---
# Source: trust-manager/templates/serviceaccount.yaml
# Identity the controller Pod runs as; all RBAC below binds to this account.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: trust-manager
  labels:
    app.kubernetes.io/name: trust-manager
    helm.sh/chart: trust-manager-v0.4.0
    app.kubernetes.io/instance: trust-manager
    app.kubernetes.io/version: "v0.4.0"
    app.kubernetes.io/managed-by: Helm
---
# Source: trust-manager/templates/trust.cert-manager.io_bundles.yaml
# Cluster-scoped Bundle API: sources are read from the trust namespace and the
# target ConfigMap is written into every Namespace matching the selector.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.8.0
  creationTimestamp: null
  name: bundles.trust.cert-manager.io
spec:
  group: trust.cert-manager.io
  names:
    kind: Bundle
    listKind: BundleList
    plural: bundles
    singular: bundle
  scope: Cluster
  versions:
    - additionalPrinterColumns:
        - description: Bundle Target Key
          jsonPath: .status.target.configMap.key
          name: Target
          type: string
        - description: Bundle has been synced
          jsonPath: .status.conditions[?(@.type == "Synced")].status
          name: Synced
          type: string
        - description: Reason Bundle has Synced status
          jsonPath: .status.conditions[?(@.type == "Synced")].reason
          name: Reason
          type: string
        - description: Timestamp Bundle was created
          jsonPath: .metadata.creationTimestamp
          name: Age
          type: date
      name: v1alpha1
      schema:
        openAPIV3Schema:
          type: object
          required:
            - spec
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              description: Desired state of the Bundle resource.
              type: object
              required:
                - sources
                - target
              properties:
                sources:
                  description: Sources is a set of references to data whose data will sync to the target.
                  type: array
                  items:
                    description: BundleSource is the set of sources whose data will be appended and synced to the BundleTarget in all Namespaces.
                    type: object
                    properties:
                      configMap:
                        description: ConfigMap is a reference to a ConfigMap's `data` key, in the trust Namespace.
                        type: object
                        required:
                          - key
                          - name
                        properties:
                          key:
                            description: Key is the key of the entry in the object's `data` field to be used.
                            type: string
                          name:
                            description: Name is the name of the source object in the trust Namespace.
                            type: string
                      inLine:
                        description: InLine is a simple string to append as the source data.
                        type: string
                      secret:
                        description: Secret is a reference to a Secrets's `data` key, in the trust Namespace.
                        type: object
                        required:
                          - key
                          - name
                        properties:
                          key:
                            description: Key is the key of the entry in the object's `data` field to be used.
                            type: string
                          name:
                            description: Name is the name of the source object in the trust Namespace.
                            type: string
                      # NOTE(review): this description refers to a status field named
                      # defaultCAPackageVersion; the status schema below names it defaultCAVersion.
                      useDefaultCAs:
                        description: UseDefaultCAs, when true, requests the default CA bundle to be used as a source. Default CAs are available if trust-manager was installed via Helm or was otherwise set up to include a package-injecting init container by using the "--default-package-location" flag when starting the trust-manager controller. If default CAs were not configured at start-up, any request to use the default CAs will fail. The version of the default CA package which is used for a Bundle is stored in the defaultCAPackageVersion field of the Bundle's status field.
                        type: boolean
                target:
                  description: Target is the target location in all namespaces to sync source data to.
                  type: object
                  properties:
                    configMap:
                      description: ConfigMap is the target ConfigMap in Namespaces that all Bundle source data will be synced to.
                      type: object
                      required:
                        - key
                      properties:
                        key:
                          description: Key is the key of the entry in the object's `data` field to be used.
                          type: string
                    namespaceSelector:
                      description: NamespaceSelector will, if set, only sync the target resource in Namespaces which match the selector.
                      type: object
                      properties:
                        matchLabels:
                          description: MatchLabels matches on the set of labels that must be present on a Namespace for the Bundle target to be synced there.
