Undercloud/k8s-apps
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
k8s-apps/cert-manager/trust-manager.yaml
shodan dfc3c91e54 .
2026-03-16 16:27:25 +00:00

534 lines
18 KiB
YAML
Raw Permalink Blame History

---
# Source: trust-manager/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: trust-manager
labels:
app.kubernetes.io/name: trust-manager
helm.sh/chart: trust-manager-v0.4.0
app.kubernetes.io/instance: trust-manager
app.kubernetes.io/version: "v0.4.0"
app.kubernetes.io/managed-by: Helm
---
# Source: trust-manager/templates/trust.cert-manager.io_bundles.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
creationTimestamp: null
name: bundles.trust.cert-manager.io
spec:
group: trust.cert-manager.io
names:
kind: Bundle
listKind: BundleList
plural: bundles
singular: bundle
scope: Cluster
versions:
- additionalPrinterColumns:
- description: Bundle Target Key
jsonPath: .status.target.configMap.key
name: Target
type: string
- description: Bundle has been synced
jsonPath: .status.conditions[?(@.type == "Synced")].status
name: Synced
type: string
- description: Reason Bundle has Synced status
jsonPath: .status.conditions[?(@.type == "Synced")].reason
name: Reason
type: string
- description: Timestamp Bundle was created
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
type: object
required:
- spec
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Desired state of the Bundle resource.
type: object
required:
- sources
- target
properties:
sources:
description: Sources is a set of references to data whose data will sync to the target.
type: array
items:
description: BundleSource is the set of sources whose data will be appended and synced to the BundleTarget in all Namespaces.
type: object
properties:
configMap:
description: ConfigMap is a reference to a ConfigMap's `data` key, in the trust Namespace.
type: object
required:
- key
- name
properties:
key:
description: Key is the key of the entry in the object's `data` field to be used.
type: string
name:
description: Name is the name of the source object in the trust Namespace.
type: string
inLine:
description: InLine is a simple string to append as the source data.
type: string
secret:
description: Secret is a reference to a Secrets's `data` key, in the trust Namespace.
type: object
required:
- key
- name
properties:
key:
description: Key is the key of the entry in the object's `data` field to be used.
type: string
name:
description: Name is the name of the source object in the trust Namespace.
type: string
useDefaultCAs:
description: UseDefaultCAs, when true, requests the default CA bundle to be used as a source. Default CAs are available if trust-manager was installed via Helm or was otherwise set up to include a package-injecting init container by using the "--default-package-location" flag when starting the trust-manager controller. If default CAs were not configured at start-up, any request to use the default CAs will fail. The version of the default CA package which is used for a Bundle is stored in the defaultCAPackageVersion field of the Bundle's status field.
type: boolean
target:
description: Target is the target location in all namespaces to sync source data to.
type: object
properties:
configMap:
description: ConfigMap is the target ConfigMap in Namespaces that all Bundle source data will be synced to.
type: object
required:
- key
properties:
key:
description: Key is the key of the entry in the object's `data` field to be used.
type: string
namespaceSelector:
description: NamespaceSelector will, if set, only sync the target resource in Namespaces which match the selector.
type: object
properties:
matchLabels:
description: MatchLabels matches on the set of labels that must be present on a Namespace for the Bundle target to be synced there.
type: object
additionalProperties:
type: string
status:
description: Status of the Bundle. This is set and managed automatically.
type: object
properties:
conditions:
description: List of status conditions to indicate the status of the Bundle. Known condition types are `Bundle`.
type: array
items:
description: BundleCondition contains condition information for a Bundle.
type: object
required:
- status
- type
properties:
lastTransitionTime:
description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
type: string
format: date-time
message:
description: Message is a human readable description of the details of the last transition, complementing reason.
type: string
observedGeneration:
description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Bundle.
type: integer
format: int64
reason:
description: Reason is a brief machine readable explanation for the condition's last transition.
type: string
status:
description: Status of the condition, one of ('True', 'False', 'Unknown').
type: string
type:
description: Type of the condition, known values are (`Synced`).
