545 Commits

Author SHA1 Message Date
jetstack-ci-bot
e8d0d21164
Merge pull request #382 from whereisaaron/patch-1
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Document common ingressShim.extraArgs use case in chart

**What this PR does / why we need it**:

Lots of new users don't realize:
(a) They need to create an Issuer/ClusterIssuer themselves
(b) They need to tell `ingress-shim` the name via `extra-args`
This PR adds a comment to the helm chart `values.yaml` to address these issues.

(Ideally the `helm` would create a ClusterIssuer for you by default, and set these options, if you specify an email address to use with LE.)

Release note:
```release-note
NONE
```
2018-03-12 10:28:06 +00:00
jetstack-ci-bot
ce9e5ede2b
Merge pull request #351 from jonboulle/master

Fix various typos in spelling of Certificate
2018-03-12 10:14:09 +00:00
Aaron Roydhouse
f117e6e833
Merge branch 'master' into patch-1 2018-03-09 22:44:56 -05:00
Aaron Roydhouse
57f248ae94 Bump chart version and run ./hack/update-deploy-gen.sh again 2018-03-09 22:40:16 -05:00
Aaron Roydhouse
96c4f9e145 Run ./hack/update-deploy-gen.sh 2018-03-09 22:18:54 -05:00
jetstack-ci-bot
3a0d72c7a2
Merge pull request #381 from euank/minikube-docs

docs/devel: add 'deploy to minikube' docs

**What this PR does / why we need it**:

I felt that the steps to deploy/run/test cert-manager in minikube were non-trivial enough that it was worth documenting.

Let me know if this should live somewhere else in the repo or if you have suggestions for how to better document this.

```release-note
NONE
```
2018-03-08 16:57:37 +00:00
jetstack-ci-bot
5eefe871a8
Merge pull request #350 from kiall/chart-scheduling

Helm Chart: Add support for affinity and tolerations

Adds support for setting the node affinity and tolerations scheduling options

```release-note
Add support for node affinity and tolerations in Helm chart
```
2018-03-08 16:40:09 +00:00
jetstack-ci-bot
fff6596bc9
Merge pull request #385 from jetstack/munnerz-patch-3

Fix .gitlab-ci.yml build

Since #372 merged, builds of master (which lead to releases) have been failing.

Technically, the PULL_BASE_SHA should be set to the SHA value of the branch this PR is being *merged into*. Because we don't actually test these on GitLab, this workaround is okay (setting it to the value of the current commit).


**Release note**:
```release-note
NONE
```
2018-03-08 13:47:03 +00:00
jetstack-ci-bot
ecedad896a
Merge pull request #384 from jetstack/munnerz-patch-2

Add missing apiVersion to Issuer sample docs

**What this PR does / why we need it**:

This PR is in response to #379

```release-note
NONE
```
2018-03-08 13:38:27 +00:00
James Munnelly
e50f75011d
Fix .gitlab-ci.yml build 2018-03-08 13:29:21 +00:00
James Munnelly
6215ff692c
Add missing apiVersion to Issuer sample docs 2018-03-08 13:17:36 +00:00
Kiall Mac Innes
640991c099 Run hack/update-deploy-gen.sh 2018-03-06 13:44:15 +00:00
Aaron Roydhouse
0b5042c657
Bump chart version for documentation update 2018-03-06 00:20:11 -05:00
Aaron Roydhouse
386a0ec54e
Document common use case options in values.yaml
Lots of new users don't realize:
(a) They need to create an Issuer/ClusterIssuer themselves
(b) They need to tell `ingress-shim` the name via `extra-args`

(Ideally the `helm` would create a ClusterIssuer for you by default, and set these options, if you specify an email address to use with LE.)
2018-03-06 00:19:05 -05:00
Euan Kemp
c82226c7d1 docs/examples: fix typo in example cert 2018-03-05 17:09:51 -08:00
Euan Kemp
4736c4fe27 docs/devel: add 'deploy to minikube' docs
The rbac and docker-env bits are tricky enough that I think it's worth
documenting this.
2018-03-05 17:09:50 -08:00
jetstack-ci-bot
24f0bbe1f3
Merge pull request #372 from munnerz/verify-chart-version

Verify helm chart version is bumped when a chart is changed

**What this PR does / why we need it**:

Verifies that the Helm chart version is bumped when a file in the chart is changed.