                          type: object
                          additionalProperties:
                            type: string
            status:
              description: Status of the Bundle. This is set and managed automatically.
              type: object
              properties:
                # NOTE(review): the two descriptions below disagree on the known condition
                # type (`Bundle` vs `Synced`); the printer columns above query `Synced`.
                conditions:
                  description: List of status conditions to indicate the status of the Bundle. Known condition types are `Bundle`.
                  type: array
                  items:
                    description: BundleCondition contains condition information for a Bundle.
                    type: object
                    required:
                      - status
                      - type
                    properties:
                      lastTransitionTime:
                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
                        type: string
                        format: date-time
                      message:
                        description: Message is a human readable description of the details of the last transition, complementing reason.
                        type: string
                      observedGeneration:
                        description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Bundle.
                        type: integer
                        format: int64
                      reason:
                        description: Reason is a brief machine readable explanation for the condition's last transition.
                        type: string
                      status:
                        description: Status of the condition, one of ('True', 'False', 'Unknown').
                        type: string
                      type:
                        description: Type of the condition, known values are (`Synced`).
                        type: string
                defaultCAVersion:
                  description: DefaultCAPackageVersion, if set and non-empty, indicates the version information which was retrieved when the set of default CAs was requested in the bundle source. This should only be set if useDefaultCAs was set to "true" on a source, and will be the same for the same version of a bundle with identical certificates.
                  type: string
                target:
                  description: Target is the current Target that the Bundle is attempting or has completed syncing the source data to.
                  type: object
                  properties:
                    configMap:
                      description: ConfigMap is the target ConfigMap in Namespaces that all Bundle source data will be synced to.
                      type: object
                      required:
                        - key
                      properties:
                        key:
                          description: Key is the key of the entry in the object's `data` field to be used.
                          type: string
                    namespaceSelector:
                      description: NamespaceSelector will, if set, only sync the target resource in Namespaces which match the selector.
                      type: object
                      properties:
                        matchLabels:
                          description: MatchLabels matches on the set of labels that must be present on a Namespace for the Bundle target to be synced there.
                          type: object
                          additionalProperties:
                            type: string
      served: true
      storage: true
      subresources:
        status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
# Source: trust-manager/templates/clusterrole.yaml
# Cluster-wide permissions. Note that ConfigMaps get create/update/delete in
# every Namespace: that is the blast radius of this ServiceAccount's token.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    app.kubernetes.io/name: trust-manager
    helm.sh/chart: trust-manager-v0.4.0
    app.kubernetes.io/instance: trust-manager
    app.kubernetes.io/version: "v0.4.0"
    app.kubernetes.io/managed-by: Helm
  name: trust-manager
rules:
  - apiGroups:
      - "trust.cert-manager.io"
    resources:
      - "bundles"
    verbs: ["get", "list", "watch"]
  # Permissions to update finalizers are required for trust-manager to work correctly
  # on OpenShift, even though we don't directly use finalizers at the time of writing
  - apiGroups:
      - "trust.cert-manager.io"
    resources:
      - "bundles/finalizers"
    verbs: ["update"]
  - apiGroups:
      - "trust.cert-manager.io"
    resources:
      - "bundles/status"
    verbs: ["update"]
