527 lines
12 KiB
YAML
527 lines
12 KiB
YAML
---
|
|
# Source: webhook/templates/serviceaccount.yaml
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: webhook
|
|
namespace: "cert-manager"
|
|
labels:
|
|
app: webhook
|
|
chart: webhook-v0.6.0-dev.3
|
|
release: webhook
|
|
heritage: Tiller
|
|
|
|
---
|
|
# Source: webhook/templates/rbac.yaml
|
|
### Webhook ###
|
|
---
|
|
# apiserver gets the auth-delegator role to delegate auth decisions to
|
|
# the core apiserver
|
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: webhook:auth-delegator
|
|
labels:
|
|
app: webhook
|
|
chart: webhook-v0.6.0-dev.3
|
|
release: webhook
|
|
heritage: Tiller
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: system:auth-delegator
|
|
subjects:
|
|
- apiGroup: ""
|
|
kind: ServiceAccount
|
|
name: webhook
|
|
namespace: cert-manager
|
|
|
|
---
|
|
|
|
# apiserver gets the ability to read authentication. This allows it to
|
|
# read the specific configmap that has the requestheader-* entries to
|
|
# api agg
|
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: webhook:webhook-authentication-reader
|
|
namespace: kube-system
|
|
labels:
|
|
app: webhook
|
|
chart: webhook-v0.6.0-dev.3
|
|
release: webhook
|
|
heritage: Tiller
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: extension-apiserver-authentication-reader
|
|
subjects:
|
|
- apiGroup: ""
|
|
kind: ServiceAccount
|
|
name: webhook
|
|
namespace: cert-manager
|
|
|
|
---
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: webhook:webhook-requester
|
|
labels:
|
|
app: webhook
|
|
chart: webhook-v0.6.0-dev.3
|
|
release: webhook
|
|
heritage: Tiller
|
|
rules:
|
|
- apiGroups:
|
|
- admission.certmanager.k8s.io
|
|
resources:
|
|
- certificates
|
|
- issuers
|
|
- clusterissuers
|
|
verbs:
|
|
- create
|
|
|
|
---
|
|
# Source: webhook/templates/service.yaml
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: webhook
|
|
namespace: "cert-manager"
|
|
labels:
|
|
app: webhook
|
|
chart: webhook-v0.6.0-dev.3
|
|
release: webhook
|
|
heritage: Tiller
|
|
spec:
|
|
type: ClusterIP
|
|
ports:
|
|
- name: https
|
|
port: 443
|
|
targetPort: 6443
|
|
selector:
|
|
app: webhook
|
|
release: webhook
|
|
|
|
---
|
|
# Source: webhook/templates/deployment.yaml
|
|
apiVersion: apps/v1beta1
|
|
kind: Deployment
|
|
metadata:
|
|
name: webhook
|
|
namespace: "cert-manager"
|
|
labels:
|
|
app: webhook
|
|
chart: webhook-v0.6.0-dev.3
|
|
release: webhook
|
|
heritage: Tiller
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: webhook
|
|
release: webhook
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: webhook
|
|
release: webhook
|
|
annotations:
|
|
spec:
|
|
serviceAccountName: webhook
|
|
containers:
|
|
- name: webhook
|
|
image: "quay.io/jetstack/cert-manager-webhook:canary"
|
|
imagePullPolicy: Always
|
|
args:
|
|
- --v=12
|
|
- --secure-port=6443
|
|
- --tls-cert-file=/certs/tls.crt
|
|
- --tls-private-key-file=/certs/tls.key
|
|
- --disable-admission-plugins=NamespaceLifecycle,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,Initializers
|
|
env:
|
|
- name: POD_NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
resources:
|
|
requests:
|
|
cpu: 10m
|
|
memory: 32Mi
|
|
|
|
volumeMounts:
|
|
- name: certs
|
|
mountPath: /certs
|
|
volumes:
|
|
- name: certs
|
|
secret:
