weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

Move deployment generation values.yaml to deploy/manifests and don't generate without-rbac variants of manifests

Browse Source 
Signed-off-by: James Munnelly <james@munnelly.eu>
This commit is contained in:
James Munnelly 2018-12-04 16:25:33 +00:00
parent dfa1a92366
commit 4283138a81
9 changed files with 46 additions and 765 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

80
deploy/manifests/with-rbac-webhook.yaml → deploy/manifests/cert-manager-webhook.yaml
View File

@ -3,7 +3,7 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: webhook
name: cert-manager
namespace: "cert-manager"
labels:
app: webhook
@ -20,7 +20,7 @@ metadata:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: webhook:auth-delegator
name: cert-manager:auth-delegator
labels:
app: webhook
chart: webhook-v0.6.0-dev.3
@ -33,7 +33,7 @@ roleRef:
subjects:
- apiGroup: ""
kind: ServiceAccount
name: webhook
name: cert-manager
namespace: cert-manager
---
@ -44,7 +44,7 @@ subjects:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: webhook:webhook-authentication-reader
name: cert-manager:webhook-authentication-reader
namespace: kube-system
labels:
app: webhook
@ -58,7 +58,7 @@ roleRef:
subjects:
- apiGroup: ""
kind: ServiceAccount
name: webhook
name: cert-manager
namespace: cert-manager
---
@ -66,7 +66,7 @@ subjects:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: webhook:webhook-requester
name: cert-manager:webhook-requester
labels:
app: webhook
chart: webhook-v0.6.0-dev.3
@ -87,7 +87,7 @@ rules:
apiVersion: v1
kind: Service
metadata:
name: webhook
name: cert-manager
namespace: "cert-manager"
labels:
app: webhook
@ -109,7 +109,7 @@ spec:
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: webhook
name: cert-manager
namespace: "cert-manager"
labels:
app: webhook
@ -129,7 +129,7 @@ spec:
release: webhook
annotations:
spec:
serviceAccountName: webhook
serviceAccountName: cert-manager
containers:
- name: webhook
image: "quay.io/jetstack/cert-manager-webhook:canary"
@ -156,7 +156,7 @@ spec:
volumes:
- name: certs
secret:
secretName: webhook-webhook-tls
secretName: cert-manager-webhook-tls
---
# Source: webhook/templates/ca-sync.yaml
@ -167,7 +167,7 @@ spec:
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: webhook-ca-sync
name: cert-manager-ca-sync
namespace: "cert-manager"
labels:
app: webhook
@ -183,7 +183,7 @@ spec:
labels:
app: ca-helper
spec:
serviceAccountName: webhook-ca-sync
serviceAccountName: cert-manager-ca-sync
restartPolicy: OnFailure
containers:
- name: ca-helper
@ -204,12 +204,12 @@ spec:
volumes:
- name: config
configMap:
name: webhook-ca-sync
name: cert-manager-ca-sync
---
apiVersion: batch/v1
kind: Job
metadata:
name: webhook-ca-sync
name: cert-manager-ca-sync
namespace: "cert-manager"
labels:
app: webhook
@ -222,7 +222,7 @@ spec:
labels:
app: ca-helper
spec:
serviceAccountName: webhook-ca-sync
serviceAccountName: cert-manager-ca-sync
restartPolicy: OnFailure
containers:
- name: ca-helper
@ -243,12 +243,12 @@ spec:
volumes:
- name: config
configMap:
name: webhook-ca-sync
name: cert-manager-ca-sync
---
apiVersion: v1
kind: ConfigMap
metadata:
name: webhook-ca-sync