type: string
defaultCAVersion:
description: DefaultCAPackageVersion, if set and non-empty, indicates the version information which was retrieved when the set of default CAs was requested in the bundle source. This should only be set if useDefaultCAs was set to "true" on a source, and will be the same for the same version of a bundle with identical certificates.
type: string
target:
description: Target is the current Target that the Bundle is attempting or has completed syncing the source data to.
type: object
properties:
configMap:
description: ConfigMap is the target ConfigMap in Namespaces that all Bundle source data will be synced to.
type: object
required:
- key
properties:
key:
description: Key is the key of the entry in the object's `data` field to be used.
type: string
namespaceSelector:
description: NamespaceSelector will, if set, only sync the target resource in Namespaces which match the selector.
type: object
properties:
matchLabels:
description: MatchLabels matches on the set of labels that must be present on a Namespace for the Bundle target to be synced there.
type: object
additionalProperties:
type: string
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
# Source: trust-manager/templates/clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
app.kubernetes.io/name: trust-manager
helm.sh/chart: trust-manager-v0.4.0
app.kubernetes.io/instance: trust-manager
app.kubernetes.io/version: "v0.4.0"
app.kubernetes.io/managed-by: Helm
name: trust-manager
rules:
- apiGroups:
- "trust.cert-manager.io"
resources:
- "bundles"
verbs: ["get", "list", "watch"]
# Permissions to update finalizers are required for trust-manager to work correctly
# on OpenShift, even though we don't directly use finalizers at the time of writing
- apiGroups:
- "trust.cert-manager.io"
resources:
- "bundles/finalizers"
verbs: ["update"]
- apiGroups:
- "trust.cert-manager.io"
resources:
- "bundles/status"
verbs: ["update"]
- apiGroups:
- ""
resources:
- "configmaps"
verbs: ["get", "list", "create", "update", "watch", "delete"]
- apiGroups:
- ""
resources:
- "namespaces"
verbs: ["get", "list", "watch"]
- apiGroups:
- ""
resources:
- "events"
verbs: ["create", "patch"]
---
# Source: trust-manager/templates/clusterrolebinding.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
app.kubernetes.io/name: trust-manager
helm.sh/chart: trust-manager-v0.4.0
app.kubernetes.io/instance: trust-manager
app.kubernetes.io/version: "v0.4.0"
app.kubernetes.io/managed-by: Helm
name: trust-manager
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: trust-manager
subjects:
- kind: ServiceAccount
name: trust-manager
namespace: cert-manager
---
# Source: trust-manager/templates/role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: trust-manager
namespace: cert-manager
labels:
app.kubernetes.io/name: trust-manager
helm.sh/chart: trust-manager-v0.4.0
app.kubernetes.io/instance: trust-manager
app.kubernetes.io/version: "v0.4.0"
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups:
- ""
resources:
- "secrets"
verbs:
- "get"
- "list"
- "watch"
- apiGroups:
- "coordination.k8s.io"
resources:
- "leases"
verbs:
- "get"
- "create"
- "update"
- "watch"
- "list"
---
# Source: trust-manager/templates/rolebinding.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: trust-manager
namespace: cert-manager
labels:
app.kubernetes.io/name: trust-manager
helm.sh/chart: trust-manager-v0.4.0
app.kubernetes.io/instance: trust-manager
app.kubernetes.io/version: "v0.4.0"
app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: trust-manager
subjects:
- kind: ServiceAccount
name: trust-manager
namespace: cert-manager
---
# Source: trust-manager/templates/metrics-service.yaml
apiVersion: v1
kind: Service
metadata:
name: trust-manager-metrics
labels:
app: trust-manager
app.kubernetes.io/name: trust-manager
helm.sh/chart: trust-manager-v0.4.0
app.kubernetes.io/instance: trust-manager