|
|
secretName: webhook-webhook-tls
|
|
|
|
---
|
|
# Source: webhook/templates/ca-sync.yaml
|
|
## This file contains a CronJob that runs every 24h to automatically update the
|
|
## caBundle set on the APIService and ValidatingWebhookConfiguration resource.
|
|
## This allows us to store the CA bundle in a Secret resource which is
|
|
## generated by cert-manager's 'selfsigned' Issuer.
|
|
apiVersion: batch/v1beta1
|
|
kind: CronJob
|
|
metadata:
|
|
name: webhook-ca-sync
|
|
namespace: "cert-manager"
|
|
labels:
|
|
app: webhook
|
|
chart: webhook-v0.6.0-dev.3
|
|
release: webhook
|
|
heritage: Tiller
|
|
spec:
|
|
schedule: "* * */24 * *"
|
|
jobTemplate:
|
|
spec:
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: ca-helper
|
|
spec:
|
|
serviceAccountName: webhook-ca-sync
|
|
restartPolicy: OnFailure
|
|
containers:
|
|
- name: ca-helper
|
|
image: quay.io/munnerz/apiextensions-ca-helper:v0.1.0
|
|
imagePullPolicy: IfNotPresent
|
|
args:
|
|
- -config=/config/config
|
|
volumeMounts:
|
|
- name: config
|
|
mountPath: /config
|
|
resources:
|
|
requests:
|
|
cpu: 10m
|
|
memory: 32Mi
|
|
limits:
|
|
cpu: 100m
|
|
memory: 128Mi
|
|
volumes:
|
|
- name: config
|
|
configMap:
|
|
name: webhook-ca-sync
|
|
---
|
|
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
name: webhook-ca-sync
|
|
namespace: "cert-manager"
|
|
labels:
|
|
app: webhook
|
|
chart: webhook-v0.6.0-dev.3
|
|
release: webhook
|
|
heritage: Tiller
|
|
spec:
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: ca-helper
|
|
spec:
|
|
serviceAccountName: webhook-ca-sync
|
|
restartPolicy: OnFailure
|
|
containers:
|
|
- name: ca-helper
|
|
image: quay.io/munnerz/apiextensions-ca-helper:v0.1.0
|
|
imagePullPolicy: IfNotPresent
|
|
args:
|
|
- -config=/config/config
|
|
volumeMounts:
|
|
- name: config
|
|
mountPath: /config
|
|
resources:
|
|
requests:
|
|
cpu: 10m
|
|
memory: 32Mi
|
|
limits:
|
|
cpu: 100m
|
|
memory: 128Mi
|
|
volumes:
|
|
- name: config
|
|
configMap:
|
|
name: webhook-ca-sync
|
|
---
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: webhook-ca-sync
|
|
namespace: "cert-manager"
|
|
labels:
|
|
app: webhook
|
|
chart: webhook-v0.6.0-dev.3
|
|
release: webhook
|
|
heritage: Tiller
|
|
data:
|
|
config: |-
|
|
{
|
|
"apiServices": [
|
|
{
|
|
"name": "v1beta1.admission.certmanager.k8s.io",
|
|
"secret": {
|
|
"name": "webhook-ca",
|
|
"namespace": "cert-manager",
|
|
"key": "tls.crt"
|
|
}
|
|
}
|
|
],
|
|
"validatingWebhookConfigurations": [
|
|
{
|
|
"name": "webhook",
|
|
"file": {
|
|
"path": "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
---
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: webhook-ca-sync
|
|
namespace: "cert-manager"
|
|
labels:
|
|
app: webhook
|
|
chart: webhook-v0.6.0-dev.3
|
|
release: webhook
|
|
heritage: Tiller
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: webhook-ca-sync
|
|
labels:
|
|
app: webhook
|
|
chart: webhook-v0.6.0-dev.3
|
|
release: webhook
|
|
heritage: Tiller
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["secrets"]
|
|
verbs: ["get"]
|
|
resourceNames:
|
|
- webhook-ca
|
|
- apiGroups: ["admissionregistration.k8s.io"]
|
|
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
|
|
verbs: ["get", "update"]
|
|
resourceNames:
|
|
- webhook
|
|
- apiGroups: ["apiregistration.k8s.io"]
|
|
resources: ["apiservices"]
|
|
verbs: ["get", "update"]
|
|
resourceNames:
|
|
- v1beta1.admission.certmanager.k8s.io
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: webhook-ca-sync
|
|
labels:
|
|
app: webhook
|
|
chart: webhook-v0.6.0-dev.3
|
|
release: webhook
|
|
heritage: Tiller
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: webhook-ca-sync
|
|
subjects:
|
|
- name: webhook-ca-sync
|
|
namespace: cert-manager
|
|
kind: ServiceAccount
|
|
|
|
---
|
|
# Source: webhook/templates/apiservice.yaml
|
|
apiVersion: apiregistration.k8s.io/v1beta1
|
|
kind: APIService
|
|
metadata:
|
|
name: v1beta1.admission.certmanager.k8s.io
|
|
labels:
|
|
app: webhook
|
|
chart: webhook-v0.6.0-dev.3
|
|
release: webhook
|
|
heritage: Tiller