name: cert-manager-ca-sync
namespace: "cert-manager"
labels:
app: webhook
@ -262,7 +262,7 @@ data:
{
"name": "v1beta1.admission.certmanager.k8s.io",
"secret": {
"name": "webhook-ca",
"name": "cert-manager-ca",
"namespace": "cert-manager",
"key": "tls.crt"
}
@ -270,7 +270,7 @@ data:
],
"validatingWebhookConfigurations": [
{
"name": "webhook",
"name": "cert-manager",
"file": {
"path": "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
}
@ -281,7 +281,7 @@ data:
apiVersion: v1
kind: ServiceAccount
metadata:
name: webhook-ca-sync
name: cert-manager-ca-sync
namespace: "cert-manager"
labels:
app: webhook
@ -292,7 +292,7 @@ metadata:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: webhook-ca-sync
name: cert-manager-ca-sync
labels:
app: webhook
chart: webhook-v0.6.0-dev.3
@ -303,12 +303,12 @@ rules:
resources: ["secrets"]
verbs: ["get"]
resourceNames:
- webhook-ca
- cert-manager-ca
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
verbs: ["get", "update"]
resourceNames:
- webhook
- cert-manager
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get", "update"]
@ -318,7 +318,7 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: webhook-ca-sync
name: cert-manager-ca-sync
labels:
app: webhook
chart: webhook-v0.6.0-dev.3
@ -327,9 +327,9 @@ metadata:
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: webhook-ca-sync
name: cert-manager-ca-sync
subjects:
- name: webhook-ca-sync
- name: cert-manager-ca-sync
namespace: cert-manager
kind: ServiceAccount
@ -349,7 +349,7 @@ spec:
groupPriorityMinimum: 1000
versionPriority: 15
service:
name: webhook
name: cert-manager
namespace: "cert-manager"
version: v1beta1
@ -361,7 +361,7 @@ spec:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
name: webhook-selfsign
name: cert-manager-selfsign
namespace: "cert-manager"
labels:
app: webhook
@ -377,7 +377,7 @@ spec:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: webhook-ca
name: cert-manager-ca
namespace: "cert-manager"
labels:
app: webhook
@ -385,9 +385,9 @@ metadata:
release: webhook
heritage: Tiller
spec:
secretName: webhook-ca
secretName: cert-manager-ca
issuerRef:
name: webhook-selfsign
name: cert-manager-selfsign
commonName: "ca.webhook.cert-manager"
isCA: true
@ -397,7 +397,7 @@ spec:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
name: webhook-ca
name: cert-manager-ca
namespace: "cert-manager"
labels:
app: webhook
@ -406,7 +406,7 @@ metadata:
heritage: Tiller
spec:
ca:
secretName: webhook-ca
secretName: cert-manager-ca
---
@ -414,7 +414,7 @@ spec:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: webhook-webhook-tls
name: cert-manager-webhook-tls
namespace: "cert-manager"
labels:
app: webhook
@ -422,20 +422,20 @@ metadata:
release: webhook
heritage: Tiller
spec:
secretName: webhook-webhook-tls
secretName: cert-manager-webhook-tls
issuerRef:
name: webhook-ca
name: cert-manager-ca
dnsNames:
- webhook
- webhook.cert-manager
- webhook.cert-manager.svc
- cert-manager
- cert-manager.cert-manager
- cert-manager.cert-manager.svc
---
# Source: webhook/templates/validating-webhook.yaml
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
name: webhook
name: cert-manager
labels:
app: webhook
chart: webhook-v0.6.0-dev.3

