From 18db213b89eec90a68006d23121a9f5bfb27b6d5 Mon Sep 17 00:00:00 2001
From: Bitnami Containers
Date: Fri, 3 Jul 2020 00:48:34 +0000
Subject: [PATCH 01/11] cert-manager: component image updated to 'bitnami/cert-manager:0.15.2-debian-10-r0'
Signed-off-by: Bitnami Containers
---
 manifests/components/images.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/components/images.json b/manifests/components/images.json
index 6568a50dae..08516b6abc 100644
--- a/manifests/components/images.json
+++ b/manifests/components/images.json
@@ -1,7 +1,7 @@
 {
 "addon-resizer": "k8s.gcr.io/addon-resizer:1.8.7",
 "alertmanager": "bitnami/alertmanager:0.21.0-debian-10-r4",
- "cert-manager": "bitnami/cert-manager:0.14.3-debian-10-r6",
+ "cert-manager": "bitnami/cert-manager:0.15.2-debian-10-r0",
 "cert-manager-acmesolver": "quay.io/jetstack/cert-manager-acmesolver:v0.14.3",
 "configmap-reload": "bitnami/configmap-reload:0.3.0-debian-10-r85",
 "elasticsearch": "bitnami/elasticsearch:7.8.0-debian-10-r1",
From 4a60062bdb10987bdb6a39fda5251213470a1a01 Mon Sep 17 00:00:00 2001
From: Bitnami Containers
Date: Sat, 4 Jul 2020 00:48:34 +0000
Subject: [PATCH 02/11] cert-manager: component image updated to 'bitnami/cert-manager:0.15.2-debian-10-r1'
Signed-off-by: Bitnami Containers
---
 manifests/components/images.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/components/images.json b/manifests/components/images.json
index 08516b6abc..3adc7bd6bb 100644
--- a/manifests/components/images.json
+++ b/manifests/components/images.json
@@ -1,7 +1,7 @@
 {
 "addon-resizer": "k8s.gcr.io/addon-resizer:1.8.7",
 "alertmanager": "bitnami/alertmanager:0.21.0-debian-10-r4",
- "cert-manager": "bitnami/cert-manager:0.15.2-debian-10-r0",
+ "cert-manager": "bitnami/cert-manager:0.15.2-debian-10-r1",
 "cert-manager-acmesolver": "quay.io/jetstack/cert-manager-acmesolver:v0.14.3",
 "configmap-reload": "bitnami/configmap-reload:0.3.0-debian-10-r85",
 "elasticsearch": "bitnami/elasticsearch:7.8.0-debian-10-r1",
From 60db1605a37c5542912ac15cf66e6d3129ad44ca Mon Sep 17 00:00:00 2001
From: Bitnami Containers
Date: Sun, 5 Jul 2020 00:48:51 +0000
Subject: [PATCH 03/11] cert-manager: component image updated to 'bitnami/cert-manager:0.15.2-debian-10-r2'
Signed-off-by: Bitnami Containers
---
 manifests/components/images.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/components/images.json b/manifests/components/images.json
index 3adc7bd6bb..5023160a07 100644
--- a/manifests/components/images.json
+++ b/manifests/components/images.json
@@ -1,7 +1,7 @@
 {
 "addon-resizer": "k8s.gcr.io/addon-resizer:1.8.7",
 "alertmanager": "bitnami/alertmanager:0.21.0-debian-10-r4",
- "cert-manager": "bitnami/cert-manager:0.15.2-debian-10-r1",
+ "cert-manager": "bitnami/cert-manager:0.15.2-debian-10-r2",
 "cert-manager-acmesolver": "quay.io/jetstack/cert-manager-acmesolver:v0.14.3",
 "configmap-reload": "bitnami/configmap-reload:0.3.0-debian-10-r85",
 "elasticsearch": "bitnami/elasticsearch:7.8.0-debian-10-r1",
From eeb123ca83803efdeeb9dbad4e795888d39c3473 Mon Sep 17 00:00:00 2001
From: Bitnami Containers
Date: Mon, 6 Jul 2020 00:48:34 +0000
Subject: [PATCH 04/11] cert-manager: component image updated to 'bitnami/cert-manager:0.15.2-debian-10-r3'
Signed-off-by: Bitnami Containers
---
 manifests/components/images.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/components/images.json b/manifests/components/images.json
index 5023160a07..adeb0c4d72 100644
--- a/manifests/components/images.json
+++ b/manifests/components/images.json
@@ -1,7 +1,7 @@
 {
 "addon-resizer": "k8s.gcr.io/addon-resizer:1.8.7",
 "alertmanager": "bitnami/alertmanager:0.21.0-debian-10-r4",
- "cert-manager": "bitnami/cert-manager:0.15.2-debian-10-r2",
+ "cert-manager": "bitnami/cert-manager:0.15.2-debian-10-r3",
 "cert-manager-acmesolver": "quay.io/jetstack/cert-manager-acmesolver:v0.14.3",
 "configmap-reload": "bitnami/configmap-reload:0.3.0-debian-10-r85",
 "elasticsearch": "bitnami/elasticsearch:7.8.0-debian-10-r1",
From c8d9bf6465d65dfcbe69dd7dbd6e217e4b90afaf Mon Sep 17 00:00:00 2001
From: Bitnami Containers
Date: Tue, 7 Jul 2020 00:49:38 +0000
Subject: [PATCH 05/11] cert-manager: component image updated to 'bitnami/cert-manager:0.15.2-debian-10-r4'
Signed-off-by: Bitnami Containers
---
 manifests/components/images.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/components/images.json b/manifests/components/images.json
index adeb0c4d72..e5851b6a24 100644
--- a/manifests/components/images.json
+++ b/manifests/components/images.json
@@ -1,7 +1,7 @@
 {
 "addon-resizer": "k8s.gcr.io/addon-resizer:1.8.7",
 "alertmanager": "bitnami/alertmanager:0.21.0-debian-10-r4",
- "cert-manager": "bitnami/cert-manager:0.15.2-debian-10-r3",
+ "cert-manager": "bitnami/cert-manager:0.15.2-debian-10-r4",
 "cert-manager-acmesolver": "quay.io/jetstack/cert-manager-acmesolver:v0.14.3",
 "configmap-reload": "bitnami/configmap-reload:0.3.0-debian-10-r85",
 "elasticsearch": "bitnami/elasticsearch:7.8.0-debian-10-r1",
From 6b924e3a55e8eaed3aacce8f129ac768ada3769c Mon Sep 17 00:00:00 2001
From: Bitnami Containers
Date: Wed, 8 Jul 2020 00:48:52 +0000
Subject: [PATCH 06/11] cert-manager: component image updated to 'bitnami/cert-manager:0.15.2-debian-10-r5'
Signed-off-by: Bitnami Containers
---
 manifests/components/images.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/components/images.json b/manifests/components/images.json
index e5851b6a24..21551b79cd 100644
--- a/manifests/components/images.json
+++ b/manifests/components/images.json
@@ -1,7 +1,7 @@
 {
 "addon-resizer": "k8s.gcr.io/addon-resizer:1.8.7",
 "alertmanager": "bitnami/alertmanager:0.21.0-debian-10-r4",
- "cert-manager": "bitnami/cert-manager:0.15.2-debian-10-r4",
+ "cert-manager": "bitnami/cert-manager:0.15.2-debian-10-r5",
 "cert-manager-acmesolver": "quay.io/jetstack/cert-manager-acmesolver:v0.14.3",
 "configmap-reload": "bitnami/configmap-reload:0.3.0-debian-10-r85",
 "elasticsearch": "bitnami/elasticsearch:7.8.0-debian-10-r1",
From 1019886f7facbde1aa1164d9c8b0e01939de3972 Mon Sep 17 00:00:00 2001
From: Javier Salmeron Garcia
Date: Wed, 8 Jul 2020 10:38:07 +0200
Subject: [PATCH 07/11] Remove deprecated parameter
---
 manifests/components/cert-manager.jsonnet | 697 +++++++++++-----------
 1 file changed, 348 insertions(+), 349 deletions(-)
diff --git a/manifests/components/cert-manager.jsonnet b/manifests/components/cert-manager.jsonnet
index 62a34997f4..ae9f27287f 100644
--- a/manifests/components/cert-manager.jsonnet
+++ b/manifests/components/cert-manager.jsonnet
@@ -17,385 +17,384 @@ * limitations under the License. */ -local kube = import "../vendor/github.com/bitnami-labs/kube-libsonnet/kube.libsonnet"; -local kubecfg = import "kubecfg.libsonnet"; -local CERT_MANAGER_IMAGE = (import "images.json")["cert-manager"]; -local CERT_MANAGER_ACMESOLVER_IMAGE = (import "images.json")["cert-manager-acmesolver"]; +local kube = import '../vendor/github.com/bitnami-labs/kube-libsonnet/kube.libsonnet'; +local kubecfg = import 'kubecfg.libsonnet'; +local CERT_MANAGER_IMAGE = (import 'images.json')['cert-manager']; +local CERT_MANAGER_ACMESOLVER_IMAGE = (import 'images.json')['cert-manager-acmesolver']; { - p:: "", - metadata:: { - metadata+: { - namespace: "kubeprod", + p:: '', + metadata:: { + metadata+: { + namespace: 'kubeprod', + }, }, - }, - letsencrypt_contact_email:: error "Letsencrypt contact e-mail is undefined", + letsencrypt_contact_email:: error 'Letsencrypt contact e-mail is undefined', - // Letsencrypt environments - letsencrypt_environments:: { - prod: $.letsencryptProd.metadata.name, - staging: $.letsencryptStaging.metadata.name, - }, - // Letsencrypt environment (defaults to the production one) - letsencrypt_environment:: "prod", + // Letsencrypt environments + letsencrypt_environments:: { + prod: $.letsencryptProd.metadata.name, + staging: $.letsencryptStaging.metadata.name, + }, + // Letsencrypt environment (defaults to the production one) + letsencrypt_environment:: 'prod', - Issuer(name):: kube._Object("cert-manager.io/v1alpha2", "Issuer", name) { - }, + Issuer(name):: kube._Object('cert-manager.io/v1alpha2', 'Issuer', name) { + }, - ClusterIssuer(name):: kube._Object("cert-manager.io/v1alpha2", "ClusterIssuer", name) { - }, + ClusterIssuer(name):: kube._Object('cert-manager.io/v1alpha2', 'ClusterIssuer', name) { + }, - CRDS: kubecfg.parseYaml(importstr "crds/cert-manager.yaml"), + CRDS: kubecfg.parseYaml(importstr 'crds/cert-manager.yaml'), - sa: kube.ServiceAccount($.p + "cert-manager") + $.metadata, + sa: 
kube.ServiceAccount($.p + 'cert-manager') + $.metadata, - certificatesClusterRole: kube.ClusterRole($.p + "cert-manager-certificates") { - rules: [ - { - apiGroups: ["cert-manager.io"], - resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"], - verbs: ["update"], - }, - { - apiGroups: ["cert-manager.io"], - resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"], - verbs: ["get", "list", "watch"], - }, - // We require these rules to support users with the OwnerReferencesPermissionEnforcement - // admission controller enabled: - // https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - { - apiGroups: ["cert-manager.io"], - resources: ["certificates/finalizers", "certificaterequests/finalizers"], - verbs: ["update"], - }, - { - apiGroups: ["acme.cert-manager.io"], - resources: ["orders"], - verbs: ["create", "delete", "get", "list", "watch"], - }, - { - apiGroups: [""], - resources: ["secrets"], - verbs: ["get", "list", "watch", "create", "update", "delete"], - }, - { - apiGroups: [""], - resources: ["events"], - verbs: ["create", "patch"], - }, - ], - }, + certificatesClusterRole: kube.ClusterRole($.p + 'cert-manager-certificates') { + rules: [ + { + apiGroups: ['cert-manager.io'], + resources: ['certificates', 'certificates/status', 'certificaterequests', 'certificaterequests/status'], + verbs: ['update'], + }, + { + apiGroups: ['cert-manager.io'], + resources: ['certificates', 'certificaterequests', 'clusterissuers', 'issuers'], + verbs: ['get', 'list', 'watch'], + }, + // We require these rules to support users with the OwnerReferencesPermissionEnforcement + // admission controller enabled: + // https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + { + apiGroups: ['cert-manager.io'], + resources: ['certificates/finalizers', 'certificaterequests/finalizers'], + 
verbs: ['update'], + }, + { + apiGroups: ['acme.cert-manager.io'], + resources: ['orders'], + verbs: ['create', 'delete', 'get', 'list', 'watch'], + }, + { + apiGroups: [''], + resources: ['secrets'], + verbs: ['get', 'list', 'watch', 'create', 'update', 'delete'], + }, + { + apiGroups: [''], + resources: ['events'], + verbs: ['create', 'patch'], + }, + ], + }, - certificatesClusterRoleBinding: kube.ClusterRoleBinding($.p + "cert-manager-certificates") { - roleRef_: $.certificatesClusterRole, - subjects_+: [$.sa], - }, + certificatesClusterRoleBinding: kube.ClusterRoleBinding($.p + 'cert-manager-certificates') { + roleRef_: $.certificatesClusterRole, + subjects_+: [$.sa], + }, - ingressShimClusterRole: kube.ClusterRole($.p + "cert-manager-ingress-shim") { - rules: [ - { - apiGroups: ["cert-manager.io"], - resources: ["certificates", "certificaterequests"], - verbs: ["create", "update", "delete"], - }, - { - apiGroups: ["cert-manager.io"], - resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"], - verbs: ["get", "list", "watch"], - }, - { - apiGroups: ["extensions"], - resources: ["ingresses"], - verbs: ["get", "list", "watch"], - }, - // We require these rules to support users with the OwnerReferencesPermissionEnforcement - // admission controller enabled: - // https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - { - apiGroups: ["extensions"], - resources: ["ingresses/finalizers"], - verbs: ["update"], - }, - { - apiGroups: [""], - resources: ["events"], - verbs: ["create", "patch"], - }, - ], - }, + ingressShimClusterRole: kube.ClusterRole($.p + 'cert-manager-ingress-shim') { + rules: [ + { + apiGroups: ['cert-manager.io'], + resources: ['certificates', 'certificaterequests'], + verbs: ['create', 'update', 'delete'], + }, + { + apiGroups: ['cert-manager.io'], + resources: ['certificates', 'certificaterequests', 'issuers', 'clusterissuers'], + verbs: ['get', 'list', 'watch'], 
+ }, + { + apiGroups: ['extensions'], + resources: ['ingresses'], + verbs: ['get', 'list', 'watch'], + }, + // We require these rules to support users with the OwnerReferencesPermissionEnforcement + // admission controller enabled: + // https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + { + apiGroups: ['extensions'], + resources: ['ingresses/finalizers'], + verbs: ['update'], + }, + { + apiGroups: [''], + resources: ['events'], + verbs: ['create', 'patch'], + }, + ], + }, - ingressShimClusterRoleBinding: kube.ClusterRoleBinding($.p + "cert-manager-ingress-shim") { - roleRef_: $.ingressShimClusterRole, - subjects_+: [$.sa], - }, + ingressShimClusterRoleBinding: kube.ClusterRoleBinding($.p + 'cert-manager-ingress-shim') { + roleRef_: $.ingressShimClusterRole, + subjects_+: [$.sa], + }, - challengesClusterRole: kube.ClusterRole($.p + "cert-manager-challenges") { - rules: [ - // Use to update challenge resource status - { - apiGroups: ["acme.cert-manager.io"], - resources: ["challenges", "challenges/status"], - verbs: ["update"], - }, - // Used to watch challenge resources - { - apiGroups: ["acme.cert-manager.io"], - resources: ["challenges"], - verbs: ["get", "list", "watch"], - }, - // Used to watch challenges, issuer and clusterissuer resources - { - apiGroups: ["cert-manager.io"], - resources: ["issuers", "clusterissuers"], - verbs: ["get", "list", "watch"], - }, - // Need to be able to retrieve ACME account private key to complete challenges - { - apiGroups: [""], - resources: ["secrets"], - verbs: ["get", "list", "watch"], - }, - // Used to create events - { - apiGroups: [""], - resources: ["events"], - verbs: ["create", "patch"], - }, - // HTTP01 rules - { - apiGroups: [""], - resources: ["pods", "services"], - verbs: ["get", "list", "watch", "create", "delete"], - }, - { - apiGroups: ["extensions"], - resources: ["ingresses"], - verbs: ["get", "list", "watch", "create", "delete", "update"], - }, 
- // We require these rules to support users with the OwnerReferencesPermissionEnforcement - // admission controller enabled: - // https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - { - apiGroups: ["acme.cert-manager.io"], - resources: ["challenges/finalizers"], - verbs: ["update"], - }, - // DNS01 rules (duplicated above) - { - apiGroups: [""], - resources: ["secrets"], - verbs: ["get", "list", "watch"], - }, - ], - }, + challengesClusterRole: kube.ClusterRole($.p + 'cert-manager-challenges') { + rules: [ + // Use to update challenge resource status + { + apiGroups: ['acme.cert-manager.io'], + resources: ['challenges', 'challenges/status'], + verbs: ['update'], + }, + // Used to watch challenge resources + { + apiGroups: ['acme.cert-manager.io'], + resources: ['challenges'], + verbs: ['get', 'list', 'watch'], + }, + // Used to watch challenges, issuer and clusterissuer resources + { + apiGroups: ['cert-manager.io'], + resources: ['issuers', 'clusterissuers'], + verbs: ['get', 'list', 'watch'], + }, + // Need to be able to retrieve ACME account private key to complete challenges + { + apiGroups: [''], + resources: ['secrets'], + verbs: ['get', 'list', 'watch'], + }, + // Used to create events + { + apiGroups: [''], + resources: ['events'], + verbs: ['create', 'patch'], + }, + // HTTP01 rules + { + apiGroups: [''], + resources: ['pods', 'services'], + verbs: ['get', 'list', 'watch', 'create', 'delete'], + }, + { + apiGroups: ['extensions'], + resources: ['ingresses'], + verbs: ['get', 'list', 'watch', 'create', 'delete', 'update'], + }, + // We require these rules to support users with the OwnerReferencesPermissionEnforcement + // admission controller enabled: + // https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + { + apiGroups: ['acme.cert-manager.io'], + resources: ['challenges/finalizers'], + verbs: ['update'], + }, + // DNS01 
rules (duplicated above) + { + apiGroups: [''], + resources: ['secrets'], + verbs: ['get', 'list', 'watch'], + }, + ], + }, - challengesClusterRoleBinding: kube.ClusterRoleBinding($.p + "cert-manager-challenges") { - roleRef_: $.challengesClusterRole, - subjects_+: [$.sa], - }, + challengesClusterRoleBinding: kube.ClusterRoleBinding($.p + 'cert-manager-challenges') { + roleRef_: $.challengesClusterRole, + subjects_+: [$.sa], + }, - issuersClusterRole: kube.ClusterRole($.p + "cert-manager-issuers") { - rules: [ - { - apiGroups: ["cert-manager.io"], - resources: ["issuers", "issuers/status"], - verbs: ["update"], - }, - { - apiGroups: ["cert-manager.io"], - resources: ["issuers"], - verbs: ["get", "list", "watch"], - }, - { - apiGroups: [""], - resources: ["secrets"], - verbs: ["get", "list", "watch", "create", "update", "delete"], - }, - { - apiGroups: [""], - resources: ["events"], - verbs: ["create", "patch"], - }, - ], - }, + issuersClusterRole: kube.ClusterRole($.p + 'cert-manager-issuers') { + rules: [ + { + apiGroups: ['cert-manager.io'], + resources: ['issuers', 'issuers/status'], + verbs: ['update'], + }, + { + apiGroups: ['cert-manager.io'], + resources: ['issuers'], + verbs: ['get', 'list', 'watch'], + }, + { + apiGroups: [''], + resources: ['secrets'], + verbs: ['get', 'list', 'watch', 'create', 'update', 'delete'], + }, + { + apiGroups: [''], + resources: ['events'], + verbs: ['create', 'patch'], + }, + ], + }, - issuersClusterRoleBinding: kube.ClusterRoleBinding($.p + "cert-manager-issuers") { - roleRef_: $.issuersClusterRole, - subjects_+: [$.sa], - }, + issuersClusterRoleBinding: kube.ClusterRoleBinding($.p + 'cert-manager-issuers') { + roleRef_: $.issuersClusterRole, + subjects_+: [$.sa], + }, - clusterissuersClusterRole: kube.ClusterRole($.p + "cert-manager-clusterissuers") { - rules: [ - { - apiGroups: ["cert-manager.io"], - resources: ["clusterissuers", "clusterissuers/status"], - verbs: ["update"], - }, - { - apiGroups: ["cert-manager.io"], - 
resources: ["clusterissuers"], - verbs: ["get", "list", "watch"], - }, - { - apiGroups: [""], - resources: ["secrets"], - verbs: ["get", "list", "watch", "create", "update", "delete"], - }, - { - apiGroups: [""], - resources: ["events"], - verbs: ["create", "patch"], - }, - ], - }, + clusterissuersClusterRole: kube.ClusterRole($.p + 'cert-manager-clusterissuers') { + rules: [ + { + apiGroups: ['cert-manager.io'], + resources: ['clusterissuers', 'clusterissuers/status'], + verbs: ['update'], + }, + { + apiGroups: ['cert-manager.io'], + resources: ['clusterissuers'], + verbs: ['get', 'list', 'watch'], + }, + { + apiGroups: [''], + resources: ['secrets'], + verbs: ['get', 'list', 'watch', 'create', 'update', 'delete'], + }, + { + apiGroups: [''], + resources: ['events'], + verbs: ['create', 'patch'], + }, + ], + }, - clusterissuersClusterRoleBinding: kube.ClusterRoleBinding($.p + "cert-manager-clusterissuers") { - roleRef_: $.clusterissuersClusterRole, - subjects_+: [$.sa], - }, + clusterissuersClusterRoleBinding: kube.ClusterRoleBinding($.p + 'cert-manager-clusterissuers') { + roleRef_: $.clusterissuersClusterRole, + subjects_+: [$.sa], + }, - ordersClusterRole: kube.ClusterRole($.p + "cert-manager-orders") { - rules: [ - { - apiGroups: ["acme.cert-manager.io"], - resources: ["orders", "orders/status"], - verbs: ["update"], - }, - { - apiGroups: ["acme.cert-manager.io"], - resources: ["orders", "challenges"], - verbs: ["get", "list", "watch"], - }, - { - apiGroups: ["cert-manager.io"], - resources: ["clusterissuers", "issuers"], - verbs: ["get", "list", "watch"], - }, - { - apiGroups: ["acme.cert-manager.io"], - resources: ["challenges"], - verbs: ["create", "delete"], - }, - // We require these rules to support users with the OwnerReferencesPermissionEnforcement - // admission controller enabled: - // https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - { - apiGroups: ["acme.cert-manager.io"], - 
resources: ["orders/finalizers"], - verbs: ["update"], - }, - { - apiGroups: [""], - resources: ["secrets"], - verbs: ["get", "list", "watch"], - }, - { - apiGroups: [""], - resources: ["events"], - verbs: ["create", "patch"], - }, - ], - }, + ordersClusterRole: kube.ClusterRole($.p + 'cert-manager-orders') { + rules: [ + { + apiGroups: ['acme.cert-manager.io'], + resources: ['orders', 'orders/status'], + verbs: ['update'], + }, + { + apiGroups: ['acme.cert-manager.io'], + resources: ['orders', 'challenges'], + verbs: ['get', 'list', 'watch'], + }, + { + apiGroups: ['cert-manager.io'], + resources: ['clusterissuers', 'issuers'], + verbs: ['get', 'list', 'watch'], + }, + { + apiGroups: ['acme.cert-manager.io'], + resources: ['challenges'], + verbs: ['create', 'delete'], + }, + // We require these rules to support users with the OwnerReferencesPermissionEnforcement + // admission controller enabled: + // https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + { + apiGroups: ['acme.cert-manager.io'], + resources: ['orders/finalizers'], + verbs: ['update'], + }, + { + apiGroups: [''], + resources: ['secrets'], + verbs: ['get', 'list', 'watch'], + }, + { + apiGroups: [''], + resources: ['events'], + verbs: ['create', 'patch'], + }, + ], + }, - ordersClusterRoleBinding: kube.ClusterRoleBinding($.p + "cert-manager-orders") { - roleRef_: $.ordersClusterRole, - subjects_+: [$.sa], - }, + ordersClusterRoleBinding: kube.ClusterRoleBinding($.p + 'cert-manager-orders') { + roleRef_: $.ordersClusterRole, + subjects_+: [$.sa], + }, - editClusterRole: kube.ClusterRole($.p + "cert-manager-edit") { - rules: [ - { - apiGroups: ["cert-manager.io"], - resources: ["certificates", "certificaterequests", "issuers"], - verbs: ["create", "delete", "deletecollection", "patch", "update"], - }, - ], - }, + editClusterRole: kube.ClusterRole($.p + 'cert-manager-edit') { + rules: [ + { + apiGroups: ['cert-manager.io'], + resources: 
['certificates', 'certificaterequests', 'issuers'], + verbs: ['create', 'delete', 'deletecollection', 'patch', 'update'], + }, + ], + }, - viewClusterRole: kube.ClusterRole($.p + "cert-manager-view") { - rules: [ - { - apiGroups: ["cert-manager.io"], - resources: ["certificates", "certificaterequests", "issuers"], - verbs: ["get", "list", "watch"], - }, - ], - }, + viewClusterRole: kube.ClusterRole($.p + 'cert-manager-view') { + rules: [ + { + apiGroups: ['cert-manager.io'], + resources: ['certificates', 'certificaterequests', 'issuers'], + verbs: ['get', 'list', 'watch'], + }, + ], + }, - leaderelectionRole: kube.Role($.p + "cert-manager:leaderelection") + $.metadata { - rules: [ - { - apiGroups: [""], - resources: ["configmaps"], - verbs: ["get", "create", "update", "patch"], - }, - ], - }, + leaderelectionRole: kube.Role($.p + 'cert-manager:leaderelection') + $.metadata { + rules: [ + { + apiGroups: [''], + resources: ['configmaps'], + verbs: ['get', 'create', 'update', 'patch'], + }, + ], + }, - leaderelectionRoleBinding: kube.RoleBinding($.p + "cert-manager:leaderelection") + $.metadata { - roleRef_: $.leaderelectionRole, - subjects_+: [$.sa], - }, + leaderelectionRoleBinding: kube.RoleBinding($.p + 'cert-manager:leaderelection') + $.metadata { + roleRef_: $.leaderelectionRole, + subjects_+: [$.sa], + }, - deploy: kube.Deployment($.p + "cert-manager") + $.metadata { - spec+: { - template+: { - metadata+: { - annotations+: { - "prometheus.io/scrape": "true", - "prometheus.io/port": "9402", - "prometheus.io/path": "/metrics", - }, - }, + deploy: kube.Deployment($.p + 'cert-manager') + $.metadata { spec+: { - serviceAccountName: $.sa.metadata.name, - containers_+: { - default: kube.Container("cert-manager") { - image: CERT_MANAGER_IMAGE, - args_+: { - v: "2", - "acme-http01-solver-image": CERT_MANAGER_ACMESOLVER_IMAGE, - "cluster-resource-namespace": "$(POD_NAMESPACE)", - "leader-election-namespace": "$(POD_NAMESPACE)", - "default-issuer-name": 
$.letsencrypt_environments[$.letsencrypt_environment], - "default-issuer-kind": "ClusterIssuer", - "webhook-namespace": "$(POD_NAMESPACE)", - }, - env_+: { - POD_NAMESPACE: kube.FieldRef("metadata.namespace"), - }, - ports_+: { - prometheus: {containerPort: 9402}, - }, - resources: { - requests: {cpu: "10m", memory: "32Mi"}, - }, - }, - }, + template+: { + metadata+: { + annotations+: { + 'prometheus.io/scrape': 'true', + 'prometheus.io/port': '9402', + 'prometheus.io/path': '/metrics', + }, + }, + spec+: { + serviceAccountName: $.sa.metadata.name, + containers_+: { + default: kube.Container('cert-manager') { + image: CERT_MANAGER_IMAGE, + args_+: { + v: '2', + 'acme-http01-solver-image': CERT_MANAGER_ACMESOLVER_IMAGE, + 'cluster-resource-namespace': '$(POD_NAMESPACE)', + 'leader-election-namespace': '$(POD_NAMESPACE)', + 'default-issuer-name': $.letsencrypt_environments[$.letsencrypt_environment], + 'default-issuer-kind': 'ClusterIssuer', + }, + env_+: { + POD_NAMESPACE: kube.FieldRef('metadata.namespace'), + }, + ports_+: { + prometheus: { containerPort: 9402 }, + }, + resources: { + requests: { cpu: '10m', memory: '32Mi' }, + }, + }, + }, + }, + }, }, - }, }, - }, - letsencryptStaging: $.ClusterIssuer($.p + "letsencrypt-staging") { - local this = self, - spec+: { - acme+: { - server: "https://acme-staging-v02.api.letsencrypt.org/directory", - email: $.letsencrypt_contact_email, - privateKeySecretRef: {name: this.metadata.name}, - solvers: [{http01: {ingress: {class: "nginx"}}}], - }, + letsencryptStaging: $.ClusterIssuer($.p + 'letsencrypt-staging') { + local this = self, + spec+: { + acme+: { + server: 'https://acme-staging-v02.api.letsencrypt.org/directory', + email: $.letsencrypt_contact_email, + privateKeySecretRef: { name: this.metadata.name }, + solvers: [{ http01: { ingress: { class: 'nginx' } } }], + }, + }, }, - }, - letsencryptProd: $.letsencryptStaging { - metadata+: {name: $.p + "letsencrypt-prod"}, - spec+: { - acme+: { - server: 
"https://acme-v02.api.letsencrypt.org/directory", - }, + letsencryptProd: $.letsencryptStaging { + metadata+: { name: $.p + 'letsencrypt-prod' }, + spec+: { + acme+: { + server: 'https://acme-v02.api.letsencrypt.org/directory', + }, + }, }, - }, } From 7c6b9c67c4da7636e007e34a82d266c98ceb3336 Mon Sep 17 00:00:00 2001 From: Javier Salmeron Garcia Date: Wed, 8 Jul 2020 11:09:22 +0200 Subject: [PATCH 08/11] Apply format --- manifests/components/cert-manager.jsonnet | 696 +++++++++++----------- 1 file changed, 348 insertions(+), 348 deletions(-) diff --git a/manifests/components/cert-manager.jsonnet b/manifests/components/cert-manager.jsonnet index ae9f27287f..b006d6e0c7 100644 --- a/manifests/components/cert-manager.jsonnet +++ b/manifests/components/cert-manager.jsonnet 
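Review bot: In the [PATCH 07/11] hunk of cert-manager.jsonnet, what appears to be the only functional edit, dropping `'webhook-namespace': '$(POD_NAMESPACE)'` from the container's `args_`, is buried in a requote and reindent of every line. That includes the ClusterRole rules granting `secrets` access through ClusterRoleBindings, so a reviewer cannot readily confirm that no RBAC verb or resource changed. Keep this commit to the argument removal and put formatting in a commit of its own; the following "Apply format" patch appears to restore the original quoting anyway. Separately, `acme-http01-solver-image` still resolves to `quay.io/jetstack/cert-manager-acmesolver:v0.14.3` in images.json, while the controller image was moved to 0.15.2 earlier in this series. Bumping the solver entry to the matching 0.15.2 release, if one is published, would avoid running mixed versions.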
@@ -17,384 +17,384 @@ * limitations under the License. */ -local kube = import '../vendor/github.com/bitnami-labs/kube-libsonnet/kube.libsonnet'; -local kubecfg = import 'kubecfg.libsonnet'; -local CERT_MANAGER_IMAGE = (import 'images.json')['cert-manager']; -local CERT_MANAGER_ACMESOLVER_IMAGE = (import 'images.json')['cert-manager-acmesolver']; +local kube = import "../vendor/github.com/bitnami-labs/kube-libsonnet/kube.libsonnet"; +local kubecfg = import "kubecfg.libsonnet"; +local CERT_MANAGER_IMAGE = (import "images.json")["cert-manager"]; +local CERT_MANAGER_ACMESOLVER_IMAGE = (import "images.json")["cert-manager-acmesolver"]; { - p:: '', - metadata:: { - metadata+: { - namespace: 'kubeprod', - }, + p:: "", + metadata:: { + metadata+: { + namespace: "kubeprod", }, - letsencrypt_contact_email:: error 'Letsencrypt contact e-mail is undefined', + }, + letsencrypt_contact_email:: error "Letsencrypt contact e-mail is undefined", - // Letsencrypt environments - letsencrypt_environments:: { - prod: $.letsencryptProd.metadata.name, - staging: $.letsencryptStaging.metadata.name, - }, - // Letsencrypt environment (defaults to the production one) - letsencrypt_environment:: 'prod', + // Letsencrypt environments + letsencrypt_environments:: { + prod: $.letsencryptProd.metadata.name, + staging: $.letsencryptStaging.metadata.name, + }, + // Letsencrypt environment (defaults to the production one) + letsencrypt_environment:: "prod", - Issuer(name):: kube._Object('cert-manager.io/v1alpha2', 'Issuer', name) { - }, + Issuer(name):: kube._Object("cert-manager.io/v1alpha2", "Issuer", name) { + }, - ClusterIssuer(name):: kube._Object('cert-manager.io/v1alpha2', 'ClusterIssuer', name) { - }, + ClusterIssuer(name):: kube._Object("cert-manager.io/v1alpha2", "ClusterIssuer", name) { + }, - CRDS: kubecfg.parseYaml(importstr 'crds/cert-manager.yaml'), + CRDS: kubecfg.parseYaml(importstr "crds/cert-manager.yaml"), - sa: kube.ServiceAccount($.p + 'cert-manager') + $.metadata, + sa: 
kube.ServiceAccount($.p + "cert-manager") + $.metadata, - certificatesClusterRole: kube.ClusterRole($.p + 'cert-manager-certificates') { - rules: [ - { - apiGroups: ['cert-manager.io'], - resources: ['certificates', 'certificates/status', 'certificaterequests', 'certificaterequests/status'], - verbs: ['update'], - }, - { - apiGroups: ['cert-manager.io'], - resources: ['certificates', 'certificaterequests', 'clusterissuers', 'issuers'], - verbs: ['get', 'list', 'watch'], - }, - // We require these rules to support users with the OwnerReferencesPermissionEnforcement - // admission controller enabled: - // https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - { - apiGroups: ['cert-manager.io'], - resources: ['certificates/finalizers', 'certificaterequests/finalizers'], - verbs: ['update'], - }, - { - apiGroups: ['acme.cert-manager.io'], - resources: ['orders'], - verbs: ['create', 'delete', 'get', 'list', 'watch'], - }, - { - apiGroups: [''], - resources: ['secrets'], - verbs: ['get', 'list', 'watch', 'create', 'update', 'delete'], - }, - { - apiGroups: [''], - resources: ['events'], - verbs: ['create', 'patch'], - }, - ], - }, + certificatesClusterRole: kube.ClusterRole($.p + "cert-manager-certificates") { + rules: [ + { + apiGroups: ["cert-manager.io"], + resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"], + verbs: ["update"], + }, + { + apiGroups: ["cert-manager.io"], + resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"], + verbs: ["get", "list", "watch"], + }, + // We require these rules to support users with the OwnerReferencesPermissionEnforcement + // admission controller enabled: + // https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + { + apiGroups: ["cert-manager.io"], + resources: ["certificates/finalizers", "certificaterequests/finalizers"], + 
verbs: ["update"], + }, + { + apiGroups: ["acme.cert-manager.io"], + resources: ["orders"], + verbs: ["create", "delete", "get", "list", "watch"], + }, + { + apiGroups: [""], + resources: ["secrets"], + verbs: ["get", "list", "watch", "create", "update", "delete"], + }, + { + apiGroups: [""], + resources: ["events"], + verbs: ["create", "patch"], + }, + ], + }, - certificatesClusterRoleBinding: kube.ClusterRoleBinding($.p + 'cert-manager-certificates') { - roleRef_: $.certificatesClusterRole, - subjects_+: [$.sa], - }, + certificatesClusterRoleBinding: kube.ClusterRoleBinding($.p + "cert-manager-certificates") { + roleRef_: $.certificatesClusterRole, + subjects_+: [$.sa], + }, - ingressShimClusterRole: kube.ClusterRole($.p + 'cert-manager-ingress-shim') { - rules: [ - { - apiGroups: ['cert-manager.io'], - resources: ['certificates', 'certificaterequests'], - verbs: ['create', 'update', 'delete'], - }, - { - apiGroups: ['cert-manager.io'], - resources: ['certificates', 'certificaterequests', 'issuers', 'clusterissuers'], - verbs: ['get', 'list', 'watch'], - }, - { - apiGroups: ['extensions'], - resources: ['ingresses'], - verbs: ['get', 'list', 'watch'], - }, - // We require these rules to support users with the OwnerReferencesPermissionEnforcement - // admission controller enabled: - // https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - { - apiGroups: ['extensions'], - resources: ['ingresses/finalizers'], - verbs: ['update'], - }, - { - apiGroups: [''], - resources: ['events'], - verbs: ['create', 'patch'], - }, - ], - }, + ingressShimClusterRole: kube.ClusterRole($.p + "cert-manager-ingress-shim") { + rules: [ + { + apiGroups: ["cert-manager.io"], + resources: ["certificates", "certificaterequests"], + verbs: ["create", "update", "delete"], + }, + { + apiGroups: ["cert-manager.io"], + resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"], + verbs: ["get", "list", "watch"], 
+ }, + { + apiGroups: ["extensions"], + resources: ["ingresses"], + verbs: ["get", "list", "watch"], + }, + // We require these rules to support users with the OwnerReferencesPermissionEnforcement + // admission controller enabled: + // https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + { + apiGroups: ["extensions"], + resources: ["ingresses/finalizers"], + verbs: ["update"], + }, + { + apiGroups: [""], + resources: ["events"], + verbs: ["create", "patch"], + }, + ], + }, - ingressShimClusterRoleBinding: kube.ClusterRoleBinding($.p + 'cert-manager-ingress-shim') { - roleRef_: $.ingressShimClusterRole, - subjects_+: [$.sa], - }, + ingressShimClusterRoleBinding: kube.ClusterRoleBinding($.p + "cert-manager-ingress-shim") { + roleRef_: $.ingressShimClusterRole, + subjects_+: [$.sa], + }, - challengesClusterRole: kube.ClusterRole($.p + 'cert-manager-challenges') { - rules: [ - // Use to update challenge resource status - { - apiGroups: ['acme.cert-manager.io'], - resources: ['challenges', 'challenges/status'], - verbs: ['update'], - }, - // Used to watch challenge resources - { - apiGroups: ['acme.cert-manager.io'], - resources: ['challenges'], - verbs: ['get', 'list', 'watch'], - }, - // Used to watch challenges, issuer and clusterissuer resources - { - apiGroups: ['cert-manager.io'], - resources: ['issuers', 'clusterissuers'], - verbs: ['get', 'list', 'watch'], - }, - // Need to be able to retrieve ACME account private key to complete challenges - { - apiGroups: [''], - resources: ['secrets'], - verbs: ['get', 'list', 'watch'], - }, - // Used to create events - { - apiGroups: [''], - resources: ['events'], - verbs: ['create', 'patch'], - }, - // HTTP01 rules - { - apiGroups: [''], - resources: ['pods', 'services'], - verbs: ['get', 'list', 'watch', 'create', 'delete'], - }, - { - apiGroups: ['extensions'], - resources: ['ingresses'], - verbs: ['get', 'list', 'watch', 'create', 'delete', 'update'], - }, 
- // We require these rules to support users with the OwnerReferencesPermissionEnforcement - // admission controller enabled: - // https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - { - apiGroups: ['acme.cert-manager.io'], - resources: ['challenges/finalizers'], - verbs: ['update'], - }, - // DNS01 rules (duplicated above) - { - apiGroups: [''], - resources: ['secrets'], - verbs: ['get', 'list', 'watch'], - }, - ], - }, + challengesClusterRole: kube.ClusterRole($.p + "cert-manager-challenges") { + rules: [ + // Use to update challenge resource status + { + apiGroups: ["acme.cert-manager.io"], + resources: ["challenges", "challenges/status"], + verbs: ["update"], + }, + // Used to watch challenge resources + { + apiGroups: ["acme.cert-manager.io"], + resources: ["challenges"], + verbs: ["get", "list", "watch"], + }, + // Used to watch challenges, issuer and clusterissuer resources + { + apiGroups: ["cert-manager.io"], + resources: ["issuers", "clusterissuers"], + verbs: ["get", "list", "watch"], + }, + // Need to be able to retrieve ACME account private key to complete challenges + { + apiGroups: [""], + resources: ["secrets"], + verbs: ["get", "list", "watch"], + }, + // Used to create events + { + apiGroups: [""], + resources: ["events"], + verbs: ["create", "patch"], + }, + // HTTP01 rules + { + apiGroups: [""], + resources: ["pods", "services"], + verbs: ["get", "list", "watch", "create", "delete"], + }, + { + apiGroups: ["extensions"], + resources: ["ingresses"], + verbs: ["get", "list", "watch", "create", "delete", "update"], + }, + // We require these rules to support users with the OwnerReferencesPermissionEnforcement + // admission controller enabled: + // https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + { + apiGroups: ["acme.cert-manager.io"], + resources: ["challenges/finalizers"], + verbs: ["update"], + }, + // DNS01 
rules (duplicated above) + { + apiGroups: [""], + resources: ["secrets"], + verbs: ["get", "list", "watch"], + }, + ], + }, - challengesClusterRoleBinding: kube.ClusterRoleBinding($.p + 'cert-manager-challenges') { - roleRef_: $.challengesClusterRole, - subjects_+: [$.sa], - }, + challengesClusterRoleBinding: kube.ClusterRoleBinding($.p + "cert-manager-challenges") { + roleRef_: $.challengesClusterRole, + subjects_+: [$.sa], + }, - issuersClusterRole: kube.ClusterRole($.p + 'cert-manager-issuers') { - rules: [ - { - apiGroups: ['cert-manager.io'], - resources: ['issuers', 'issuers/status'], - verbs: ['update'], - }, - { - apiGroups: ['cert-manager.io'], - resources: ['issuers'], - verbs: ['get', 'list', 'watch'], - }, - { - apiGroups: [''], - resources: ['secrets'], - verbs: ['get', 'list', 'watch', 'create', 'update', 'delete'], - }, - { - apiGroups: [''], - resources: ['events'], - verbs: ['create', 'patch'], - }, - ], - }, + issuersClusterRole: kube.ClusterRole($.p + "cert-manager-issuers") { + rules: [ + { + apiGroups: ["cert-manager.io"], + resources: ["issuers", "issuers/status"], + verbs: ["update"], + }, + { + apiGroups: ["cert-manager.io"], + resources: ["issuers"], + verbs: ["get", "list", "watch"], + }, + { + apiGroups: [""], + resources: ["secrets"], + verbs: ["get", "list", "watch", "create", "update", "delete"], + }, + { + apiGroups: [""], + resources: ["events"], + verbs: ["create", "patch"], + }, + ], + }, - issuersClusterRoleBinding: kube.ClusterRoleBinding($.p + 'cert-manager-issuers') { - roleRef_: $.issuersClusterRole, - subjects_+: [$.sa], - }, + issuersClusterRoleBinding: kube.ClusterRoleBinding($.p + "cert-manager-issuers") { + roleRef_: $.issuersClusterRole, + subjects_+: [$.sa], + }, - clusterissuersClusterRole: kube.ClusterRole($.p + 'cert-manager-clusterissuers') { - rules: [ - { - apiGroups: ['cert-manager.io'], - resources: ['clusterissuers', 'clusterissuers/status'], - verbs: ['update'], - }, - { - apiGroups: ['cert-manager.io'], - 
resources: ['clusterissuers'], - verbs: ['get', 'list', 'watch'], - }, - { - apiGroups: [''], - resources: ['secrets'], - verbs: ['get', 'list', 'watch', 'create', 'update', 'delete'], - }, - { - apiGroups: [''], - resources: ['events'], - verbs: ['create', 'patch'], - }, - ], - }, + clusterissuersClusterRole: kube.ClusterRole($.p + "cert-manager-clusterissuers") { + rules: [ + { + apiGroups: ["cert-manager.io"], + resources: ["clusterissuers", "clusterissuers/status"], + verbs: ["update"], + }, + { + apiGroups: ["cert-manager.io"], + resources: ["clusterissuers"], + verbs: ["get", "list", "watch"], + }, + { + apiGroups: [""], + resources: ["secrets"], + verbs: ["get", "list", "watch", "create", "update", "delete"], + }, + { + apiGroups: [""], + resources: ["events"], + verbs: ["create", "patch"], + }, + ], + }, - clusterissuersClusterRoleBinding: kube.ClusterRoleBinding($.p + 'cert-manager-clusterissuers') { - roleRef_: $.clusterissuersClusterRole, - subjects_+: [$.sa], - }, + clusterissuersClusterRoleBinding: kube.ClusterRoleBinding($.p + "cert-manager-clusterissuers") { + roleRef_: $.clusterissuersClusterRole, + subjects_+: [$.sa], + }, - ordersClusterRole: kube.ClusterRole($.p + 'cert-manager-orders') { - rules: [ - { - apiGroups: ['acme.cert-manager.io'], - resources: ['orders', 'orders/status'], - verbs: ['update'], - }, - { - apiGroups: ['acme.cert-manager.io'], - resources: ['orders', 'challenges'], - verbs: ['get', 'list', 'watch'], - }, - { - apiGroups: ['cert-manager.io'], - resources: ['clusterissuers', 'issuers'], - verbs: ['get', 'list', 'watch'], - }, - { - apiGroups: ['acme.cert-manager.io'], - resources: ['challenges'], - verbs: ['create', 'delete'], - }, - // We require these rules to support users with the OwnerReferencesPermissionEnforcement - // admission controller enabled: - // https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - { - apiGroups: ['acme.cert-manager.io'], - 
resources: ['orders/finalizers'], - verbs: ['update'], - }, - { - apiGroups: [''], - resources: ['secrets'], - verbs: ['get', 'list', 'watch'], - }, - { - apiGroups: [''], - resources: ['events'], - verbs: ['create', 'patch'], - }, - ], - }, + ordersClusterRole: kube.ClusterRole($.p + "cert-manager-orders") { + rules: [ + { + apiGroups: ["acme.cert-manager.io"], + resources: ["orders", "orders/status"], + verbs: ["update"], + }, + { + apiGroups: ["acme.cert-manager.io"], + resources: ["orders", "challenges"], + verbs: ["get", "list", "watch"], + }, + { + apiGroups: ["cert-manager.io"], + resources: ["clusterissuers", "issuers"], + verbs: ["get", "list", "watch"], + }, + { + apiGroups: ["acme.cert-manager.io"], + resources: ["challenges"], + verbs: ["create", "delete"], + }, + // We require these rules to support users with the OwnerReferencesPermissionEnforcement + // admission controller enabled: + // https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + { + apiGroups: ["acme.cert-manager.io"], + resources: ["orders/finalizers"], + verbs: ["update"], + }, + { + apiGroups: [""], + resources: ["secrets"], + verbs: ["get", "list", "watch"], + }, + { + apiGroups: [""], + resources: ["events"], + verbs: ["create", "patch"], + }, + ], + }, - ordersClusterRoleBinding: kube.ClusterRoleBinding($.p + 'cert-manager-orders') { - roleRef_: $.ordersClusterRole, - subjects_+: [$.sa], - }, + ordersClusterRoleBinding: kube.ClusterRoleBinding($.p + "cert-manager-orders") { + roleRef_: $.ordersClusterRole, + subjects_+: [$.sa], + }, - editClusterRole: kube.ClusterRole($.p + 'cert-manager-edit') { - rules: [ - { - apiGroups: ['cert-manager.io'], - resources: ['certificates', 'certificaterequests', 'issuers'], - verbs: ['create', 'delete', 'deletecollection', 'patch', 'update'], - }, - ], - }, + editClusterRole: kube.ClusterRole($.p + "cert-manager-edit") { + rules: [ + { + apiGroups: ["cert-manager.io"], + resources: 
["certificates", "certificaterequests", "issuers"], + verbs: ["create", "delete", "deletecollection", "patch", "update"], + }, + ], + }, - viewClusterRole: kube.ClusterRole($.p + 'cert-manager-view') { - rules: [ - { - apiGroups: ['cert-manager.io'], - resources: ['certificates', 'certificaterequests', 'issuers'], - verbs: ['get', 'list', 'watch'], - }, - ], - }, + viewClusterRole: kube.ClusterRole($.p + "cert-manager-view") { + rules: [ + { + apiGroups: ["cert-manager.io"], + resources: ["certificates", "certificaterequests", "issuers"], + verbs: ["get", "list", "watch"], + }, + ], + }, - leaderelectionRole: kube.Role($.p + 'cert-manager:leaderelection') + $.metadata { - rules: [ - { - apiGroups: [''], - resources: ['configmaps'], - verbs: ['get', 'create', 'update', 'patch'], - }, - ], - }, + leaderelectionRole: kube.Role($.p + "cert-manager:leaderelection") + $.metadata { + rules: [ + { + apiGroups: [""], + resources: ["configmaps"], + verbs: ["get", "create", "update", "patch"], + }, + ], + }, - leaderelectionRoleBinding: kube.RoleBinding($.p + 'cert-manager:leaderelection') + $.metadata { - roleRef_: $.leaderelectionRole, - subjects_+: [$.sa], - }, + leaderelectionRoleBinding: kube.RoleBinding($.p + "cert-manager:leaderelection") + $.metadata { + roleRef_: $.leaderelectionRole, + subjects_+: [$.sa], + }, - deploy: kube.Deployment($.p + 'cert-manager') + $.metadata { + deploy: kube.Deployment($.p + "cert-manager") + $.metadata { + spec+: { + template+: { + metadata+: { + annotations+: { + "prometheus.io/scrape": "true", + "prometheus.io/port": "9402", + "prometheus.io/path": "/metrics", + }, + }, spec+: { - template+: { - metadata+: { - annotations+: { - 'prometheus.io/scrape': 'true', - 'prometheus.io/port': '9402', - 'prometheus.io/path': '/metrics', - }, - }, - spec+: { - serviceAccountName: $.sa.metadata.name, - containers_+: { - default: kube.Container('cert-manager') { - image: CERT_MANAGER_IMAGE, - args_+: { - v: '2', - 'acme-http01-solver-image': 
CERT_MANAGER_ACMESOLVER_IMAGE, - 'cluster-resource-namespace': '$(POD_NAMESPACE)', - 'leader-election-namespace': '$(POD_NAMESPACE)', - 'default-issuer-name': $.letsencrypt_environments[$.letsencrypt_environment], - 'default-issuer-kind': 'ClusterIssuer', - }, - env_+: { - POD_NAMESPACE: kube.FieldRef('metadata.namespace'), - }, - ports_+: { - prometheus: { containerPort: 9402 }, - }, - resources: { - requests: { cpu: '10m', memory: '32Mi' }, - }, - }, - }, - }, - }, + serviceAccountName: $.sa.metadata.name, + containers_+: { + default: kube.Container("cert-manager") { + image: CERT_MANAGER_IMAGE, + args_+: { + v: "2", + "acme-http01-solver-image": CERT_MANAGER_ACMESOLVER_IMAGE, + "cluster-resource-namespace": "$(POD_NAMESPACE)", + "leader-election-namespace": "$(POD_NAMESPACE)", + "default-issuer-name": $.letsencrypt_environments[$.letsencrypt_environment], + "default-issuer-kind": "ClusterIssuer", + }, + env_+: { + POD_NAMESPACE: kube.FieldRef("metadata.namespace"), + }, + ports_+: { + prometheus: {containerPort: 9402}, + }, + resources: { + requests: {cpu: "10m", memory: "32Mi"}, + }, + }, + }, }, + }, }, + }, - letsencryptStaging: $.ClusterIssuer($.p + 'letsencrypt-staging') { - local this = self, - spec+: { - acme+: { - server: 'https://acme-staging-v02.api.letsencrypt.org/directory', - email: $.letsencrypt_contact_email, - privateKeySecretRef: { name: this.metadata.name }, - solvers: [{ http01: { ingress: { class: 'nginx' } } }], - }, - }, + letsencryptStaging: $.ClusterIssuer($.p + "letsencrypt-staging") { + local this = self, + spec+: { + acme+: { + server: "https://acme-staging-v02.api.letsencrypt.org/directory", + email: $.letsencrypt_contact_email, + privateKeySecretRef: {name: this.metadata.name}, + solvers: [{http01: {ingress: {class: "nginx"}}}], + }, }, + }, - letsencryptProd: $.letsencryptStaging { - metadata+: { name: $.p + 'letsencrypt-prod' }, - spec+: { - acme+: { - server: 'https://acme-v02.api.letsencrypt.org/directory', - }, - }, + 
letsencryptProd: $.letsencryptStaging {
+ metadata+: {name: $.p + "letsencrypt-prod"},
+ spec+: {
+ acme+: {
+ server: "https://acme-v02.api.letsencrypt.org/directory",
+ },
 },
+ },
 }
From c2b8cb74f96477216658edc66cde90a1e4e4332b Mon Sep 17 00:00:00 2001
From: Bitnami Containers
Date: Thu, 9 Jul 2020 00:48:54 +0000
Subject: [PATCH 09/11] cert-manager: component image updated to 'bitnami/cert-manager:0.15.2-debian-10-r6'
Signed-off-by: Bitnami Containers
---
 manifests/components/images.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/components/images.json b/manifests/components/images.json
index 21551b79cd..e2f135883f 100644
--- a/manifests/components/images.json
+++ b/manifests/components/images.json
@@ -1,7 +1,7 @@
 {
 "addon-resizer": "k8s.gcr.io/addon-resizer:1.8.7",
 "alertmanager": "bitnami/alertmanager:0.21.0-debian-10-r4",
- "cert-manager": "bitnami/cert-manager:0.15.2-debian-10-r5",
+ "cert-manager": "bitnami/cert-manager:0.15.2-debian-10-r6",
 "cert-manager-acmesolver": "quay.io/jetstack/cert-manager-acmesolver:v0.14.3",
 "configmap-reload": "bitnami/configmap-reload:0.3.0-debian-10-r85",
 "elasticsearch": "bitnami/elasticsearch:7.8.0-debian-10-r1",
From 86ea2783ae9f77c044e1ba7f03b8806cb9a1e83c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20J=2E=20Salmer=C3=B3n-Garc=C3=ADa?=
Date: Thu, 9 Jul 2020 10:46:45 +0200
Subject: [PATCH 10/11] Update images.json
---
 manifests/components/images.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/components/images.json b/manifests/components/images.json
index e2f135883f..4425bd2baf 100644
--- a/manifests/components/images.json
+++ b/manifests/components/images.json
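Review bot: In manifests/components/cert-manager.jsonnet (PATCH 08/11) the `secrets` rules of `certificatesClusterRole`, `issuersClusterRole` and `clusterissuersClusterRole` carry no comment, although each grants `get`, `list`, `watch`, `create`, `update` and `delete` on secrets and is attached to the single `sa` service account through a ClusterRoleBinding, so the grant applies in every namespace. `challengesClusterRole` already comments most of its rules; the same here would help anyone auditing this RBAC, for example `// Stores issued certificate and key material as Secrets (any namespace)` above each rule, with the wording checked against what the controller really needs since the purpose is inferred, not shown on this page. The second `secrets` rule in `challengesClusterRole`, under `// DNS01 rules (duplicated above)`, repeats the earlier rule verbatim and could be folded into it so the role lists each permission once.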
@@ -2,7 +2,7 @@
 "addon-resizer": "k8s.gcr.io/addon-resizer:1.8.7",
 "alertmanager": "bitnami/alertmanager:0.21.0-debian-10-r4",
 "cert-manager": "bitnami/cert-manager:0.15.2-debian-10-r6",
- "cert-manager-acmesolver": "quay.io/jetstack/cert-manager-acmesolver:v0.14.3",
+ "cert-manager-acmesolver": "quay.io/jetstack/cert-manager-acmesolver:v0.15.2",
 "configmap-reload": "bitnami/configmap-reload:0.3.0-debian-10-r85",
 "elasticsearch": "bitnami/elasticsearch:7.8.0-debian-10-r1",
 "elasticsearch-curator": "bitnami/elasticsearch-curator:5.8.1-debian-10-r85",
From d838ccacd0c76cbcb2730b54c39a8aaecb7fc7eb Mon Sep 17 00:00:00 2001
From: Bitnami Containers
Date: Fri, 10 Jul 2020 00:48:56 +0000
Subject: [PATCH 11/11] cert-manager: component image updated to 'bitnami/cert-manager:0.15.2-debian-10-r7'
Signed-off-by: Bitnami Containers
---
 manifests/components/images.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/components/images.json b/manifests/components/images.json
index 4425bd2baf..a5174ce753 100644
--- a/manifests/components/images.json
+++ b/manifests/components/images.json
@@ -1,7 +1,7 @@
 {
 "addon-resizer": "k8s.gcr.io/addon-resizer:1.8.7",
 "alertmanager": "bitnami/alertmanager:0.21.0-debian-10-r4",
- "cert-manager": "bitnami/cert-manager:0.15.2-debian-10-r6",
+ "cert-manager": "bitnami/cert-manager:0.15.2-debian-10-r7",
 "cert-manager-acmesolver": "quay.io/jetstack/cert-manager-acmesolver:v0.15.2",
 "configmap-reload": "bitnami/configmap-reload:0.3.0-debian-10-r85",
 "elasticsearch": "bitnami/elasticsearch:7.8.0-debian-10-r1",