From 5e92aaccd3b01e041bd53c24b0eb6da778908596 Mon Sep 17 00:00:00 2001 From: Richard Wall Date: Wed, 7 Feb 2024 10:00:48 +0000 Subject: [PATCH] make bundle-generate Signed-off-by: Richard Wall --- bundle/bundle.Dockerfile | 3 +- .../acme.cert-manager.io_challenges.yaml | 130 +++++++++++----- .../acme.cert-manager.io_orders.yaml | 2 +- ...c.authorization.k8s.io_v1_clusterrole.yaml | 2 +- ...c.authorization.k8s.io_v1_clusterrole.yaml | 2 +- ...c.authorization.k8s.io_v1_clusterrole.yaml | 2 +- .../cert-manager-webhook_v1_configmap.yaml | 11 -- .../cert-manager-webhook_v1_service.yaml | 2 +- .../cert-manager.clusterserviceversion.yaml | 51 ++++--- .../cert-manager.io_certificaterequests.yaml | 2 +- .../cert-manager.io_certificates.yaml | 110 +++++++++++++- .../cert-manager.io_clusterissuers.yaml | 143 +++++++++++++----- bundle/manifests/cert-manager.io_issuers.yaml | 143 +++++++++++++----- .../manifests/cert-manager_v1_configmap.yaml | 11 -- bundle/manifests/cert-manager_v1_service.yaml | 2 +- bundle/metadata/annotations.yaml | 3 +- 16 files changed, 441 insertions(+), 178 deletions(-) delete mode 100644 bundle/manifests/cert-manager-webhook_v1_configmap.yaml delete mode 100644 bundle/manifests/cert-manager_v1_configmap.yaml diff --git a/bundle/bundle.Dockerfile b/bundle/bundle.Dockerfile index 531127a..7364697 100644 --- a/bundle/bundle.Dockerfile +++ b/bundle/bundle.Dockerfile 
@@ -5,8 +5,7 @@ LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1 LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/ LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/ LABEL operators.operatorframework.io.bundle.package.v1=cert-manager -LABEL operators.operatorframework.io.bundle.channels.v1=candidate,stable -LABEL operators.operatorframework.io.bundle.channel.default.v1=stable +LABEL operators.operatorframework.io.bundle.channels.v1=candidate LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.33.0 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1 LABEL operators.operatorframework.io.metrics.project_layout=unknown diff --git a/bundle/manifests/acme.cert-manager.io_challenges.yaml b/bundle/manifests/acme.cert-manager.io_challenges.yaml index 39a82cb..4543c8b 100644 --- a/bundle/manifests/acme.cert-manager.io_challenges.yaml +++ b/bundle/manifests/acme.cert-manager.io_challenges.yaml @@ -6,7 +6,7 @@ metadata: app: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.13.3 + app.kubernetes.io/version: v1.14.1 name: challenges.acme.cert-manager.io spec: group: acme.cert-manager.io @@ -199,12 +199,16 @@ spec: challenge records. properties: clientID: - description: if both this and ClientSecret are left unset - MSI will be used + description: 'Auth: Azure Service Principal: The ClientID + of the Azure Service Principal used to authenticate + with Azure DNS. If set, ClientSecret and TenantID must + also be set.' type: string clientSecretSecretRef: - description: if both this and ClientID are left unset - MSI will be used + description: 'Auth: Azure Service Principal: A reference + to a Secret containing the password associated with + the Service Principal. If set, ClientID and TenantID + must also be set.' properties: key: description: The key of the entry in the Secret resource's 
@@ -230,9 +234,10 @@ spec: description: name of the DNS zone that should be used type: string managedIdentity: - description: managed identity configuration, can not be - used at the same time as clientID, clientSecretSecretRef - or tenantID + description: 'Auth: Azure Workload Identity or Azure Managed + Service Identity: Settings to enable Azure Workload + Identity or Azure Managed Service Identity If set, ClientID, + ClientSecret and TenantID must not be set.' properties: clientID: description: client ID of the managed identity, can @@ -240,7 +245,8 @@ spec: type: string resourceID: description: resource ID of the managed identity, - can not be used at the same time as clientID + can not be used at the same time as clientID Cannot + be used for Azure Managed Service Identity type: string type: object resourceGroupName: @@ -250,8 +256,10 @@ spec: description: ID of the Azure subscription type: string tenantID: - description: when specifying ClientID and ClientSecret - then this field is also needed + description: 'Auth: Azure Service Principal: The TenantID + of the Azure Service Principal used to authenticate + with Azure DNS. If set, ClientID and ClientSecret must + also be set.' type: string required: - resourceGroupName 
@@ -580,16 +588,17 @@ spec: to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. - \n ParentRefs from a Route to a Service in the - same namespace are \"producer\" routes, which - apply default routing rules to inbound connections - from any namespace to the Service. \n ParentRefs - from a Route to a Service in a different namespace - are \"consumer\" routes, and these routing rules - are only applied to outbound connections originating - from the same namespace as the Route, for which - the intended destination of the connections are - a Service targeted as a ParentRef of the Route. + \n ParentRefs + from a Route to a Service in the same namespace + are \"producer\" routes, which apply default routing + rules to inbound connections from any namespace + to the Service. \n ParentRefs from a Route to + a Service in a different namespace are \"consumer\" + routes, and these routing rules are only applied + to outbound connections originating from the same + namespace as the Route, for which the intended + destination of the connections are a Service targeted + as a ParentRef of the Route. \n Support: Core" maxLength: 63 minLength: 1 
@@ -608,25 +617,26 @@ spec: port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n - When the parent resource is a Service, this targets - a specific port in the Service spec. When both - Port (experimental) and SectionName are specified, - the name and port of the selected port must match - both specified values. \n Implementations MAY - choose to support other parent resources. Implementations - supporting other types of parent resources MUST - clearly document how/if Port is interpreted. \n - For the purpose of status, an attachment is considered - successful as long as the parent resource accepts - it partially. For example, Gateway listeners can - restrict which Routes can attach to them by Route - kind, namespace, or hostname. If 1 of 2 Gateway - listeners accept attachment from the referencing - Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment - from this Route, the Route MUST be considered - detached from the Gateway. \n Support: Extended - \n " + When the parent + resource is a Service, this targets a specific + port in the Service spec. When both Port (experimental) + and SectionName are specified, the name and port + of the selected port must match both specified + values. \n + Implementations MAY choose to support other parent + resources. Implementations supporting other types + of parent resources MUST clearly document how/if + Port is interpreted. \n For the purpose of status, + an attachment is considered successful as long + as the parent resource accepts it partially. For + example, Gateway listeners can restrict which + Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept + attachment from the referencing Route, the Route + MUST be considered successfully attached. 
If no + Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from + the Gateway. \n Support: Extended \n " format: int32 maximum: 65535 minimum: 1 @@ -870,6 +880,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: @@ -938,6 +958,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: @@ -1004,6 +1034,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: @@ -1072,6 +1112,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: diff --git a/bundle/manifests/acme.cert-manager.io_orders.yaml b/bundle/manifests/acme.cert-manager.io_orders.yaml index 1949d5e..d1290b3 100644 --- a/bundle/manifests/acme.cert-manager.io_orders.yaml +++ b/bundle/manifests/acme.cert-manager.io_orders.yaml @@ -6,7 +6,7 @@ metadata: app: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.13.3 + app.kubernetes.io/version: v1.14.1 name: orders.acme.cert-manager.io spec: group: acme.cert-manager.io 
diff --git a/bundle/manifests/cert-manager-cluster-view_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/cert-manager-cluster-view_rbac.authorization.k8s.io_v1_clusterrole.yaml index 755d384..d9a21d7 100644 --- a/bundle/manifests/cert-manager-cluster-view_rbac.authorization.k8s.io_v1_clusterrole.yaml +++ b/bundle/manifests/cert-manager-cluster-view_rbac.authorization.k8s.io_v1_clusterrole.yaml @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/component: controller app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.13.3 + app.kubernetes.io/version: v1.14.1 rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" name: cert-manager-cluster-view rules: diff --git a/bundle/manifests/cert-manager-edit_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/cert-manager-edit_rbac.authorization.k8s.io_v1_clusterrole.yaml index e7a4b95..405ddd2 100644 --- a/bundle/manifests/cert-manager-edit_rbac.authorization.k8s.io_v1_clusterrole.yaml +++ b/bundle/manifests/cert-manager-edit_rbac.authorization.k8s.io_v1_clusterrole.yaml @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/component: controller app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.13.3 + app.kubernetes.io/version: v1.14.1 rbac.authorization.k8s.io/aggregate-to-admin: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" name: cert-manager-edit diff --git a/bundle/manifests/cert-manager-view_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/cert-manager-view_rbac.authorization.k8s.io_v1_clusterrole.yaml index 2f91118..1833888 100644 --- a/bundle/manifests/cert-manager-view_rbac.authorization.k8s.io_v1_clusterrole.yaml +++ b/bundle/manifests/cert-manager-view_rbac.authorization.k8s.io_v1_clusterrole.yaml 
@@ -7,7 +7,7 @@ metadata: app.kubernetes.io/component: controller app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.13.3 + app.kubernetes.io/version: v1.14.1 rbac.authorization.k8s.io/aggregate-to-admin: "true" rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" diff --git a/bundle/manifests/cert-manager-webhook_v1_configmap.yaml b/bundle/manifests/cert-manager-webhook_v1_configmap.yaml deleted file mode 100644 index 5f743c9..0000000 --- a/bundle/manifests/cert-manager-webhook_v1_configmap.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -data: null -kind: ConfigMap -metadata: - labels: - app: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: webhook - app.kubernetes.io/version: v1.13.3 - name: cert-manager-webhook diff --git a/bundle/manifests/cert-manager-webhook_v1_service.yaml b/bundle/manifests/cert-manager-webhook_v1_service.yaml index 2723b50..04495e9 100644 --- a/bundle/manifests/cert-manager-webhook_v1_service.yaml +++ b/bundle/manifests/cert-manager-webhook_v1_service.yaml @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/component: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: webhook - app.kubernetes.io/version: v1.13.3 + app.kubernetes.io/version: v1.14.1 name: cert-manager-webhook spec: ports: diff --git a/bundle/manifests/cert-manager.clusterserviceversion.yaml b/bundle/manifests/cert-manager.clusterserviceversion.yaml index 89e8b8a..1f338ab 100644 --- a/bundle/manifests/cert-manager.clusterserviceversion.yaml +++ b/bundle/manifests/cert-manager.clusterserviceversion.yaml 
@@ -67,9 +67,9 @@ metadata: ] capabilities: Full Lifecycle categories: Security - containerImage: quay.io/jetstack/cert-manager-controller:v1.13.3 - createdAt: '2024-02-06T13:43:31' - olm.skipRange: '>=1.13.0 <1.13.3' + containerImage: quay.io/jetstack/cert-manager-controller:v1.14.1 + createdAt: '2024-02-07T10:00:36' + olm.skipRange: '>=1.14.0 <1.14.1-rc1' operators.operatorframework.io/builder: operator-sdk-v1.33.0 operators.operatorframework.io/internal-objects: |- [ @@ -84,7 +84,7 @@ metadata: operatorframework.io/arch.arm64: supported operatorframework.io/arch.ppc64le: supported operatorframework.io/arch.s390x: supported - name: cert-manager.v1.13.3 + name: cert-manager.v1.14.1-rc1 namespace: placeholder spec: apiservicedefinitions: {} @@ -621,7 +621,7 @@ spec: app.kubernetes.io/component: controller app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.13.3 + app.kubernetes.io/version: v1.14.1 name: cert-manager spec: replicas: 1 
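Review bot: The CSV now calls itself `name: cert-manager.v1.14.1-rc1` (and `version: 1.14.1-rc1` in a later hunk) while `containerImage`, the `--acme-http01-solver-image` argument and every `app.kubernetes.io/version` label point at the GA tag `v1.14.1`, so the bundle advertises a release candidate but ships final-tagged images; pick one and regenerate so the two agree. `olm.skipRange` was also narrowed from the 1.13 series to `>=1.14.0 <1.14.1-rc1`, so an upgrade path from the previous `cert-manager.v1.13.3` now depends on a `replaces` entry that is not visible in this hunk — confirm it exists. All images are still referenced by mutable tag; for an operator that mints cluster certificates, pin by digest (`containerImage: quay.io/jetstack/cert-manager-controller@sha256:…`) and list them under `spec.relatedImages` so mirrored/disconnected installs and signature verification have an immutable reference.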
@@ -642,22 +642,32 @@ spec: app.kubernetes.io/component: controller app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.13.3 + app.kubernetes.io/version: v1.14.1 spec: containers: - args: - --v=2 - --cluster-resource-namespace=$(POD_NAMESPACE) - --leader-election-namespace=kube-system - - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.13.3 + - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.14.1 - --max-concurrent-challenges=60 env: - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - image: quay.io/jetstack/cert-manager-controller:v1.13.3 + image: quay.io/jetstack/cert-manager-controller:v1.14.1 imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 8 + httpGet: + path: /livez + port: http-healthz + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 15 name: cert-manager-controller ports: - containerPort: 9402 @@ -672,6 +682,7 @@ spec: capabilities: drop: - ALL + readOnlyRootFilesystem: true enableServiceLinks: false nodeSelector: kubernetes.io/os: linux @@ -685,7 +696,7 @@ spec: app.kubernetes.io/component: cainjector app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cainjector - app.kubernetes.io/version: v1.13.3 + app.kubernetes.io/version: v1.14.1 name: cert-manager-cainjector spec: replicas: 1 @@ -702,7 +713,7 @@ spec: app.kubernetes.io/component: cainjector app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cainjector - app.kubernetes.io/version: v1.13.3 + app.kubernetes.io/version: v1.14.1 spec: containers: - args: @@ -713,7 +724,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: quay.io/jetstack/cert-manager-cainjector:v1.13.3 + image: quay.io/jetstack/cert-manager-cainjector:v1.14.1 imagePullPolicy: IfNotPresent name: cert-manager-cainjector resources: {} 
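Review bot: The new `livenessProbe` targets the named port `http-healthz`, but the only container port visible in this hunk is `containerPort: 9402`; if `http-healthz` is not declared under `ports:` in the lines that follow, kubelet cannot resolve the name, every probe fails, and the controller is restarted roughly every 80 s (`failureThreshold: 8` × `periodSeconds: 10`) — confirm the port entry is present in the regenerated deployment. `readOnlyRootFilesystem: true` is a welcome hardening step, but it was added without a writable `emptyDir`; verify that no controller code path needs to write (e.g. under `/tmp`) or mount one, otherwise the failure only shows up at runtime. The probe runs over plain `scheme: HTTP`, which is fine for a loopback-style health endpoint, but worth a one-line comment so nobody later "upgrades" it to HTTPS without adjusting the server side.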
@@ -722,6 +733,7 @@ spec: capabilities: drop: - ALL + readOnlyRootFilesystem: true enableServiceLinks: false nodeSelector: kubernetes.io/os: linux @@ -735,7 +747,7 @@ spec: app.kubernetes.io/component: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: webhook - app.kubernetes.io/version: v1.13.3 + app.kubernetes.io/version: v1.14.1 name: cert-manager-webhook spec: replicas: 1 @@ -752,7 +764,7 @@ spec: app.kubernetes.io/component: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: webhook - app.kubernetes.io/version: v1.13.3 + app.kubernetes.io/version: v1.14.1 spec: containers: - args: @@ -768,7 +780,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: quay.io/jetstack/cert-manager-webhook:v1.13.3 + image: quay.io/jetstack/cert-manager-webhook:v1.14.1 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 @@ -804,6 +816,7 @@ spec: capabilities: drop: - ALL + readOnlyRootFilesystem: true enableServiceLinks: false nodeSelector: kubernetes.io/os: linux @@ -897,7 +910,7 @@ spec: provider: name: The cert-manager maintainers url: https://cert-manager.io/ - version: 1.13.3 + version: 1.14.1-rc1 webhookdefinitions: - admissionReviewVersions: - v1 @@ -919,7 +932,7 @@ spec: - '*/*' sideEffects: None targetPort: https - timeoutSeconds: 10 + timeoutSeconds: 30 type: ValidatingAdmissionWebhook webhookPath: /validate - admissionReviewVersions: @@ -932,16 +945,14 @@ spec: rules: - apiGroups: - cert-manager.io - - acme.cert-manager.io apiVersions: - v1 operations: - CREATE - - UPDATE resources: - - '*/*' + - certificaterequests sideEffects: None targetPort: https - timeoutSeconds: 10 + timeoutSeconds: 30 type: MutatingAdmissionWebhook webhookPath: /mutate diff --git a/bundle/manifests/cert-manager.io_certificaterequests.yaml b/bundle/manifests/cert-manager.io_certificaterequests.yaml index e1de9ea..72a64dc 100644 --- a/bundle/manifests/cert-manager.io_certificaterequests.yaml 
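Review bot: The MutatingAdmissionWebhook is narrowed to `CREATE` of `certificaterequests` only (the `acme.cert-manager.io` group, `UPDATE` and `*/*` are dropped), so whatever the webhook stamps onto a CertificateRequest at creation is no longer re-applied on update; that is only safe if the ValidatingAdmissionWebhook — whose rules are mostly outside this hunk — rejects any later change to those fields, so confirm the update validation covers them before shipping this scope reduction. Both webhooks also move from `timeoutSeconds: 10` to `30`, the API-server maximum: `failurePolicy` is not in the hunk, but with `Fail` a webhook outage now stalls every create/update of cert-manager resources for up to 30 s per request, and with `Ignore` a slow webhook silently admits unvalidated objects, so the choice should be deliberate and documented next to the value, e.g. `timeoutSeconds: 30  # max allowed; see failurePolicy for outage behaviour`. Dropping `acme.cert-manager.io` from the mutating side is presumably intended (Orders and Challenges are controller-managed), but the commit message only says "make bundle-generate", so state the upstream change that narrowed the webhook so the reduced scope is auditable.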
+++ b/bundle/manifests/cert-manager.io_certificaterequests.yaml @@ -6,7 +6,7 @@ metadata: app: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.13.3 + app.kubernetes.io/version: v1.14.1 name: certificaterequests.cert-manager.io spec: group: cert-manager.io diff --git a/bundle/manifests/cert-manager.io_certificates.yaml b/bundle/manifests/cert-manager.io_certificates.yaml index f89e028..f13eb5a 100644 --- a/bundle/manifests/cert-manager.io_certificates.yaml +++ b/bundle/manifests/cert-manager.io_certificates.yaml @@ -6,7 +6,7 @@ metadata: app: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.13.3 + app.kubernetes.io/version: v1.14.1 name: certificates.cert-manager.io spec: group: cert-manager.io @@ -226,6 +226,23 @@ spec: required: - name type: object + profile: + description: "Profile specifies the key and certificate encryption + algorithms and the HMAC algorithm used to create the PKCS12 + keystore. Default value is `LegacyRC2` for backward compatibility. + \n If provided, allowed values are: `LegacyRC2`: Deprecated. + Not supported by default in OpenSSL 3 or Java 20. `LegacyDES`: + Less secure algorithm. Use this option for maximal compatibility. + `Modern2023`: Secure algorithm. Use this option in case + you have to always use secure algorithms (eg. because of + company policy). Please note that the security of the algorithm + is not that important in reality, because the unencrypted + certificate and private key are also stored in the Secret." + enum: + - LegacyRC2 + - LegacyDES + - Modern2023 + type: string required: - create - passwordSecretRef 
@@ -244,6 +261,97 @@ spec: is an Alpha Feature and is only enabled with the `--feature-gates=LiteralCertificateSubject=true` option set on both the controller and webhook components." type: string + nameConstraints: + description: "x.509 certificate NameConstraint extension which MUST + NOT be used in a non-CA certificate. More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 + \n This is an Alpha Feature and is only enabled with the `--feature-gates=NameConstraints=true` + option set on both the controller and webhook components." + properties: + critical: + description: if true then the name constraints are marked critical. + type: boolean + excluded: + description: Excluded contains the constraints which must be disallowed. + Any name matching a restriction in the excluded field is invalid + regardless of information appearing in the permitted + properties: + dnsDomains: + description: DNSDomains is a list of DNS domains that are + permitted or excluded. + items: + type: string + type: array + emailAddresses: + description: EmailAddresses is a list of Email Addresses that + are permitted or excluded. + items: + type: string + type: array + ipRanges: + description: IPRanges is a list of IP Ranges that are permitted + or excluded. This should be a valid CIDR notation. + items: + type: string + type: array + uriDomains: + description: URIDomains is a list of URI domains that are + permitted or excluded. + items: + type: string + type: array + type: object + permitted: + description: Permitted contains the constraints in which the names + must be located. + properties: + dnsDomains: + description: DNSDomains is a list of DNS domains that are + permitted or excluded. + items: + type: string + type: array + emailAddresses: + description: EmailAddresses is a list of Email Addresses that + are permitted or excluded. + items: + type: string + type: array + ipRanges: + description: IPRanges is a list of IP Ranges that are permitted + or excluded. 
This should be a valid CIDR notation. + items: + type: string + type: array + uriDomains: + description: URIDomains is a list of URI domains that are + permitted or excluded. + items: + type: string + type: array + type: object + type: object + otherNames: + description: '`otherNames` is an escape hatch for SAN that allows + any type. We currently restrict the support to string like otherNames, + cf RFC 5280 p 37 Any UTF8 String valued otherName can be passed + with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for + `otherName`. Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3 + You should ensure that any OID passed is valid for the UTF8String + type as we do not explicitly validate this.' + items: + properties: + oid: + description: OID is the object identifier for the otherName + SAN. The object identifier must be expressed as a dotted string, + for example, "1.2.840.113556.1.4.221". + type: string + utf8Value: + description: utf8Value is the string value of the otherName + SAN. The utf8Value accepts any valid UTF8 string to set as + value for the otherName SAN. + type: string + type: object + type: array privateKey: description: Private key options. These include the key algorithm and size, the used encoding and the rotation policy. diff --git a/bundle/manifests/cert-manager.io_clusterissuers.yaml b/bundle/manifests/cert-manager.io_clusterissuers.yaml index 61597df..0ae660b 100644 --- a/bundle/manifests/cert-manager.io_clusterissuers.yaml +++ b/bundle/manifests/cert-manager.io_clusterissuers.yaml @@ -6,7 +6,7 @@ metadata: app: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.13.3 + app.kubernetes.io/version: v1.14.1 name: clusterissuers.cert-manager.io spec: group: cert-manager.io 
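Review bot: The new `nameConstraints` schema leaves `critical` as an optional boolean and has no rule tying the field to `isCA: true`, even though its own description says the extension MUST NOT appear in a non-CA certificate and RFC 5280 §4.2.1.10 (which it links) requires conforming CAs to mark it critical; a verifier that does not implement the extension will silently ignore a non-critical one, which gives a false sense of restriction. Since this CRD is generated from the Go API types, the fix belongs there — for example a spec-level `x-kubernetes-validations: - rule: '!has(self.nameConstraints) || (has(self.isCA) && self.isCA)'` plus a sentence in the `critical` description stating that omitting it yields a non-critical extension; hedged because the webhook may already enforce the `isCA` coupling, which this hunk cannot show. Likewise `ipRanges` says it should be CIDR and `otherNames[].oid` a dotted string, but neither carries a `pattern`, so malformed values are only caught at signing time, if at all — confirm where that validation lives.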
@@ -296,12 +296,16 @@ spec: DNS01 challenge records. properties: clientID: - description: if both this and ClientSecret are left - unset MSI will be used + description: 'Auth: Azure Service Principal: The + ClientID of the Azure Service Principal used to + authenticate with Azure DNS. If set, ClientSecret + and TenantID must also be set.' type: string clientSecretSecretRef: - description: if both this and ClientID are left - unset MSI will be used + description: 'Auth: Azure Service Principal: A reference + to a Secret containing the password associated + with the Service Principal. If set, ClientID and + TenantID must also be set.' properties: key: description: The key of the entry in the Secret @@ -330,9 +334,11 @@ spec: used type: string managedIdentity: - description: managed identity configuration, can - not be used at the same time as clientID, clientSecretSecretRef - or tenantID + description: 'Auth: Azure Workload Identity or Azure + Managed Service Identity: Settings to enable Azure + Workload Identity or Azure Managed Service Identity + If set, ClientID, ClientSecret and TenantID must + not be set.' properties: clientID: description: client ID of the managed identity, @@ -341,6 +347,7 @@ spec: resourceID: description: resource ID of the managed identity, can not be used at the same time as clientID + Cannot be used for Azure Managed Service Identity type: string type: object resourceGroupName: @@ -351,8 +358,10 @@ spec: description: ID of the Azure subscription type: string tenantID: - description: when specifying ClientID and ClientSecret - then this field is also needed + description: 'Auth: Azure Service Principal: The + TenantID of the Azure Service Principal used to + authenticate with Azure DNS. If set, ClientID + and ClientSecret must also be set.' type: string required: - resourceGroupName 
@@ -701,19 +710,20 @@ spec: are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other - kind of cross-namespace reference. \n ParentRefs - from a Route to a Service in the same namespace - are \"producer\" routes, which apply default - routing rules to inbound connections from - any namespace to the Service. \n ParentRefs - from a Route to a Service in a different - namespace are \"consumer\" routes, and these - routing rules are only applied to outbound - connections originating from the same namespace - as the Route, for which the intended destination - of the connections are a Service targeted - as a ParentRef of the Route. \n Support: - Core" + kind of cross-namespace reference. \n + ParentRefs from a Route to a Service in + the same namespace are \"producer\" routes, + which apply default routing rules to inbound + connections from any namespace to the Service. + \n ParentRefs from a Route to a Service + in a different namespace are \"consumer\" + routes, and these routing rules are only + applied to outbound connections originating + from the same namespace as the Route, for + which the intended destination of the connections + are a Service targeted as a ParentRef of + the Route. + \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 
@@ -732,25 +742,27 @@ spec: may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified - values. \n When the parent resource is a - Service, this targets a specific port in - the Service spec. When both Port (experimental) - and SectionName are specified, the name - and port of the selected port must match - both specified values. \n Implementations - MAY choose to support other parent resources. - Implementations supporting other types of - parent resources MUST clearly document how/if - Port is interpreted. \n For the purpose - of status, an attachment is considered successful - as long as the parent resource accepts it - partially. For example, Gateway listeners - can restrict which Routes can attach to - them by Route kind, namespace, or hostname. - If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST - be considered successfully attached. If - no Gateway listeners accept attachment from + values. \n + When the parent resource is a Service, this + targets a specific port in the Service spec. + When both Port (experimental) and SectionName + are specified, the name and port of the + selected port must match both specified + values. + \n Implementations MAY choose to support + other parent resources. Implementations + supporting other types of parent resources + MUST clearly document how/if Port is interpreted. + \n For the purpose of status, an attachment + is considered successful as long as the + parent resource accepts it partially. For + example, Gateway listeners can restrict + which Routes can attach to them by Route + kind, namespace, or hostname. If 1 of 2 + Gateway listeners accept attachment from + the referencing Route, the Route MUST be + considered successfully attached. If no + Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " 
@@ -1006,6 +1018,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: @@ -1074,6 +1096,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: @@ -1140,6 +1172,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: @@ -1208,6 +1250,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: @@ -1345,6 +1397,13 @@ spec: items: type: string type: array + issuingCertificateURLs: + description: IssuingCertificateURLs is a list of URLs which this + issuer should embed into certificates it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 + for more details. As an example, such a URL might be "http://ca.domain.com/ca.crt". + items: + type: string + type: array ocspServers: description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders diff --git a/bundle/manifests/cert-manager.io_issuers.yaml b/bundle/manifests/cert-manager.io_issuers.yaml index 012115c..d49e295 100644 --- a/bundle/manifests/cert-manager.io_issuers.yaml 
+++ b/bundle/manifests/cert-manager.io_issuers.yaml @@ -6,7 +6,7 @@ metadata: app: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.13.3 + app.kubernetes.io/version: v1.14.1 name: issuers.cert-manager.io spec: group: cert-manager.io @@ -295,12 +295,16 @@ spec: DNS01 challenge records. properties: clientID: - description: if both this and ClientSecret are left - unset MSI will be used + description: 'Auth: Azure Service Principal: The + ClientID of the Azure Service Principal used to + authenticate with Azure DNS. If set, ClientSecret + and TenantID must also be set.' type: string clientSecretSecretRef: - description: if both this and ClientID are left - unset MSI will be used + description: 'Auth: Azure Service Principal: A reference + to a Secret containing the password associated + with the Service Principal. If set, ClientID and + TenantID must also be set.' properties: key: description: The key of the entry in the Secret @@ -329,9 +333,11 @@ spec: used type: string managedIdentity: - description: managed identity configuration, can - not be used at the same time as clientID, clientSecretSecretRef - or tenantID + description: 'Auth: Azure Workload Identity or Azure + Managed Service Identity: Settings to enable Azure + Workload Identity or Azure Managed Service Identity + If set, ClientID, ClientSecret and TenantID must + not be set.' properties: clientID: description: client ID of the managed identity, @@ -340,6 +346,7 @@ spec: resourceID: description: resource ID of the managed identity, can not be used at the same time as clientID + Cannot be used for Azure Managed Service Identity type: string type: object resourceGroupName: 
@@ -350,8 +357,10 @@ spec:
 description: ID of the Azure subscription
 type: string
 tenantID:
- description: when specifying ClientID and ClientSecret
- then this field is also needed
+ description: 'Auth: Azure Service Principal: The
+ TenantID of the Azure Service Principal used to
+ authenticate with Azure DNS. If set, ClientID
+ and ClientSecret must also be set.'
 type: string
 required:
 - resourceGroupName
@@ -700,19 +709,20 @@ spec:
 are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other
- kind of cross-namespace reference. \n ParentRefs
- from a Route to a Service in the same namespace
- are \"producer\" routes, which apply default
- routing rules to inbound connections from
- any namespace to the Service. \n ParentRefs
- from a Route to a Service in a different
- namespace are \"consumer\" routes, and these
- routing rules are only applied to outbound
- connections originating from the same namespace
- as the Route, for which the intended destination
- of the connections are a Service targeted
- as a ParentRef of the Route. \n Support:
- Core"
+ kind of cross-namespace reference. \n
+ ParentRefs from a Route to a Service in
+ the same namespace are \"producer\" routes,
+ which apply default routing rules to inbound
+ connections from any namespace to the Service.
+ \n ParentRefs from a Route to a Service
+ in a different namespace are \"consumer\"
+ routes, and these routing rules are only
+ applied to outbound connections originating
+ from the same namespace as the Route, for
+ which the intended destination of the connections
+ are a Service targeted as a ParentRef of
+ the Route.
+ \n Support: Core"
 maxLength: 63
 minLength: 1
 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
@@ -731,25 +741,27 @@ spec:
 may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified
- values. \n When the parent resource is a
- Service, this targets a specific port in
- the Service spec. When both Port (experimental)
- and SectionName are specified, the name
- and port of the selected port must match
- both specified values. \n Implementations
- MAY choose to support other parent resources.
- Implementations supporting other types of
- parent resources MUST clearly document how/if
- Port is interpreted. \n For the purpose
- of status, an attachment is considered successful
- as long as the parent resource accepts it
- partially. For example, Gateway listeners
- can restrict which Routes can attach to
- them by Route kind, namespace, or hostname.
- If 1 of 2 Gateway listeners accept attachment
- from the referencing Route, the Route MUST
- be considered successfully attached. If
- no Gateway listeners accept attachment from
+ values. \n
+ When the parent resource is a Service, this
+ targets a specific port in the Service spec.
+ When both Port (experimental) and SectionName
+ are specified, the name and port of the
+ selected port must match both specified
+ values.
+ \n Implementations MAY choose to support
+ other parent resources. Implementations
+ supporting other types of parent resources
+ MUST clearly document how/if Port is interpreted.
+ \n For the purpose of status, an attachment
+ is considered successful as long as the
+ parent resource accepts it partially. For
+ example, Gateway listeners can restrict
+ which Routes can attach to them by Route
+ kind, namespace, or hostname. If 1 of 2
+ Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be
+ considered successfully attached. If no
+ Gateway listeners accept attachment from
 this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n "
@@ -1005,6 +1017,16 @@ spec:
 type: object
 type: object
 x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
 namespaceSelector:
 properties:
 matchExpressions:
@@ -1073,6 +1095,16 @@ spec:
 type: object
 type: object
 x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
 namespaceSelector:
 properties:
 matchExpressions:
@@ -1139,6 +1171,16 @@ spec:
 type: object
 type: object
 x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
 namespaceSelector:
 properties:
 matchExpressions:
@@ -1207,6 +1249,16 @@ spec:
 type: object
 type: object
 x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
 namespaceSelector:
 properties:
 matchExpressions:
@@ -1344,6 +1396,13 @@ spec:
 items:
 type: string
 type: array
+ issuingCertificateURLs:
+ description: IssuingCertificateURLs is a list of URLs which this
+ issuer should embed into certificates it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1
+ for more details. As an example, such a URL might be "http://ca.domain.com/ca.crt".
+ items:
+ type: string
+ type: array
 ocspServers:
 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders
diff --git a/bundle/manifests/cert-manager_v1_configmap.yaml b/bundle/manifests/cert-manager_v1_configmap.yaml
deleted file mode 100644
index 27ceef5..0000000
--- a/bundle/manifests/cert-manager_v1_configmap.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-data: null
-kind: ConfigMap
-metadata:
- labels:
- app: cert-manager
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.13.3
- name: cert-manager
diff --git a/bundle/manifests/cert-manager_v1_service.yaml b/bundle/manifests/cert-manager_v1_service.yaml
index fb944fa..57e5ec7 100644
--- a/bundle/manifests/cert-manager_v1_service.yaml
+++ b/bundle/manifests/cert-manager_v1_service.yaml
@@ -7,7 +7,7 @@ metadata:
 app.kubernetes.io/component: controller
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.13.3
+ app.kubernetes.io/version: v1.14.1
 name: cert-manager
 spec:
 ports:
diff --git a/bundle/metadata/annotations.yaml b/bundle/metadata/annotations.yaml
index 4264fd7..64d6351 100644
--- a/bundle/metadata/annotations.yaml
+++ b/bundle/metadata/annotations.yaml
@@ -4,8 +4,7 @@ annotations:
 operators.operatorframework.io.bundle.manifests.v1: manifests/
 operators.operatorframework.io.bundle.metadata.v1: metadata/
 operators.operatorframework.io.bundle.package.v1: cert-manager
- operators.operatorframework.io.bundle.channels.v1: candidate,stable
- operators.operatorframework.io.bundle.channel.default.v1: stable
+ operators.operatorframework.io.bundle.channels.v1: candidate
 operators.operatorframework.io.metrics.builder: operator-sdk-v1.33.0
 operators.operatorframework.io.metrics.mediatype.v1: metrics+v1
 operators.operatorframework.io.metrics.project_layout: unknown
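Review bot: The annotations hunk narrows `operators.operatorframework.io.bundle.channels.v1` from `candidate,stable` to `candidate` and removes `operators.operatorframework.io.bundle.channel.default.v1` entirely, so this bundle is no longer offered on `stable` and declares no default channel; the same two-line change is made to the labels in bundle/bundle.Dockerfile. For a regenerated bundle this presumably comes from a changed generator input rather than a hand edit, but the commit message ("make bundle-generate") does not say so, and subscriptions following `stable` will not pick up v1.14.1 from this bundle. I would record the intent in the commit description, e.g. `Publish v1.14.1 on the candidate channel only; stable is not updated by this bundle`, and keep the Dockerfile labels and annotations.yaml in lockstep, since the two must agree for the bundle to validate.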