0
deploy/manifests/with-rbac.yaml → deploy/manifests/cert-manager.yaml
View File

2
hack/deploy/rbac-values.yaml → deploy/manifests/helm-values.yaml
View File

@ -1,3 +1,5 @@
fullnameOverride: cert-manager
resources:
requests:
cpu: 10m

526
deploy/manifests/without-rbac-webhook.yaml
View File

@ -1,526 +0,0 @@
---
# Source: webhook/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: webhook
namespace: "cert-manager"
labels:
app: webhook
chart: webhook-v0.6.0-dev.3
release: webhook
heritage: Tiller
---
# Source: webhook/templates/rbac.yaml
### Webhook ###
---
# apiserver gets the auth-delegator role to delegate auth decisions to
# the core apiserver
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: webhook:auth-delegator
labels:
app: webhook
chart: webhook-v0.6.0-dev.3
release: webhook
heritage: Tiller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- apiGroup: ""
kind: ServiceAccount
name: webhook
namespace: cert-manager
---
# apiserver gets the ability to read authentication. This allows it to
# read the specific configmap that has the requestheader-* entries to
# api agg
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: webhook:webhook-authentication-reader
namespace: kube-system
labels:
app: webhook
chart: webhook-v0.6.0-dev.3
release: webhook
heritage: Tiller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- apiGroup: ""
kind: ServiceAccount
name: webhook
namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: webhook:webhook-requester
labels:
app: webhook
chart: webhook-v0.6.0-dev.3
release: webhook
heritage: Tiller
rules:
- apiGroups:
- admission.certmanager.k8s.io
resources:
- certificates
- issuers
- clusterissuers
verbs:
- create
---
# Source: webhook/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: webhook
namespace: "cert-manager"
labels:
app: webhook
chart: webhook-v0.6.0-dev.3
release: webhook
heritage: Tiller
spec:
type: ClusterIP
ports:
- name: https
port: 443
targetPort: 6443
selector:
app: webhook
release: webhook
---
# Source: webhook/templates/deployment.yaml
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: webhook
namespace: "cert-manager"
labels:
app: webhook
chart: webhook-v0.6.0-dev.3
release: webhook
heritage: Tiller
spec:
replicas: 1
selector:
matchLabels:
app: webhook
release: webhook
template:
metadata:
labels:
app: webhook
release: webhook
annotations:
spec:
serviceAccountName: webhook
containers:
- name: webhook
image: "quay.io/jetstack/cert-manager-webhook:canary"
imagePullPolicy: Always
args:
- --v=12
- --secure-port=6443
- --tls-cert-file=/certs/tls.crt
- --tls-private-key-file=/certs/tls.key
- --disable-admission-plugins=NamespaceLifecycle,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,Initializers
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
resources:
requests:
cpu: 10m
memory: 32Mi
volumeMounts:
- name: certs
mountPath: /certs
volumes:
- name: certs
secret:
secretName: webhook-webhook-tls
---
# Source: webhook/templates/ca-sync.yaml
## This file contains a CronJob that runs every 24h to automatically update the
## caBundle set on the APIService and ValidatingWebhookConfiguration resource.
## This allows us to store the CA bundle in a Secret resource which is
## generated by cert-manager's 'selfsigned' Issuer.
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: webhook-ca-sync
namespace: "cert-manager"
labels:
app: webhook
chart: webhook-v0.6.0-dev.3
release: webhook
heritage: Tiller
spec:
schedule: "* * */24 * *"
jobTemplate:
spec:
template:
metadata:
labels:
app: ca-helper
spec:
serviceAccountName: webhook-ca-sync
restartPolicy: OnFailure
containers:
- name: ca-helper
image: quay.io/munnerz/apiextensions-ca-helper:v0.1.0
imagePullPolicy: IfNotPresent
args:
- -config=/config/config
volumeMounts:
- name: config
mountPath: /config
resources:
requests:
cpu: 10m
memory: 32Mi
limits:
cpu: 100m
memory: 128Mi
volumes:
- name: config
configMap:
name: webhook-ca-sync
---
apiVersion: batch/v1
kind: Job
metadata:
name: webhook-ca-sync
namespace: "cert-manager"
labels:
app: webhook
chart: webhook-v0.6.0-dev.3
release: webhook
heritage: Tiller
spec:
template:
metadata:
labels:
app: ca-helper
spec:
serviceAccountName: webhook-ca-sync
restartPolicy: OnFailure
containers:
- name: ca-helper
image: quay.io/munnerz/apiextensions-ca-helper:v0.1.0
imagePullPolicy: IfNotPresent
args:
- -config=/config/config
volumeMounts:
- name: config
mountPath: /config
resources:
requests:
cpu: 10m
memory: 32Mi
limits:
cpu: 100m
memory: 128Mi
volumes:
- name: config
configMap:
name: webhook-ca-sync
---
apiVersion: v1
kind: ConfigMap
metadata:
name: webhook-ca-sync
namespace: "cert-manager"
labels:
app: webhook
chart: webhook-v0.6.0-dev.3
release: webhook
heritage: Tiller