  # Write access to ConfigMaps is not namespace-restricted here; the controller
  # limits the set via the Bundle's namespaceSelector, not via RBAC.
  - apiGroups:
      - ""
    resources:
      - "configmaps"
    verbs: ["get", "list", "create", "update", "watch", "delete"]
  - apiGroups:
      - ""
    resources:
      - "namespaces"
    verbs: ["get", "list", "watch"]
  - apiGroups:
      - ""
    resources:
      - "events"
    verbs: ["create", "patch"]
---
# Source: trust-manager/templates/clusterrolebinding.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    app.kubernetes.io/name: trust-manager
    helm.sh/chart: trust-manager-v0.4.0
    app.kubernetes.io/instance: trust-manager
    app.kubernetes.io/version: "v0.4.0"
    app.kubernetes.io/managed-by: Helm
  name: trust-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: trust-manager
subjects:
  - kind: ServiceAccount
    name: trust-manager
    namespace: cert-manager
---
# Source: trust-manager/templates/role.yaml
# Namespaced permissions: Secret reads are confined to the trust namespace
# (cert-manager), which is also where Bundle sources are resolved.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: trust-manager
  namespace: cert-manager
  labels:
    app.kubernetes.io/name: trust-manager
    helm.sh/chart: trust-manager-v0.4.0
    app.kubernetes.io/instance: trust-manager
    app.kubernetes.io/version: "v0.4.0"
    app.kubernetes.io/managed-by: Helm
rules:
  - apiGroups:
      - ""
    resources:
      - "secrets"
    verbs:
      - "get"
      - "list"
      - "watch"
  # Leases are used for leader election; no cross-namespace access is granted.
  - apiGroups:
      - "coordination.k8s.io"
    resources:
      - "leases"
    verbs:
      - "get"
      - "create"
      - "update"
      - "watch"
      - "list"
---
# Source: trust-manager/templates/rolebinding.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: trust-manager
  namespace: cert-manager
  labels:
    app.kubernetes.io/name: trust-manager
    helm.sh/chart: trust-manager-v0.4.0
    app.kubernetes.io/instance: trust-manager
    app.kubernetes.io/version: "v0.4.0"
    app.kubernetes.io/managed-by: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: trust-manager
subjects:
  - kind: ServiceAccount
    name: trust-manager
    namespace: cert-manager
---
# Source: trust-manager/templates/metrics-service.yaml
# Plain-text metrics endpoint on 9402; reachable cluster-wide unless a
# NetworkPolicy (not part of this chart output) restricts it.
apiVersion: v1
kind: Service
metadata:
  name: trust-manager-metrics
  labels:
    app: trust-manager
    app.kubernetes.io/name: trust-manager
    helm.sh/chart: trust-manager-v0.4.0
    app.kubernetes.io/instance: trust-manager
    app.kubernetes.io/version: "v0.4.0"
    app.kubernetes.io/managed-by: Helm
spec:
  type: ClusterIP
  ports:
    - port: 9402
      targetPort: 9402
      protocol: TCP
      name: metrics
  selector:
    app: trust-manager
---
# Source: trust-manager/templates/webhook.yaml
# Admission webhook Service: 443 on the Service maps to 6443 in the container,
# which serves TLS from the trust-manager-tls Secret mounted at /tls.
apiVersion: v1
kind: Service
metadata:
  name: trust-manager
  labels:
    app: trust-manager
    app.kubernetes.io/name: trust-manager
    helm.sh/chart: trust-manager-v0.4.0
    app.kubernetes.io/instance: trust-manager
    app.kubernetes.io/version: "v0.4.0"
    app.kubernetes.io/managed-by: Helm
spec:
  type: ClusterIP
  ports:
    - port: 443
      targetPort: 6443
      protocol: TCP
      name: webhook
  selector:
    app: trust-manager
---
# Source: trust-manager/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: trust-manager
  labels:
    app.kubernetes.io/name: trust-manager
    helm.sh/chart: trust-manager-v0.4.0
    app.kubernetes.io/instance: trust-manager
    app.kubernetes.io/version: "v0.4.0"
    app.kubernetes.io/managed-by: Helm
spec:
  replicas: 1
  selector:
    matchLabels:
      app: trust-manager
  template:
    metadata:
      labels:
        app: trust-manager
    spec:
      serviceAccountName: trust-manager
      initContainers:
