Add acme.cert-manager.io API group and move Orders & Challenges #2093

Merged
merged 13 commits into from Sep 23, 2019
1 change: 1 addition & 0 deletions BUILD.bazel
@@ -49,6 +49,7 @@ filegroup(
"//pkg/apis:all-srcs",
"//pkg/client/clientset/versioned:all-srcs",
"//pkg/client/informers/externalversions:all-srcs",
"//pkg/client/listers/acme/v1alpha2:all-srcs",
"//pkg/client/listers/certmanager/v1alpha2:all-srcs",
"//pkg/controller:all-srcs",
"//pkg/feature:all-srcs",
27 changes: 17 additions & 10 deletions deploy/charts/cert-manager/templates/rbac.yaml
@@ -88,17 +88,17 @@ rules:
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
verbs: ["update"]
- apiGroups: ["certmanager.k8s.io"]
resources: ["certificates", "certificaterequests", "clusterissuers", "issuers", "orders"]
resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
verbs: ["get", "list", "watch"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["certmanager.k8s.io"]
resources: ["certificates/finalizers"]
verbs: ["update"]
- apiGroups: ["certmanager.k8s.io"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders"]
verbs: ["create", "delete"]
verbs: ["create", "delete", "get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
@@ -120,19 +120,22 @@ metadata:
app.kubernetes.io/managed-by: {{ .Release.Service }}
helm.sh/chart: {{ template "cert-manager.chart" . }}
rules:
- apiGroups: ["certmanager.k8s.io"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders", "orders/status"]
verbs: ["update"]
- apiGroups: ["certmanager.k8s.io"]
resources: ["orders", "clusterissuers", "issuers", "challenges"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders", "challenges"]
verbs: ["get", "list", "watch"]
- apiGroups: ["certmanager.k8s.io"]
resources: ["clusterissuers", "issuers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges"]
verbs: ["create", "delete"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["certmanager.k8s.io"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders/finalizers"]
verbs: ["update"]
- apiGroups: [""]
@@ -157,12 +160,16 @@ metadata:
helm.sh/chart: {{ template "cert-manager.chart" . }}
rules:
# Use to update challenge resource status
- apiGroups: ["certmanager.k8s.io"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges", "challenges/status"]
verbs: ["update"]
# Used to watch challenge resources
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges"]
verbs: ["get", "list", "watch"]
# Used to watch challenges, issuer and clusterissuer resources
- apiGroups: ["certmanager.k8s.io"]
resources: ["challenges", "issuers", "clusterissuers"]
resources: ["issuers", "clusterissuers"]
verbs: ["get", "list", "watch"]
# Need to be able to retrieve ACME account private key to complete challenges
- apiGroups: [""]
@@ -190,7 +197,7 @@ rules:
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["certmanager.k8s.io"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges/finalizers"]
verbs: ["update"]
# DNS01 rules (duplicated above)
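Review bot: The context comment `# Used to watch challenges, issuer and clusterissuer resources` above the certmanager.k8s.io rule in the third hunk is stale on the new side, since that rule now lists only `issuers` and `clusterissuers` and challenges are covered by the new acme.cert-manager.io rule that carries its own comment; change it to `# Used to watch issuer and clusterissuer resources`. The verb sets on each moved resource match the old certmanager.k8s.io rules (the first hunk folds orders get/list/watch into the existing create/delete rule), so the group move does not widen any of these roles. If orders or challenges CRDs are kept under certmanager.k8s.io during migration, these roles no longer grant the controllers access to them, which is worth confirming against the CRD manifests that are not in this file. The ClusterRole each hunk belongs to begins outside the hunk, so the role names are not visible here.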