**Release note**:
```release-note
NONE
```
2018-03-02 10:57:40 +00:00
James Munnelly
b425d77f1e Verify helm chart version is bumped when a chart is changed 2018-03-02 10:01:53 +00:00
jetstack-ci-bot
35fd53028e
Merge pull request #359 from wmedlar/document-route53-policy

Document the minimum necessary permissions for using cert-manager with Route53

**What this PR does / why we need it**: Necessary permissions previously not documented.

**Release note**:

```release-note
Document the minimum necessary permissions for using cert-manager with Route53
```
2018-03-01 15:24:06 +00:00
Will Medlar
ffeedf7d5d Remove non-recommended hostedZoneID from Route53 example 2018-03-01 09:21:13 -05:00
jetstack-ci-bot
09fbbb4d4a
Merge pull request #361 from hackcave/fix/google-dns-ip

Use Google's DNS IPs instead of domain

**What this PR does / why we need it**:
If /etc/resolv.conf does not have any entries, then it's unlikely
that the domain name representation of Google's DNS would get
resolved too. Hence using IP address directly makes sense.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #360

**Special notes for your reviewer**:

**Release note**:
```release-note
NONE
```
2018-03-01 12:40:01 +00:00
jetstack-ci-bot
0b9ce0cf3b
Merge pull request #356 from munnerz/rbac-disable

Remove old deployment manifests. Update RBAC disable advice.

**What this PR does / why we need it**:

Since #352 merged, we now use the k/charts chart in the deployment guide. This PR updates our deploying docs to reflect the options on the upstream k/charts chart.

It also removes some old and unused deployment files to reduce confusion for new users.

**Special notes for your reviewer**:

**Release note**:
```release-note
NONE
```

/assign
2018-02-28 11:31:01 +00:00
Adarsh J
c4a93bcff5 Use Google's DNS IPs instead of domain
If /etc/resolv.conf does not have any entries, then it's unlikely
that the domain name representation of Google's DNS would get
resolved too. Hence using IP address directly makes sense.
2018-02-28 02:06:02 +05:30
Will Medlar
b65cdde8a9 Document the minimum permissions for using cert-manager with Route53 2018-02-27 14:56:21 -05:00
James Munnelly
b98f3e64cb Remove old deployment manifests. Update RBAC disable advice. 2018-02-27 08:34:43 +00:00
jetstack-ci-bot
8022e6ab93
Merge pull request #352 from hvaara/guides-charts-repo

Update guides to use official Charts repository

**What this PR does / why we need it**:
Updates docs to use Chart from kubernetes/charts in the installation/migration guides. This makes it less confusing which Chart to use. There was a short discussion about this with @ahmetb and @munnerz on Slack https://kubernetes.slack.com/archives/C4NV3DWUC/p1519675336000598

**Which issue this PR fixes**
No issue filed.

**Special notes for your reviewer**:
None.

**Release note**:
```release-note
NONE
```
2018-02-27 08:32:17 +00:00
Roy Hvaara
87fa7b170b
Update guides to use official Charts repository 2018-02-26 21:39:41 +01:00
Jonathan Boulle
526d31bbc0 Fix various typos in spelling of Certificate 2018-02-26 20:07:06 +01:00
Kiall Mac Innes
054b99f3ba Helm Chart: Add support for affinity and tolerations
Adds support for setting the node affinity and tolerations scheduling options
2018-02-26 15:40:29 +00:00
jetstack-ci-bot
0a0a2f3b13
Merge pull request #346 from rjeczalik/patch-1

docs: fix value name that disables rbac

**What this PR does / why we need it**:

Proper documentation for deploying cert-manager for k8s clusters without rbac enabled (happens to be the default for cdk on localhost).