        # Copies the default CA package into the shared emptyDir; this is the only
        # writable mount of /packages, the main container sees it read-only.
        - name: cert-manager-package-debian
          image: "quay.io/jetstack/cert-manager-package-debian:20210119.0"
          imagePullPolicy: IfNotPresent
          args:
            - "/copyandmaybepause"
            - "/debian-package"
            - "/packages"
          volumeMounts:
            - mountPath: /packages
              name: packages
              readOnly: false
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
      containers:
        - name: trust-manager
          image: "quay.io/jetstack/trust-manager:v0.4.0"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 6443
            - containerPort: 9402
          # Readiness is served on 6060 (see --readiness-probe-port below); that
          # port is intentionally not exposed through either Service.
          readinessProbe:
            httpGet:
              port: 6060
              path: /readyz
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 6
          command: ["trust-manager"]
          args:
            - "--log-level=1"
            - "--metrics-port=9402"
            - "--readiness-probe-port=6060"
            - "--readiness-probe-path=/readyz"
            # trust
            - "--trust-namespace=cert-manager"
            # webhook
            - "--webhook-host=0.0.0.0"
            - "--webhook-port=6443"
            - "--webhook-certificate-dir=/tls"
            - "--default-package-location=/packages/cert-manager-package-debian.json"
          volumeMounts:
            - mountPath: /tls
              name: tls
              readOnly: true
            - mountPath: /packages
              name: packages
              readOnly: true
          # No requests/limits are set by this chart output; a production
          # deployment would normally pin them via values.
          resources: {}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
      volumes:
        - name: packages
          emptyDir: {}
        # Webhook serving certificate issued by the Certificate resource below.
        # defaultMode 420 is decimal for 0644.
        - name: tls
          secret:
            defaultMode: 420
            secretName: trust-manager-tls
---
# Source: trust-manager/templates/certificate.yaml
# The single SAN is the in-cluster Service DNS name the API server dials.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: trust-manager
  labels:
    app.kubernetes.io/name: trust-manager
    helm.sh/chart: trust-manager-v0.4.0
    app.kubernetes.io/instance: trust-manager
    app.kubernetes.io/version: "v0.4.0"
    app.kubernetes.io/managed-by: Helm
spec:
  dnsNames:
    - "trust-manager.cert-manager.svc"
  secretName: trust-manager-tls
  revisionHistoryLimit: 1
  issuerRef:
    name: trust-manager
    kind: Issuer
    group: cert-manager.io
---
# Source: trust-manager/templates/certificate.yaml
# Self-signed issuer scoped to the cert-manager namespace; its CA is what
# cert-manager injects into the webhook configuration below.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: trust-manager
  labels:
    app.kubernetes.io/name: trust-manager
    helm.sh/chart: trust-manager-v0.4.0
    app.kubernetes.io/instance: trust-manager
    app.kubernetes.io/version: "v0.4.0"
    app.kubernetes.io/managed-by: Helm
spec:
  selfSigned: {}
---
# Source: trust-manager/templates/webhook.yaml
# failurePolicy Fail means Bundle CREATE/UPDATE is rejected while the webhook
# is unreachable, so this cannot be bypassed by taking the controller down.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: trust-manager
  labels:
    app: trust-manager
    app.kubernetes.io/name: trust-manager
    helm.sh/chart: trust-manager-v0.4.0
    app.kubernetes.io/instance: trust-manager
    app.kubernetes.io/version: "v0.4.0"
    app.kubernetes.io/managed-by: Helm
  annotations:
    # caBundle is populated by cert-manager's CA injector from the
    # cert-manager/trust-manager Certificate above.
    cert-manager.io/inject-ca-from: "cert-manager/trust-manager"
webhooks:
  - name: trust.cert-manager.io
    rules:
      - apiGroups:
          - "trust.cert-manager.io"
        apiVersions:
          - "*"
        operations:
          - CREATE
          - UPDATE
        resources:
          - "*/*"
    admissionReviewVersions: ["v1"]
    timeoutSeconds: 5
    failurePolicy: Fail
    sideEffects: None
    clientConfig:
      service:
        name: trust-manager
        namespace: "cert-manager"
        path: /validate