|
|
spec:
|
|
group: admission.certmanager.k8s.io
|
|
groupPriorityMinimum: 1000
|
|
versionPriority: 15
|
|
service:
|
|
name: webhook
|
|
namespace: "cert-manager"
|
|
version: v1beta1
|
|
|
|
---
|
|
# Source: webhook/templates/pki.yaml
|
|
---
|
|
# Create a selfsigned Issuer, in order to create a root CA certificate for
|
|
# signing webhook serving certificates
|
|
apiVersion: certmanager.k8s.io/v1alpha1
|
|
kind: Issuer
|
|
metadata:
|
|
name: webhook-selfsign
|
|
namespace: "cert-manager"
|
|
labels:
|
|
app: webhook
|
|
chart: webhook-v0.6.0-dev.3
|
|
release: webhook
|
|
heritage: Tiller
|
|
spec:
|
|
selfsigned: {}
|
|
|
|
---
|
|
|
|
# Generate a CA Certificate used to sign certificates for the webhook
|
|
apiVersion: certmanager.k8s.io/v1alpha1
|
|
kind: Certificate
|
|
metadata:
|
|
name: webhook-ca
|
|
namespace: "cert-manager"
|
|
labels:
|
|
app: webhook
|
|
chart: webhook-v0.6.0-dev.3
|
|
release: webhook
|
|
heritage: Tiller
|
|
spec:
|
|
secretName: webhook-ca
|
|
issuerRef:
|
|
name: webhook-selfsign
|
|
commonName: "ca.webhook.cert-manager"
|
|
isCA: true
|
|
|
|
---
|
|
|
|
# Create an Issuer that uses the above generated CA certificate to issue certs
|
|
apiVersion: certmanager.k8s.io/v1alpha1
|
|
kind: Issuer
|
|
metadata:
|
|
name: webhook-ca
|
|
namespace: "cert-manager"
|
|
labels:
|
|
app: webhook
|
|
chart: webhook-v0.6.0-dev.3
|
|
release: webhook
|
|
heritage: Tiller
|
|
spec:
|
|
ca:
|
|
secretName: webhook-ca
|
|
|
|
---
|
|
|
|
# Finally, generate a serving certificate for the webhook to use
|
|
apiVersion: certmanager.k8s.io/v1alpha1
|
|
kind: Certificate
|
|
metadata:
|
|
name: webhook-webhook-tls
|
|
namespace: "cert-manager"
|
|
labels:
|
|
app: webhook
|
|
chart: webhook-v0.6.0-dev.3
|
|
release: webhook
|
|
heritage: Tiller
|
|
spec:
|
|
secretName: webhook-webhook-tls
|
|
issuerRef:
|
|
name: webhook-ca
|
|
dnsNames:
|
|
- webhook
|
|
- webhook.cert-manager
|
|
- webhook.cert-manager.svc
|
|
|
|
---
|
|
# Source: webhook/templates/validating-webhook.yaml
|
|
apiVersion: admissionregistration.k8s.io/v1beta1
|
|
kind: ValidatingWebhookConfiguration
|
|
metadata:
|
|
name: webhook
|
|
labels:
|
|
app: webhook
|
|
chart: webhook-v0.6.0-dev.3
|
|
release: webhook
|
|
heritage: Tiller
|
|
webhooks:
|
|
- name: certificates.admission.certmanager.k8s.io
|
|
namespaceSelector:
|
|
matchExpressions:
|
|
- key: "certmanager.k8s.io/disable-validation"
|
|
operator: "NotIn"
|
|
values:
|
|
- "true"
|
|
- key: "name"
|
|
operator: "NotIn"
|
|
values:
|
|
- cert-manager
|
|
rules:
|
|
- apiGroups:
|
|
- "certmanager.k8s.io"
|
|
apiVersions:
|
|
- v1alpha1
|
|
operations:
|
|
- CREATE
|
|
- UPDATE
|
|
resources:
|
|
- certificates
|
|
failurePolicy: Fail
|
|
clientConfig:
|
|
service:
|
|
name: kubernetes
|
|
namespace: default
|
|
path: /apis/admission.certmanager.k8s.io/v1beta1/certificates
|
|
- name: issuers.admission.certmanager.k8s.io
|
|
namespaceSelector:
|
|
matchExpressions:
|
|
- key: "certmanager.k8s.io/disable-validation"
|
|
operator: "NotIn"
|
|
values:
|
|
- "true"
|
|
- key: "name"
|
|
operator: "NotIn"
|
|
values:
|
|
- cert-manager
|
|
rules:
|
|
- apiGroups:
|
|
- "certmanager.k8s.io"
|
|
apiVersions:
|
|
- v1alpha1
|
|
operations:
|
|
- CREATE
|
|
- UPDATE
|
|
resources:
|
|
- issuers
|
|
failurePolicy: Fail
|
|
clientConfig:
|
|
service:
|
|
name: kubernetes
|
|
namespace: default
|
|
path: /apis/admission.certmanager.k8s.io/v1beta1/issuers
|
|
- name: clusterissuers.admission.certmanager.k8s.io
|
|
namespaceSelector:
|
|
matchExpressions:
|
|
- key: "certmanager.k8s.io/disable-validation"
|
|
operator: "NotIn"
|
|
values:
|
|
- "true"
|
|
- key: "name"
|
|
operator: "NotIn"
|
|
values:
|
|
- cert-manager
|
|
rules:
|
|
- apiGroups:
|
|
- "certmanager.k8s.io"
|
|
apiVersions:
|
|
- v1alpha1
|
|
operations:
|
|
- CREATE
|
|
- UPDATE
|
|
resources:
|
|
- clusterissuers
|
|
failurePolicy: Fail
|
|
clientConfig:
|
|
service:
|
|
name: kubernetes
|
|
namespace: default
|
|
path: /apis/admission.certmanager.k8s.io/v1beta1/clusterissuers
|
|
|