app.kubernetes.io/version: "v0.4.0"
app.kubernetes.io/managed-by: Helm
spec:
type: ClusterIP
ports:
- port: 9402
targetPort: 9402
protocol: TCP
name: metrics
selector:
app: trust-manager
---
# Source: trust-manager/templates/webhook.yaml
apiVersion: v1
kind: Service
metadata:
name: trust-manager
labels:
app: trust-manager
app.kubernetes.io/name: trust-manager
helm.sh/chart: trust-manager-v0.4.0
app.kubernetes.io/instance: trust-manager
app.kubernetes.io/version: "v0.4.0"
app.kubernetes.io/managed-by: Helm
spec:
type: ClusterIP
ports:
- port: 443
targetPort: 6443
protocol: TCP
name: webhook
selector:
app: trust-manager
---
# Source: trust-manager/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: trust-manager
labels:
app.kubernetes.io/name: trust-manager
helm.sh/chart: trust-manager-v0.4.0
app.kubernetes.io/instance: trust-manager
app.kubernetes.io/version: "v0.4.0"
app.kubernetes.io/managed-by: Helm
spec:
replicas: 1
selector:
matchLabels:
app: trust-manager
template:
metadata:
labels:
app: trust-manager
spec:
serviceAccountName: trust-manager
initContainers:
- name: cert-manager-package-debian
image: "quay.io/jetstack/cert-manager-package-debian:20210119.0"
imagePullPolicy: IfNotPresent
args:
- "/copyandmaybepause"
- "/debian-package"
- "/packages"
volumeMounts:
- mountPath: /packages
name: packages
readOnly: false
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- name: trust-manager
image: "quay.io/jetstack/trust-manager:v0.4.0"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 6443
- containerPort: 9402
readinessProbe:
httpGet:
port: 6060
path: /readyz
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 6
command: ["trust-manager"]
args:
- "--log-level=1"
- "--metrics-port=9402"
- "--readiness-probe-port=6060"
- "--readiness-probe-path=/readyz"
# trust
- "--trust-namespace=cert-manager"
# webhook
- "--webhook-host=0.0.0.0"
- "--webhook-port=6443"
- "--webhook-certificate-dir=/tls"
- "--default-package-location=/packages/cert-manager-package-debian.json"
volumeMounts:
- mountPath: /tls
name: tls
readOnly: true
- mountPath: /packages
name: packages
readOnly: true
resources:
{}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumes:
- name: packages
emptyDir: {}
- name: tls
secret:
defaultMode: 420
secretName: trust-manager-tls
---
# Source: trust-manager/templates/certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: trust-manager
labels:
app.kubernetes.io/name: trust-manager
helm.sh/chart: trust-manager-v0.4.0
app.kubernetes.io/instance: trust-manager
app.kubernetes.io/version: "v0.4.0"
app.kubernetes.io/managed-by: Helm
spec:
dnsNames:
- "trust-manager.cert-manager.svc"
secretName: trust-manager-tls
revisionHistoryLimit: 1
issuerRef:
name: trust-manager
kind: Issuer
group: cert-manager.io
---
# Source: trust-manager/templates/certificate.yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: trust-manager
labels:
app.kubernetes.io/name: trust-manager
helm.sh/chart: trust-manager-v0.4.0
app.kubernetes.io/instance: trust-manager
app.kubernetes.io/version: "v0.4.0"
app.kubernetes.io/managed-by: Helm
spec:
selfSigned: {}
---
# Source: trust-manager/templates/webhook.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: trust-manager
labels:
app: trust-manager
app.kubernetes.io/name: trust-manager
helm.sh/chart: trust-manager-v0.4.0
app.kubernetes.io/instance: trust-manager
app.kubernetes.io/version: "v0.4.0"
app.kubernetes.io/managed-by: Helm
annotations:
cert-manager.io/inject-ca-from: "cert-manager/trust-manager"
webhooks:
- name: trust.cert-manager.io
rules:
- apiGroups:
- "trust.cert-manager.io"
apiVersions:
- "*"
operations:
- CREATE
- UPDATE
resources:
- "*/*"
admissionReviewVersions: ["v1"]
timeoutSeconds: 5
failurePolicy: Fail
sideEffects: None
clientConfig:
service:
name: trust-manager
namespace: "cert-manager"
path: /validate
Reference in New Issue View Git Blame Copy Permalink