data:
config: |-
{
"apiServices": [
{
"name": "v1beta1.admission.certmanager.k8s.io",
"secret": {
"name": "webhook-ca",
"namespace": "cert-manager",
"key": "tls.crt"
}
}
],
"validatingWebhookConfigurations": [
{
"name": "webhook",
"file": {
"path": "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
}
}
]
}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: webhook-ca-sync
namespace: "cert-manager"
labels:
app: webhook
chart: webhook-v0.6.0-dev.3
release: webhook
heritage: Tiller
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: webhook-ca-sync
labels:
app: webhook
chart: webhook-v0.6.0-dev.3
release: webhook
heritage: Tiller
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
resourceNames:
- webhook-ca
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
verbs: ["get", "update"]
resourceNames:
- webhook
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get", "update"]
resourceNames:
- v1beta1.admission.certmanager.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: webhook-ca-sync
labels:
app: webhook
chart: webhook-v0.6.0-dev.3
release: webhook
heritage: Tiller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: webhook-ca-sync
subjects:
- name: webhook-ca-sync
namespace: cert-manager
kind: ServiceAccount
---
# Source: webhook/templates/apiservice.yaml
apiVersion: apiregistration.k8s.io/v1beta1
kind: APIService
metadata:
name: v1beta1.admission.certmanager.k8s.io
labels:
app: webhook
chart: webhook-v0.6.0-dev.3
release: webhook
heritage: Tiller
spec:
group: admission.certmanager.k8s.io
groupPriorityMinimum: 1000
versionPriority: 15
service:
name: webhook
namespace: "cert-manager"
version: v1beta1
---
# Source: webhook/templates/pki.yaml
---
# Create a selfsigned Issuer, in order to create a root CA certificate for
# signing webhook serving certificates
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
name: webhook-selfsign
namespace: "cert-manager"
labels:
app: webhook
chart: webhook-v0.6.0-dev.3
release: webhook
heritage: Tiller
spec:
selfsigned: {}
---
# Generate a CA Certificate used to sign certificates for the webhook
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: webhook-ca
namespace: "cert-manager"
labels:
app: webhook
chart: webhook-v0.6.0-dev.3
release: webhook
heritage: Tiller
spec:
secretName: webhook-ca
issuerRef:
name: webhook-selfsign
commonName: "ca.webhook.cert-manager"
isCA: true
---
# Create an Issuer that uses the above generated CA certificate to issue certs
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
name: webhook-ca
namespace: "cert-manager"
labels:
app: webhook
chart: webhook-v0.6.0-dev.3
release: webhook
heritage: Tiller
spec:
ca:
secretName: webhook-ca
---
# Finally, generate a serving certificate for the webhook to use
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: webhook-webhook-tls
namespace: "cert-manager"
labels:
app: webhook
chart: webhook-v0.6.0-dev.3
release: webhook
heritage: Tiller
spec:
secretName: webhook-webhook-tls
issuerRef:
name: webhook-ca
dnsNames:
- webhook
- webhook.cert-manager
- webhook.cert-manager.svc
---
# Source: webhook/templates/validating-webhook.yaml
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
name: webhook
labels:
app: webhook
chart: webhook-v0.6.0-dev.3
release: webhook
heritage: Tiller
webhooks:
- name: certificates.admission.certmanager.k8s.io
namespaceSelector:
matchExpressions:
- key: "certmanager.k8s.io/disable-validation"
operator: "NotIn"
values:
- "true"
- key: "name"
operator: "NotIn"
values:
- cert-manager
rules:
- apiGroups:
- "certmanager.k8s.io"
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- certificates
failurePolicy: Fail
clientConfig:
service:
name: kubernetes
namespace: default
path: /apis/admission.certmanager.k8s.io/v1beta1/certificates
- name: issuers.admission.certmanager.k8s.io
namespaceSelector:
matchExpressions:
- key: "certmanager.k8s.io/disable-validation"
operator: "NotIn"
values:
- "true"
- key: "name"
operator: "NotIn"
values:
- cert-manager
rules:
- apiGroups:
- "certmanager.k8s.io"
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- issuers
failurePolicy: Fail
clientConfig:
service:
name: kubernetes
namespace: default
path: /apis/admission.certmanager.k8s.io/v1beta1/issuers
- name: clusterissuers.admission.certmanager.k8s.io
namespaceSelector:
matchExpressions:
- key: "certmanager.k8s.io/disable-validation"
operator: "NotIn"
values:
- "true"
- key: "name"
operator: "NotIn"
values:
- cert-manager
rules:
- apiGroups:
- "certmanager.k8s.io"
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- clusterissuers
failurePolicy: Fail
clientConfig:
service:
name: kubernetes
namespace: default
path: /apis/admission.certmanager.k8s.io/v1beta1/clusterissuers

