diff --git a/bundle/bundle.Dockerfile b/bundle/bundle.Dockerfile
index 531127a..7364697 100644
--- a/bundle/bundle.Dockerfile
+++ b/bundle/bundle.Dockerfile
@@ -5,8 +5,7 @@ LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1
LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
LABEL operators.operatorframework.io.bundle.package.v1=cert-manager
-LABEL operators.operatorframework.io.bundle.channels.v1=candidate,stable
-LABEL operators.operatorframework.io.bundle.channel.default.v1=stable
+LABEL operators.operatorframework.io.bundle.channels.v1=candidate
LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.33.0
LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
LABEL operators.operatorframework.io.metrics.project_layout=unknown
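Review bot: Dropping `stable` from `channels.v1` and removing the `channel.default.v1` label changes where this bundle lands in the index, and the same values have to be mirrored in `bundle/metadata/annotations.yaml`, which this chunk does not show changing; the index tooling reads the channel set from the annotations file, so a mismatch between the two would either publish to the old channels or fail bundle validation. Publishing an `-rc1` bundle only on `candidate` is consistent with the CSV name `cert-manager.v1.14.1-rc1` later in the diff. Without a default-channel label, a package that has no existing default in the target index may need one supplied at index build time, so please confirm against the `opm` invocation that consumes this bundle.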
diff --git a/bundle/manifests/acme.cert-manager.io_challenges.yaml b/bundle/manifests/acme.cert-manager.io_challenges.yaml
index 39a82cb..4543c8b 100644
--- a/bundle/manifests/acme.cert-manager.io_challenges.yaml
+++ b/bundle/manifests/acme.cert-manager.io_challenges.yaml
@@ -6,7 +6,7 @@ metadata:
app: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.13.3
+ app.kubernetes.io/version: v1.14.1
name: challenges.acme.cert-manager.io
spec:
group: acme.cert-manager.io
@@ -199,12 +199,16 @@ spec:
challenge records.
properties:
clientID:
- description: if both this and ClientSecret are left unset
- MSI will be used
+ description: 'Auth: Azure Service Principal: The ClientID
+ of the Azure Service Principal used to authenticate
+ with Azure DNS. If set, ClientSecret and TenantID must
+ also be set.'
type: string
clientSecretSecretRef:
- description: if both this and ClientID are left unset
- MSI will be used
+ description: 'Auth: Azure Service Principal: A reference
+ to a Secret containing the password associated with
+ the Service Principal. If set, ClientID and TenantID
+ must also be set.'
properties:
key:
description: The key of the entry in the Secret resource's
@@ -230,9 +234,10 @@ spec:
description: name of the DNS zone that should be used
type: string
managedIdentity:
- description: managed identity configuration, can not be
- used at the same time as clientID, clientSecretSecretRef
- or tenantID
+ description: 'Auth: Azure Workload Identity or Azure Managed
+ Service Identity: Settings to enable Azure Workload
+ Identity or Azure Managed Service Identity If set, ClientID,
+ ClientSecret and TenantID must not be set.'
properties:
clientID:
description: client ID of the managed identity, can
@@ -240,7 +245,8 @@ spec:
type: string
resourceID:
description: resource ID of the managed identity,
- can not be used at the same time as clientID
+ can not be used at the same time as clientID Cannot
+ be used for Azure Managed Service Identity
type: string
type: object
resourceGroupName:
@@ -250,8 +256,10 @@ spec:
description: ID of the Azure subscription
type: string
tenantID:
- description: when specifying ClientID and ClientSecret
- then this field is also needed
+ description: 'Auth: Azure Service Principal: The TenantID
+ of the Azure Service Principal used to authenticate
+ with Azure DNS. If set, ClientID and ClientSecret must
+ also be set.'
type: string
required:
- resourceGroupName
@@ -580,16 +588,17 @@ spec:
to. For example: Gateway has the AllowedRoutes
field, and ReferenceGrant provides a generic way
to enable any other kind of cross-namespace reference.
- \n ParentRefs from a Route to a Service in the
- same namespace are \"producer\" routes, which
- apply default routing rules to inbound connections
- from any namespace to the Service. \n ParentRefs
- from a Route to a Service in a different namespace
- are \"consumer\" routes, and these routing rules
- are only applied to outbound connections originating
- from the same namespace as the Route, for which
- the intended destination of the connections are
- a Service targeted as a ParentRef of the Route.
+ \n ParentRefs
+ from a Route to a Service in the same namespace
+ are \"producer\" routes, which apply default routing
+ rules to inbound connections from any namespace
+ to the Service. \n ParentRefs from a Route to
+ a Service in a different namespace are \"consumer\"
+ routes, and these routing rules are only applied
+ to outbound connections originating from the same
+ namespace as the Route, for which the intended
+ destination of the connections are a Service targeted
+ as a ParentRef of the Route.
\n Support: Core"
maxLength: 63
minLength: 1
@@ -608,25 +617,26 @@ spec:
port(s) may be changed. When both Port and SectionName
are specified, the name and port of the selected
listener must match both specified values. \n
- When the parent resource is a Service, this targets
- a specific port in the Service spec. When both
- Port (experimental) and SectionName are specified,
- the name and port of the selected port must match
- both specified values. \n Implementations MAY
- choose to support other parent resources. Implementations
- supporting other types of parent resources MUST
- clearly document how/if Port is interpreted. \n
- For the purpose of status, an attachment is considered
- successful as long as the parent resource accepts
- it partially. For example, Gateway listeners can
- restrict which Routes can attach to them by Route
- kind, namespace, or hostname. If 1 of 2 Gateway
- listeners accept attachment from the referencing
- Route, the Route MUST be considered successfully
- attached. If no Gateway listeners accept attachment
- from this Route, the Route MUST be considered
- detached from the Gateway. \n Support: Extended
- \n "
+ When the parent
+ resource is a Service, this targets a specific
+ port in the Service spec. When both Port (experimental)
+ and SectionName are specified, the name and port
+ of the selected port must match both specified
+ values. \n
+ Implementations MAY choose to support other parent
+ resources. Implementations supporting other types
+ of parent resources MUST clearly document how/if
+ Port is interpreted. \n For the purpose of status,
+ an attachment is considered successful as long
+ as the parent resource accepts it partially. For
+ example, Gateway listeners can restrict which
+ Routes can attach to them by Route kind, namespace,
+ or hostname. If 1 of 2 Gateway listeners accept
+ attachment from the referencing Route, the Route
+ MUST be considered successfully attached. If no
+ Gateway listeners accept attachment from this
+ Route, the Route MUST be considered detached from
+ the Gateway. \n Support: Extended \n "
format: int32
maximum: 65535
minimum: 1
@@ -870,6 +880,16 @@ spec:
type: object
type: object
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
namespaceSelector:
properties:
matchExpressions:
@@ -938,6 +958,16 @@ spec:
type: object
type: object
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
namespaceSelector:
properties:
matchExpressions:
@@ -1004,6 +1034,16 @@ spec:
type: object
type: object
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
namespaceSelector:
properties:
matchExpressions:
@@ -1072,6 +1112,16 @@ spec:
type: object
type: object
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
namespaceSelector:
properties:
matchExpressions:
diff --git a/bundle/manifests/acme.cert-manager.io_orders.yaml b/bundle/manifests/acme.cert-manager.io_orders.yaml
index 1949d5e..d1290b3 100644
--- a/bundle/manifests/acme.cert-manager.io_orders.yaml
+++ b/bundle/manifests/acme.cert-manager.io_orders.yaml
@@ -6,7 +6,7 @@ metadata:
app: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.13.3
+ app.kubernetes.io/version: v1.14.1
name: orders.acme.cert-manager.io
spec:
group: acme.cert-manager.io
diff --git a/bundle/manifests/cert-manager-cluster-view_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/cert-manager-cluster-view_rbac.authorization.k8s.io_v1_clusterrole.yaml
index 755d384..d9a21d7 100644
--- a/bundle/manifests/cert-manager-cluster-view_rbac.authorization.k8s.io_v1_clusterrole.yaml
+++ b/bundle/manifests/cert-manager-cluster-view_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -7,7 +7,7 @@ metadata:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.13.3
+ app.kubernetes.io/version: v1.14.1
rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
name: cert-manager-cluster-view
rules:
diff --git a/bundle/manifests/cert-manager-edit_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/cert-manager-edit_rbac.authorization.k8s.io_v1_clusterrole.yaml
index e7a4b95..405ddd2 100644
--- a/bundle/manifests/cert-manager-edit_rbac.authorization.k8s.io_v1_clusterrole.yaml
+++ b/bundle/manifests/cert-manager-edit_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -7,7 +7,7 @@ metadata:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.13.3
+ app.kubernetes.io/version: v1.14.1
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: cert-manager-edit
diff --git a/bundle/manifests/cert-manager-view_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/cert-manager-view_rbac.authorization.k8s.io_v1_clusterrole.yaml
index 2f91118..1833888 100644
--- a/bundle/manifests/cert-manager-view_rbac.authorization.k8s.io_v1_clusterrole.yaml
+++ b/bundle/manifests/cert-manager-view_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -7,7 +7,7 @@ metadata:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.13.3
+ app.kubernetes.io/version: v1.14.1
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
diff --git a/bundle/manifests/cert-manager-webhook_v1_configmap.yaml b/bundle/manifests/cert-manager-webhook_v1_configmap.yaml
deleted file mode 100644
index 5f743c9..0000000
--- a/bundle/manifests/cert-manager-webhook_v1_configmap.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-data: null
-kind: ConfigMap
-metadata:
- labels:
- app: webhook
- app.kubernetes.io/component: webhook
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/name: webhook
- app.kubernetes.io/version: v1.13.3
- name: cert-manager-webhook
diff --git a/bundle/manifests/cert-manager-webhook_v1_service.yaml b/bundle/manifests/cert-manager-webhook_v1_service.yaml
index 2723b50..04495e9 100644
--- a/bundle/manifests/cert-manager-webhook_v1_service.yaml
+++ b/bundle/manifests/cert-manager-webhook_v1_service.yaml
@@ -7,7 +7,7 @@ metadata:
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: webhook
- app.kubernetes.io/version: v1.13.3
+ app.kubernetes.io/version: v1.14.1
name: cert-manager-webhook
spec:
ports:
diff --git a/bundle/manifests/cert-manager.clusterserviceversion.yaml b/bundle/manifests/cert-manager.clusterserviceversion.yaml
index 89e8b8a..1f338ab 100644
--- a/bundle/manifests/cert-manager.clusterserviceversion.yaml
+++ b/bundle/manifests/cert-manager.clusterserviceversion.yaml
@@ -67,9 +67,9 @@ metadata:
]
capabilities: Full Lifecycle
categories: Security
- containerImage: quay.io/jetstack/cert-manager-controller:v1.13.3
- createdAt: '2024-02-06T13:43:31'
- olm.skipRange: '>=1.13.0 <1.13.3'
+ containerImage: quay.io/jetstack/cert-manager-controller:v1.14.1
+ createdAt: '2024-02-07T10:00:36'
+ olm.skipRange: '>=1.14.0 <1.14.1-rc1'
operators.operatorframework.io/builder: operator-sdk-v1.33.0
operators.operatorframework.io/internal-objects: |-
[
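Review bot: `olm.skipRange` now starts at `>=1.14.0`, so the previous range's coverage of 1.13.x is gone; unless the CSV carries `replaces: cert-manager.v1.13.3` (not within this hunk), OLM has no upgrade edge from the currently shipped 1.13.3 bundle into `cert-manager.v1.14.1-rc1`. Note also that `<1.14.1-rc1` excludes the final 1.14.1 under semver prerelease ordering, which is correct for a candidate but means the eventual GA bundle needs its own range. `containerImage` here, and every `image:` in the deployments later in this file, references the controller by mutable tag `v1.14.1` rather than a `@sha256:` digest; a digest-pinned reference, ideally mirrored in `spec.relatedImages`, is what makes the bundle reproducible and what disconnected-mirror tooling keys on. The operand tag `v1.14.1` versus the CSV version `1.14.1-rc1` is also worth a second look — fine if these are the GA operand images, but if rc images exist the tags should say so.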
@@ -84,7 +84,7 @@ metadata:
operatorframework.io/arch.arm64: supported
operatorframework.io/arch.ppc64le: supported
operatorframework.io/arch.s390x: supported
- name: cert-manager.v1.13.3
+ name: cert-manager.v1.14.1-rc1
namespace: placeholder
spec:
apiservicedefinitions: {}
@@ -621,7 +621,7 @@ spec:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.13.3
+ app.kubernetes.io/version: v1.14.1
name: cert-manager
spec:
replicas: 1
@@ -642,22 +642,32 @@ spec:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.13.3
+ app.kubernetes.io/version: v1.14.1
spec:
containers:
- args:
- --v=2
- --cluster-resource-namespace=$(POD_NAMESPACE)
- --leader-election-namespace=kube-system
- - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.13.3
+ - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.14.1
- --max-concurrent-challenges=60
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- image: quay.io/jetstack/cert-manager-controller:v1.13.3
+ image: quay.io/jetstack/cert-manager-controller:v1.14.1
imagePullPolicy: IfNotPresent
+ livenessProbe:
+ failureThreshold: 8
+ httpGet:
+ path: /livez
+ port: http-healthz
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 15
name: cert-manager-controller
ports:
- containerPort: 9402
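Review bot: The new `livenessProbe` targets the named port `http-healthz`, but the container's `ports:` list visible here declares only `containerPort: 9402` and the list continues past the hunk; if no entry is named `http-healthz`, or the controller is not started with the matching healthz listener enabled, kubelet cannot resolve the port, every probe fails, and the controller is restarted every `failureThreshold × periodSeconds` = 80 s indefinitely. Please confirm the new side has an entry of the form `- containerPort: <HEALTHZ_PORT>` / `name: http-healthz` / `protocol: TCP` (placeholder port, take it from the controller args). A plain-HTTP `/livez` probe on a pod-local port exposes nothing new, so the concern is availability, not hardening.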
@@ -672,6 +682,7 @@ spec:
capabilities:
drop:
- ALL
+ readOnlyRootFilesystem: true
enableServiceLinks: false
nodeSelector:
kubernetes.io/os: linux
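Review bot: `readOnlyRootFilesystem: true` is a good hardening step, and this hunk and the matching ones for cainjector and webhook apply it consistently; the thing to confirm is that none of the three processes writes to its own rootfs at runtime, because with this set a write fails with EROFS only at the moment it happens and can surface as a late crash rather than at startup. If a scratch directory is needed, the pattern is an `emptyDir` volume mounted at that path rather than relaxing the flag. It is also worth checking whether the securityContext already carries `allowPrivilegeEscalation: false` and a `seccompProfile`; those lines are outside this hunk, so I cannot tell from here.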
@@ -685,7 +696,7 @@ spec:
app.kubernetes.io/component: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cainjector
- app.kubernetes.io/version: v1.13.3
+ app.kubernetes.io/version: v1.14.1
name: cert-manager-cainjector
spec:
replicas: 1
@@ -702,7 +713,7 @@ spec:
app.kubernetes.io/component: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cainjector
- app.kubernetes.io/version: v1.13.3
+ app.kubernetes.io/version: v1.14.1
spec:
containers:
- args:
@@ -713,7 +724,7 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- image: quay.io/jetstack/cert-manager-cainjector:v1.13.3
+ image: quay.io/jetstack/cert-manager-cainjector:v1.14.1
imagePullPolicy: IfNotPresent
name: cert-manager-cainjector
resources: {}
@@ -722,6 +733,7 @@ spec:
capabilities:
drop:
- ALL
+ readOnlyRootFilesystem: true
enableServiceLinks: false
nodeSelector:
kubernetes.io/os: linux
@@ -735,7 +747,7 @@ spec:
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: webhook
- app.kubernetes.io/version: v1.13.3
+ app.kubernetes.io/version: v1.14.1
name: cert-manager-webhook
spec:
replicas: 1
@@ -752,7 +764,7 @@ spec:
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: webhook
- app.kubernetes.io/version: v1.13.3
+ app.kubernetes.io/version: v1.14.1
spec:
containers:
- args:
@@ -768,7 +780,7 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- image: quay.io/jetstack/cert-manager-webhook:v1.13.3
+ image: quay.io/jetstack/cert-manager-webhook:v1.14.1
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
@@ -804,6 +816,7 @@ spec:
capabilities:
drop:
- ALL
+ readOnlyRootFilesystem: true
enableServiceLinks: false
nodeSelector:
kubernetes.io/os: linux
@@ -897,7 +910,7 @@ spec:
provider:
name: The cert-manager maintainers
url: https://cert-manager.io/
- version: 1.13.3
+ version: 1.14.1-rc1
webhookdefinitions:
- admissionReviewVersions:
- v1
@@ -919,7 +932,7 @@ spec:
- '*/*'
sideEffects: None
targetPort: https
- timeoutSeconds: 10
+ timeoutSeconds: 30
type: ValidatingAdmissionWebhook
webhookPath: /validate
- admissionReviewVersions:
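Review bot: `timeoutSeconds: 30`, here and in the mutating webhook below, is the maximum the API server accepts for admission webhooks, so this removes all headroom: a slow or partitioned webhook now holds every matching API request for the full 30 s before `failurePolicy` decides the outcome, which is the longest possible window of blocked writes during a webhook outage. The visible rules cover `*/*` on the cert-manager API groups, so that blocking affects every cert-manager resource write. The `failurePolicy` for these webhooks is outside the hunk; if it is `Fail`, the longer timeout mostly trades latency for fewer spurious rejections, which is probably the intent, but that trade-off should be stated in the change description.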
@@ -932,16 +945,14 @@ spec:
rules:
- apiGroups:
- cert-manager.io
- - acme.cert-manager.io
apiVersions:
- v1
operations:
- CREATE
- - UPDATE
resources:
- - '*/*'
+ - certificaterequests
sideEffects: None
targetPort: https
- timeoutSeconds: 10
+ timeoutSeconds: 30
type: MutatingAdmissionWebhook
webhookPath: /mutate
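Review bot: Narrowing the mutating webhook to `CREATE` of `certificaterequests` in `cert-manager.io` (dropping `acme.cert-manager.io`, `UPDATE` and `*/*`) shrinks the set of requests the webhook can alter, which is the right direction; it also means any defaulting the webhook used to apply on `UPDATE` or to acme resources no longer happens, so this should be checked against what the 1.14.1 webhook actually mutates. A one-line comment above `rules:` recording why the scope is this narrow, e.g. `# mutation is applied only on CertificateRequest creation; all other resources are validation-only`, would keep a later version bump from silently widening it back to `*/*`.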
diff --git a/bundle/manifests/cert-manager.io_certificaterequests.yaml b/bundle/manifests/cert-manager.io_certificaterequests.yaml
index e1de9ea..72a64dc 100644
--- a/bundle/manifests/cert-manager.io_certificaterequests.yaml
+++ b/bundle/manifests/cert-manager.io_certificaterequests.yaml
@@ -6,7 +6,7 @@ metadata:
app: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.13.3
+ app.kubernetes.io/version: v1.14.1
name: certificaterequests.cert-manager.io
spec:
group: cert-manager.io
diff --git a/bundle/manifests/cert-manager.io_certificates.yaml b/bundle/manifests/cert-manager.io_certificates.yaml
index f89e028..f13eb5a 100644
--- a/bundle/manifests/cert-manager.io_certificates.yaml
+++ b/bundle/manifests/cert-manager.io_certificates.yaml
@@ -6,7 +6,7 @@ metadata:
app: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.13.3
+ app.kubernetes.io/version: v1.14.1
name: certificates.cert-manager.io
spec:
group: cert-manager.io
@@ -226,6 +226,23 @@ spec:
required:
- name
type: object
+ profile:
+ description: "Profile specifies the key and certificate encryption
+ algorithms and the HMAC algorithm used to create the PKCS12
+ keystore. Default value is `LegacyRC2` for backward compatibility.
+ \n If provided, allowed values are: `LegacyRC2`: Deprecated.
+ Not supported by default in OpenSSL 3 or Java 20. `LegacyDES`:
+ Less secure algorithm. Use this option for maximal compatibility.
+ `Modern2023`: Secure algorithm. Use this option in case
+ you have to always use secure algorithms (eg. because of
+ company policy). Please note that the security of the algorithm
+ is not that important in reality, because the unencrypted
+ certificate and private key are also stored in the Secret."
+ enum:
+ - LegacyRC2
+ - LegacyDES
+ - Modern2023
+ type: string
required:
- create
- passwordSecretRef
@@ -244,6 +261,97 @@ spec:
is an Alpha Feature and is only enabled with the `--feature-gates=LiteralCertificateSubject=true`
option set on both the controller and webhook components."
type: string
+ nameConstraints:
+ description: "x.509 certificate NameConstraint extension which MUST
+ NOT be used in a non-CA certificate. More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
+ \n This is an Alpha Feature and is only enabled with the `--feature-gates=NameConstraints=true`
+ option set on both the controller and webhook components."
+ properties:
+ critical:
+ description: if true then the name constraints are marked critical.
+ type: boolean
+ excluded:
+ description: Excluded contains the constraints which must be disallowed.
+ Any name matching a restriction in the excluded field is invalid
+ regardless of information appearing in the permitted
+ properties:
+ dnsDomains:
+ description: DNSDomains is a list of DNS domains that are
+ permitted or excluded.
+ items:
+ type: string
+ type: array
+ emailAddresses:
+ description: EmailAddresses is a list of Email Addresses that
+ are permitted or excluded.
+ items:
+ type: string
+ type: array
+ ipRanges:
+ description: IPRanges is a list of IP Ranges that are permitted
+ or excluded. This should be a valid CIDR notation.
+ items:
+ type: string
+ type: array
+ uriDomains:
+ description: URIDomains is a list of URI domains that are
+ permitted or excluded.
+ items:
+ type: string
+ type: array
+ type: object
+ permitted:
+ description: Permitted contains the constraints in which the names
+ must be located.
+ properties:
+ dnsDomains:
+ description: DNSDomains is a list of DNS domains that are
+ permitted or excluded.
+ items:
+ type: string
+ type: array
+ emailAddresses:
+ description: EmailAddresses is a list of Email Addresses that
+ are permitted or excluded.
+ items:
+ type: string
+ type: array
+ ipRanges:
+ description: IPRanges is a list of IP Ranges that are permitted
+ or excluded. This should be a valid CIDR notation.
+ items:
+ type: string
+ type: array
+ uriDomains:
+ description: URIDomains is a list of URI domains that are
+ permitted or excluded.
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ otherNames:
+ description: '`otherNames` is an escape hatch for SAN that allows
+ any type. We currently restrict the support to string like otherNames,
+ cf RFC 5280 p 37 Any UTF8 String valued otherName can be passed
+ with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for
+ `otherName`. Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3
+ You should ensure that any OID passed is valid for the UTF8String
+ type as we do not explicitly validate this.'
+ items:
+ properties:
+ oid:
+ description: OID is the object identifier for the otherName
+ SAN. The object identifier must be expressed as a dotted string,
+ for example, "1.2.840.113556.1.4.221".
+ type: string
+ utf8Value:
+ description: utf8Value is the string value of the otherName
+ SAN. The utf8Value accepts any valid UTF8 string to set as
+ value for the otherName SAN.
+ type: string
+ type: object
+ type: array
privateKey:
description: Private key options. These include the key algorithm
and size, the used encoding and the rotation policy.
diff --git a/bundle/manifests/cert-manager.io_clusterissuers.yaml b/bundle/manifests/cert-manager.io_clusterissuers.yaml
index 61597df..0ae660b 100644
--- a/bundle/manifests/cert-manager.io_clusterissuers.yaml
+++ b/bundle/manifests/cert-manager.io_clusterissuers.yaml
@@ -6,7 +6,7 @@ metadata:
app: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.13.3
+ app.kubernetes.io/version: v1.14.1
name: clusterissuers.cert-manager.io
spec:
group: cert-manager.io
@@ -296,12 +296,16 @@ spec:
DNS01 challenge records.
properties:
clientID:
- description: if both this and ClientSecret are left
- unset MSI will be used
+ description: 'Auth: Azure Service Principal: The
+ ClientID of the Azure Service Principal used to
+ authenticate with Azure DNS. If set, ClientSecret
+ and TenantID must also be set.'
type: string
clientSecretSecretRef:
- description: if both this and ClientID are left
- unset MSI will be used
+ description: 'Auth: Azure Service Principal: A reference
+ to a Secret containing the password associated
+ with the Service Principal. If set, ClientID and
+ TenantID must also be set.'
properties:
key:
description: The key of the entry in the Secret
@@ -330,9 +334,11 @@ spec:
used
type: string
managedIdentity:
- description: managed identity configuration, can
- not be used at the same time as clientID, clientSecretSecretRef
- or tenantID
+ description: 'Auth: Azure Workload Identity or Azure
+ Managed Service Identity: Settings to enable Azure
+ Workload Identity or Azure Managed Service Identity
+ If set, ClientID, ClientSecret and TenantID must
+ not be set.'
properties:
clientID:
description: client ID of the managed identity,
@@ -341,6 +347,7 @@ spec:
resourceID:
description: resource ID of the managed identity,
can not be used at the same time as clientID
+ Cannot be used for Azure Managed Service Identity
type: string
type: object
resourceGroupName:
@@ -351,8 +358,10 @@ spec:
description: ID of the Azure subscription
type: string
tenantID:
- description: when specifying ClientID and ClientSecret
- then this field is also needed
+ description: 'Auth: Azure Service Principal: The
+ TenantID of the Azure Service Principal used to
+ authenticate with Azure DNS. If set, ClientID
+ and ClientSecret must also be set.'
type: string
required:
- resourceGroupName
@@ -701,19 +710,20 @@ spec:
are referring to. For example: Gateway has
the AllowedRoutes field, and ReferenceGrant
provides a generic way to enable any other
- kind of cross-namespace reference. \n ParentRefs
- from a Route to a Service in the same namespace
- are \"producer\" routes, which apply default
- routing rules to inbound connections from
- any namespace to the Service. \n ParentRefs
- from a Route to a Service in a different
- namespace are \"consumer\" routes, and these
- routing rules are only applied to outbound
- connections originating from the same namespace
- as the Route, for which the intended destination
- of the connections are a Service targeted
- as a ParentRef of the Route. \n Support:
- Core"
+ kind of cross-namespace reference. \n
+ ParentRefs from a Route to a Service in
+ the same namespace are \"producer\" routes,
+ which apply default routing rules to inbound
+ connections from any namespace to the Service.
+ \n ParentRefs from a Route to a Service
+ in a different namespace are \"consumer\"
+ routes, and these routing rules are only
+ applied to outbound connections originating
+ from the same namespace as the Route, for
+ which the intended destination of the connections
+ are a Service targeted as a ParentRef of
+ the Route.
+ \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
@@ -732,25 +742,27 @@ spec:
may be changed. When both Port and SectionName
are specified, the name and port of the
selected listener must match both specified
- values. \n When the parent resource is a
- Service, this targets a specific port in
- the Service spec. When both Port (experimental)
- and SectionName are specified, the name
- and port of the selected port must match
- both specified values. \n Implementations
- MAY choose to support other parent resources.
- Implementations supporting other types of
- parent resources MUST clearly document how/if
- Port is interpreted. \n For the purpose
- of status, an attachment is considered successful
- as long as the parent resource accepts it
- partially. For example, Gateway listeners
- can restrict which Routes can attach to
- them by Route kind, namespace, or hostname.
- If 1 of 2 Gateway listeners accept attachment
- from the referencing Route, the Route MUST
- be considered successfully attached. If
- no Gateway listeners accept attachment from
+ values. \n
+ When the parent resource is a Service, this
+ targets a specific port in the Service spec.
+ When both Port (experimental) and SectionName
+ are specified, the name and port of the
+ selected port must match both specified
+ values.
+ \n Implementations MAY choose to support
+ other parent resources. Implementations
+ supporting other types of parent resources
+ MUST clearly document how/if Port is interpreted.
+ \n For the purpose of status, an attachment
+ is considered successful as long as the
+ parent resource accepts it partially. For
+ example, Gateway listeners can restrict
+ which Routes can attach to them by Route
+ kind, namespace, or hostname. If 1 of 2
+ Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be
+ considered successfully attached. If no
+ Gateway listeners accept attachment from
this Route, the Route MUST be considered
detached from the Gateway. \n Support: Extended
\n "
@@ -1006,6 +1018,16 @@ spec:
type: object
type: object
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
namespaceSelector:
properties:
matchExpressions:
@@ -1074,6 +1096,16 @@ spec:
type: object
type: object
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
namespaceSelector:
properties:
matchExpressions:
@@ -1140,6 +1172,16 @@ spec:
type: object
type: object
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
namespaceSelector:
properties:
matchExpressions:
@@ -1208,6 +1250,16 @@ spec:
type: object
type: object
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
namespaceSelector:
properties:
matchExpressions:
@@ -1345,6 +1397,13 @@ spec:
items:
type: string
type: array
+ issuingCertificateURLs:
+ description: IssuingCertificateURLs is a list of URLs which this
+ issuer should embed into certificates it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1
+ for more details. As an example, such a URL might be "http://ca.domain.com/ca.crt".
+ items:
+ type: string
+ type: array
ocspServers:
description: The OCSP server list is an X.509 v3 extension that
defines a list of URLs of OCSP responders. The OCSP responders
diff --git a/bundle/manifests/cert-manager.io_issuers.yaml b/bundle/manifests/cert-manager.io_issuers.yaml
index 012115c..d49e295 100644
--- a/bundle/manifests/cert-manager.io_issuers.yaml
+++ b/bundle/manifests/cert-manager.io_issuers.yaml
@@ -6,7 +6,7 @@ metadata:
app: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.13.3
+ app.kubernetes.io/version: v1.14.1
name: issuers.cert-manager.io
spec:
group: cert-manager.io
@@ -295,12 +295,16 @@ spec:
DNS01 challenge records.
properties:
clientID:
- description: if both this and ClientSecret are left
- unset MSI will be used
+ description: 'Auth: Azure Service Principal: The
+ ClientID of the Azure Service Principal used to
+ authenticate with Azure DNS. If set, ClientSecret
+ and TenantID must also be set.'
type: string
clientSecretSecretRef:
- description: if both this and ClientID are left
- unset MSI will be used
+ description: 'Auth: Azure Service Principal: A reference
+ to a Secret containing the password associated
+ with the Service Principal. If set, ClientID and
+ TenantID must also be set.'
properties:
key:
description: The key of the entry in the Secret
@@ -329,9 +333,11 @@ spec:
used
type: string
managedIdentity:
- description: managed identity configuration, can
- not be used at the same time as clientID, clientSecretSecretRef
- or tenantID
+ description: 'Auth: Azure Workload Identity or Azure
+ Managed Service Identity: Settings to enable Azure
+ Workload Identity or Azure Managed Service Identity
+ If set, ClientID, ClientSecret and TenantID must
+ not be set.'
properties:
clientID:
description: client ID of the managed identity,
@@ -340,6 +346,7 @@ spec:
resourceID:
description: resource ID of the managed identity,
can not be used at the same time as clientID
+ Cannot be used for Azure Managed Service Identity
type: string
type: object
resourceGroupName:
@@ -350,8 +357,10 @@ spec:
description: ID of the Azure subscription
type: string
tenantID:
- description: when specifying ClientID and ClientSecret
- then this field is also needed
+ description: 'Auth: Azure Service Principal: The
+ TenantID of the Azure Service Principal used to
+ authenticate with Azure DNS. If set, ClientID
+ and ClientSecret must also be set.'
type: string
required:
- resourceGroupName
@@ -700,19 +709,20 @@ spec:
are referring to. For example: Gateway has
the AllowedRoutes field, and ReferenceGrant
provides a generic way to enable any other
- kind of cross-namespace reference. \n ParentRefs
- from a Route to a Service in the same namespace
- are \"producer\" routes, which apply default
- routing rules to inbound connections from
- any namespace to the Service. \n ParentRefs
- from a Route to a Service in a different
- namespace are \"consumer\" routes, and these
- routing rules are only applied to outbound
- connections originating from the same namespace
- as the Route, for which the intended destination
- of the connections are a Service targeted
- as a ParentRef of the Route. \n Support:
- Core"
+ kind of cross-namespace reference. \n
+ ParentRefs from a Route to a Service in
+ the same namespace are \"producer\" routes,
+ which apply default routing rules to inbound
+ connections from any namespace to the Service.
+ \n ParentRefs from a Route to a Service
+ in a different namespace are \"consumer\"
+ routes, and these routing rules are only
+ applied to outbound connections originating
+ from the same namespace as the Route, for
+ which the intended destination of the connections
+ are a Service targeted as a ParentRef of
+ the Route.
+ \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
@@ -731,25 +741,27 @@ spec:
may be changed. When both Port and SectionName
are specified, the name and port of the
selected listener must match both specified
- values. \n When the parent resource is a
- Service, this targets a specific port in
- the Service spec. When both Port (experimental)
- and SectionName are specified, the name
- and port of the selected port must match
- both specified values. \n Implementations
- MAY choose to support other parent resources.
- Implementations supporting other types of
- parent resources MUST clearly document how/if
- Port is interpreted. \n For the purpose
- of status, an attachment is considered successful
- as long as the parent resource accepts it
- partially. For example, Gateway listeners
- can restrict which Routes can attach to
- them by Route kind, namespace, or hostname.
- If 1 of 2 Gateway listeners accept attachment
- from the referencing Route, the Route MUST
- be considered successfully attached. If
- no Gateway listeners accept attachment from
+ values. \n
+ When the parent resource is a Service, this
+ targets a specific port in the Service spec.
+ When both Port (experimental) and SectionName
+ are specified, the name and port of the
+ selected port must match both specified
+ values.
+ \n Implementations MAY choose to support
+ other parent resources. Implementations
+ supporting other types of parent resources
+ MUST clearly document how/if Port is interpreted.
+ \n For the purpose of status, an attachment
+ is considered successful as long as the
+ parent resource accepts it partially. For
+ example, Gateway listeners can restrict
+ which Routes can attach to them by Route
+ kind, namespace, or hostname. If 1 of 2
+ Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be
+ considered successfully attached. If no
+ Gateway listeners accept attachment from
this Route, the Route MUST be considered
detached from the Gateway. \n Support: Extended
\n "
@@ -1005,6 +1017,16 @@ spec:
type: object
type: object
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
namespaceSelector:
properties:
matchExpressions:
@@ -1073,6 +1095,16 @@ spec:
type: object
type: object
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
namespaceSelector:
properties:
matchExpressions:
@@ -1139,6 +1171,16 @@ spec:
type: object
type: object
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
namespaceSelector:
properties:
matchExpressions:
@@ -1207,6 +1249,16 @@ spec:
type: object
type: object
x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
namespaceSelector:
properties:
matchExpressions:
@@ -1344,6 +1396,13 @@ spec:
items:
type: string
type: array
+ issuingCertificateURLs:
+ description: IssuingCertificateURLs is a list of URLs which this
+ issuer should embed into certificates it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1
+ for more details. As an example, such a URL might be "http://ca.domain.com/ca.crt".
+ items:
+ type: string
+ type: array
ocspServers:
description: The OCSP server list is an X.509 v3 extension that
defines a list of URLs of OCSP responders. The OCSP responders
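Review bot: The new `issuingCertificateURLs` items carry no `format` or `pattern`, so any string is accepted and, as the description says, embedded verbatim into the Authority Information Access extension (RFC 5280 §4.2.2.1) of every certificate this issuer signs, where relying parties may fetch it during chain building. Because this is a bundled copy of the upstream CRD, a schema constraint belongs upstream rather than in this file; at minimum the description could make the lack of validation explicit, e.g. `Values are embedded as given and are not validated by this schema.` The neighbouring `ocspServers` field has the same shape, so whatever wording is chosen should be applied to both.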
diff --git a/bundle/manifests/cert-manager_v1_configmap.yaml b/bundle/manifests/cert-manager_v1_configmap.yaml
deleted file mode 100644
index 27ceef5..0000000
--- a/bundle/manifests/cert-manager_v1_configmap.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-data: null
-kind: ConfigMap
-metadata:
- labels:
- app: cert-manager
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.13.3
- name: cert-manager
diff --git a/bundle/manifests/cert-manager_v1_service.yaml b/bundle/manifests/cert-manager_v1_service.yaml
index fb944fa..57e5ec7 100644
--- a/bundle/manifests/cert-manager_v1_service.yaml
+++ b/bundle/manifests/cert-manager_v1_service.yaml
@@ -7,7 +7,7 @@ metadata:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.13.3
+ app.kubernetes.io/version: v1.14.1
name: cert-manager
spec:
ports:
diff --git a/bundle/metadata/annotations.yaml b/bundle/metadata/annotations.yaml
index 4264fd7..64d6351 100644
--- a/bundle/metadata/annotations.yaml
+++ b/bundle/metadata/annotations.yaml
@@ -4,8 +4,7 @@ annotations:
operators.operatorframework.io.bundle.manifests.v1: manifests/
operators.operatorframework.io.bundle.metadata.v1: metadata/
operators.operatorframework.io.bundle.package.v1: cert-manager
- operators.operatorframework.io.bundle.channels.v1: candidate,stable
- operators.operatorframework.io.bundle.channel.default.v1: stable
+ operators.operatorframework.io.bundle.channels.v1: candidate
operators.operatorframework.io.metrics.builder: operator-sdk-v1.33.0
operators.operatorframework.io.metrics.mediatype.v1: metrics+v1
operators.operatorframework.io.metrics.project_layout: unknown
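Review bot: Dropping `stable` from `operators.operatorframework.io.bundle.channels.v1` and removing `operators.operatorframework.io.bundle.channel.default.v1` means existing subscriptions following the stable channel will not be offered this bundle, and the catalog's default channel is now whatever the package already declares or the tooling infers from the single remaining channel; the commit message should state whether this is an intentional demotion to a candidate-only release. OLM requires these annotations to match the corresponding labels on the bundle image, so every other copy of the channel list in the repository must carry the same value. If `stable` is meant to be restored on promotion, a comment above the line, e.g. `# candidate-only until v1.14.x is promoted to stable`, would make the intent visible to the next person touching this file.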