**Which issue this PR fixes**

No issue per se, a follow-up on #256.
2018-02-25 20:20:05 +00:00
jetstack-ci-bot
010e6c87e4
Merge pull request #343 from munnerz/rbac-endpoints

Add Endpoints back into the cert-manager RBAC policy

**What this PR does / why we need it**:

Adds permission to CRUD Endpoints resources back into the cert-manager RBAC role. This is to prevent deployments using the 'master' version of the Helm chart failing when deploying a pre-0.3 (unreleased) release of cert-manager.

We will remove this in 0.4. This is in order to reduce friction for new users if they forget/decide not to use a tagged release of the Helm chart.

**Release note**:
```release-note
NONE
```

/cc @davecheney @mikebryant
2018-02-25 20:19:02 +00:00
Rafal Jeczalik
c01dd256eb
docs: fix property name that disables rbac 2018-02-25 09:02:24 +01:00
James Munnelly
8cb1e79825 Add Endpoints back into the cert-manager RBAC policy 2018-02-24 10:27:11 +00:00
jetstack-ci-bot
97ce5ca2b3
Merge pull request #329 from munnerz/default-cluster-namespace

Set default cluster resource namespace to current pod namespace

**What this PR does / why we need it**:

Changes the default cluster resource namespace from kube-system to the current namespace of the cert-manager deployment.

**Which issue this PR fixes**: fixes #103 

**Release note**:
```release-note
Supporting resources for ClusterIssuers (e.g. signing CA certificates, or ACME account private keys) will now be stored in the same namespace as cert-manager, instead of kube-system in previous versions. Action required: you will need to ensure to properly manually migrate these referenced resources across into the deployment namespace of cert-manager, else cert-manager may not be able to find account private keys or signing CA certificates.
```

/cc @mikebryant
2018-02-23 19:56:21 +00:00
James Munnelly
30c28975cb Update cluster resource namespace during e2e tests 2018-02-23 11:18:58 +00:00
jetstack-ci-bot
f302862610
Merge pull request #340 from munnerz/static-manifest-ns

Create a Namespace resource as part of the static manifest bundle

**What this PR does / why we need it**:

Create a Namespace resource as part of the static deployment manifests bundle, to make it easier for users to deploy cert-manager without a Helm chart

**Release note**:
```release-note
NONE
```

/cc @davecheney @wallrj
2018-02-23 11:01:33 +00:00
James Munnelly
105c6c149e Create a Namespace resource as part of the static manifest bundle 2018-02-23 09:13:06 +00:00
jetstack-ci-bot
09c6a09584
Merge pull request #330 from munnerz/namespaced-deploy-manifests

Update default deployment namespace to be 'cert-manager'

**What this PR does / why we need it**:

Previously, our deployment manifests deployed into the 'default' namespace. This changes them to deploy into 'cert-manager' instead.

**Release note**:
```release-note
The static deployment manifests now automatically deploy into the 'cert-manager' namespace by default
```
2018-02-22 23:25:55 +00:00
jetstack-ci-bot
7533e0e329
Merge pull request #332 from munnerz/err-prefixed-events

Rename Event types to be prefixed 'Err' instead of 'Error' for brevity

**What this PR does / why we need it**:

Shortens the event type names we use to be prefixed 'Err' instead of 'Error'

**Special notes for your reviewer**:

This brings us in-line with the issuer and cluster issuer controllers, and other controllers in Kubernetes.

**Release note**:
```release-note
Rename Event types to be prefixed 'Err' instead of 'Error' for brevity
```
2018-02-22 10:21:22 +00:00
jetstack-ci-bot
c4cdd405a4
Merge pull request #331 from munnerz/no-crt-warning

Make existing TLS certificate check emit a Normal event instead of Warning when the existing certificate is invalid

**What this PR does / why we need it**:

Previously, when requesting a certificate for the first time, the following events are logged:

```
  Warning  ErrorCheckCertificate  1m                 cert-manager-controller  Error checking existing TLS certificate: secret "httpbin" not found
  Normal   PrepareCertificate     1m                 cert-manager-controller  Preparing certificate with issuer
```