161
deploy/manifests/without-rbac.yaml
View File

@ -1,161 +0,0 @@
---
# Source: cert-manager/templates/00-namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
name: "cert-manager"
labels:
name: "cert-manager"
certmanager.k8s.io/disable-validation: "true"
---
# Source: cert-manager/templates/certificate-crd.yaml
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: certificates.certmanager.k8s.io
annotations:
"helm.sh/hook": crd-install
labels:
app: cert-manager
chart: cert-manager-v0.6.0-dev.6
release: cert-manager
heritage: Tiller
spec:
group: certmanager.k8s.io
version: v1alpha1
scope: Namespaced
names:
kind: Certificate
plural: certificates
shortNames:
- cert
- certs
---
# Source: cert-manager/templates/challenge-crd.yaml
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: challenges.certmanager.k8s.io
labels:
app: cert-manager
chart: cert-manager-v0.6.0-dev.6
release: cert-manager
heritage: Tiller
spec:
group: certmanager.k8s.io
version: v1alpha1
names:
kind: Challenge
plural: challenges
scope: Namespaced
---
# Source: cert-manager/templates/clusterissuer-crd.yaml
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: clusterissuers.certmanager.k8s.io
annotations:
"helm.sh/hook": crd-install
labels:
app: cert-manager
chart: cert-manager-v0.6.0-dev.6
release: cert-manager
heritage: Tiller
spec:
group: certmanager.k8s.io
version: v1alpha1
names:
kind: ClusterIssuer
plural: clusterissuers
scope: Cluster
---
# Source: cert-manager/templates/issuer-crd.yaml
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: issuers.certmanager.k8s.io
annotations:
"helm.sh/hook": crd-install
labels:
app: cert-manager
chart: cert-manager-v0.6.0-dev.6
release: cert-manager
heritage: Tiller
spec:
group: certmanager.k8s.io
version: v1alpha1
names:
kind: Issuer
plural: issuers
scope: Namespaced
---
# Source: cert-manager/templates/order-crd.yaml
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: orders.certmanager.k8s.io
labels:
app: cert-manager
chart: cert-manager-v0.6.0-dev.6
release: cert-manager
heritage: Tiller
spec:
group: certmanager.k8s.io
version: v1alpha1
names:
kind: Order
plural: orders
scope: Namespaced
---
# Source: cert-manager/templates/deployment.yaml
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: cert-manager
namespace: "cert-manager"
labels:
app: cert-manager
chart: cert-manager-v0.6.0-dev.6
release: cert-manager
heritage: Tiller
spec:
replicas: 1
selector:
matchLabels:
app: cert-manager
release: cert-manager
template:
metadata:
labels:
app: cert-manager
release: cert-manager
annotations:
spec:
serviceAccountName: default
containers:
- name: cert-manager
image: "quay.io/jetstack/cert-manager-controller:canary"
imagePullPolicy: Always
args:
- --cluster-resource-namespace=$(POD_NAMESPACE)
- --leader-election-namespace=$(POD_NAMESPACE)
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
resources:
requests:
cpu: 10m
memory: 32Mi
---
# Source: cert-manager/templates/rbac.yaml
---
# Source: cert-manager/templates/serviceaccount.yaml

2
hack/BUILD.bazel
View File

@ -109,7 +109,6 @@ sh_test(
data = [
":update-deploy-gen",
"//deploy:all-srcs",
"//hack/deploy:all-srcs",
],
)
@ -164,7 +163,6 @@ filegroup(
":package-srcs",
"//hack/bin:all-srcs",
"//hack/boilerplate:all-srcs",
"//hack/deploy:all-srcs",
],
tags = ["automanaged"],
visibility = ["//visibility:public"],

13
hack/deploy/BUILD.bazel
View File

@ -1,13 +0,0 @@
filegroup(
name = "package-srcs",
srcs = glob(["**"]),
tags = ["automanaged"],
visibility = ["//visibility:private"],
)
filegroup(
name = "all-srcs",
srcs = [":package-srcs"],
tags = ["automanaged"],
visibility = ["//visibility:public"],
)

16
hack/deploy/without-rbac-values.yaml
View File

@ -1,16 +0,0 @@
rbac:
create: false
serviceAccount:
create: false
resources:
requests:
cpu: 10m
memory: 32Mi
ingressShim:
resources:
requests:
cpu: 10m
memory: 32Mi

11
hack/update-deploy-gen.sh
View File

@ -28,22 +28,20 @@ cd "${REPO_ROOT}"
KUBE_VERSION=1.9
gen() {
VALUES=$1
OUTPUT=$2
OUTPUT=$1
TMP_OUTPUT=$(mktemp)
TMP_OUTPUT_WEBHOOK=$(mktemp)
mkdir -p "$(dirname ${OUTPUT})"
helm template \
"${REPO_ROOT}/deploy/chart" \
--values "${REPO_ROOT}/hack/deploy/${VALUES}.yaml" \
--values "${REPO_ROOT}/deploy/manifests/helm-values.yaml" \
--kube-version "${KUBE_VERSION}" \
--namespace "cert-manager" \
--name "cert-manager" \
--set "fullnameOverride=cert-manager" \
--set "createNamespaceResource=true" > "${TMP_OUTPUT}"
helm template \
"${REPO_ROOT}/deploy/chart/webhook" \
--values "${REPO_ROOT}/hack/deploy/${VALUES}.yaml" \
--values "${REPO_ROOT}/deploy/manifests/helm-values.yaml" \
--kube-version "${KUBE_VERSION}" \
--namespace "cert-manager" \
--name "webhook" > "${TMP_OUTPUT_WEBHOOK}"
@ -54,5 +52,4 @@ gen() {
export HELM_HOME="$(mktemp -d)"
helm init --client-only
helm dep update "${REPO_ROOT}/deploy/chart"
gen rbac-values "${REPO_ROOT}/deploy/manifests/with-rbac"
gen without-rbac-values "${REPO_ROOT}/deploy/manifests/without-rbac"
gen "${REPO_ROOT}/deploy/manifests/cert-manager"