Unverified Commit 08c0b342 authored by 刘旭's avatar 刘旭 Committed by GitHub

[cert-manager] upgrade to v1.13.2 (#10616)

parent 1a86b4cb
......@@ -177,7 +177,7 @@ Note: Upstart/SysV init based OS types are not supported.
- [weave](https://github.com/weaveworks/weave) v2.8.1
- [kube-vip](https://github.com/kube-vip/kube-vip) v0.5.12
- Application
- [cert-manager](https://github.com/jetstack/cert-manager) v1.12.6
- [cert-manager](https://github.com/jetstack/cert-manager) v1.13.2
- [coredns](https://github.com/coredns/coredns) v1.10.1
- [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v1.9.4
- [krew](https://github.com/kubernetes-sigs/krew) v0.4.4
......
......@@ -60,6 +60,20 @@ metadata:
app.kubernetes.io/component: "webhook"
app.kubernetes.io/version: "{{ cert_manager_version }}"
---
# Source: cert-manager/deploy/charts/cert-manager/templates/controller-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: cert-manager
namespace: {{ cert_manager_namespace }}
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
app.kubernetes.io/version: "{{ cert_manager_version }}"
data:
---
# Source: cert-manager/deploy/charts/cert-manager/templates/webhook-config.yaml
apiVersion: v1
kind: ConfigMap
......@@ -71,6 +85,7 @@ metadata:
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "webhook"
app.kubernetes.io/version: "{{ cert_manager_version }}"
data:
---
# Source: cert-manager/deploy/charts/cert-manager/templates/cainjector-rbac.yaml
......@@ -96,13 +111,13 @@ rules:
verbs: ["get", "create", "update", "patch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get", "list", "watch", "update"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch", "update"]
verbs: ["get", "list", "watch", "update", "patch"]
---
# Source: cert-manager/deploy/charts/cert-manager/templates/rbac.yaml
# Issuer controller role
......@@ -330,6 +345,23 @@ rules:
# Source: cert-manager/deploy/charts/cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-cluster-view
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
app.kubernetes.io/version: "{{ cert_manager_version }}"
rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
rules:
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers"]
verbs: ["get", "list", "watch"]
---
# Source: cert-manager/deploy/charts/cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-view
labels:
......@@ -341,6 +373,7 @@ metadata:
rbac.authorization.k8s.io/aggregate-to-view: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "issuers"]
......@@ -476,7 +509,7 @@ subjects:
namespace: {{ cert_manager_namespace }}
kind: ServiceAccount
---
# Source: cert-manager/deploy/charts/cert-manager/templates//rbac.yaml
# Source: cert-manager/deploy/charts/cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
......@@ -854,6 +887,7 @@ spec:
app.kubernetes.io/version: "{{ cert_manager_version }}"
spec:
serviceAccountName: cert-manager-cainjector
enableServiceLinks: false
securityContext:
runAsNonRoot: true
seccompProfile:
......@@ -947,6 +981,7 @@ spec:
prometheus.io/port: '9402'
spec:
serviceAccountName: cert-manager
enableServiceLinks: false
securityContext:
runAsNonRoot: true
seccompProfile:
......@@ -966,6 +1001,9 @@ spec:
- containerPort: 9402
name: http-metrics
protocol: TCP
- containerPort: 9403
name: http-healthz
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
capabilities:
......@@ -1051,6 +1089,7 @@ spec:
app.kubernetes.io/version: "{{ cert_manager_version }}"
spec:
serviceAccountName: cert-manager-webhook
enableServiceLinks: false
securityContext:
runAsNonRoot: true
seccompProfile:
......@@ -1194,10 +1233,6 @@ webhooks:
operator: "NotIn"
values:
- "true"
- key: "name"
operator: "NotIn"
values:
- cert-manager
rules:
- apiGroups:
- "cert-manager.io"
......
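Review bot: The three cainjector rules that gain `patch` (for `validatingwebhookconfigurations`/`mutatingwebhookconfigurations`, `apiservices` and `customresourcedefinitions`) show no `resourceNames` in the visible lines, so the cainjector service account appears to hold cluster-wide write access to every admission webhook configuration, APIService and CRD, and the change adds a second write verb without recording why. The rule list starts above the hunk, so any scoping or comment placed there is not visible here. I would add a comment above the first of these rules, for example `# cainjector writes CA bundles into these objects; patch added with the v1.13 upstream manifest, grant is intentionally cluster-wide`, so that a later RBAC audit does not have to rediscover the reason. Because write access to webhook configurations is sensitive, it is also worth confirming that API server audit logging records writes to these resources by `cert-manager-cainjector`.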
......@@ -314,7 +314,7 @@ ingress_nginx_kube_webhook_certgen_image_repo: "{{ kube_image_repo }}/ingress-ng
ingress_nginx_kube_webhook_certgen_image_tag: "v20231011-8b53cabe0"
alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
alb_ingress_image_tag: "v1.1.9"
cert_manager_version: "v1.12.6"
cert_manager_version: "v1.13.2"
cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller"
cert_manager_controller_image_tag: "{{ cert_manager_version }}"
cert_manager_cainjector_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-cainjector"
......