This has caused confusion for users when they see a Warning/Error being logged. This PR changes that to be:

```
  Normal   ErrorCheckCertificate  1m                 cert-manager-controller  Error checking existing TLS certificate, will re-issue: secret "httpbin" not found
  Normal   PrepareCertificate     1m                 cert-manager-controller  Preparing certificate with issuer
```

**Release note**:
```release-note
Clearer event logging when issuing a certificate for the first time
```
2018-02-22 09:48:21 +00:00
James Munnelly
ce0384a196 Rename Event types to be prefixed 'Err' instead of 'Error' for brevity 2018-02-22 07:53:51 +00:00
James Munnelly
70e7c5265b Make existing TLS certificate check emit a Normal event instead of Warning when the existing certificate is invalid 2018-02-22 07:48:58 +00:00
James Munnelly
4afc72d166 Update default deployment namespace to be 'cert-manager' 2018-02-22 07:35:54 +00:00
James Munnelly
ce73a22f6f Set default cluster resource namespace to current pod namespace 2018-02-22 07:24:29 +00:00
jetstack-ci-bot
362735f8f1
Merge pull request #312 from Mikulas/pr/cert-crd-alias

Add default shortNames to certificates CRD

Defaults to `[cert, certs]` and is configurable with `certificateCRDShortNames` parameter.

**What this PR does / why we need it**:

Simplifies manual certificate management with kubectl.

Fixes #311

**Special notes for your reviewer**:

Instead of a boolean switch do/don't include the shortNames, the value defines the aliases. This may be handy if anybody prefers `[crt, crts]` instead.

I'm not too keen on the `certificateCRDShortNames` variable name. It might be better to use `Resource` instead of `CRD` to be consistent with the `createCustomResource` var.

Other CRDs are probably ok without an alias, but other people's workflows may differ. Should these also be configurable? In that case, the variables could be `shortNames: {certificates: [], …}`.

**Release note**:

```release-note
Add Certificate CRD shortnames `cert` and `certs`. This is configurable in the Helm Chart with `certificateResourceShortNames`.
```
2018-02-21 20:48:17 +00:00
Mikuláš Dítě
d884404159 Add default shortNames to certificates CRD
Defaults to [cert, certs] and is configurable with
`certificateCRDShortNames` parameter.

[Closes #311]
2018-02-21 20:37:25 +01:00
jetstack-ci-bot
721a4042cd
Merge pull request #327 from ocadotechnology/wip-293

fix: Use ConfigMaps for leaderelection

**What this PR does / why we need it**:
Use ConfigMaps for leader election. Improves scalability by not modifying Endpoints, which are watched by kube-proxy.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #293

**Special notes for your reviewer**:

**Release note**:

```release-note
action required: Before upgrading, scale the cert-manager Deployment to 0, to avoid two controllers attempting to operate on the same resources
```
2018-02-21 18:22:27 +00:00
Mike Bryant
0274964100 fix: Use ConfigMaps for leaderelection
Fixes #293
2018-02-21 17:48:13 +00:00
jetstack-ci-bot
46307a0eb3
Merge pull request #325 from wmedlar/bugfix/tls-acme-annotation-value

Check the value of the tls-acme annotation, not just its existence

**What this PR does / why we need it**: Previously the ingress-shim would sync an Ingress resource if it simply contained the `kubernetes.io/tls-acme` annotation, regardless of the value; now it will only do so if the annotation value is truthy (e.g., "true", "t", "1", so forth).



**Special notes for your reviewer**: This could probably be done in a way that doesn't disrupt the function's aesthetics so much. Open to all suggestions.

**Release note**:

```release-note
ingress-shim will only sync Ingress resources with `kubernetes.io/tls-acme` annotation if the value of that annotation is true.
```
2018-02-21 17:40:59 +00:00
jetstack-ci-bot
430505d1d7
Merge pull request #326 from jetstack/munnerz-patch-1

Install Helm during .gitlab-ci.yml release build

Install Helm during .gitlab-ci.yml script

(in future, this file will go away altogether once we have set up a 'trusted' build cluster to push releases)

**Release note**:
```release-note
NONE
```

/assign
2018-02-21 17:23:32 +00:00