deps: Update cert manager to 1.12.6 (#2700)
* deps: bump cert manager to 1.13.2
* helm: allow minor jump for cert-manager
parent
a1f67d0884
commit
0111b6d718
@ -453,6 +453,10 @@ go_library(
|
||||
"charts/cilium/templates/spire/server/service.yaml",
|
||||
"charts/cilium/templates/spire/server/serviceaccount.yaml",
|
||||
"charts/cilium/templates/spire/server/statefulset.yaml",
|
||||
"charts/cert-manager/templates/cainjector-poddisruptionbudget.yaml",
|
||||
"charts/cert-manager/templates/controller-config.yaml",
|
||||
"charts/cert-manager/templates/poddisruptionbudget.yaml",
|
||||
"charts/cert-manager/templates/webhook-poddisruptionbudget.yaml",
|
||||
],
|
||||
importpath = "github.com/edgelesssys/constellation/v2/internal/constellation/helm",
|
||||
visibility = ["//:__subpackages__"],
|
||||
|
@ -122,7 +122,7 @@ func (a actionFactory) appendNewAction(
|
||||
if err := newVersion.IsUpgradeTo(currentVersion); err != nil {
|
||||
// TODO(3u13r): Remove when Constellation v2.14 is released.
|
||||
// We need to ignore that we jump from Cilium v1.12 to v1.15-pre. We have verified that this works.
|
||||
if !(errors.Is(err, compatibility.ErrMinorDrift) && release.releaseName == "cilium") {
|
||||
if !(errors.Is(err, compatibility.ErrMinorDrift) && (release.releaseName == "cilium" || release.releaseName == "cert-manager")) {
|
||||
return fmt.Errorf("invalid upgrade for %s: %w", release.releaseName, err)
|
||||
}
|
||||
}
|
||||
|
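Review bot: The widened condition on the `errors.Is(err, compatibility.ErrMinorDrift)` line lets any minor-version jump of the `cert-manager` release skip the upgrade check, while the comment above it still justifies only the Cilium v1.12 to v1.15-pre jump and the TODO names only that case. This check is what keeps an untested chart version from being applied to a running cluster, so the exemption should be documented and ideally limited to the jump that was actually tested; at minimum add a comment such as `// cert-manager also skips a minor version here (chart v1.10.0 -> v1.12.6); remove together with the Cilium exception.` The section prints both the one-release and the two-release form of the condition without +/- markers, and this note assumes the form that includes `"cert-manager"` is the new side. appendNewAction starts and ends outside the hunk.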
@ -4,7 +4,7 @@ annotations:
|
||||
fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E
|
||||
url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg
|
||||
apiVersion: v1
|
||||
appVersion: v1.10.0
|
||||
appVersion: v1.12.6
|
||||
description: A Helm chart for cert-manager
|
||||
home: https://github.com/cert-manager/cert-manager
|
||||
icon: https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png
|
||||
@ -13,7 +13,7 @@ keywords:
|
||||
- kube-lego
|
||||
- letsencrypt
|
||||
- tls
|
||||
kubeVersion: '>= 1.20.0-0'
|
||||
kubeVersion: '>= 1.22.0-0'
|
||||
maintainers:
|
||||
- email: cert-manager-maintainers@googlegroups.com
|
||||
name: cert-manager-maintainers
|
||||
@ -21,4 +21,4 @@ maintainers:
|
||||
name: cert-manager
|
||||
sources:
|
||||
- https://github.com/cert-manager/cert-manager
|
||||
version: v1.10.0
|
||||
version: v1.12.6
|
||||
|
@ -90,6 +90,10 @@ spec:
|
||||
resources:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.volumeMounts }}
|
||||
volumeMounts:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
@ -106,4 +110,8 @@ spec:
|
||||
topologySpreadConstraints:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.volumes }}
|
||||
volumes:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
@ -0,0 +1,26 @@
|
||||
{{- if .Values.cainjector.podDisruptionBudget.enabled }}
|
||||
apiVersion: policy/v1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ include "cainjector.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
|
||||
{{- with .Values.cainjector.podDisruptionBudget.minAvailable }}
|
||||
minAvailable: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.podDisruptionBudget.maxUnavailable }}
|
||||
maxUnavailable: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
@ -22,13 +22,13 @@ rules:
|
||||
verbs: ["get", "create", "update", "patch"]
|
||||
- apiGroups: ["admissionregistration.k8s.io"]
|
||||
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
verbs: ["get", "list", "watch", "update", "patch"]
|
||||
- apiGroups: ["apiregistration.k8s.io"]
|
||||
resources: ["apiservices"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
verbs: ["get", "list", "watch", "update", "patch"]
|
||||
- apiGroups: ["apiextensions.k8s.io"]
|
||||
resources: ["customresourcedefinitions"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
verbs: ["get", "list", "watch", "update", "patch"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
|
@ -0,0 +1,25 @@
|
||||
{{- if .Values.config -}}
|
||||
{{- if not .Values.config.apiVersion -}}
|
||||
{{- fail "config.apiVersion must be set" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if not .Values.config.kind -}}
|
||||
{{- fail "config.kind must be set" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ include "cert-manager.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
data:
|
||||
{{- if .Values.config }}
|
||||
config.yaml: |
|
||||
{{ .Values.config | toYaml | nindent 4 }}
|
||||
{{- end }}
|
File diff suppressed because it is too large
@ -90,6 +90,9 @@ spec:
|
||||
- --leader-election-retry-period={{ .retryPeriod }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.acmesolver.image }}
|
||||
- --acme-http01-solver-image={{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}
|
||||
{{- end }}
|
||||
{{- with .Values.extraArgs }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
@ -107,10 +110,25 @@ spec:
|
||||
{{- if .Values.featureGates }}
|
||||
- --feature-gates={{ .Values.featureGates }}
|
||||
{{- end }}
|
||||
{{- if .Values.maxConcurrentChallenges }}
|
||||
- --max-concurrent-challenges={{ .Values.maxConcurrentChallenges }}
|
||||
{{- end }}
|
||||
{{- if .Values.enableCertificateOwnerRef }}
|
||||
- --enable-certificate-owner-ref=true
|
||||
{{- end }}
|
||||
{{- if .Values.dns01RecursiveNameserversOnly }}
|
||||
- --dns01-recursive-nameservers-only=true
|
||||
{{- end }}
|
||||
{{- with .Values.dns01RecursiveNameservers }}
|
||||
- --dns01-recursive-nameservers={{ . }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- containerPort: 9402
|
||||
name: http-metrics
|
||||
protocol: TCP
|
||||
- containerPort: 9403
|
||||
name: http-healthz
|
||||
protocol: TCP
|
||||
{{- with .Values.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
@ -143,6 +161,24 @@ spec:
|
||||
resources:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
|
||||
{{- with .Values.livenessProbe }}
|
||||
{{- if .enabled }}
|
||||
# LivenessProbe settings are based on those used for the Kubernetes
|
||||
# controller-manager. See:
|
||||
# https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
port: http-healthz
|
||||
path: /livez
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: {{ .initialDelaySeconds }}
|
||||
periodSeconds: {{ .periodSeconds }}
|
||||
timeoutSeconds: {{ .timeoutSeconds }}
|
||||
successThreshold: {{ .successThreshold }}
|
||||
failureThreshold: {{ .failureThreshold }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
|
@ -0,0 +1,26 @@
|
||||
{{- if .Values.podDisruptionBudget.enabled }}
|
||||
apiVersion: policy/v1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ include "cert-manager.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
|
||||
{{- with .Values.podDisruptionBudget.minAvailable }}
|
||||
minAvailable: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.podDisruptionBudget.maxUnavailable }}
|
||||
maxUnavailable: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
@ -70,7 +70,6 @@ rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
|
||||
---
|
||||
|
||||
# ClusterIssuer controller role
|
||||
|
@ -34,6 +34,9 @@ spec:
|
||||
spec:
|
||||
restartPolicy: OnFailure
|
||||
serviceAccountName: {{ template "startupapicheck.serviceAccountName" . }}
|
||||
{{- if hasKey .Values.startupapicheck "automountServiceAccountToken" }}
|
||||
automountServiceAccountToken: {{ .Values.startupapicheck.automountServiceAccountToken }}
|
||||
{{- end }}
|
||||
{{- with .Values.global.priorityClassName }}
|
||||
priorityClassName: {{ . | quote }}
|
||||
{{- end }}
|
||||
@ -62,6 +65,10 @@ spec:
|
||||
resources:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.volumeMounts }}
|
||||
volumeMounts:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
@ -74,4 +81,8 @@ spec:
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.volumes }}
|
||||
volumes:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
@ -17,6 +17,7 @@ metadata:
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
data:
|
||||
{{- if .Values.webhook.config }}
|
||||
config.yaml: |
|
||||
|
@ -71,6 +71,9 @@ spec:
|
||||
{{ if not $config.securePort -}}
|
||||
- --secure-port={{ .Values.webhook.securePort }}
|
||||
{{- end }}
|
||||
{{- if .Values.featureGates }}
|
||||
- --feature-gates={{ .Values.featureGates }}
|
||||
{{- end }}
|
||||
{{- $tlsConfig := default $config.tlsConfig "" }}
|
||||
{{ if or (not $config.tlsConfig) (and (not $tlsConfig.dynamic) (not $tlsConfig.filesystem) ) -}}
|
||||
- --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
|
||||
@ -143,10 +146,15 @@ spec:
|
||||
resources:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.webhook.config }}
|
||||
{{- if or .Values.webhook.config .Values.webhook.volumeMounts }}
|
||||
volumeMounts:
|
||||
{{- if .Values.webhook.config }}
|
||||
- name: config
|
||||
mountPath: /var/cert-manager/config
|
||||
{{- end }}
|
||||
{{- if .Values.webhook.volumeMounts }}
|
||||
{{- toYaml .Values.webhook.volumeMounts | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.nodeSelector }}
|
||||
nodeSelector:
|
||||
@ -164,9 +172,14 @@ spec:
|
||||
topologySpreadConstraints:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.webhook.config }}
|
||||
{{- if or .Values.webhook.config .Values.webhook.volumes }}
|
||||
volumes:
|
||||
{{- if .Values.webhook.config }}
|
||||
- name: config
|
||||
configMap:
|
||||
name: {{ include "webhook.fullname" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.webhook.volumes }}
|
||||
{{- toYaml .Values.webhook.volumes | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
@ -0,0 +1,26 @@
|
||||
{{- if .Values.webhook.podDisruptionBudget.enabled }}
|
||||
apiVersion: policy/v1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ include "webhook.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
|
||||
{{- with .Values.webhook.podDisruptionBudget.minAvailable }}
|
||||
minAvailable: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.podDisruptionBudget.maxUnavailable }}
|
||||
maxUnavailable: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
@ -60,10 +60,25 @@ strategy: {}
|
||||
# maxSurge: 0
|
||||
# maxUnavailable: 1
|
||||
|
||||
# Comma separated list of feature gates that should be enabled on the
|
||||
# controller pod.
|
||||
podDisruptionBudget:
|
||||
enabled: false
|
||||
|
||||
minAvailable: 1
|
||||
# maxUnavailable: 1
|
||||
|
||||
# minAvailable and maxUnavailable can either be set to an integer (e.g. 1)
|
||||
# or a percentage value (e.g. 25%)
|
||||
|
||||
# Comma separated list of feature gates that should be enabled on the controller
|
||||
# Note: do not use this field to pass feature gate values into webhook
|
||||
# component as this behaviour relies on a bug that will be fixed in cert-manager 1.13
|
||||
# https://github.com/cert-manager/cert-manager/pull/6093
|
||||
# Use webhook.extraArgs to pass --feature-gates flag directly instead.
|
||||
featureGates: ""
|
||||
|
||||
# The maximum number of challenges that can be scheduled as 'processing' at once
|
||||
maxConcurrentChallenges: 60
|
||||
|
||||
image:
|
||||
repository: quay.io/jetstack/cert-manager-controller
|
||||
# You can manage a registry with
|
||||
@ -104,12 +119,23 @@ serviceAccount:
|
||||
# Automounting API credentials for a particular pod
|
||||
# automountServiceAccountToken: true
|
||||
|
||||
# When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted
|
||||
enableCertificateOwnerRef: false
|
||||
|
||||
# Setting Nameservers for DNS01 Self Check
|
||||
# See: https://cert-manager.io/docs/configuration/acme/dns01/#setting-nameservers-for-dns01-self-check
|
||||
|
||||
# Comma separated string with host and port of the recursive nameservers cert-manager should query
|
||||
dns01RecursiveNameservers: ""
|
||||
|
||||
# Forces cert-manager to only use the recursive nameservers for verification.
|
||||
# Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers
|
||||
dns01RecursiveNameserversOnly: false
|
||||
|
||||
# Additional command line flags to pass to cert-manager controller binary.
|
||||
# To see all available flags run docker run quay.io/jetstack/cert-manager-controller:<version> --help
|
||||
extraArgs: []
|
||||
# When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted
|
||||
# - --enable-certificate-owner-ref=true
|
||||
# Use this flag to enabled or disable arbitrary controllers, for example, disable the CertificiateRequests approver
|
||||
# Use this flag to enable or disable arbitrary controllers, for example, disable the CertificiateRequests approver
|
||||
# - --controllers=*,-certificaterequests-approver
|
||||
|
||||
extraEnv: []
|
||||
@ -194,7 +220,7 @@ prometheus:
|
||||
# https_proxy: "https://proxy:8080"
|
||||
# no_proxy: 127.0.0.1,localhost
|
||||
|
||||
# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#affinity-v1-core
|
||||
# A Kubernetes Affinty, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core
|
||||
# for example:
|
||||
# affinity:
|
||||
# nodeAffinity:
|
||||
@ -207,7 +233,7 @@ prometheus:
|
||||
# - master
|
||||
affinity: {}
|
||||
|
||||
# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#toleration-v1-core
|
||||
# A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core
|
||||
# for example:
|
||||
# tolerations:
|
||||
# - key: foo.bar.com/role
|
||||
@ -216,7 +242,7 @@ affinity: {}
|
||||
# effect: NoSchedule
|
||||
tolerations: []
|
||||
|
||||
# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#topologyspreadconstraint-v1-core
|
||||
# A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core
|
||||
# for example:
|
||||
# topologySpreadConstraints:
|
||||
# - maxSkew: 2
|
||||
@ -228,6 +254,22 @@ tolerations: []
|
||||
# app.kubernetes.io/component: controller
|
||||
topologySpreadConstraints: []
|
||||
|
||||
# LivenessProbe settings for the controller container of the controller Pod.
|
||||
#
|
||||
# Disabled by default, because the controller has a leader election mechanism
|
||||
# which should cause it to exit if it is unable to renew its leader election
|
||||
# record.
|
||||
# LivenessProbe durations and thresholds are based on those used for the Kubernetes
|
||||
# controller-manager. See:
|
||||
# https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245
|
||||
livenessProbe:
|
||||
enabled: false
|
||||
initialDelaySeconds: 10
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 15
|
||||
successThreshold: 1
|
||||
failureThreshold: 8
|
||||
|
||||
webhook:
|
||||
replicaCount: 1
|
||||
timeoutSeconds: 10
|
||||
@ -262,6 +304,15 @@ webhook:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
|
||||
podDisruptionBudget:
|
||||
enabled: false
|
||||
|
||||
minAvailable: 1
|
||||
# maxUnavailable: 1
|
||||
|
||||
# minAvailable and maxUnavailable can either be set to an integer (e.g. 1)
|
||||
# or a percentage value (e.g. 25%)
|
||||
|
||||
# Container Security Context to be set on the webhook component container
|
||||
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
||||
containerSecurityContext:
|
||||
@ -406,10 +457,17 @@ webhook:
|
||||
protocol: TCP
|
||||
- port: 53
|
||||
protocol: UDP
|
||||
# On OpenShift and OKD, the Kubernetes API server listens on
|
||||
# port 6443.
|
||||
- port: 6443
|
||||
protocol: TCP
|
||||
to:
|
||||
- ipBlock:
|
||||
cidr: 0.0.0.0/0
|
||||
|
||||
volumes: []
|
||||
volumeMounts: []
|
||||
|
||||
cainjector:
|
||||
enabled: true
|
||||
replicaCount: 1
|
||||
@ -427,6 +485,15 @@ cainjector:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
|
||||
podDisruptionBudget:
|
||||
enabled: false
|
||||
|
||||
minAvailable: 1
|
||||
# maxUnavailable: 1
|
||||
|
||||
# minAvailable and maxUnavailable can either be set to an integer (e.g. 1)
|
||||
# or a percentage value (e.g. 25%)
|
||||
|
||||
# Container Security Context to be set on the cainjector component container
|
||||
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
||||
containerSecurityContext:
|
||||
@ -498,6 +565,23 @@ cainjector:
|
||||
# Automounting API credentials for a particular pod
|
||||
# automountServiceAccountToken: true
|
||||
|
||||
volumes: []
|
||||
volumeMounts: []
|
||||
|
||||
acmesolver:
|
||||
image:
|
||||
repository: quay.io/jetstack/cert-manager-acmesolver
|
||||
# You can manage a registry with
|
||||
# registry: quay.io
|
||||
# repository: jetstack/cert-manager-acmesolver
|
||||
|
||||
# Override the image tag to deploy by setting this variable.
|
||||
# If no value is set, the chart's appVersion will be used.
|
||||
# tag: canary
|
||||
|
||||
# Setting a digest will override any tag
|
||||
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
|
||||
|
||||
# This startupapicheck is a Helm post-install hook that waits for the webhook
|
||||
# endpoints to become available.
|
||||
# The check is implemented using a Kubernetes Job- if you are injecting mesh
|
||||
@ -581,6 +665,9 @@ startupapicheck:
|
||||
helm.sh/hook-weight: "-5"
|
||||
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
|
||||
|
||||
# Automounting API credentials for a particular pod
|
||||
# automountServiceAccountToken: true
|
||||
|
||||
serviceAccount:
|
||||
# Specifies whether a service account should be created
|
||||
create: true
|
||||
@ -600,3 +687,6 @@ startupapicheck:
|
||||
|
||||
# Optional additional labels to add to the startupapicheck's ServiceAccount
|
||||
# labels: {}
|
||||
|
||||
volumes: []
|
||||
volumeMounts: []
|
||||
|
@ -7,13 +7,13 @@ shopt -s inherit_errexit
|
||||
echo "Pulling cert-manager Helm chart..."
|
||||
|
||||
function cleanup {
|
||||
rm -r "charts/cert-manager/README.md" "charts/cert-manager-v1.10.0.tgz"
|
||||
rm -r "charts/cert-manager/README.md" "charts/cert-manager-v1.12.6.tgz"
|
||||
}
|
||||
|
||||
trap cleanup EXIT
|
||||
|
||||
helm pull cert-manager \
|
||||
--version 1.10.0 \
|
||||
--version 1.12.6 \
|
||||
--repo "https://charts.jetstack.io" \
|
||||
--untar \
|
||||
--untardir "charts"
|
||||
|
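Review bot: The `helm pull` call fetches the chart from `https://charts.jetstack.io` and unpacks it into the tree without any provenance check, although the vendored Chart.yaml in this same commit carries a signing-key fingerprint and a keyring URL. If upstream publishes a provenance file for this version, importing that keyring and passing `--verify --keyring "${keyring}"` (placeholder path) would make a tampered or substituted archive fail the update instead of being committed. Separately, the version is repeated in `cleanup` and in `--version`; one variable, e.g. `version="1.12.6"` used as `"charts/cert-manager-v${version}.tgz"` and `--version "${version}"`, keeps the two from drifting on the next bump. The script begins before this hunk.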
@ -194,7 +194,7 @@ func TestHelmApply(t *testing.T) {
|
||||
awsLbVersion = *tc.clusterAWSLBVersion
|
||||
}
|
||||
|
||||
certManagerVersion := "v1.10.0" // current version
|
||||
certManagerVersion := "v1.12.6" // current version
|
||||
if tc.clusterCertManagerVersion != nil {
|
||||
certManagerVersion = *tc.clusterCertManagerVersion
|
||||
}
|
||||
|
@ -239,7 +239,7 @@ func (i *chartLoader) loadCertManagerValues() map[string]any {
|
||||
"startupapicheck": map[string]any{
|
||||
"timeout": "5m",
|
||||
"extraArgs": []string{
|
||||
"--verbose",
|
||||
"-v",
|
||||
},
|
||||
"tolerations": controlPlaneTolerations,
|
||||
},
|
||||
|
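Review bot: The `extraArgs` entry for `startupapicheck` is a literal that has to match what the startupapicheck binary of the vendored chart version accepts, and nothing in `loadCertManagerValues` records that coupling. The section prints both `"--verbose"` and `"-v"` for the one changed line without +/- markers; assuming `"-v"` is the new value, a comment along the lines of `// flag spelling follows the startupapicheck binary shipped with the vendored chart; re-check on every chart bump` (wording for the author to confirm) would help. The chart's values describe startupapicheck as a post-install hook, so an unrecognized flag would presumably make that job, and with it the install or upgrade, fail. The function body continues outside the hunk.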