true
## Prometheus Service Monitor
## ref: https://github.com/coreos/prometheus-operator
## https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
##
## @param metrics.podAnnotations [object] Annotations for Cert Manager exporter pods
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
podAnnotations:
prometheus.io/path: "/metrics"
prometheus.io/scrape: "true"
prometheus.io/port: "{{ .Values.controller.containerPort }}"
serviceMonitor:
## @param metrics.serviceMonitor.enabled Create ServiceMonitor resource(s) for scraping metrics using PrometheusOperator
##
enabled: false
## @param metrics.serviceMonitor.namespace The namespace in which the ServiceMonitor will be created
##
namespace:
## @param metrics.serviceMonitor.interval The interval at which metrics should be scraped
##
interval: 60s
## @param metrics.serviceMonitor.path The path which the ServiceMonitor will monitor
##
path: /metrics
## @param metrics.serviceMonitor.scrapeTimeout The timeout after which the scrape is ended
##
scrapeTimeout: 30s
## @param metrics.serviceMonitor.targetPort The port in which the ServiceMonitor will monitor
##
targetPort: 9402
## @param metrics.serviceMonitor.additionalLabels Additional labels that can be used so ServiceMonitor resource(s) can be discovered by Prometheus
##
additionalLabels: {}
## @section Other Parameters
## RBAC configuration
##
rbac:
## @param rbac.create Specifies whether RBAC resources should be created
##
create: true